Encyclopedia Ermariana not working?

[Darklord2831]

So, lately, I've been working on a D&D conversion of the Avernum setting, and I was going to use the Encyclopedia Ermariana as a reference guide for some things. But, whenever I go to the site, it shows an error.

 

I'm just wondering if it's just me, maybe it's Google Chrome, or if anyone else is having trouble connecting to it.

[Aran]

Thanks for the heads-up. It's indeed broken. Investigating now...

 

Oh. Interesting.

 

Holy cow. Okay, I've been hosting my own websites for seven years now, and I've never ever had an intrusion. Someone's gone and added an eval(base64_decode([...])) to the top of all PHP files on my server. All sites were affected.

 

Sorry, the whole site is going dark and will stay off until I've figured out the attack vector, plugged it and fix any backdoors that were installed. In the meantime, Google's cache or the Wayback archive should contain everything you're looking for on the site.

 

Edit: They were indeed pretty thorough. They added the code to all 1410 PHP files within my various web-root folders, but left other PHP files (and non-PHP files) alone.

 

I've decoded and analyzed the PHP code, and it seems to by a fairly well-written but unsophisticated worm to insert a remote Javascript call into every page. I'm still trying to get my hands on a copy of that Javascript by faking a request to the remote server, but it's not giving me anything. Could be ad injection, could be an attempt to further compromise visitors with browser vulnerabilities. If you've visited my site in the last 35 hours, and are not using the latest version of an open-source browser, you may want to check for viruses and stuff.

[waterplant]

I'm disappointed to hear that someone has disrupted your work like this. How much better would the world be if everyone just left other people's stuff the hell alone.

 

Hope you can sort it out quickly, Polaran.

[Aran]

This wasn't a script kiddie with too much time on his hands; it's a for-profit operation - possibly to recruit visitors for a botnet.

 

Fortunately, this sort of thing is also easier to fix than random destruction. What'll take time is figuring out how to stop it happening again.

[Actaeon]

Originally Posted By: Polaran

Fortunately, this sort of thing is also easier to fix than random destruction.

There aren't many occasions that can be said.

On an only marginally related note... are you officially "Polaran" now? I finally stopped calling Lilith Thuryl, but I'm afraid that there are such issues lurking 'round all the corners.

[Men are from Slars]

Thurilith actually went out of her way to change her name. Aran has shifted his PDN on a handful of occasions and kept 'Aran' in it frequently, so it is probably safe to assume there's no real change.

[Aran]

As far as I'm aware, I spent much more time as "Arancaytrus" before this. Still riffing on a theme, but much more slowly to match my rate of posting.

[Aran]

This is exciting work. I'm getting close to the point where they got in - or at least the final stage of the attack. The logs show a POST to a PHP file at the exact moment the files got manipulated, and that PHP file is not mine. It's been there since Feb 27, and it contains, needless to say, some fairly evil-looking eval() code... this has been in the making for a while.

 

Going to see if I can un-obfuscate that code, and examine the logs on Feb 27 to see how the file got there.

[Trenton.]

I need my info! I hope you can get the site running again. Tis usefull

[Aran]

Sorry for rambling on; I'm on fire right now. As a puzzle, this is more awesome than NotPron any day.

 

The obfuscation attempts are kind of cute. They took the PHP code (a web shell, as expected), converted it into an array of ascii bytes, XORed each byte with the number 143, then put the result and the decoding&execution code into a base64-encoded string. And then, for good measure, keywords like "create_function" and "base64_decode" are entered in strings like "\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65", to make it just a bit more obscure.

 

The original, unobfuscated web shell, by the way, wins points for extremely legible, properly indented code. And for being protected by an MD5-hashed password which took me over five minutes to reverse. If this is not an off-the-shelf PHP script cribbed from somewhere, then someone really put some effort into writing something he then went to a lot of trouble ensuring nobody would read.

 

Edit: Script source was pastebinned about a week ago (the version on my site is two weeks old). Not sure if it was by an attacker or another victim, but the hashed password is the same: http://pastebin.com/0ke29L3G . Script is also old - mentioned in a blog post two years ago, still the same password. That's actually kind of odd - I can imagine a script like that being passed around for years, but if the password hash is the same everywhere that strongly implies a single person using it.

 

Okay, I've learned all I can on that angle. Now to find out how the script got there - I suspect one of the many web applications I've installed as a test and then rarely updated. When I'm done here, I'll strictly limit test installations to my own computer from now on.

