
Malicious activity again - The Great Machine wiki temporarily unavailable

Random Chaos (Actually Carefully-selected Order in disguise)
It appears that someone tried to do some code injection on our site...again. This time they managed to completely break the site and did not appear to get a working inject, though I am still searching for anything that might be left behind.

Someone needs to get Sanfam to upgrade our software :p - I'm sure one of our main apps, such as vBulletin or MediaWiki, is the source. Either that or one of our hosted sites. We don't exactly run much else.


UPDATE - STATUS - December 17th, 2012:

Forums
- online for now; I did some heavy cleaning today, December 16/17th; hope it stays clean until I have a chance to upgrade the forums

The Great Machine
- offline pending upgrade and cleaning; upgrade is 90% done; image directories are heavily infested and must be cleaned, other files may also be bad

ITF archive site (/b5game)
- offline pending cleaning; heavily infested throughout

Comments

  • Lord Refa (Creepy, but in a good way)
    I'll get the digital pitchforks. Someone pass the torches?
  • How about plasma torches, that we can turn into make shift PPGs!
  • Random Chaos (Actually Carefully-selected Order in disguise)
    The Great Machine Wiki is Temporarily Shut Down

    I have completed further analysis on the attack. This was an email spam "helper" application that was dropped on the server. It does not appear to have done any sort of harvesting of data from the server (though there is nothing to say another script wasn't dropped, harvested data, and was then removed). I did all my analysis in a self-contained virtual machine in case there was anything harmful hiding inside this morass, but there wasn't.

    Some of the files hit:
    1. firstones.com/.htaccess - they redirected all access to a script on our wiki
    2. forums/global.php - they included the same wiki script here, I guess for anyone that got missed by the .htaccess?
    3. tgm/includes/Wiki.php - this was the main hit point, containing active code (described below) and was redirected to
    4. tgm/images/thumb/... - various wiki uploaded image directories had injected files in them (described below)

    Effect:

    Wiki.php had a very interesting method of hiding data. They used strings cast to functions. I haven't encountered this sort of obfuscation before, but it is quite ingenious, and pretty good at hiding the attempt. However, it is far from infallible.


    This in turn referenced and ran compressed, obfuscated code masquerading as images in the TGM images directory. This was fairly standard fare as far as obfuscation goes. It took a few minutes to decompress and turn it into readable code, mostly because the files were so large that text editors tended to lag up a bit while working on them.


    The code, when finally readable, was a fairly straightforward proxy system that masqueraded several of our web pages as pages on a remote server, injecting content relating to various spam enhancement pills. It looks like the principal purpose of the attack was to get people to click on links that looked like legitimate websites (such as ours!) in spam emails, then shoot them off to various attack methods.


    It appears that the attacks most likely originated from the wiki. I cannot guarantee this is the case, but given the exact locations I found the various files, I suspect the Wiki's image downloader/uploader was the original source.



    In response to this, I have shut down the TGM Wiki until it can be upgraded to a newer version of MediaWiki.



    The one good thing about this: It looks like some component of either our server configuration or our wiki configuration didn't work quite as planned for the attacker, resulting in the access denied messages we were seeing yesterday. It appears that the file (Wiki.php) that the injection hit wasn't cooperating with their plans.


    For those interested, it looks like the spam source is the "ISP" inferno-dot-name. From a little bit of research on Google, this host is quite well documented sending spam and other malicious goodies, and looks to be a hacker's personal ISP that he rents out the resources of (*cough* most likely infected victim computers that don't know they are being rented *cough*).
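    The post above describes three indicators worth checking for during a cleanup like this: an .htaccess that rewrites every request to a PHP script, PHP source hiding under image directories (and wrapped in eval/gzinflate/base64_decode layers), and the "strings cast to functions" trick, which in PHP is a variable function call such as $f('...') where $f holds a function name as a string. The following Python script is an added example, written for this page and not the site's own tooling or the attacker's code; it builds a small constructed sample tree whose paths mirror the names in the post, runs a triage scan over it, and shows how to peel the compressed eval layers offline. The sample file contents, the path layout and the finding names are all assumptions made for the example.

```python
import base64
import re
import tempfile
import zlib
from pathlib import Path

# --- unwrapping eval(gzinflate(base64_decode('...'))) layers ----------------------------
# Python equivalents of the PHP decoders commonly chained inside eval(). PHP's gzinflate
# consumes raw DEFLATE (no zlib header), hence wbits=-15; gzuncompress expects a zlib header.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": zlib.decompress,
}
LAYER = re.compile(r"eval\s*\(\s*((?:\w+\s*\(\s*)+)['\"]([A-Za-z0-9+/=]+)['\"]")


def pack(code):
    """Build one eval(gzinflate(base64_decode('...'))) wrapper around `code` (sample data only)."""
    c = zlib.compressobj(wbits=-15)
    deflated = c.compress(code.encode()) + c.flush()
    return "<?php eval(gzinflate(base64_decode('%s'))); ?>" % base64.b64encode(deflated).decode()


def peel_layers(src, max_depth=10):
    """Unwrap nested eval(...) wrappers; returns (innermost code, number of layers removed)."""
    layers = 0
    while layers < max_depth:
        m = LAYER.search(src)
        if not m:
            break
        chain = re.findall(r"\w+", m.group(1))   # decoder names, outermost first
        data = m.group(2).encode()
        for fn in reversed(chain):                # apply the innermost decoder first
            if fn not in DECODERS:
                return src, layers                # unknown function: stop and hand back what we have
            data = DECODERS[fn](data)
        src = data.decode("utf-8", "replace")
        layers += 1
    return src, layers


# --- file-level triage for the indicators named in the post ------------------------------
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
PHP_EXT = {".php", ".inc", ".phtml"}
PHP_TAG = re.compile(rb"<\?php|<\?=")
VARIABLE_CALL = re.compile(r"\$\w+\s*\(")        # $f('...'): a string used as a function name
PACKED_EVAL = re.compile(r"eval\s*\(\s*(gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.I)
HTACCESS_TO_PHP = re.compile(r"^\s*(RewriteRule|Redirect(Match)?)\b.*\.php", re.I | re.M)


def scan_file(path, root):
    data = path.read_bytes()
    text = data.decode("utf-8", "replace")
    rel = path.relative_to(root)
    findings = []
    if path.name == ".htaccess":
        if HTACCESS_TO_PHP.search(text):
            findings.append("htaccess-redirects-to-php")
    elif "images" in rel.parts and not data.startswith(IMAGE_MAGIC):
        findings.append("non-image-content-in-image-path")   # e.g. PHP stored as a "thumbnail"
    if path.suffix.lower() not in PHP_EXT and path.name != ".htaccess" and PHP_TAG.search(data):
        findings.append("php-tag-in-non-php-file")
    if PACKED_EVAL.search(text):
        findings.append("packed-eval")
    if VARIABLE_CALL.search(text):
        findings.append("variable-function-call")
    return findings


def scan_tree(root):
    """Map relative path -> findings for every file with at least one finding."""
    root = Path(root)
    report = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            f = scan_file(p, root)
            if f:
                report[p.relative_to(root).as_posix()] = f
    return report


def build_sample_tree(root):
    """Constructed sample site (assumed layout and contents, not the real firstones.com files)."""
    root = Path(root)
    files = {
        ".htaccess": "RewriteEngine On\nRewriteRule ^.*$ /tgm/includes/Wiki.php [L]\n",
        "forums/global.php": "<?php\nrequire_once 'includes/init.php';\n",
        "tgm/includes/Wiki.php": "<?php\n$f = 'base64_decode';\n$g = 'gzinflate';\neval($g($f('AAAA')));\n",
        "tgm/images/thumb/a.jpg": pack(pack("<?php echo 'spam'; ?>")),   # two packed layers
        "tgm/images/thumb/real.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,  # benign: real PNG magic
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body if isinstance(body, bytes) else body.encode())
    return root


def demo():
    with tempfile.TemporaryDirectory() as d:
        return scan_tree(build_sample_tree(d))


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, findings)
    print(peel_layers(pack(pack("<?php echo 'spam'; ?>"))))
```

    The variable-function-call pattern will also fire on legitimate PHP that uses $callback(...) style calls, so treat it as a list of files to read, not a verdict; likewise the image-directory check flags any non-image file there, which is exactly where a cleanup should be looking. Running peel_layers on a flagged file, rather than opening the raw blob in an editor, avoids the lag the post mentions and leaves the decoded code in a form that can be diffed against a clean copy.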
  • Biggles (The Man Without a Face)
    Good work catching all that, RC.

    How far can we upgrade MediaWiki and vBulletin without getting Sanfam involved? Do we need a new vBulletin license?
  • Random Chaos (Actually Carefully-selected Order in disguise)
    MediaWiki is free and I can do it when I have the time.

    vBulletin takes money and thus Sanfam. I have the license keys and login information for vBulletin, so as long as Sanfam gets the donations and pays for it, I can do all the work.
  • Biggles (The Man Without a Face)
    So... kickstarter? We can have "Build Babylon 5 in Earth orbit" as a stretch goal.
  • Stingray (Elite Ranger)
    Biggles wrote: So... kickstarter? We can have "Build Babylon 5 in Earth orbit" as a stretch goal.

    I'm sure the guys at Sector 14 are thinking about it. :cool:

    Sigh...
  • How much is vBulletin? ~200 to upgrade?

    So need what? 10$ from each active member? I think we can wing that pretty easily!
  • Random Chaos (Actually Carefully-selected Order in disguise)
    We also need someone to organize the campaign, which is a bit harder to do :p
  • Random Chaos (Actually Carefully-selected Order in disguise)
    So, uh, which admin/mod wants to run the donate system and get us the money for the forums? Also, who wants to figure out how much it will cost. I can install the upgrade, but I'm too lazy to gather the money :p - and Sanfam is MIA as usual :p
  • Random Chaos (Actually Carefully-selected Order in disguise)
    I am working on upgrading mediawiki. As part of this, I had to upgrade the version of PHP the server is running.

    This did make me have to make a few fixes to the forums. If you encounter any issues with the forums, let me know here.
  • Random Chaos (Actually Carefully-selected Order in disguise)
    vB upgrade cost: $209.00
  • ShadowDancer (When I say, "Why aye, gadgie," in my heart I say, "Och aye, laddie.") London, UK
    Shared out that shouldn't be too much then!
  • Random Chaos (Actually Carefully-selected Order in disguise)
    Definitely the attack vector was the wiki - I activated the wiki for about a minute while working on upgrading it...and in that minute, we got hit again. Automated bot, definitely.
  • Random Chaos (Actually Carefully-selected Order in disguise)
    Looks like attacks are continuing, albeit less direct now that TGM is down. One of the problems with firstones.com is that we host all sorts of mods with their own sites, and potentially vulnerable software which we don't have control over updating. I think some of the attack vector is coming in via the forums, which are dangerously outdated.

    I am going to look into upgrading the forums around the end of the year. They will likely be down for a day or so while I do it.

    The vB upgrade will be to vBulletin 5 - http://www.vbulletin.com/features/

    It's going to look a ton different, and skinning it to a Babylon 5 theme will take a bit of time.

    ---

    Other parts of the main site:

    TGM I am still fighting because of mods that were added onto the site. I think in the end, TGM will be stripped of these MediaWiki mods, because frankly we don't use them and they are causing me nothing but headaches during the software upgrade.

    I will also be killing the News Submission system, since it feeds into a management panel that I disabled over a year ago due to SQL injection vulnerabilities. I wonder how many people have submitted news only to see it never appear!
  • Biggles (The Man Without a Face)
    Random Chaos wrote: I will also be killing the News Submission system, since it feeds into a management panel that I disabled over a year ago due to SQL injection vulnerabilities. I wonder how many people have submitted news only to see it never appear!

    Based on the number of emails I used to get before I gave up on the system, loads of people.
  • Biggles (The Man Without a Face)
    We're selling viagra again. :(
  • Random Chaos (Actually Carefully-selected Order in disguise)
    Had to take the forums down for about an hour just now to clean up more infestation. The B5Game site is down also - that's our archive of the old Sierra site, for those that don't know - it is currently hosting around 45 attack scripts. The forums were hosting about the same number.

    I still think the original attack vector was the wiki, but they stuck scripts all over the place once they got in, making it a pain to clean up the mess. So far it looks like spam advertising is their goal more than anything else, but I'm still trying to figure out what this new attack script I found tonight actually does. An IP posted something to the page, and immediately the site went down. I was on the forums at the time, which allowed me to quickly identify the vector and start the cleanup this time...
  • Stingray (Elite Ranger)
    You sure the threat is not linked to the "passionate love making" thread? ;) Because that's a deadly attack vector if I ever saw one. :D
  • Random Chaos (Actually Carefully-selected Order in disguise)
    Yep, sure - Refa is his own kind of infection :)

    I think I have the site cleaned to the point they have to hit another exploit to get us again. They had a ton of files sitting around to use - I am guessing these were missed in my last cleanup.

    I still need to update the forum. I know of a couple holes in what we are running. At least one more week before I can do that. Anyone want to help prod Sanfam to get a donation drive going?
  • Random Chaos (Actually Carefully-selected Order in disguise)
    I think I broke editing posts. *grumble*

    I'll look into that tomorrow.

    ---

    Correction - editing is fixed. My sed (http://www.openbsd.org/cgi-bin/man.cgi?query=sed&sektion=1) was overzealous :D
  • Biggles (The Man Without a Face)
    I prodded Sanfam. He sent me a response while I was offline (over the Pacific), and when I read it, he was offline.
  • Random Chaos (Actually Carefully-selected Order in disguise)
    This is a test
  • Stingray (Elite Ranger)
    I don't see any difference. It's still as nuts as it was before.
  • Random Chaos (Actually Carefully-selected Order in disguise)
    Yeah, well, the spammer is bullheaded. Every time I plug one hole, he finds another to come through. I managed to break posting while trying to fix his last one.
  • C_Mon (A Genuine Sucker)
    Well, great work you're doing for all of us. So keep at it! :)
  • Where is the "I hate the new layout but I will forget it in a week" thread?