Darklord2831 (Fledgling Fyora), posted March 7, 2012: So, lately, I've been working on a D&D conversion of the Avernum setting, and I was going to use the Encyclopedia Ermariana as a reference guide for some things. But, whenever I go to the site, it shows an error. I'm just wondering if it's just me, maybe it's Google Chrome, or if anyone else is having trouble connecting to it.
Aran (Magnificent Ornk), posted March 8, 2012: Thanks for the heads-up. It's indeed broken. Investigating now... Oh. Interesting. Holy cow. Okay, I've been hosting my own websites for seven years now, and I've never ever had an intrusion. Someone's gone and added an eval(base64_decode([...])) to the top of all PHP files on my server. All sites were affected. Sorry, the whole site is going dark and will stay off until I've figured out the attack vector, plugged it and fixed any backdoors that were installed. In the meantime, Google's cache or the Wayback archive should contain everything you're looking for on the site. Edit: They were indeed pretty thorough. They added the code to all 1410 PHP files within my various web-root folders, but left other PHP files (and non-PHP files) alone. I've decoded and analyzed the PHP code, and it seems to be a fairly well-written but unsophisticated worm to insert a remote JavaScript call into every page. I'm still trying to get my hands on a copy of that JavaScript by faking a request to the remote server, but it's not giving me anything. Could be ad injection, could be an attempt to further compromise visitors with browser vulnerabilities. If you've visited my site in the last 35 hours, and are not using the latest version of an open-source browser, you may want to check for viruses and stuff.
waterplant (Rotghroth Rhapsody), posted March 8, 2012: I'm disappointed to hear that someone has disrupted your work like this. How much better would the world be if everyone just left other people's stuff the hell alone. Hope you can sort it out quickly, Polaran.
Aran (Magnificent Ornk), posted March 8, 2012: This wasn't a script kiddie with too much time on his hands; it's a for-profit operation - possibly to recruit visitors for a botnet. Fortunately, this sort of thing is also easier to fix than random destruction. What'll take time is figuring out how to stop it happening again.
Actaeon (Well-Actually War Trall), posted March 8, 2012: Originally Posted By: Polaran: "Fortunately, this sort of thing is also easier to fix than random destruction." There aren't many occasions that can be said. On an only marginally related note... are you officially "Polaran" now? I finally stopped calling Lilith Thuryl, but I'm afraid that there are such issues lurking 'round all the corners.
Mea Tulpa (Hatchling Cockatrice), posted March 8, 2012: Thurilith actually went out of her way to change her name. Aran has shifted his PDN on a handful of occasions and kept 'Aran' in it frequently, so it is probably safe to assume there's no real change.
Aran (Magnificent Ornk), posted March 9, 2012: As far as I'm aware, I spent much more time as "Arancaytrus" before this. Still riffing on a theme, but much more slowly to match my rate of posting.
Aran (Magnificent Ornk), posted March 10, 2012: This is exciting work. I'm getting close to the point where they got in - or at least the final stage of the attack. The logs show a POST to a PHP file at the exact moment the files got manipulated, and that PHP file is not mine. It's been there since Feb 27, and it contains, needless to say, some fairly evil-looking eval() code... this has been in the making for a while. Going to see if I can un-obfuscate that code, and examine the logs on Feb 27 to see how the file got there.
Trenton. (Easygoing Eyebeast), posted March 10, 2012: I need my info! I hope you can get the site running again. 'Tis useful.
Aran (Magnificent Ornk), posted March 10, 2012: Sorry for rambling on; I'm on fire right now. As a puzzle, this is more awesome than NotPron any day. The obfuscation attempts are kind of cute. They took the PHP code (a web shell, as expected), converted it into an array of ASCII bytes, XORed each byte with the number 143, then put the result and the decoding and execution code into a base64-encoded string. And then, for good measure, keywords like "create_function" and "base64_decode" are entered in strings like "\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65", to make it just a bit more obscure. The original, unobfuscated web shell, by the way, wins points for extremely legible, properly indented code. And for being protected by an MD5-hashed password which took me over five minutes to reverse. If this is not an off-the-shelf PHP script cribbed from somewhere, then someone really put some effort into writing something he then went to a lot of trouble ensuring nobody would read. Edit: Script source was pastebinned about a week ago (the version on my site is two weeks old). Not sure if it was by an attacker or another victim, but the hashed password is the same: http://pastebin.com/0ke29L3G. Script is also old - mentioned in a blog post two years ago, still the same password. That's actually kind of odd - I can imagine a script like that being passed around for years, but if the password hash is the same everywhere that strongly implies a single person using it. Okay, I've learned all I can on that angle. Now to find out how the script got there - I suspect one of the many web applications I've installed as a test and then rarely updated. When I'm done here, I'll strictly limit test installations to my own computer from now on.
Actaeon (Well-Actually War Trall), posted March 10, 2012: ... It's all Greek to me, but I'm very impressed with your expertise, nevertheless.
Trenton. (Easygoing Eyebeast), posted March 10, 2012: So how long? A day? Two? And was this done on purpose, where someone PLANTED whatever made that happen? Or was it an accident?
Aran (Magnificent Ornk), posted March 10, 2012: In the beginning, there must have been a security hole somewhere on my server, which was an accident. Everything I've investigated so far was very cleverly planted, though - I'm still working backwards from that. The shell script was first placed there on February 27, and it was then used to mess with the site on March 6. I discovered the attack about 1-2 days after that.
nikki. (Magnificent Ornk), posted March 10, 2012: Oh, and since nobody has mentioned it yet, thanks for taking the time out to fix this for us, Aran. It is appreciated, even if it's a silent appreciation.
Trenton. (Easygoing Eyebeast), posted March 10, 2012: Yes. I forgot that. We are sounding too greedy for something you made.
Dintiradan (Easygoing Eyebeast), posted March 10, 2012: Well, glad you're having fun at least. Do you know if they got DB access?
Nescioquis (Curious Artila), posted March 10, 2012: Googling that MD5 found a nice analysis of the code, written almost a year ago. I wonder how widespread and how proprietary this code is.
Aran (Magnificent Ornk), posted March 10, 2012: In theory, anything goes. They got shell access, so they could read every single settings file containing database passwords. The script also has an SQL shell. (They can't connect to the database remotely, mind you.) In practice, the attack appeared highly focused and possibly automated, so it's unlikely they poked around just out of curiosity. I'll change the database passwords just in case.
Erebus the Black (Ineffable Wingbolt), posted March 10, 2012: I think JIG had something similar happen to them as well. What do you think?
Aran (Magnificent Ornk), posted March 10, 2012: Sorry, "JIG" doesn't ring a bell...
Erebus the Black (Ineffable Wingbolt), posted March 10, 2012: Jay is Games, flash game portal, also advertises/reviews some of Jeff's games.
Mea Tulpa (Hatchling Cockatrice), posted March 10, 2012: AHA! Aran, the password for my subdomain (minmax) FTP changed a few weeks ago. I hadn't used it in a year so at the time I just figured I was misremembering it, but this makes more sense. That's not good -- might want to check what happened to your hosted subs, too.
Dintiradan (Easygoing Eyebeast), posted March 10, 2012: Oh dear, should have tried that sooner. It's been a while since I last logged in. (Tries to log in, both with and without key-based authentication.) I'm locked out too. Don't notice anything odd with my site, but there you go.
Aran (Magnificent Ornk), posted March 10, 2012: Oh, that's actually an older issue. Sorry, I forgot to tell you - I'll send you new passwords. My user account has no write access on your files (unless you added group write permissions to them, which are off by default), so the attack should be limited to my own sites. Edit: The attacker was thorough with the backdoor as well. Left not one, but roughly a hundred backdoors scattered throughout random places. If I hadn't grepped every single file for the hex-code "create_function" string ("\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e"), I'd never have found them buried in all those folders. I still don't trust that I found them all, so I'm doing a bit more based on timestamps. Don't have time to manually inspect every single PHP file, but I can run a more detailed check on the ones changed at the right time. Edit: The files were created by an installer script that then deleted itself. ARGH.
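The two analysis steps Aran describes in the posts above, undoing the "\xNN" keyword escapes and unwrapping the base64-then-XOR-143 layering, written up as a defender's scan over PHP source. This is an added example, not code from the thread or from the Ermarian sites; the XOR key 143 and the hex-escaped "create_function" string come from the thread, while SAMPLE_PHP and its harmless payload are constructed here.

```python
import base64
import binascii
import re
from typing import List, Optional

# Keywords the thread saw hidden as "\x63\x72..." strings. The scan matches them
# only after undoing the escapes, so a plain-text grep miss is still caught.
SUSPICIOUS = ("create_function", "base64_decode", "eval", "gzinflate", "str_rot13")
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
XOR_KEY = 143  # per-byte key described in the thread

def unescape_hex(src: str) -> str:
    """Replace PHP \\xNN escapes with the characters they encode."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), src)

def try_b64(token: str) -> Optional[bytes]:
    """Strict base64 decode; None when the token is not valid base64."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None

def recover_payload(token: str, key: int = XOR_KEY) -> Optional[bytes]:
    """Undo base64, then XOR every byte with key: the layering the thread describes."""
    raw = try_b64(token)
    return None if raw is None else bytes(b ^ key for b in raw)

def looks_like_php(data: bytes) -> bool:
    """Cheap heuristic: does a decoded blob contain PHP code markers?"""
    return b"<?php" in data or b"eval(" in data or b"$_POST" in data

def scan_php_source(src: str) -> List[str]:
    """Return human-readable findings for the contents of one PHP file."""
    findings = []
    decoded = unescape_hex(src)
    for kw in SUSPICIOUS:
        # Flag keywords that only appear once the escapes are undone.
        if kw in decoded and kw not in src:
            findings.append(f"hex-escaped keyword: {kw}")
    if re.search(r"eval\s*\(\s*base64_decode", decoded):
        findings.append("eval(base64_decode(...)) construct")
    for m in B64_TOKEN.finditer(src):
        plain = try_b64(m.group(0))
        if plain is not None and looks_like_php(plain):
            findings.append(f"base64 blob decodes to PHP at offset {m.start()}")
        xored = recover_payload(m.group(0))
        if xored is not None and looks_like_php(xored):
            findings.append(f"base64+XOR{XOR_KEY} blob decodes to PHP at offset {m.start()}")
    return findings

# Constructed sample, not the real shell: a harmless PHP snippet wrapped exactly as the
# thread describes, next to the hex-escaped "create_function" string Aran quotes.
BENIGN_PAYLOAD = b'<?php echo "stand-in for the shell body"; ?>'
SAMPLE_BLOB = base64.b64encode(bytes(b ^ XOR_KEY for b in BENIGN_PAYLOAD)).decode()
SAMPLE_PHP = (
    "<?php\n"
    r'$f = "\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e";' "\n"
    f'$d = "{SAMPLE_BLOB}";' "\n"
)

if __name__ == "__main__":
    for finding in scan_php_source(SAMPLE_PHP):
        print(finding)
```

Pointing scan_php_source at every PHP file under a web root, and pairing its findings with the modification-time filter Aran mentions, narrows a few thousand files down to the handful worth reading by hand.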
Aran (Magnificent Ornk), posted March 12, 2012: (Bump) Encyclopedia is back. I've basically replaced the codebase with a fresh SVN copy, and also reset the skin and so on. I'll bring back skin customizations (like ads, not that anyone sees them) eventually. The one thing I've learned in this is that a cluttered doc-root folder is a security risk. I will only keep parts of the actual deployed website in there, and keep all my development stuff on my own computer. Also using .htaccess to block files based on a whitelist: Only a few PHP files, and only image files in the skin and upload directories are accessible. All other sites are still down. I'll fix them up one by one. Some will take a bit longer while I make sure they don't have vulnerabilities (Drupal 5 is out of support, for instance, so the Blades Forge and PPP may be down a while), and some will have to be completely reorganized (e.g. ermarian.net is an organically grown mess of scripts and pages and things I randomly made up over seven years; that won't go from now on). Edit: I'm still unsuccessfully trying to track down a copy of the elusive self-deleting script installer12.php. What I have found is a surprising number of sites with PHP shells.
Prince of Kitties (Rotghroth Rhapsody), posted March 16, 2012: Wow. The things you miss when you're asleep... Thanks for posting the details about this, Polaran - it was something of a learning experience for me. (Mostly learning how ignorant I am about code obfuscation and other techniques used by blackhats, mind...)
Celtic Minstrel (Understated Ur-Drakon), posted March 17, 2012: Huh, interesting reading about why the ermarian network was down. I discovered it a couple of days ago when I noticed that my avatar was missing on another forum; it was hosted on stuff.ermarian.net.
wgerard (Tenderfoot Thahd), posted March 21, 2012: This thing has really been more common with the lot of companies driving for more traffic going their website's way. It is great that you were able to handle it early on rather than have people going their way thinking that it was something that was authorized to begin with. Not that I would want to start out and go hacking a ton of sites but what they do and have going is really impressive.
Balladeer (Well-Actually War Trall), posted March 24, 2012: I find this worrisome... more for the fact that I wouldn't know how to do all of the cleanup that you have if something like this were to happen to TrueSite... One year away from my BSIT:SE degree and I still feel wholly inadequate. Boo.
Aran (Magnificent Ornk), posted March 31, 2012: Update: The old PPP is this close to going online again. Since the old site is a complete unsalvageable mess of undocumented spaghetti code, I've started from scratch. Written a module that can access the old archives in a read-only form, and created a new theme for it (which will be reused in the new archive site too, whenever that's done). If I finish writing the user profile page and post list tonight, I can upload the whole thing and launch it.
Mea Tulpa (Hatchling Cockatrice), posted March 31, 2012: HOORAY!
Actaeon (Well-Actually War Trall), posted March 31, 2012: (It's just animated avatars that are against the rules, right?)
Mea Tulpa (Hatchling Cockatrice), posted March 31, 2012: Yes, although that particular image has had more than enough cameos here. Just IMHO.
Aran (Magnificent Ornk), posted March 31, 2012: One does not simply post a clapping Gimli.
Dintiradan (Easygoing Eyebeast), posted March 31, 2012: Fun fact: I thought you were Dantius the first time I read this thread. But what's wrong with users having their own image memes? Dantius has got the Kane Clap, I've got the champagne... Oh! Speaking of which! Woo Aran! (Let's just hope that Sailor Sun Myung doesn't make an appearance.)
Mea Tulpa (Hatchling Cockatrice), posted March 31, 2012: Lilith seems to be quite disgusted with the Reverend Sailor. However, she apparently still has a sister image in readiness for a sister event.
Aran (Magnificent Ornk), posted March 31, 2012: Database dump is being transferred. I have to upload the entire archive data again as I did some stuff with it locally. I'm also on a shaky wifi behind a DSL line in a little taverna on the coast of Xora Sfakion (Crete), so it'll take a while (probably an hour or so).
Randomizer (Hatchling Cockatrice), posted March 31, 2012: I doubt this is how you want to spend your vacation. However, the view seems nice.
Aran (Magnificent Ornk), posted March 31, 2012: Oh, I haven't spent my vacation like this; I just finished up some of the theming late at night. Sitting outside on the terrace right now listening to the roaring waves, and watching the unbelievably clear night sky. I mean, damn, this is awesome. (Unfortunately this is my last day here.)
nikki. (Magnificent Ornk), posted March 31, 2012: Paris and Crete? Colour me jealous, though yes, the view looks lovely. Now get off the Internet and do something fun!
Aran (Magnificent Ornk), posted March 31, 2012: http://pied-piper.ermarian.net/ It is done. Please point out any problems you notice, but unfortunately I won't get around to fixing them until next week.
Lilith (Hatchling Cockatrice), posted March 31, 2012: Originally Posted By: HOUSE of S: "Lilith seems to be quite disgusted with the Reverend Sailor." i'm what now. keep in mind last time you talked to me about it i was hung over and would have responded to anything you said with "ugh"
Mea Tulpa (Hatchling Cockatrice), posted March 31, 2012: Aran, it looks terrific -- and seems to work more smoothly than the old version. Hooray!
Dintiradan (Easygoing Eyebeast), posted March 31, 2012: I found a couple of errors: Avernum Reloaded IC 2; Avernum Reloaded Summaries 2. (For reference, Avernum Reloaded OOC 2 works.)
Callie (Understated Ur-Drakon), posted April 1, 2012: Yay! *is reading a thread started by Scorpius...*
Mea Tulpa (Hatchling Cockatrice), posted April 1, 2012: Is it the one about laying eggs? That was my favourite.
Callie (Understated Ur-Drakon), posted April 1, 2012: Originally Posted By: Slarty: "Is it the one about laying eggs? That was my favourite." The one about lolcats. I asked if Scorpius ever made straightforward posts and he promptly replied with a link to pillow-y mounds of mashed potatoes. Yeah...
Kelandon (Magnificent Ornk), posted April 1, 2012: I just re-read a bunch of my old posts. We had some fun arguments in late 2007 and early 2008. Whatever happened to those, anyway? Some of my favorite one-liners: "At some point, I suggested that I should make an Echoes scenario and TM should make a Slith Homeland scenario. I still think he should." "I was about to say that ADoS is apparently the lesser man that I am not, but then I clicked on the link. ADoS knows more about being less than I ever will." "This caused me to go back and check the '06 bannings. Ah, the memories." "Evidently this is the reason that topic-locking exists." "Man, you don't even like cheesecake." (Much funnier in context.) "My point was simply that the fact that some people are damn fools cannot itself be blamed on Albert A. Gore." And, to top it all off: "If you don't like it, shut up and stop reading." Also, apparently broken: http://pied-piper.ermarian.net/member/4045?page=10
Mea Tulpa (Hatchling Cockatrice), posted April 1, 2012: The one where Excalibur submits a blank http address. EDIT: Kel, was that a response to my perverting Drakey's mango comment into a cheesecake comment?
Dintiradan (Easygoing Eyebeast), posted April 1, 2012: Heh, I was reading the one about attempted murder being a victimless crime. But yes, the egg-laying topic is my favourite. Half the community was giving bemused answers to the first question, the other half was remaining silent because we all knew what the follow-up question would be. Excalibur: That's a broken link, by the way.