URBANZ Posted November 27, 2011

The thing I laugh about is he says he is a cop (bullshit), but if he was he would know the laws like copyright etc. And look at this: http://www.gambino-army.com/test/ (SO CALLED GAME ENGINE THAT IS DEFO MCCODES), login: demo/demo. I was having a look about and ffs the mailbox looks the same, uses the same queries, same as the forum, and for profiles he has just made them read usernames instead of IDs. I think he just needs to go live his pathetic life somewhere that doesn't bother anyone else.
Ishraq Posted November 27, 2011

LMFAO, Laughing My FFing Ass Off... Everything is the same. Even the shops, preferences, game stats. It's so obvious some files were deleted or renamed, like mainmenu.php. That's easy to rename; you can rename that to usermenu or menu, etc. But for forums.php he got stuck there, lol. OMG. For viewuser he changed it to profile, but that ?u= is still used, HAHA.

User Level: Administrator
Signed up: August 22, 2010 8:21:54 am
Last active: June 29, 2011 11:56:29 pm
Last Action: 150 days ago
Last Login: 150 days ago
Status: Offline
Age: 1 years, and 3 months old
Gender: Male

Typical viewuser details. lol, so much more I can say...
rulerofzu Posted November 27, 2011

Regardless of Gambino, what's funny is that you allowed your server to be compromised, probably by sheer laziness.
Dave Posted November 27, 2011

> Regardless of Gambino, what's funny is that you allowed your server to be compromised, probably by sheer laziness.

I wonder if they stole any user information? Thus making it a potential breach of the Data Protection Act... I'm seriously interested in seeing what they've done to the server because I doubt they just defaced it. They're clearly not whitehat, thus most likely using their compromised servers for some profit gain.
Spudinski Posted November 27, 2011 (edited)

No. 1 - If it was a DOS attack (since it was actually just one line), it would've been easy to rescue if you actually attended to your damn server.
No. 2 - Rooted via web exploit? Apache should be chroot'ed; that's just terrible that you were so loathsome.
No. 3 - Turkey is easy to stop: ban their IP block, allow home-orientated ISPs.

All this could have been avoided by following the most basic of security procedures: updating software.

Oh, PS: I'm positive that the attack was made through a hosted MCC version on the server, go figure.

Edited November 27, 2011 by Spudinski
rulerofzu Posted November 27, 2011

As the server was never actually offline, just the index pages, then I'm assuming all they have done is replace the index files back to originals. So we are all discussing this on an exploited server. The server hard drive should be wiped and everything reinstalled, obviously not bringing back the redux demo, monodistrict and any other mccodes demos, and updating VB to the latest version. Really, IF you cannot be bothered to do that then delete my account as I do not wish my details stolen and, as David has stated, you're already in breach of the Data Protection Act. I've already had one spam msg from here from someone I don't know. Have never known...
Spudinski Posted November 27, 2011 (edited)

> As the server was never actually offline, just the index pages, then I'm assuming all they have done is replace the index files back to originals. So we are all discussing this on an exploited server. The server hard drive should be wiped and everything reinstalled, obviously not bringing back the redux demo, monodistrict and any other mccodes demos, and updating VB to the latest version. Really, IF you cannot be bothered to do that then delete my account as I do not wish my details stolen and, as David has stated, you're already in breach of the Data Protection Act. I've already had one spam msg from here from someone I don't know. Have never known...

I agree. That is the normal practice if the machine has been compromised... Actually, steps from my manual:

1. Unplug network cable.
2. Wipe HD, DoD method or better.
3. Re-install software from sources.
4. Restore a safe backup.
5. Plug cable back in.
6. Optional forensics, in which case you would've needed to replace step 2 with another HD.

As for the privacy laws and else, I don't think it counts for free message boards like this.

Edited November 27, 2011 by Spudinski
Dave Posted November 27, 2011

> I agree. That is the normal practice if the machine has been compromised... Actually, steps from my manual:
>
> 1. Unplug network cable.
> 2. Wipe HD, DoD method or better.
> 3. Re-install software from sources.
> 4. Restore a safe backup.
> 5. Plug cable back in.
> 6. Optional forensics, in which case you would've needed to replace step 2 with another HD.
>
> As for the privacy laws and else, I don't think it counts for free message boards like this.

I doubt McCodes will do this... for obvious reasons. Hmm, I'm not entirely sure... but they do hold every user's email address along with potential locations. Probably not much of an issue.
Spudinski Posted November 27, 2011

> I doubt McCodes will do this... for obvious reasons. Hmm, I'm not entirely sure... but they do hold every user's email address along with potential locations. Probably not much of an issue.

I have a strong suspicion that they keep archived passwords as well, either from access logs or another form. See, my alias was hacked a day after this thread was made, and the only place who has held the credentials within the past two years is this site. It's weird actually, because my present password on MWG is a randomly generated one, and my password on my mail account would take longer than a day to successfully have been bruted.
Dave Posted November 27, 2011

> I have a strong suspicion that they keep archived passwords as well, either from access logs or another form. See, my alias was hacked a day after this thread was made, and the only place who has held the credentials within the past two years is this site. It's weird actually, because my present password on MWG is a randomly generated one, and my password on my mail account would take longer than a day to successfully have been bruted.

Rather strange... I wonder if McCode will follow the correct legal procedure when dealing with this mess. Will be a shock if they do.
chicka Posted November 28, 2011

> Rather strange... I wonder if McCode will follow the correct legal procedure when dealing with this mess. Will be a shock if they do.

Yea right. They don't take legal action against those running games without a proper Mccodes license... I'm sure nothing will be done, but who knows, I could be wrong!!!
gambino Posted November 28, 2011

I love you guys. You're just the best in the world. Thanks for leaving me those comments. That really makes me happy. I'll talk to you later. It was nice getting back on here.
ColdBlooded (thread author) Posted November 28, 2011

They didn't get into the SSH protocol. That's well secured and only the datacenter IP, Dabomstew's and my IPs can access it. They injected the index.php/html into the host dir, overwriting the old index. I think I may have figured out how they did it but won't disclose until I'm 100% sure myself.
rulerofzu Posted November 28, 2011

Sheesh, you know less than I thought you did CB, which is not a lot to begin with. Let's dumb it down a bit for you. A script is insecure on your server. They hack into the server through the script (see, look, still no mention of SSH). They then write onto the server itself and are now in control of your server. So unless you wipe the drive then your server is still compromised.
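The two posts above describe the visible symptom: index.php/index.html files replaced in place, same name and same location. The check a defender wants here is a file-integrity baseline of the web root taken before the incident and diffed afterwards, which catches a replaced index even when its size is unchanged. The following is an added example, not code from anyone in this thread or from MCCodes; the web root, file contents and "defacement" it scans are constructed inside a temporary directory so it runs offline.

```python
"""Baseline-and-diff integrity check for a web root (added example).

build_manifest() records a SHA-256 per regular file under a directory;
diff_manifest() compares two manifests and reports modified, added and
removed paths. demo() builds a constructed web root, baselines it, then
overwrites index.php with different content of the same length and drops
an extra file, which is what a defacement like the one in the thread
looks like on disk.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large uploads don't load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):        # never follow links out of the web root
                continue
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Sorted lists of paths whose hash changed, that are new, or that vanished."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: baseline a tiny web root, then 'deface' it."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "forum"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'welcome'; ?>\n")
    with open(os.path.join(root, "forum", "index.php"), "w") as f:
        f.write("<?php echo 'forum'; ?>\n")
    baseline = build_manifest(root)

    # Simulated defacement: same filename, same byte length, different content.
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'defaced'; ?>\n")
    # A dropped file next to the forum index.
    with open(os.path.join(root, "forum", "x.php"), "w") as f:
        f.write("<?php ?>\n")

    return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the baseline manifest must be stored off the server (a compromised host can rewrite its own manifest as easily as its index), and a diff that shows only the index files changed is evidence about the web root alone; it says nothing about whether the rest of the system was touched, which is the point rulerofzu is making.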
a_bertrand Posted November 28, 2011

Well, not true ruler. If a script is insecure, and your Apache runs with, let's say, the user apache, you can write ONLY where the user apache has the right to write... which is normally not a lot. Now if you enable binary CGI then you could maybe face other kinds of attacks, as they could have entered with PHP and then switched to C/C++ and used one of the Linux vulnerabilities to escalate privileges. If this is the case then you are in big trouble, but I highly doubt it. It looks like (from a simple research of that kind of hackers and the effect I saw as a user) simply a PHP attack and simply the index replacement, nothing so bad in my opinion. Wiping the drive seems way useless to me, but well, hey, everyone is free to think differently.
Spudinski Posted November 28, 2011

> Well, not true ruler. If a script is insecure, and your Apache runs with, let's say, the user apache, you can write ONLY where the user apache has the right to write... which is normally not a lot. Now if you enable binary CGI then you could maybe face other kinds of attacks, as they could have entered with PHP and then switched to C/C++ and used one of the Linux vulnerabilities to escalate privileges. If this is the case then you are in big trouble, but I highly doubt it. It looks like (from a simple research of that kind of hackers and the effect I saw as a user) simply a PHP attack and simply the index replacement, nothing so bad in my opinion. Wiping the drive seems way useless to me, but well, hey, everyone is free to think differently.

The fact is that someone was able to gain enough privileges to write somewhere (they already have read and execute privs); there's nothing that says they didn't use a vulnerable setuid program to gain access to other places.
a_bertrand Posted November 28, 2011

No need of the "execute" priv, as PHP doesn't need to be run from the OS and normally is not, as it is run through the Apache PHP module. But yes, that doesn't mean they don't have a bigger breach... simply I doubt they did a lot.
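The exchange above turns on one rule: a script compromised through the web server can only write where the web server's uid (via owner, group or "other" permission bits) is allowed to write. Whether a defaced index means "index only" or "whole web root" therefore depends on how the files are owned and chmod'ed. The following is an added example, not code from anyone in this thread; it implements the Unix mode-bit check and scans a constructed web root for everything a constructed web-server uid could overwrite. The web uid in the demo is invented (the running user's uid plus 10000) so that only world-writable entries are hit.

```python
"""Which files could a compromised web application overwrite? (added example)

writable_by() is the classic Unix permission decision for a process with a
given uid and group set; find_writable() applies it to every entry under a
web root. demo() builds a constructed layout: files owned by the deploy
user, an "uploads" directory someone chmod'ed 777 to make uploads work,
and a config.php accidentally left 666.
"""
import os
import stat
import tempfile


def writable_by(st_mode, st_uid, st_gid, uid, gids):
    """Can a process with this uid / group set write the entry?

    Root bypasses the bits. Otherwise exactly one class applies (owner,
    then group, then other), chosen by ownership, not by which grants most.
    """
    if uid == 0:
        return True
    if st_uid == uid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)


def find_writable(root, uid, gids):
    """Sorted relative paths under root (files and dirs) that uid can write.

    A writable directory matters as much as a writable file: whoever can
    write the directory can replace index.php inside it via rename, even
    if index.php itself is read-only.
    """
    hits = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)                 # do not follow symlinks
            if stat.S_ISLNK(st.st_mode):
                continue
            if writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo():
    """Constructed web root owned by the deploy user, scanned as the web uid."""
    root = tempfile.mkdtemp(prefix="webroot_")
    deploy_uid = os.getuid()
    web_uid = deploy_uid + 10000                # constructed, distinct from deploy_uid
    web_gids = {web_uid}

    def put(rel, mode):
        path = os.path.join(root, rel)
        with open(path, "w") as f:
            f.write("<?php ?>\n")
        os.chmod(path, mode)

    os.chmod(root, 0o755)
    os.makedirs(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)   # lazy "make uploads work"
    put("index.php", 0o644)                          # read-only to the web user
    put("config.php", 0o666)                         # misconfigured: world-writable
    return find_writable(root, web_uid, web_gids)


if __name__ == "__main__":
    print(demo())
```

The other half of the picture is the case where the web server *owns* the web root (common on shared hosts and with per-user PHP handlers): then 0644 is enough for the web uid to rewrite every file, and `writable_by(0o644, web_uid, web_gid, web_uid, {web_gid})` returns True for all of them. That is the configuration in which a single insecure script gives an attacker the whole site, which is why both posters are right about different layouts.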
gambino Posted November 28, 2011

Well, if you said you (I think it was you) and someone else's IP address has access to the server, could it be that the hackers gained access using a proxy IP set up to look like your IP address? Also, my server has been set up where no one externally has access to the server through a different server or domain that isn't set up on the main server, but can only gain access to the control panel. I tried doing another means to access the server, like using Dreamweaver, but I get an error "Can not access server", so it's a fact that no one can gain access through an external source.
Spudinski Posted November 28, 2011

> Well, if you said you (I think it was you) and someone else's IP address has access to the server, could it be that the hackers gained access using a proxy IP set up to look like your IP address? Also, my server has been set up where no one externally has access to the server through a different server or domain that isn't set up on the main server, but can only gain access to the control panel. I tried doing another means to access the server, like using Dreamweaver, but I get an error "Can not access server", so it's a fact that no one can gain access through an external source.

The term for it is called spoofing, but it's rather easy to set up a firewall rule to check for it. In addition, OpenSSHd would not be able to be configured without a password/key. And what I think you're talking about is discarding echo ICMP packets, which would result in remote places not being able to tell if you're online by using the traditional ping.
gambino Posted November 28, 2011

Well, the server configuration that was given to me by the server administration blocked the SSH port, which is 22, and blocked the remote file access port, 21. The only way you can get access to the files is from the local server or from the domain specified to the server. Other ports, which are used for external access, have also been blocked on my server, so there's no way of pulling it from a remote source. I may have gotten my control panel slowed down at certain times, but it's worth it if I want to be safe with my info. Have y'all set the .htaccess file, and changed the server configuration? It would probably help most of the time.
Spudinski Posted November 28, 2011

> Well, the server configuration that was given to me by the server administration blocked the SSH port, which is 22, and blocked the remote file access port, 21. The only way you can get access to the files is from the local server or from the domain specified to the server. Other ports, which are used for external access, have also been blocked on my server, so there's no way of pulling it from a remote source. I may have gotten my control panel slowed down at certain times, but it's worth it if I want to be safe with my info. Have y'all set the .htaccess file, and changed the server configuration? It would probably help most of the time.

It makes no sense to block output ports, which is probably why your programs are lagging. And SSH and FTP shouldn't be blocked, in or out.
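Three firewall ideas are mixed together in the last few posts: ColdBlooded's "only the datacenter IP and two admin IPs can reach SSH" allowlist, gambino's worry about a proxy "set up to look like your IP", and Spudinski's answer that spoofing is caught by a firewall rule and that dropping ICMP echo only hides the host from ping. The following is an added example, not from any poster or from MCCodes: a small inbound packet-filter policy written as a Python function, with the anti-spoof rule, the SSH allowlist and the echo-request drop in first-match order. All addresses are constructed from documentation ranges; the server address and admin networks are assumptions, not anything from the thread.

```python
"""Inbound packet-filter policy modelled in Python (added example).

Assumes a server at 203.0.113.5 whose WAN interface is eth0, and two
constructed admin source networks allowed to reach sshd. decide() returns
the verdict and the rule that produced it; rules are evaluated top-down,
first match wins, default deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

WAN_IFACE = "eth0"
SERVER_IP = ipaddress.ip_address("203.0.113.5")      # constructed

# Sources allowed to reach sshd (the "datacenter IP plus two admins" idea).
ADMIN_SSH_SOURCES = [
    ipaddress.ip_network("203.0.113.10/32"),         # constructed
    ipaddress.ip_network("198.51.100.0/24"),         # constructed
]

# Source ranges that can never legitimately arrive on the WAN interface.
# A packet claiming one of these from outside is spoofed or misrouted.
SPOOF_ON_WAN = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",
)]


@dataclass
class Packet:
    iface: str
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    dport: int = 0
    icmp_type: Optional[int] = None


def decide(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason) for one inbound packet."""
    src = ipaddress.ip_address(pkt.src)

    # 1. Anti-spoofing: private/loopback sources, or our own address,
    #    must never show up on the WAN side.
    if pkt.iface == WAN_IFACE:
        if src == SERVER_IP or any(src in net for net in SPOOF_ON_WAN):
            return ("DROP", "spoofed source on WAN")

    # 2. Loopback traffic is trusted.
    if pkt.iface == "lo":
        return ("ACCEPT", "loopback")

    # 3. SSH only from the allowlisted sources. A spoofed SYN from an admin
    #    address gets past this rule, but the SYN-ACK goes to the real owner
    #    of that address, so no TCP session (and no sshd login) results.
    if pkt.proto == "tcp" and pkt.dport == 22:
        if any(src in net for net in ADMIN_SSH_SOURCES):
            return ("ACCEPT", "ssh from admin source")
        return ("DROP", "ssh from unlisted source")

    # 4. Public web services.
    if pkt.proto == "tcp" and pkt.dport in (80, 443):
        return ("ACCEPT", "web")

    # 5. Discard echo requests (the "don't answer ping" setting). This hides
    #    nothing from a port scan of 80/443; it only defeats the classic ping.
    if pkt.proto == "icmp" and pkt.icmp_type == 8:
        return ("DROP", "icmp echo request")

    # 6. Default deny for everything else.
    return ("DROP", "default policy")


if __name__ == "__main__":
    for p in (Packet("eth0", "tcp", "203.0.113.10", 22),
              Packet("eth0", "tcp", "192.168.1.5", 22),
              Packet("eth0", "icmp", "192.0.2.7", icmp_type=8)):
        print(p, "->", decide(p))
```

The policy only covers inbound traffic; the disagreement above about blocking outbound ports is a separate chain and is left as the posters stated it. A real deployment expresses the same rules in iptables/nftables with `rpfilter` or a per-interface source check for step 1, but the ordering and the allowlist-then-default-deny shape are the part worth getting right.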
Neon Posted November 28, 2011

Can someone answer something for me? Did something get hacked again? I'm confused as to what got hacked, and what is happening now besides the bickering on the last 3 pages that is hard to follow.
Dave Posted November 28, 2011

> Can someone answer something for me? Did something get hacked again? I'm confused as to what got hacked, and what is happening now besides the bickering on the last 3 pages that is hard to follow.

A server-wide "breach" happened, causing all index pages to be re-written/changed.
gambino Posted November 28, 2011 (edited)

> It makes no sense to block output ports, which is probably why your programs are lagging. And SSH and FTP shouldn't be blocked, in or out.

Well, security is the number 1 priority for me. I used FileZilla, but I can't use it anymore because someone hacked my friend using FileZilla and using a secretly made program that works with FileZilla to gain access using a false positive. That is why port 21 is blocked on mine, so there's no such thing as accessing through an external source.

Edited November 28, 2011 by gambino: Insomnia... couldn't spell right.
Spudinski Posted November 28, 2011 (edited)

> Well, security is the number 1 priority for me. I used FileZilla, but I can't use it anymore because someone hacked my friend using FileZilla and using a secretly made program that works with FileZilla to gain access using a false positive. That is why port 21 is blocked on mine, so there's no such thing as accessing through an external source.

Yea, it's called a buffer overflow exploit. Most FTP servers have a long history of this. It's very easy to reproduce, but very hard to actually find/create it.

Edited November 28, 2011 by Spudinski