Earlier versions of OOTP: Commissioner's Corner Want to run an online league? Want to learn about the 'ins' and 'outs' of being a commish? This is the place!

Old 11-16-2008, 09:49 AM   #21
Cooleyvol
Hall Of Famer
 
 
Join Date: Dec 2001
Location: Union City, TN
Posts: 6,383
First off, I'm placing blame at no one's feet.

TSW has had only one league affected out of our 14 leagues easily linked from any league on our network. That league is an OOTP league that runs Getch's utility.

Is it the only OOTP league we have that runs Getch's stuff? No, but it's one of only two.

In my experience CMS are notorious for security holes, so I'd surmise that most of those affected were hit b/c of the CMS running the sites on Fidel's space, but it seems that there's a window in through Getch's utilities. We don't use CMS and have vBulletin, so I'm guessing since those windows were closed, the only other vulnerability left for us was Getch's utility.

I just reupped the index page of our affected site and all is well again, but I will check with that other league running Getch to see if they've seen this as well.
Cooleyvol is offline   Reply With Quote
Old 11-16-2008, 10:54 AM   #22
gollum65
All Star Reserve
 
Join Date: Feb 2007
Posts: 925
Quote:
Originally Posted by Cooleyvol View Post
First off, I'm placing blame at no one's feet.

TSW has had only one league affected out of our 14 leagues easily linked from any league on our network. That league is an OOTP league that runs Getch's utility.

Is it the only OOTP league we have that runs Getch's stuff? No, but it's one of only two.

In my experience CMS are notorious for security holes, so I'd surmise that most of those affected were hit b/c of the CMS running the sites on Fidel's space, but it seems that there's a window in through Getch's utilities. We don't use CMS and have vBulletin, so I'm guessing since those windows were closed, the only other vulnerability left for us was Getch's utility.

I just reupped the index page of our affected site and all is well again, but I will check with that other league running Getch to see if they've seen this as well.
FYI, I don't use a CMS, my forum is SMF, and we're not hosted by Fidel. But, we do use Getch's utils. I'd probably shut the league down without them. lol. But if they are allowing access to unsavory types, I'd hope Getch could identify how and fix it. Not saying that I'm blaming anything either. Just saying.
gollum65 is offline   Reply With Quote
Old 11-16-2008, 10:56 AM   #23
Cooleyvol
Hall Of Famer
 
 
Join Date: Dec 2001
Location: Union City, TN
Posts: 6,383
I'd also look to upgrade SMF if it's not up to date as well.
Cooleyvol is offline   Reply With Quote
Old 11-16-2008, 10:58 AM   #24
Alan T
All Star Starter
 
Join Date: Mar 2002
Location: Mass.
Posts: 1,963
Quote:
Originally Posted by gollum65 View Post
FYI, I don't use a CMS, my forum is SMF, and we're not hosted by Fidel. But, we do use Getch's utils. I'd probably shut the league down without them. lol. But if they are allowing access to unsavory types, I'd hope Getch could identify how and fix it. Not saying that I'm blaming anything either. Just saying.

It might be tough for him to identify how they are being exploited (if they even are) without someone providing the information from their system being hacked.

Someone who has been hacked should be able to see what the new timestamp of the page was that was re-written. You then should be able to go through your system logs (or have your system administrator do so) to see what was done during that time. It should be pretty clear in the logs what was used to rewrite the page with the exploit ****** within it.

If it was Getch's tools, you would then be able to show exactly what was being exploited for him to fix it. Or you can find out if it was something else instead.
Alan T is offline   Reply With Quote
Old 11-16-2008, 11:00 AM   #25
gollum65
All Star Reserve
 
Join Date: Feb 2007
Posts: 925
Yeah, if it happens again to me, I will be tracking things to see if I can identify how they got in. I didn't have system log access before. The web host is working with me now.

And we were on SMF 1.16 till yesterday morning. Now we're on 1.17
gollum65 is offline   Reply With Quote
Old 11-16-2008, 11:19 AM   #26
kq76
Global Moderator
 
 
Join Date: Nov 2002
Location: Vancouver, Canada
Posts: 10,698
I know someone said they had already contacted Getch about it previously, but I just PM'd him to make sure he knows there's concern and to add what he can. I initially said I'd ask fhomess and Solonor about it, but that was because I thought I heard Getch hadn't been around in a while. I just noticed otherwise.

I'd like to thank everyone who has contributed everything they can to aid in flushing this out. Obviously most of us don't know all that much about this stuff so whatever we can learn from those of you who do is great. It's awesome to see how fast our community can come together to resolve a common problem.
kq76 is offline   Reply With Quote
Old 11-16-2008, 01:15 PM   #27
MustangLM
Minors (Triple A)
 
 
Join Date: Jul 2003
Posts: 201
Suicide Squeeze has been hacked several times recently by john mohov. We changed web hosts, but after a few days the hack returned. Our forum runs on SMF 1.17 currently.

Tech support advised me that my global permissions were set to allow files to be written to. They fixed the permissions for me and installed a backup. At the time we were running SMF 1.16 and as soon as the site came back up, I upgraded to SMF 1.17. Two days later we were hacked again. Hopefully that's not the case for you, Paul, but don't be surprised if it happens again.

I contacted tech support again and they did some additional digging. They claimed someone had stolen my ftp user name and password and hacked the site. They recommended I do a virus scan on my end, change my password and reinstall SMF. I ran the scan, but it came up empty. I even picked up another virus software package just to be certain the one I was using hadn't missed something. No virus found. I then changed my ftp password and got the site running again yesterday. It's been running for 24 hrs so far with no issues.

I'm not sure how they are getting my password, but one thing I noticed when I first installed OOTP 9 was that when I entered my ftp data for online play, the password was fully visible. At the time I remember thinking that was odd, but thought nothing of it. Maybe it was the same in previous versions, but I seem to remember it always being hidden. I know you need the commissioner password to view those features, but I'm curious if there isn't some security issue with that portion of OOTP. I've never had any issues in past versions of OOTP, just since using this one. Perhaps it's just a coincidence, but I'm curious now.
__________________
Lonnie Moody
Suicide Squeeze Commish
AIM: SqueezeCommish
Suicide Squeeze Baseball League
Email: commish@suicide-squeeze.net
MustangLM is offline   Reply With Quote
Old 11-16-2008, 01:40 PM   #28
Raidergoo
Hall Of Famer
 
 
Join Date: Mar 2003
Posts: 9,004
For your FTP site password, I hope that it is something like 30 characters, with a good mix of uppercase, lowercase, special characters, and numbers, with no dictionary words.

It should look like:

SADGs}Q|kx-/?z^\hxHs3;FGcIU0b;4qM?)%]

Password security does not need to be perfect, it just needs to be good enough to be so discouraging as to cause the hacker to get bored and move to the next mark.

Raidergoo is offline   Reply With Quote
Old 11-16-2008, 01:46 PM   #29
Raidergoo
Hall Of Famer
 
 
Join Date: Mar 2003
Posts: 9,004
Dola,

If the username was determined by the hacker, that account should be killed, and never used again for any purpose whatsoever.
Raidergoo is offline   Reply With Quote
Old 11-16-2008, 03:10 PM   #30
gollum65
All Star Reserve
 
Join Date: Feb 2007
Posts: 925
My host didn't indicate they thought he had our ftp account info, but did recommend we change our password. And our new password is indeed as cryptic as you stated, so we should be good there. With the forum updated, the passwords changed, the file permissions fixed, et al., I'm hoping this is the end of it for me.

As I told the good guys who take part in my league, if it continues I'm just going to shut the league down. I have better things to do than deal with this crap on a daily basis.
gollum65 is offline   Reply With Quote
Old 11-16-2008, 05:35 PM   #31
Getch
All Star Reserve
 
 
Join Date: Jan 2006
Posts: 868
Hey guys,

I've been contacted by a few PMs about this. Unfortunately, I don't know much about hacking, but I'll help out as much as I can.

My utilities use Perl, and not PHP. Not sure if that changes anything. I'm not sure how they could ever be used to hack a server. There's not a whole lot of open-ended coding in there to deviate from what it is supposed to do.

My utils have no access to ftp or login info. The login info that you see in my utils is separate from the server, and only allows access to more OOTPOU screens. Even as an admin, you can't do much.

Anyway, sounds like the person is getting access from the ftp server, which, as I said, my utils have no control over. Just a thought... OOTP stores the FTP server connection info in the league file. Perhaps that has somehow been compromised and that is how this person is hacking the sites?

Anyway, I'll help in any way I can. PM is the best way to get a hold of me, since I don't watch the boards a ton.
__________________
Get the OOTP Online Utilities for online leagues!
Includes Gamecast, Development, Live Sims, Voting and more.
Check here for more details
Getch is offline   Reply With Quote
Old 11-16-2008, 05:56 PM   #32
MustangLM
Minors (Triple A)
 
 
Join Date: Jul 2003
Posts: 201
Our new password meets the criteria mentioned by Raidergoo as well. Hopefully that puts a stop to it.
__________________
Lonnie Moody
Suicide Squeeze Commish
AIM: SqueezeCommish
Suicide Squeeze Baseball League
Email: commish@suicide-squeeze.net
MustangLM is offline   Reply With Quote
Old 11-16-2008, 06:45 PM   #33
f.montoya
Hall Of Famer
 
 
Join Date: Nov 2004
Posts: 6,069
Quote:
Originally Posted by Getch View Post
Hey guys,

I've been contacted by a few PMs about this. Unfortunately, I don't know much about hacking, but I'll help out as much as I can.

My utilities use Perl, and not PHP. Not sure if that changes anything. I'm not sure how they could ever be used to hack a server. There's not a whole lot of open-ended coding in there to deviate from what it is supposed to do.

My utils have no access to ftp or login info. The login info that you see in my utils is separate from the server, and only allows access to more OOTPOU screens. Even as an admin, you can't do much.

Anyway, sounds like the person is getting access from the ftp server, which, as I said, my utils have no control over. Just a thought... OOTP stores the FTP server connection info in the league file. Perhaps that has somehow been compromised and that is how this person is hacking the sites?

Anyway, I'll help in any way I can. PM is the best way to get a hold of me, since I don't watch the boards a ton.
Not to bring undue alarm regarding your utilities but of the 50 some sites I host, 4 were hacked. All four use OOTPOU. Of the others that did not get hit, only one uses OOTPOU. I want desperately to believe there is no security hole but when things like this happen the first thing I do as a webhost is look for common denominators among the affected.

That said, I did notice that the password field in the login form allows unusually long passwords. In addition, are there any verifications in the code there that will prevent Perl code or even PHP code from being entered in that field? I haven't tried but you may want to try injecting a small "write file" piece of code and stick it in there to see what happens.

Just a thought, Getch. You know I'm a big fan of your utilities and I appreciate your input here in this thread.
__________________
Fidel Montoya

Asahi2 Baseball ex-Commissioner(Historical League Since 2004)
www.allsimbaseball.com (OOTP web hosting - Customized sites for online leagues - Sign up, Connect OOTP and Play!)
Share Your Mods - Free, unlimited and easy to upload to share your Mods instantly(free site registration required)

Last edited by f.montoya; 11-16-2008 at 06:52 PM.
f.montoya is offline   Reply With Quote
Old 11-16-2008, 08:14 PM   #34
gollum65
All Star Reserve
 
Join Date: Feb 2007
Posts: 925
I too appreciate your attention to this, Getch. My league uses OOTPU and I wouldn't want to try to run a league without it. I don't believe it's OOTPU. I believe it's the forums. I know we all use different forums, but forums have never been known for their security. And my forum was the first thing that was attacked... or more specifically an AJAX chat room that's embedded in the forum.
gollum65 is offline   Reply With Quote
Old 11-16-2008, 10:54 PM   #35
f.montoya
Hall Of Famer
 
 
Join Date: Nov 2004
Posts: 6,069
Quote:
Originally Posted by gollum65 View Post
...or more specifically an AJAX chat room that's embedded in the forum.
Forum addons are especially vulnerable to attacks. Those who make these mods will be the first to admit sometimes that writing secure code is something that doesn't get done until after there's significant negative feedback.
__________________
Fidel Montoya

Asahi2 Baseball ex-Commissioner(Historical League Since 2004)
www.allsimbaseball.com (OOTP web hosting - Customized sites for online leagues - Sign up, Connect OOTP and Play!)
Share Your Mods - Free, unlimited and easy to upload to share your Mods instantly(free site registration required)
f.montoya is offline   Reply With Quote
Old 11-16-2008, 11:16 PM   #36
Cooleyvol
Hall Of Famer
 
 
Join Date: Dec 2001
Location: Union City, TN
Posts: 6,383
I just thought of this:

The TSW league that was affected doesn't have a forum on its webspace. TSW forums are on the TSW site.

That really leaves nothing out of the ordinary on the site besides Getch's utility and OOTP reports.
Cooleyvol is offline   Reply With Quote
Old 11-17-2008, 07:18 AM   #37
gollum65
All Star Reserve
 
Join Date: Feb 2007
Posts: 925
Quote:
Originally Posted by f.montoya View Post
Forum addons are especially vulnerable to attacks. Those who make these mods will be the first to admit sometimes that writing secure code is something that doesn't get done until after there's significant negative feedback.
That certainly crossed my mind, which is why I mentioned it.
gollum65 is offline   Reply With Quote
Old 11-17-2008, 09:10 AM   #38
Stu
All Star Starter
 
 
Join Date: Dec 2005
Posts: 1,255
I really don't understand how Getch's utilities could be exploited. I understand the logic of looking for commonalities between the sites that have been hacked but I'd be curious to know how a hacker would exploit it. The only vulnerability I could potentially see is if the person who installed it has the file permissions incorrectly set in which case it's not really a problem with the utility.
Stu is offline   Reply With Quote
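The file-permission issue raised in MustangLM's and Stu's posts can be checked directly. The following is an added example, not part of the original thread and not code from any of the tools discussed: it lists entries under a web root that any local user can write to and clears only that bit. The directory layout and file names are constructed for the demonstration.

```python
import os
import stat
import tempfile

def world_writable(root):
    """Return sorted (relative path, octal mode) pairs that any local user can write."""
    candidates = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        candidates += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for full in candidates:
        st = os.lstat(full)                 # lstat: inspect the entry, not a link target
        if stat.S_ISLNK(st.st_mode):
            continue                        # skip symlinks entirely
        if st.st_mode & stat.S_IWOTH:       # the "other" write bit (o+w)
            mode = oct(stat.S_IMODE(st.st_mode))
            findings.append((os.path.relpath(full, root), mode))
    return sorted(findings)

def remove_world_write(root, findings):
    """Clear only o+w on each finding; owner and group bits stay as they were."""
    for rel, _ in findings:
        full = os.path.join(root, rel)
        current = stat.S_IMODE(os.lstat(full).st_mode)
        os.chmod(full, current & ~stat.S_IWOTH)

def build_sample_site():
    """Constructed web root: one page and one directory left world-writable."""
    root = tempfile.mkdtemp(prefix="webroot-")
    dirs = {"cgi-bin": 0o755, "reports": 0o755, "uploads": 0o777}
    files = {"index.html": 0o666, "cgi-bin/example.cgi": 0o755,
             "reports/box.html": 0o644}
    for rel in dirs:
        os.mkdir(os.path.join(root, rel))
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    for rel, mode in dirs.items():          # set explicitly so umask does not matter
        os.chmod(os.path.join(root, rel), mode)
    return root

if __name__ == "__main__":
    site = build_sample_site()
    found = world_writable(site)
    for rel, mode in found:
        print(f"world-writable: {rel} ({mode})")
    remove_world_write(site, found)
    print("remaining:", world_writable(site))
```

On shared hosting the web server often runs as a different user from the FTP account, so a script that needs to write somewhere may require group write instead; the check above deliberately leaves group bits alone.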
Old 11-17-2008, 09:25 AM   #39
Alan T
All Star Starter
 
Join Date: Mar 2002
Location: Mass.
Posts: 1,963
Quote:
Originally Posted by Stu View Post
I really don't understand how Getch's utilities could be exploited. I understand the logic of looking for commonalities between the sites that have been hacked but I'd be curious to know how a hacker would exploit it. The only vulnerability I could potentially see is if the person who installed it has the file permissions incorrectly set in which case it's not really a problem with the utility.
That is why I keep trying to say people who had their site compromised need to provide the information on how it was exploited rather than just jumping to conclusions and leaving it up to him to try to fix blindly.

Anyone who got hacked should be able to look at the timestamp of the page that was rewritten with the hidden ****** within it, and then go to your system/server admin and ask for help in tracking down the logfiles for that time frame (both ftp and http logs). Then it is just a case of looking through the logfiles to see what clearly caused the security hole.

Once you get that vital piece of information you can accomplish three very important things: 1) Either turn off or remove the security hole on your system. 2) You can contact the person responsible for the application with the security hole to inform them of the problem and see if there is a fix. 3) You can warn/inform the community of the problem so others can be aware and take precautions before anything happens to them if they use the same code.
Alan T is offline   Reply With Quote
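The log review Alan T describes above, as an added example that is not part of the original thread: take the modification time of the rewritten page and pull every FTP upload and every state-changing HTTP request that falls within a window around it. The log lines, paths, account name and addresses are constructed samples; the FTP lines assume the common xferlog layout with times in UTC, and the HTTP lines assume the Apache common log format.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed sample logs; IP addresses are from documentation ranges.
XFERLOG = """\
Sun Nov 16 03:11:00 2008 1 198.51.100.7 20480 /public_html/league.zip b _ o r leagueftp ftp 0 * c
Sun Nov 16 03:12:41 2008 1 203.0.113.9 4312 /public_html/index.html a _ i r leagueftp ftp 0 * c
Sun Nov 16 09:05:02 2008 2 198.51.100.7 88211 /public_html/reports/box.html a _ i r leagueftp ftp 0 * c
"""
ACCESS_LOG = """\
198.51.100.7 - - [16/Nov/2008:02:00:00 +0000] "POST /cgi-bin/example.cgi HTTP/1.1" 200 812
203.0.113.9 - - [16/Nov/2008:03:10:15 +0000] "POST /cgi-bin/example.cgi HTTP/1.1" 200 512
192.0.2.44 - - [16/Nov/2008:03:12:00 +0000] "GET /index.html HTTP/1.1" 200 4312
"""

HTTP_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
WRITE_METHODS = {"POST", "PUT", "DELETE"}   # requests that can change server state

def page_mtime(path):
    """Modification time of the defaced page as an aware UTC datetime."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def ftp_uploads(text, tz=timezone.utc):
    """Yield (time, 'ftp', client ip, detail, path) for incoming transfers only."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[11] != "i":     # 12th field is direction; i = upload
            continue
        when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        yield (when.replace(tzinfo=tz), "ftp", f[6], "upload by " + f[13], f[8])

def http_writes(text):
    """Yield (time, 'http', client ip, detail, path) for state-changing requests."""
    for line in text.splitlines():
        m = HTTP_RE.match(line)
        if m and m.group(3) in WRITE_METHODS:
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            detail = m.group(3) + " -> " + m.group(5)
            yield (when, "http", m.group(1), detail, m.group(4))

def events_near(mtime, window, xferlog=XFERLOG, access_log=ACCESS_LOG):
    """All candidate write events within +/- window of mtime, oldest first."""
    events = list(ftp_uploads(xferlog)) + list(http_writes(access_log))
    return sorted(e for e in events if abs(e[0] - mtime) <= window)

if __name__ == "__main__":
    # Constructed mtime matching the sample upload; use page_mtime() on a real file.
    defaced_at = datetime(2008, 11, 16, 3, 12, 41, tzinfo=timezone.utc)
    for when, source, ip, detail, path in events_near(defaced_at, timedelta(minutes=5)):
        print(when.isoformat(), source, ip, detail, path)
```

An FTP upload of the page itself at the exact modification time points to stolen or guessed FTP credentials; a write request to a script shortly before it, with no matching FTP entry, points to the web application instead.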
Old 11-17-2008, 11:00 AM   #40
Getch
All Star Reserve
 
 
Join Date: Jan 2006
Posts: 868
Quote:
Originally Posted by f.montoya View Post
Not to bring undue alarm regarding your utilities but of the 50 some sites I host, 4 were hacked. All four use OOTPOU. Of the others that did not get hit, only one uses OOTPOU. I want desperately to believe there is no security hole but when things like this happen the first thing I do as a webhost is look for common denominators among the affected.

That said, I did notice that the password field in the login form allows unusually long passwords. In addition, are there any verifications in the code there that will prevent Perl code or even PHP code from being entered in that field? I haven't tried but you may want to try injecting a small "write file" piece of code and stick it in there to see what happens.

Just a thought, Getch. You know I'm a big fan of your utilities and I appreciate your input here in this thread.
There's a 20-char limit on the passwords.

What exactly happened? Did the entire site get hacked, or just the league HTML files? I could see how possibly you could use my utils to modify the league HTML files if someone got access as an admin.
__________________
Get the OOTP Online Utilities for online leagues!
Includes Gamecast, Development, Live Sims, Voting and more.
Check here for more details
Getch is offline   Reply With Quote
All times are GMT -4.