[Actaeon]

... It's all Greek to me, but I'm very impressed with your expertise, nevertheless.

[Trenton.]

So how long? a day? two?

 

And was this done on purpose, where someone PLANTED whatever made that happen? Or was it an Accident.

[Aran]

In the beginning, there must have been a security hole somewhere on my server, which was an accident. Everything I've investigated so far was very cleverly planted, though - I'm still working backwards from that.

 

The shell script was first placed there on February 27, and it was then used to mess with the site on March 6. I discovered the attack about 1-2 days after that.

[nikki.]

Oh, and since nobody has mentioned it yet, thanks for taking the time out to fix this for us, Aran. It is appreciated, even if it's a silent appreciation.

[Trenton.]

Yes. I forgot that. We are sounding to greedy for something you made.

[Dintiradan]

Well, glad you're having fun at least. Do you know if they got DB access?

[Nescioquis]

Googling that MD5 found a nice analysis of the code, written almost a year ago.

I wonder how widespread and how proprietary this code is.

[Aran]

In theory, anything goes. They got shell access, so they could read every single settings file containing database passwords. The script also has an SQL shell. (They can't connect to the database remotely, mind you.)

 

In practice, the attack appeared highly focused and possibly automated, so it's unlikely they poked around just out of curiosity. I'll change the database passwords just in case.

[Erebus the Black]

I think JIG had something similar happen to them as well. What do you think?

[Aran]

Sorry, "JIG" doesn't ring a bell...

[Erebus the Black]

Jay is Games, flash game portal, also advertises/reviews some of Jeff's games.

[Men are from Slars]

AHA!

 

Aran, the password for my subdomain (minmax) ftp changed a few weeks ago. I hadn't used it in a year so at the time I just figured I was misremembering it, but this makes more sense.

 

That's not good -- might want to check what happened to your hosted subs, too.

[Dintiradan]

Oh dear, should have tried that sooner. It's been a while since I last logged in.

 

(Tries to log in, both with and without key-based authentication.)

 

I'm locked out too. Don't notice anything odd with my site, but there you go.

[Aran]

Oh, that's actually an older issue. Sorry, I forgot to tell you - I'll send you new passwords.

 

My user account has no write access on your files (unless you added group write permissions to them, which are off by default), so the attack should be limited to my own sites.

 

Edit: The attacker was thorough with the backdoor as well. Left not one, but roughly a hundred backdoors scattered throughout random places. If I hadn't grepped every single file for the hex-code "create_function" string ("\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e"), I'd never have found them buried in all those folders.

 

I still don't trust that I found them all, so I'm doing a bit more based on timestamps. Don't have time to manually inspect every single PHP file, but I can run more detailed check on the ones changed at the right time.

 

Edit: The files were created by an installer script that then deleted itself. ARGH.

[Aran]

(Bump)

 

Encyclopedia is back. I've basically replaced the codebase with a fresh SVN copy, and also reset the skin and so on. I'll bring back skin customizations (like ads, not that anyone sees them ) eventually.

 

The one thing I've learned in this is that a cluttered doc-root folder is a security risk. I will only keep parts of the actual deployed website in there, and keep all my development stuff on my own computer. Also using .htaccess to block files based on a whitelist: Only a few PHP files, and only image files in the skin and upload directories are accessible.

 

All other sites are still down. I'll fix them up one by one. Some will take a bit longer while I make sure they don't have vulnerabilities (Drupal 5 is out of support, for instance, so the Blades Forge and PPP may be down a while), and some will have to be completely reorganized (eg. ermarian.net is an organically grown mess of scripts and pages and things I randomly made up over seven years; that won't go from now on).

 

Edit: I'm still unsuccessfully trying to track down a copy of the illusive self-deleting script installer12.php. What I have found is a surprising number of sites with PHP shells.

[Prince of Kitties]

Wow. The things you miss when you're asleep...

 

Thanks for posting the details about this, Polaran - it was something of a learning experience for me.

 

(Mostly learning how ignorant I am about code ubfuscation and other techniques used by blackhats, mind...)

[Celtic Minstrel]

Huh, interesting reading about why the ermarian network was down. I discovered it a couple of days ago when I noticed that my avatar was missing on another forum; it was hosted on stuff.ermarian.net.

[wgerard]

This thing has really been more common with the lot of companies driving for more traffic going their website's way.

 

It is great that you were able to handle it early on rather than have people going their way thinking that it was something that was authorized to begin with.

 

Not that I would want to start out and go hacking a ton of sites but what they do and have going is really impressive.

