Malicious activity again - The Great Machine wiki temporarily unavailable
Random Chaos
It appears that someone tried to do some code injection on our site...again. This time they managed to completely break the site and did not appear to get a working inject, though I am still searching for anything that might be left behind.
Someone needs to get Sanfam to upgrade our software :p - I'm sure one of our main apps, such as vBulletin or MediaWiki, is the source. Either that or one of our hosted sites. We don't exactly run much else.
[COLOR=Red][B]UPDATE - STATUS - December 17th, 2012:[/B][/COLOR]
Forums - online for now; I did some heavy cleaning today, December 16/17th; hope it stays clean until I have a chance to upgrade the forums
The Great Machine - offline pending upgrade and cleaning; upgrade is 90% done; image directories are heavily infested and must be cleaned, other files may also be bad
ITF archive site (/b5game) - offline pending cleaning; heavily infested throughout
Comments
I have completed further analysis on the attack. This was an email spam "helper" application that was dropped on the server. It does not appear to have done any sort of harvesting of data from the server (though there is nothing to say that another script that was dropped and then removed didn't harvest data). I did all my analysis in a self-contained virtual machine in case there was anything harmful hiding inside this morass, but there wasn't.
[B]Some of the files hit:[/B]
[LIST=1]
[*]firstones.com/.htaccess - they redirected all access to a script on our wiki
[*]forums/global.php - they included the same wiki script here, I guess for anyone that got missed by the .htaccess?
[*]tgm/includes/Wiki.php - this was the main hit point, containing active code (described below) and was redirected to
[*]tgm/images/thumb/... - various wiki uploaded image directories had injected files in them (described below)
[/LIST]
[B]Effect:[/B]
Wiki.php had a very interesting method of hiding data. They used strings cast to functions. I haven't encountered this sort of obfuscation before, but it is quite ingenious, and pretty good at hiding the attempt. However, it is far from infallible.
This in turn referenced and ran compressed, obfuscated code masquerading as images in the TGM images directory. This was fairly standard fare as far as obfuscation goes. It took a few minutes to decompress and turn it into readable code, mostly because the files were so large that text editors tended to lag a bit while working on it.
The code, when finally readable, was a fairly straightforward proxy system that masqueraded several of our web pages as pages on a remote server, injecting content relating to various spam enhancement pills. It looks like the principal purpose of the attack was to get people to click on links that looked like legitimate websites (such as ours!) in spam emails, then shoot them off to various attack methods.
It appears that the core origin of the attacks most likely originated from the wiki. I cannot guarantee this is the case, but given the exact locations I found the various files, I suspect the Wiki's image downloader/uploader was the original source.
[COLOR=Red][I][B]In response to this, I have shut down the TGM Wiki until it can be upgraded to a newer version of MediaWiki.[/B][/I][/COLOR]
The one good thing about this: It looks like some component of either our server configuration or our wiki configuration didn't work quite as planned for the attacker, resulting in the access denied messages we were seeing yesterday. It appears that the file (Wiki.php) that the injection hit wasn't cooperating with their plans.
For those interested, it looks like the spam source is the "ISP" inferno-dot-name. From a little bit of research on Google, this host is quite well documented sending spam and other malicious goodies, and looks to be a hacker's personal ISP that he rents out the resources of (*cough* most likely infected victim computers that don't know they are being rented *cough*).
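A small scanner for the two indicators described in the post above (PHP code sitting in image upload directories, and a string assigned to a variable that is later called as a function, alongside the usual eval-of-decompressed-payload chain). This is an added example, not code from the thread or from the site's own tooling; the directory tree it scans is constructed in a temp folder purely to demonstrate the checks.

```python
import os
import re
import shutil
import tempfile

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}
PHP_TAG = re.compile(rb"<\?php|<\?=")  # PHP open tag inside something claiming to be an image
VAR_FUNC = re.compile(rb"\$(\w+)\s*=\s*['\"]([A-Za-z0-9_]+)['\"]\s*;.*?\$\1\s*\(", re.S)  # $f = 'name'; ... $f(
PAYLOAD = re.compile(rb"\b(?:eval|assert)\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.I)

def scan_file(path):
    # Returns the list of indicator names found in one file; empty list means nothing flagged.
    with open(path, "rb") as fh: data = fh.read()
    findings = []
    if os.path.splitext(path)[1].lower() in IMAGE_EXT and PHP_TAG.search(data):
        findings.append("php-in-image")
    m = VAR_FUNC.search(data)
    if m:  # report which function name was hidden in the string
        findings.append("variable-function:" + m.group(2).decode("ascii"))
    if PAYLOAD.search(data):
        findings.append("encoded-payload")
    return findings

def scan_tree(root):
    # Map of relative path -> findings for every flagged file under root.
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return results

def demo():
    # Constructed sample tree (hypothetical contents, not files from the real site).
    root = tempfile.mkdtemp()
    samples = {
        "images/thumb/real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # genuine JPEG header
        "images/thumb/fake.jpg": b"<?php eval(gzinflate(base64_decode('AAAA'))); ?>",
        "includes/Wiki.php": b"<?php $x = 'base64_decode'; $y = $x($_REQUEST['q']); ?>",
        "includes/Clean.php": b"<?php function version() { return 1; } ?>",
    }
    try:
        for rel, content in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh: fh.write(content)
        return scan_tree(root)
    finally:
        shutil.rmtree(root)
```

Run it against a real upload tree by calling scan_tree() with that directory; the regexes are deliberately narrow, so treat a hit as a file to inspect by hand rather than proof of compromise.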
How far can we upgrade MediaWiki and vBulletin without getting Sanfam involved? Do we need a new vBulletin license?
vBulletin takes money and thus Sanfam. I have the license keys and login information for vBulletin, so as long as Sanfam gets the donations and pays for it, I can do all the work.
I'm sure the guys at Sector 14 are thinking about it. :cool:
Sigh...
So need what? 10$ from each active member? I think we can wing that pretty easily!
This did make me have to make a few fixes to the forums. [B][I]If you encounter any issues with the forums, let me know here.[/I][/B]
I am going to look into upgrading the forums around the end of the year. They will likely be down for a day or so while I do it.
The vB upgrade will be to vBulletin 5 - [url]http://www.vbulletin.com/features/[/url]
It's going to look a ton different, and skinning it to a Babylon 5 theme will take a bit of time.
---
Other parts of the main site:
TGM I am still fighting because of mods that were added onto the site. I think in the end, TGM will be stripped of these MediaWiki mods, because frankly we don't use them and they are causing me nothing but headaches during the software upgrade.
I will also be killing the News Submission system, since it feeds into a management panel that I disabled over a year ago due to SQL injection vulnerabilities. I wonder how many people have submitted news only to see it never appear!
Based on the number of emails I used to get before I gave up on the system, loads of people.
I still think the original attack vector was the wiki, but they stuck scripts all over the place once they got in, making it a pain to clean up the mess. So far it looks like spam advertising is their goal more than anything else, but I'm still trying to figure out what all this new attack script I found tonight actually does. An IP posted something to the page, and immediately the site went down. I was on the forums at the time, which allowed me to quickly identify the vector and start the cleanup this time...
I think I have the site cleaned to the point they have to hit another exploit to get us again. They had a ton of files sitting around to use - I am guessing these were missed in my last cleanup.
I still need to update the forum. I know of a couple holes in what we are running. At least one more week before I can do that. Anyone want to help prod Sanfam to get a donation drive going?
I'll look into that tomorrow.
---
Correction - editing is fixed. My [url=http://www.openbsd.org/cgi-bin/man.cgi?query=sed&sektion=1]SED[/url] was overzealous :D