11-17-2008, 11:29 AM | #41 | |
All Star Starter
Join Date: Mar 2002
Location: Mass.
Posts: 1,963
|
Quote:
Getech, I haven't had a site get attacked but from what people say, it sounds like a standard ****** insertion. What is happening is the league's main page I assume is being modified with a small line of html code added to insert an ****** pointing at a specific offsite URL. That is all that is being done in this attack. |
|
11-17-2008, 11:50 AM | #42 |
All Star Reserve
Join Date: Jan 2006
Posts: 868
|
Heh, just because you haven't been infected doesn't mean it isn't my utilities. However, if files beyond the league HTML files are infected, that would rule out one idea I had.
If it happens again, I would look at the timestamps of the files in the OOTPOU directory and subdirectories. With the exception of logging in, anything inputted or done within OOTPOU is written to a file, which would have its timestamp updated.
__________________
Get the OOTP Online Utilities for online leagues! Includes Gamecast, Development, Live Sims, Voting and more. Check here for more details |
11-17-2008, 12:03 PM | #43 | |
All Star Starter
Join Date: Mar 2002
Location: Mass.
Posts: 1,963
|
Quote:
|
|
11-17-2008, 05:17 PM | #44 | |
Hall Of Famer
Join Date: Nov 2004
Posts: 6,069
|
Quote:
__________________
Fidel Montoya Asahi2 Baseball ex-Commissioner(Historical League Since 2004) www.allsimbaseball.com (OOTP web hosting - Customized sites for online leagues - Sign up, Connect OOTP and Play!) Share Your Mods - Free, unlimited and easy to upload to share your Mods instantly(free site registration required) Last edited by f.montoya; 11-17-2008 at 05:25 PM. |
|
11-17-2008, 10:02 PM | #45 |
Hall Of Famer
Join Date: Apr 2002
Location: Ft Smith AR
Posts: 2,681
|
The JL and the NPBL both use SMF forums software, and we both got spammed over the past week. We both updated to the new version, and haven't seen anything since, but this is either a coincidence, or it's connected somehow to the php hacks on the other leagues' sites.
|
11-17-2008, 10:04 PM | #46 |
Hall Of Famer
Join Date: Nov 2002
Posts: 3,585
|
I don't really know much more about this hacking thing with regards to the OOTPOU than Getch does, but I did think of one thing. A potential problem with the OOTPOU is that the passwords are stored unencrypted, so if your commish is using the same ID/password combo for the utils that he's using for the website, you'd be compromising your security.
__________________
StatsLab- PHP/MySQL based utilities for Online Leagues Baseball Cards - Full list of known templates and documentation on card development. |
11-18-2008, 02:01 PM | #47 | |
All Star Reserve
Join Date: Jan 2006
Posts: 868
|
Quote:
I really feel that if my utils had a security breach, it'd be somewhere as a user logged in. However, where is up in the air. Simply getting the server logs, as well as looking at the timestamps of files that changed at the time of the hack, will go a long way to solving this issue, rather than guessing at what it might be.
|
11-18-2008, 04:17 PM | #48 |
All Star Reserve
Join Date: Jan 2006
Posts: 868
|
Hey guys,
I found a way to be able to edit files on the server from OOTPOU. It doesn't require being logged in either. I will patch it up as well as try to find other similar ways of doing it. Of course, this might not be how he pulled it off. You'd only figure it out by staring at my code until you saw how you could hack the URL to do it. But, I was able to create a file on the file system, so it should be fixed.
11-18-2008, 05:04 PM | #49 | |
Hall Of Famer
Join Date: Nov 2004
Posts: 6,069
|
Quote:
As an update, it turns out that the 5th league that uses OOTPOU, that didn't get hit, was hiding all links to the utility from the public. Login and account verification via Mambo was necessary before the links, including login, were shown. Although the URLs themselves were public, at first glance, the hacker intent on using OOTPOU may have thought it didn't exist and moved on.
Anyway Getch, a quick Google on iframes and other injection methods could give you the same kind of list that the bad guy is using. That may also help. Thanks again! We certainly appreciate your looking into this.
|
11-18-2008, 05:37 PM | #50 |
All Star Reserve
Join Date: Feb 2007
Posts: 925
|
I certainly hope it wasn't OOTPOU that was exploited and I've never stated I thought it was. I appreciate Getch being proactive and taking steps to make his utilities more secure.
|
11-18-2008, 06:25 PM | #51 |
Hall Of Famer
|
Ever since Fidel switched forums and we started over with a new database, no more problems, so thanks for that, Fidel.
__________________
From the wise mind of Davey Eckstein "Now all you need is a signature. A quote or initial, perhaps." |
11-18-2008, 08:18 PM | #52 |
Minors (Double A)
Join Date: Mar 2003
Location: newport beach
Posts: 199
|
for the record, the rude island baseball congregation loves us some fidel montoya.
|
11-23-2008, 06:38 AM | #53 |
Hall Of Famer
Join Date: Nov 2004
Posts: 6,069
|
12-03-2008, 06:58 AM | #54 |
All Star Reserve
Join Date: Feb 2007
Posts: 925
|
Ok guys. My site was attacked twice more since I made my last post in this thread. This morning was the 2nd time, and this time they edited every single index.php file on my website. I lost count after 17. I have time stamps on all these files. I have the site saving logs for each day. The only thing I don't know is how to find out how the files were accessed. If anyone can tell me what log to look in and how to tell what was used to edit the files, please do so. commish(at)ashmaplebaseball.info is my email.
|
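An added example (not written by any poster in this thread) of the check described in posts #47 and #54: take the modification times of the changed `index.php` files, list the log entries that fall within a few seconds of each one, and flag iframes that point at another host. It assumes an Apache "combined" access log; the host names, paths and IP addresses in the sample data are constructed placeholders.

```python
import re
from datetime import datetime, timedelta, timezone
from pathlib import Path
from urllib.parse import urlsplit

# Apache "combined" access-log line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3})')
# An <iframe> whose src is an absolute URL (a relative src cannot be offsite).
IFRAME_RE = re.compile(r'<iframe[^>]+src\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)

def parse_log(lines):
    """Return (time, ip, method, path, status) for every parseable line."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z")
            out.append((ts, m[1], m[3], m[4], int(m[5])))
    return out

def index_mtimes(root):
    """Modification time (UTC) of every index.php under root."""
    return {str(p): datetime.fromtimestamp(p.stat().st_mtime, timezone.utc)
            for p in Path(root).rglob("index.php")}

def offsite_iframes(html, own_host):
    """iframe src URLs in html whose host is not own_host."""
    return [u for u in IFRAME_RE.findall(html)
            if (urlsplit(u).hostname or "") != own_host.lower()]

def requests_near(mtimes, log_lines, window_s=5):
    """Map each changed file to the log entries within window_s of its mtime."""
    entries, win = parse_log(log_lines), timedelta(seconds=window_s)
    return {f: [e for e in entries if abs(e[0] - t) <= win]
            for f, t in mtimes.items()}

# Constructed sample data: documentation-range IPs, placeholder paths.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Dec/2008:06:10:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [03/Dec/2008:06:41:17 +0000] "POST /placeholder.php HTTP/1.1" 200 311',
    '198.51.100.7 - - [03/Dec/2008:07:15:40 +0000] "GET /forum/index.php HTTP/1.1" 200 9001',
]
SAMPLE_MTIMES = {
    "index.php": datetime(2008, 12, 3, 6, 41, 18, tzinfo=timezone.utc),
    "forum/index.php": datetime(2008, 12, 3, 6, 41, 19, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for f, hits in requests_near(SAMPLE_MTIMES, SAMPLE_LOG).items():
        for ts, ip, method, path, status in hits:
            print(f, ts.isoformat(), ip, method, path, status)
```

On a real site, pass `index_mtimes("/path/to/webroot")` and the lines of that day's log instead of the sample data; the same correlation works for an FTP transfer log once its timestamp format is parsed.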
12-03-2008, 09:06 AM | #55 | |
Hall Of Famer
Join Date: Aug 2007
Posts: 2,360
|
Quote:
__________________
Founder of the Planetary Extreme Baseball Alliance (PEBA) Premiere OOTP fictional league where creativity counts and imagination is your only limitation Check for openings - contact us today! |
|
12-03-2008, 09:14 AM | #56 |
Global Moderator
|
Just been chatting to gollum about this.
I raised an issue with Andreas a couple of days after this thread started about a potential problem and was promised an emergency patch the following day which hasn't materialised.
I don't know if this is how the hacker(s) have been compromising sites, but I was able to find the IP address of gollum's hacker within a couple of minutes of downloading his league and logging in to his ftp site and reading the log files. I could have quite easily at that point done all sorts of things to his site.
Until the emergency patch comes out there's nothing that can be done to prevent this potential way in, unless you are able to set up a separate FTP user that only has access to the OOTP directories and no access to forums, etc.
I'm not going to give the details of how this is done (for the obvious reasons that a searchable and indexed forum would put it into the public domain).
*waits for the proverbial to hit the fan now*
Last edited by Tony M; 12-03-2008 at 09:18 AM. |
12-03-2008, 09:33 AM | #57 |
All Star Reserve
Join Date: Feb 2007
Posts: 925
|
When Tony says "within a couple of minutes", he's being modest. We had been trading PMs about this, and while he was writing one, he went from "can I look at the logs" to "here's the hacker's information and what files he hacked".
Needless to say I'm STUNNED and very angry that an apparent exploit exists in OOTP9 that was known about by the developers and nothing has been done to correct it yet. This needs to be resolved NOW! Every OOTP Online League site is at risk until it is! The good news is, this appears to get Getch off the hook, or at least in these cases. |
12-03-2008, 09:46 AM | #58 |
Global Moderator
|
Until this patch comes out there are two things that can be done to remove this potential exploit.
1) Create an FTP user that only can access the exports and reports directory and use that in the Online League options.
2) Remove any public link to the league file. If you have a new GM, give them a link in email. If the league can't be downloaded then you can't get the details you need to log-in. |
12-03-2008, 10:51 AM | #60 |
Hall Of Famer
Join Date: Nov 2004
Posts: 6,069
|
Guys, this is scary. I have some 50+ online leagues that I host. I didn't even need to know how it was done to figure out how to do it (I got into my own site in 15 minutes).
The bad guy can easily plop in a piece of code and he can pretty much overwrite any index file he knows of (and that's a lot if you are using popular CMS's and community forum software). PLEASE get this patched Andreas and Markus!!!