MakeWebGames


Posted

The thing I laugh about with him: he says he is a cop (bullshit), but if he was he would know the laws like copyright etc. And look at this:

http://www.gambino-army.com/test/ (SO-CALLED GAME ENGINE THAT IS DEFINITELY MCCODES)

login: demo/demo

I was having a look about and, ffs, the mailbox looks the same and uses the same queries, same as the forum, and for profiles he has just made them read usernames instead of IDs. I think he just needs to go live his pathetic life somewhere that doesn't bother anyone else.


Posted

LMFAO

Laughing My FFing Ass Off........

Everything is the same. Even the shops, preferences, game stats.

It's so obvious some files were deleted or renamed, like mainmenu.php. That's easy to rename. You can rename that to usermenu or menu, etc.

But for forums.php he got stuck there lol.

OMG.

For viewuser he changed it to profile. But that ?u=

is still used HAHA

 

User Level: Administrator

Signed up: August 22, 2010 8:21:54 am

Last active: June 29, 2011 11:56:29 pm

Last Action: 150 days ago

Last Login: 150 days ago

Status: Offline

Age: 1 years, and 3 months old

Gender: Male

 

Typical viewuser details.

lol so much more I can say.......

Posted
Regardless of Gambino, what's funny is that you allowed your server to be compromised, probably by sheer laziness.

I wonder if they stole any user information? Thus making it a potential breach of the Data Protection Act...

I'm seriously interested in seeing what they've done to the server, because I doubt they just defaced it. They're clearly not whitehat, thus most likely using their compromised servers for some profit gain.

Posted (edited)

No. 1 - If it was a DOS attack (since it was actually just one line), it would've been easy to rescue if you actually attended to your damn server.

No. 2 - Rooted via web exploit? Apache should be chroot'ed; it's just terrible that you were so loathsome.

No. 3 - Turkey is easy to stop, ban their ipblock, allow home-orientated ISPs.

All this could have been avoided by following the most basic of security procedures: updating software.

Oh, PS: I'm positive that the attack was made through a hosted MCC version on the server, go figure.

Edited by Spudinski
Posted

As the server was never actually offline, just the index pages, I'm assuming all they have done is replace the index files back to the originals. So we are all discussing this on an exploited server.

The server hard drive should be wiped and everything reinstalled, obviously not bringing back the redux demo, monodistrict and any other McCodes demos, and updating VB to the latest version.

Really, IF you cannot be bothered to do that then delete my account, as I do not wish my details stolen, and as David has stated you're already in breach of the Data Protection Act.

I've already had one spam msg from here from someone I don't know. Have never known....

Posted (edited)

I agree.

That is the normal practice if the machine has been compromised... Actually, steps from my manual.

1. Unplug network cable.

2. Wipe hd, DoD method or better.

3. Re-install software from sources.

4. Restore a safe backup.

5. Plug cable back in.

6. Optional forensics, in which case you would've needed to replace step 2 with another HD.

As for the privacy laws and else, I don't think it counts for free message boards like this.

Edited by Spudinski
Posted

I doubt McCodes will do this.. for obvious reasons.

Hmm, I'm not entirely sure.. but they do hold every user's email address along with potential locations. Probably not much of an issue.

Posted

I have a strong suspicion that they keep archived passwords as well, either from access logs or another form.

See, my alias was hacked a day after this thread was made, and the only place that has held the credentials within the past two years is this site.

It's weird actually, because my present password on MWG is a randomly generated one, and my password on my mail account would take longer than a day to have been successfully brute-forced.

Posted

Rather strange.. I wonder if McCodes will follow the correct legal procedure when dealing with this mess. It will be a shock if they do.

Posted

Yeah, right. They don't take legal action against those running games without a proper McCodes license.. I'm sure nothing will be done, but who knows, I could be wrong!!!

Posted

I love you guys. You're just the best in the world.

Thanks for leaving me those comments. That really makes me happy. I'll talk to you later. It was nice getting back on here.

Posted

They didn't get into the SSH protocol. That's well secured and only the datacenter IP, Dabomstew's and my IPs can access it. They injected the index.php/html into the host dir, overwriting the old index. I think I may have figured out how they did it but won't disclose it until I'm 100% sure myself.

Posted

Sheesh, you know less than I thought you did, CB, which is not a lot to begin with.

Let's dumb it down a bit for you.

A script is insecure on your server.

They hack into the server through the script (see, look, still no mention of SSH).

They then write onto the server itself and are now in control of your server.

So unless you wipe the drive, your server is still compromised.

Posted

Well, not true, ruler. If a script is insecure, and your Apache runs with, let's say, the user apache, you can write ONLY where the user apache has the right to write... which is normally not a lot. Now if you enable binary CGI then you could maybe face other kinds of attacks, as they could have entered with PHP and then switched to C/C++ and used one of the Linux vulnerabilities to escalate privileges. If this is the case then you are in big trouble, but I highly doubt it. It looks like (from a simple research of that kind of hacker and the effect I saw as a user) simply a PHP attack and simply the index replacement, nothing so bad in my opinion. Wiping the drive seems way useless to me, but well, hey, everyone is free to think differently.

Posted

The fact is that someone was able to gain enough privileges to write somewhere (they already have read and execute privs); there's nothing that says they didn't use a vulnerable setuid program to gain access to other places.

Posted

No need for the "execute" priv, as PHP doesn't need to be run from the OS and normally is not, as it is run through the Apache PHP module. But yes, that doesn't mean they don't have a bigger breach... I simply doubt they did a lot.
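The exchange above turns on two questions: what the web server's account can overwrite under the document root, and whether a setuid binary gives a foothold somewhere to go. The script below is an added example, not code from the thread or from McCodes; it assumes a Unix host with a POSIX find, and the docroot and web user names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks for the argument
# above: what the web server's account can overwrite (e.g. index.php),
# and whether setuid binaries exist that a foothold could try to abuse.
# Assumes a Unix host with POSIX find; DOCROOT/WEBUSER are placeholders.

# Files under a directory that anyone can write to (others have the w bit).
# A PHP script running as the web user can overwrite every one of these.
world_writable_files() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# Files under a directory owned by the web server account itself.
# Returns 2 if that account does not exist on this host.
files_owned_by() {
    id "$2" >/dev/null 2>&1 || return 2
    find "$1" -type f -user "$2" 2>/dev/null | sort
}

# Setuid binaries under a directory: candidates for local privilege
# escalation if one is vulnerable. Run against / on a real host; the
# list should be short and every entry accounted for.
setuid_files() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Report for one document root: returns 1 if anything overwritable by
# the web server is found, 0 if the docroot is read-only to it.
audit_docroot() {
    docroot=$1 webuser=$2 rc=0
    ww=$(world_writable_files "$docroot")
    if [ -n "$ww" ]; then
        printf 'world-writable under %s:\n%s\n' "$docroot" "$ww"; rc=1
    fi
    owned=$(files_owned_by "$docroot" "$webuser") || true
    if [ -n "$owned" ]; then
        printf 'owned by %s (overwritable by PHP):\n%s\n' "$webuser" "$owned"; rc=1
    fi
    return "$rc"
}

# Usage on a live host (placeholder paths and user):
#   audit_docroot /var/www/html www-data; setuid_files /
```

A clean result from audit_docroot means a PHP bug alone could not have replaced the index; anything listed by setuid_files that is not a stock system binary deserves a closer look.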

Posted

Well, if you said you (I think it was you) and someone else's IP address have access to the server, could it be that the hackers gained access using a proxy IP set up to look like your IP address? Also, my server has been set up where no one externally has access to the server through a different server or domain that isn't set up on the main server, but can only gain access to the control panel. I tried doing another means to access the server, like using Dreamweaver, but I get an error "Can not access server", so it's a fact that no one can gain access through an external source.

Posted

The term for it is spoofing, but it's rather easy to set up a firewall rule to check for it.

In addition, OpenSSHd would not be able to be configured without a password/key.

And what I think you're talking about is discarding ICMP echo packets, which would result in remote places not being able to tell if you're online by using the traditional ping.

Posted

Well, with the server configuration that was given to me by the server administration, the SSH port, which is 22, is blocked, and port 21 for remote file access is blocked. The only way you can get access to the files is from the local server or from the domain specified for the server. Other ports, which are used for external access, have also been blocked on my server, so there's no way of pulling it from a remote source.

I may have gotten my control panel slowed down at certain times, but it's worth it if I want to be safe with my info.

Have y'all set the .htaccess file and changed the server configuration? It would probably help most of the time.

Posted

It makes no sense to block output ports, which is probably why your programs are lagging.

And SSH and FTP shouldn't be blocked, in or out.

Posted

Can someone answer something for me?

Did something get hacked again? I'm confused as to what got hacked, and what is happening now besides the bickering on the last 3 pages that is hard to follow.

Posted

A server wide "breach" happened causing all index pages to be re-written/changed.

Posted (edited)

Well, security is the number 1 priority for me. I used FileZilla, but I can't use it anymore because someone hacked my friend using FileZilla and a secretly made program that works with FileZilla to gain access using a false positive. That is why port 21 is blocked on mine, so there's no such thing as accessing through an external source.

Edited by gambino
Insomnia.... couldn't spell right.
Posted (edited)

Yeah, it's called a buffer overflow exploit. Most FTP servers have a long history of this.

It's very easy to reproduce, but very hard to actually find/create it.

Edited by Spudinski
