Global Moderator
Everything posted by Aran

  1. In the beginning, there must have been a security hole somewhere on my server, which was an accident. Everything I've investigated so far was very cleverly planted, though - I'm still working backwards from that. The shell script was first placed there on February 27, and it was then used to mess with the site on March 6. I discovered the attack about 1-2 days after that.
  2. Sorry for rambling on; I'm on fire right now. As a puzzle, this is more awesome than NotPron any day. The obfuscation attempts are kind of cute. They took the PHP code (a web shell, as expected), converted it into an array of ascii bytes, XORed each byte with the number 143, then put the result and the decoding and execution code into a base64-encoded string. And then, for good measure, keywords like "create_function" and "base64_decode" are entered in strings like "\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65", to make it just a bit more obscure. The original, unobfuscated web shell, by the way, wins points for extremely legible, properly indented code. And for being protected by an MD5-hashed password which took me over five minutes to reverse. If this is not an off-the-shelf PHP script cribbed from somewhere, then someone really put some effort into writing something he then went to a lot of trouble ensuring nobody would read. Edit: Script source was pastebinned about a week ago (the version on my site is two weeks old). Not sure if it was by an attacker or another victim, but the hashed password is the same: http://pastebin.com/0ke29L3G . Script is also old - mentioned in a blog post two years ago, still the same password. That's actually kind of odd - I can imagine a script like that being passed around for years, but if the password hash is the same everywhere that strongly implies a single person using it. Okay, I've learned all I can on that angle. Now to find out how the script got there - I suspect one of the many web applications I've installed as a test and then rarely updated. When I'm done here, I'll strictly limit test installations to my own computer from now on.
  3. This is exciting work. I'm getting close to the point where they got in - or at least the final stage of the attack. The logs show a POST to a PHP file at the exact moment the files got manipulated, and that PHP file is not mine. It's been there since Feb 27, and it contains, needless to say, some fairly evil-looking eval() code... this has been in the making for a while. Going to see if I can un-obfuscate that code, and examine the logs on Feb 27 to see how the file got there.
  4. As far as I'm aware, I spent much more time as "Arancaytrus" before this. Still riffing on a theme, but much more slowly to match my rate of posting.
  5. This wasn't a script kiddie with too much time on his hands; it's a for-profit operation - possibly to recruit visitors for a botnet. Fortunately, this sort of thing is also easier to fix than random destruction. What'll take time is figuring out how to stop it happening again.
  6. Thanks for the heads-up. It's indeed broken. Investigating now... Oh. Interesting. Holy cow. Okay, I've been hosting my own websites for seven years now, and I've never ever had an intrusion. Someone's gone and added an eval(base64_decode([...])) to the top of all PHP files on my server. All sites were affected. Sorry, the whole site is going dark and will stay off until I've figured out the attack vector, plugged it and fixed any backdoors that were installed. In the meantime, Google's cache or the Wayback archive should contain everything you're looking for on the site. Edit: They were indeed pretty thorough. They added the code to all 1410 PHP files within my various web-root folders, but left other PHP files (and non-PHP files) alone. I've decoded and analyzed the PHP code, and it seems to be a fairly well-written but unsophisticated worm to insert a remote Javascript call into every page. I'm still trying to get my hands on a copy of that Javascript by faking a request to the remote server, but it's not giving me anything. Could be ad injection, could be an attempt to further compromise visitors with browser vulnerabilities. If you've visited my site in the last 35 hours, and are not using the latest version of an open-source browser, you may want to check for viruses and stuff.
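A defender's triage script for the injection described in posts 2 and 6 above (the eval(base64_decode(...)) header, the \xNN-escaped function names and the XOR-143 byte layer), added here as an example and not code from the original thread. It assumes the XOR'd bytes sit in a PHP integer array and the regex shapes are modelled on the posts' description; the sample header it scans is constructed inline.

```python
import base64
import re
from pathlib import Path

XOR_KEY = 143  # the per-byte XOR key the post reports

# Regex shapes are assumptions modelled on the post's description, not on the
# actual sample: the injected header, PHP "\xNN" escapes, and an int array.
INJECT_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)", re.I)
HEX_ESC_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
INT_ARRAY_RE = re.compile(r"array\s*\(([\d\s,]+)\)", re.I)

def unhex_escapes(s):
    """Turn '\\x62\\x61\\x73\\x65' into 'base' so hidden function names read plainly."""
    return HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), s)

def peel(b64_payload):
    """base64 -> loader stub; un-escape names; XOR the byte array back with 143."""
    loader = unhex_escapes(base64.b64decode(b64_payload).decode("latin-1"))
    m = INT_ARRAY_RE.search(loader)
    shell = ""
    if m:
        shell = bytes(int(n) ^ XOR_KEY for n in m.group(1).split(",")).decode("latin-1")
    return loader, shell

def scan_file(text):
    """Return (loader, shell) for every injected eval(base64_decode(...)) in text."""
    return [peel(m.group(1)) for m in INJECT_RE.finditer(text)]

def scan_tree(root):
    """Walk a web root; map each PHP file carrying the header to its decoded layers."""
    hits = {}
    for p in Path(root).rglob("*.php"):
        found = scan_file(p.read_text(errors="replace"))
        if found:
            hits[str(p)] = found
    return hits

def build_sample():
    """Constructed stand-in for the injected header, so the script runs offline."""
    inner = "<?php echo 'shell'; ?>"  # placeholder for the web shell body
    xored = ",".join(str(b ^ XOR_KEY) for b in inner.encode())
    loader = (r'$f="\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e";'
              "$a=array(" + xored + ");")
    return "<?php eval(base64_decode('" + base64.b64encode(loader.encode()).decode() + "')); ?>"

if __name__ == "__main__":
    for loader, shell in scan_file(build_sample()):
        print("loader:", loader, "\ndecoded:", shell)
```

Run scan_tree() against a copy of the web root to list the affected files before cleaning; the decoded loader text is where the remote JavaScript URL would show up.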
  7. Originally Posted By: ixfd64 So far, all of Spiderweb's games are fantasy/medieval-themed RPGs. However, Encyclopedia Ermariana mentions a major space battle that occurred in the Alxus star system. This gave me an idea: what if Jeff designed a space-based RPG? I think a deviation from the traditional medieval-themed games could bring in more customers. Thoughts? Re Alxus specifically: I don't know of Jeff ever canonizing any fanlore. I do know a few great space RPGs (depending on definition; for example I'd include the Escape Velocity series due to its backstory and dialogue). Space (mostly empty, filled with a number of distinct places to travel between, using some sort of FTL jump) represents a major switch in game mechanic compared to what SW does (a huge world for you to walk around in and explore, and everything within walking distance). But you don't actually have to portray space - it's possible to just walk around in city-sized space stations.
  8. Would this be solved by specifically exempting Spiderweb's reserved rights, but restricting others? Or can Spiderweb distribute it under any terms they choose, leaving the notice without any force? IANAL either; I guess the question is whether Spiderweb's reserved rights are transferable.
  9. Views would definitely be able to emit XML. The trick would be to have it bypass the normal page template and send the output directly, but that should also be possible. The standalone script would probably be more work and less stable. I actually have a D8-based prototype I'm working on (even managed to get Views to work, though that'll get tricky once D8 does anything major to the Field API). I haven't done anything with it since October 2011, but I just brought it up to speed and working again. Unfortunately it's not much further along than the screenshot that's still in my sig. On the other hand my vacation just started and I've already dived into Drupal again. (Ideally, instead of manually configuring all the content types and views this time, I'd like to write them into an installation profile so a test site can be installed without much hassle. It'd also make it possible to work on it with git or some other version control...)
  10. Originally Posted By: Sick Muse I tinkered around with something similar to this a few years back; basically an automated scenario browser/download program that got its information from a directory via XML. It ended up getting tabled, but maybe I'll take a second glance at it. I remember that! Also that I wanted to write the XML stuff into the Blades Forge, to allow it to function as a repository. (Which would be possible, but first require an essential rewrite and migration of the site to a more current version of Drupal.)
  11. Reason Rally: possibly because you have expensive hobbies, like eating food <3 you both. Also, this Reason Rally thing is the first event I've considered crossing the Atlantic just to attend, because it sounds really cool. Sadly, it doesn't fit into my schedule. Hoping some of it will be on Youtube.
  12. If I age and have to pick once, no. With either one on their own, I'd go for it. There are plenty of occasions where I'd gladly put in eight hours of sleep while time stops, regardless of aging - and if I didn't age, I'd have no problem doing that every night. If you take away both, and add the option of actually doing stuff during the time stop, I'd go nuts with it. Even if we go the hard scifi route and say I can't use the internet or anything during it (mh... maybe if we slowed time instead of freezing it, computers would still be fast enough to keep up?) I'd put years into each night. Implement a hundred programming ideas I never had time for. Write the novels I always meant to. Catch up on watching all seasons of every popular science-fiction series of the last few decades, and read every book ever written (even the boring ones). Learn every language and every field of science or art in existence. I'd end up insane, but I'm sure it'd be fun. Edit: If you also defy the laws of physics and give me internet access, the results wouldn't be pretty. I'd try to start small by simply reading through every news site and blog there is, but pretty soon I'd be responding as well. I wouldn't know when to stop. You'd wake up to find my rambling comments making up most of the web's content. which is totally not a thing that happens already
  13. Originally Posted By: Actaeon Oh, come on. Jeff could just license existing games to be coded for online co-op play. You could team up in gangs of dozens to slay demons and complete quests, and kill each other over loot because, after all, there's only one Demonslayer. Actually, I would have some doubts about a game advertised as "Avernum" that would be related to Spiderweb in name only and would likely make a shambles out of the setting and the games we've come to know.
  14. From what I've seen and heard, successful MMORPGs are not good games, but addictive ones. I like the idea of MMORPGs in principle, but I think if SW set out to make a good one (with depth and challenge, as opposed to lots of grinding), it would not be popular enough to recoup the big investment in infrastructure.
  15. I used a dual-boot machine (Ubuntu / XP) for several years, and will never try that again. Two different Linux distributions, maybe; Windows is simply not a good neighbor. I've sunk more hours into troubleshooting that setup than getting any Wine game to run. (Admittedly, this is because sometimes I find out that it is impossible, and stop trying before wasting too much time.) All of the first 4 Avernum games and at least the first 2-3 Geneforge games worked in Wine (still haven't had the leisure to start on the rest) without much effort, though I've had some lags and mouse trouble.
  16. Originally Posted By: Triumph Originally Posted By: Darth Ernie Originally Posted By: Terribly Ernest I've had two custom titles now, and it hasn't cost me a single cheesecake. speaking of which. what is a Humany-Wumany? It sounds like a reference to Dr. Who. Yep; it's a quote from the latest episode (the Christmas Special).
  17. Originally Posted By: Dintiradan Trotter >> Strider Search your feelings. You know it to be true. Perhaps there could be an earlier scrapped version in which his name actually is Stomper, or Arrowroot son of Arrowshirt.
  18. Originally Posted By: Harehunter Originally Posted By: Niemand Quote: no1 can't catch alorael. But Alorael is the number one poster. That would mean he posts so fast, not even he can catch himself. Now that is as good a definition of infinity as I have ever heard. The only thing more infinite than that is infinity raised to the infinite power. But that's just Inf^^4; Inf^^Inf would be much more infinite. Congratulations, Alorael! May your skribbane jar never grow empty and your rifle always fire true. To another ten years and another twenty-thousand!
  19. Originally Posted By: Student of Trinity It's just falling while moving forward fast enough that the curvature of the Earth is sinking away beneath you as fast as you're falling down, so you never hit the ground. Orbit is falling forever. Or, in the words of DNA, "throwing oneself at the ground and missing".
  20. Jeff earning enough would also mean he can afford more risky innovations that may result in excellent games even if they don't sell as well - eg. Blades stuff.
  21. Originally Posted By: The Ratt Originally Posted By: Polaran What on Earth do you put in a $2000 desktop? My last one cost barely $500 (sans TFT screen, but including two HDDs and SSD) and about the only thing it lacked to be game-worthy (when I put it together in '09, mind you; it's a bit old now) was a dedicated GPU. Have you considered putting together a custom machine with Linux, and leaving the old system as it is? You can build a decent (non-gaming, but great for power users) desktop on a fairly small budget. The drawback would be being stuck with an older machine for your non-Linux usage for the time being. Originally Posted By: The Ratt ...build info... for about $1200. Whoops, I overlooked that post. Well, that seems more reasonable for a self-built Intel machine. (My $500 estimate was based on an AMD64 architecture, of course.)
  22. What on Earth do you put in a $2000 desktop? My last one cost barely $500 (sans TFT screen, but including two HDDs and SSD) and about the only thing it lacked to be game-worthy (when I put it together in '09, mind you; it's a bit old now) was a dedicated GPU. Have you considered putting together a custom machine with Linux, and leaving the old system as it is? You can build a decent (non-gaming, but great for power users) desktop on a fairly small budget. The drawback would be being stuck with an older machine for your non-Linux usage for the time being.
  23. Originally Posted By: Narg Originally Posted By: Polaran posting from aboard Voyager 1. Yay, I didn't waste two hours in GIMP modifying ancient space probe computer systems for nothing! One-way tachyon machine isn't enough. 11.6 billion miles are over 17 light hours. (Of course, round-trip then doubles that, too.)
  24. Originally Posted By: The (Armored) Ratt Wow, there are so many things that are absurd about that. Your speed is... very slow, and yet you are still faster than 12% (one in ten!) of the US. Is that because your up speed is faster than those people or do those people not have internet to begin with? Also the fact that you got a ping in hours is unbelievable to me; usually ping is in milliseconds. I really don't think it would take a signal more than 20 minutes to circle the globe (probably less). He's posting from aboard Voyager 1. It has a tendency to slightly increase your lag when you're a couple of light hours out.