[Balladeer]

I find this worrysome... more for the fact that I wouldn't know how to do all of the cleanup that you have if something like this were to happen to TrueSite... One year away from my BSIT:SE degree and I still feel wholly inadequate. Boo.

[Aran]

Update: The old PPP is this close to going online again. Since the old site is a complete unsalvageable mess of undocumented spaghetti code, I've started from scratch. Written a module that can access the old archives in a read-only form, and created a new theme for it (which will be reused in the new archive site too, whenever that's done).

 

If I finish writing the user profile page and post list tonight, I can upload the whole thing and launch it.

[Men are from Slars]

HOORAY!

[Actaeon]

 

(It's just animated avatars that are against the rules, right?)

[Men are from Slars]

Yes, although that particular image has had more than enough cameos here. Just IMHO.

[Aran]

One does not simply post a clapping Gimli.

[Dintiradan]

Fun fact: I thought you were Dantius the first time I read this thread.

 

But what's wrong with users having their own image memes? Dantius has got the Kane Clap, I've got the champagne... Oh! Speaking of which!

 

 

Woo Aran!

 

(Let's just hope that Sailor Sun Myung doesn't make an appearance.)

[Men are from Slars]

Lilith seems to be quite digusted with the Reverend Sailor. However, she apparently still has a sister image in readiness for a sister event.

[Aran]

Database dump is being transferred. I have to upload the entire archive data again as I did some stuff with it locally. I'm also on a shaky wifi behind a DSL line in a little taverna on the coast of Xora Sfakion (Crete), so it'll take a while (probably an hour or so).

 

[Randomizer]

I doubt this is how you want to spend your vacation. However the view seems nice.

[Aran]

Oh, I haven't spent my vacation like this; I just finished up some of the theming late at night.

 

Sitting outside on the terrace right now listening to the roaring waves, and watching the unbelievably clear night sky. I mean, damn, this is awesome.

 

(Unfortunately this is my last day here.)

[nikki.]

Paris and Crete? Colour me jealous , though yes, the view looks lovely. Now get off the Internet and do something fun!

[Aran]

http://pied-piper.ermarian.net/

 

It is done.

 

Please point out any problems you notice, but unfortunately I won't get around to fixing them until next week.

[Lilith]

Originally Posted By: HOUSE of S

Lilith seems to be quite digusted with the Reverend Sailor.

i'm what now

keep in mind last time you talked to me about it i was hung over and would have responded to anything you said with "ugh"

[Men are from Slars]

Aran, it looks terrific -- and seems to work more smoothly than the old version. Hooray!

[Dintiradan]

I found a couple errors:

 

Avernum Reloaded IC 2

 

Avernum Reloaded Summaries 2

 

(For reference, Avernum Reloaded OOC 2 works.)

[Callie]

Yay!

 

*is reading a thread started by Scorpius...*

[Men are from Slars]

Is it the one about laying eggs? That was my favourite.

[Callie]

Originally Posted By: Slarty

Is it the one about laying eggs? That was my favourite.

The one about lolcats. I asked if Scorpius ever made straightforward posts and he promptly replied with a link to pillow-y mounds of mashed potatoes.

Yeah...

[Kelandon]

I just re-read a bunch of my old posts. We had some fun arguments in late 2007 and early 2008. Whatever happened to those, anyway?

 

Some of my favorite one-liners:

 

"At some point, I suggested that I should make an Echoes scenario and TM should make a Slith Homeland scenario. I still think he should."

 

"I was about to say that ADoS is apparently the lesser man that I am not, but then I clicked on the link. ADoS knows more about being less than I ever will."

 

"This caused me to go back and check the '06 bannings. Ah, the memories."

 

"Evidently this is the reason that topic-locking exists."

 

"Man, you don't even like cheesecake." (Much funnier in context.)

 

"My point was simply that the fact that some people are damn fools cannot itself be blamed on Albert A. Gore."

 

And, to top it all off: "If you don't like it, shut up and stop reading."

 

Also, apparently broken: http://pied-piper.ermarian.net/member/4045?page=10

[Men are from Slars]

The one where Excalibur submits a blank http address.

 

EDIT: Kel, was that a response to my perverting Drakey's mango comment into a cheesecake comment?

[Dintiradan]

Heh, I was reading the one about attempted murder being a victimless crime. But yes, the egg-laying topic is my favourite. Half the community was giving bemused answers to the first question, the other half was remaining silent because we all knew what the follow-up question would be.

 

Excalibur: That's a broken link, by the way.