Java-Gaming.org    
A successful attack on SMF
Riven
« Posted 2010-12-31 05:52:53 »

In an attempt to be as open about it as possible, I will tell you that JGO was compromised 2010/12/31 at 02:30 AM.

A successful attack on SMF has been made through a moderator account, of which the attacker knew the password. That moderator has been notified. Stupid as SMF is, it allows the Moderator account to change the password of an Admin, giving the hacker full access to SMF by logging in as that admin. Apparently this is a well known attack vector, as the attacker was an admin in roughly 5 seconds.

This was a very specific attack where the hacker tried to find out as much about this person as possible. Several seemingly innocent changes (yet obviously harmful as there is no other reason for these changes) to JGO have been made, which are getting restored right now.

Among other things, I am also doing a rollback to just before the infection. About two hours of messages are lost as a result of this rollback. No attempt will be made to retrieve these messages.

For the moment all moderators have lost their permissions, to prevent this from happening again.

Although the http-log (and the sum of tcp-traffic during the attack) strongly indicates there were no database dumps made, please consider your (salted hash) password and your email address compromised.

Sorry guys.

Hi, appreciate more people! Σ ♥ = ¾
Learn how to award medals... and work your way up the social rankings
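A mitigation for the moderator-to-admin escalation described in this post, written as an added example (not SMF code): a password-change authorization check that requires the actor to strictly outrank the target, demands the current password for self-service changes, and audits every attempt. The role ranks, the Account fields and all function names are assumptions.

```python
"""Authorization check for password changes, modelled on the SMF 1.x flaw
described in the post above: a moderator could edit an administrator's
profile and set a new password on it. Added example, not SMF code; the
role ranks, the Account fields and the function names are assumed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Strict role ordering: a lower rank may never administer a higher one.
RANK = {"member": 0, "moderator": 1, "admin": 2}

@dataclass
class Account:
    name: str
    role: str
    salt: bytes
    pw_hash: bytes

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash (PBKDF2-SHA256) for the stored credential."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def new_account(name: str, role: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(name, role, salt, hash_password(password, salt))

def verify_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))

# Constructed in-memory audit trail: (actor, target, allowed, reason).
AUDIT: List[Tuple[str, str, bool, str]] = []

def authorize_password_change(actor: Account, target: Account,
                              current_password: Optional[str] = None) -> bool:
    """Decide whether `actor` may set a new password on `target`.

    * Own account: allowed only after proving the current password.
    * Someone else's account: the actor must strictly outrank the target,
      so a moderator can never reset an admin (the escalation in the post).
    * Every attempt, allowed or denied, is recorded for later review.
    """
    if actor.name == target.name:
        allowed = current_password is not None and verify_password(actor, current_password)
        reason = "self-change" + ("" if allowed else " without valid current password")
    elif RANK[actor.role] > RANK[target.role]:
        allowed, reason = True, f"{actor.role} outranks {target.role}"
    else:
        allowed, reason = False, f"{actor.role} may not administer {target.role}"
    AUDIT.append((actor.name, target.name, allowed, reason))
    return allowed

if __name__ == "__main__":
    admin = new_account("site_admin", "admin", "correct horse")
    mod = new_account("some_mod", "moderator", "battery staple")
    print(authorize_password_change(mod, admin))                  # False: escalation path closed
    print(authorize_password_change(admin, mod))                  # True
    print(authorize_password_change(mod, mod, "wrong"))           # False
    print(authorize_password_change(mod, mod, "battery staple"))  # True
    for entry in AUDIT:
        print(entry)
```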
delt0r
« Reply #1 - Posted 2010-12-31 07:16:36 »

Appreciate the openness. It seems forum software across the board is pretty poor at security. I understand why GitHub forces ssh keys.


I have no special talents. I am only passionately curious.--Albert Einstein
Nate
« Reply #2 - Posted 2010-12-31 09:07:20 »

Ok, who was the moderator that got pwned? Let's all throw rocks at them!

As a side benefit, the thread title doesn't have a ridiculously long list of moderators in it anymore. Though I still have to see Riven's name on every thread. My god Riven, so vain!

Matzon
« Reply #3 - Posted 2010-12-31 09:41:36 »

To be honest, this doesn't really come as a surprise.
JGO has been running on an OOLDD SMF installation for a long time. This installation was compromised before - and there is no telling what happened back then.

As a result, I have since then disabled JS from JGO.

As with this attack and others (Gawker springs to mind) I really encourage everybody to use a per-site password. Yes, it's a lot more cumbersome, but it provides *much* better security than using a global username and password.

IMO, all accounts should be forced to reset. At the very least admin accounts.

kappa
« Reply #4 - Posted 2010-12-31 09:51:52 »

That really sucks, just when you thought SMF couldn't get any worse.
Riven
« Reply #5 - Posted 2010-12-31 10:32:37 »

> To be honest, this doesn't really come as a surprise.
> JGO has been running on an OOLDD SMF installation for a long time. This installation was compromised before - and there is no telling what happened back then.
>
> As a result, I have since then disabled JS from JGO.

Too bad (the current integrated version of) the wiki requires javascript to be injected into an iframe.

> IMO, all accounts should be forced to reset. At the very least admin accounts.

I removed all moderator roles from the members, and invalidated all passwords of the (three) admins. Further, I changed the passwords on the server and locked down some previously publicly available webservices.

Riven
« Reply #6 - Posted 2010-12-31 10:37:29 »

The problem with SMF is that its themes are PHP functions, which are directly editable from within the admin interface. The attacker modified the theme (fact!) to (probably!) dump the variables that held the username/password to the database, as a few moments later he logged in. Right then and there SMF was wide open, as now he could execute any query on the SMF database, using the same theme 'templates' (php functions).

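To detect the kind of theme edit described in this post, an added example (not SMF or JGO code) that baselines the SHA-256 of every theme template and reports anything modified, added or removed since the baseline; the directory layout, file names and contents are constructed.

```python
"""Integrity baseline for SMF theme templates, prompted by the post above:
because SMF themes are PHP functions editable from the admin panel, an
edited template is the first artefact to look for after an admin-account
compromise. Added example, not SMF code; directory and files are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(theme_dir: Path) -> Dict[str, str]:
    """Map every file under theme_dir (relative path) to its SHA-256."""
    return {str(p.relative_to(theme_dir)): file_digest(p)
            for p in sorted(theme_dir.rglob("*")) if p.is_file()}

def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify drift since the baseline; every entry deserves a human look."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, then one template is edited
    through the admin panel and a new PHP file appears in the theme."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "Themes" / "default"
        theme.mkdir(parents=True)
        (theme / "index.template.php").write_text("<?php function template_main() { }\n")
        (theme / "Login.template.php").write_text("<?php function template_login() { }\n")
        # The baseline should be stored off-box, or at least outside the web root.
        saved = json.dumps(snapshot(theme))
        # Simulated unauthorised changes made after the baseline was recorded.
        (theme / "index.template.php").write_text("<?php function template_main() { /* edited */ }\n")
        (theme / "extra.php").write_text("<?php\n")
        return compare(json.loads(saved), snapshot(theme))

if __name__ == "__main__":
    print(demo())  # {'modified': ['index.template.php'], 'added': ['extra.php'], 'removed': []}
```

In practice the baseline is taken right after a clean install or upgrade and the comparison runs from cron, alerting on any non-empty category.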
kappa
« Reply #7 - Posted 2010-12-31 10:41:28 »

Hmm, looks like a pretty organised and targeted attack, rather than your bog standard mass exploit script. If he was dumb enough to use his real ip, maybe report him, such hacking is illegal in most countries and hopefully he'll end up behind bars.

SMF 1.x has just been in bug fixing mode for the last 5 years so has fallen somewhat behind, SMF 2.0 does look a lot better, secure and has a lot more features to prevent this sort of stuff (also has much better features to prevent/control signature spam).
Riven
« Reply #8 - Posted 2010-12-31 12:21:18 »

SMF 2.0 is still in development, currently in the 'Release Candidate' phase and it is explicitly stated it must not be used in a production environment.

Too bad.

appel
« Reply #9 - Posted 2010-12-31 16:00:24 »

It was a UK based ip address. Who knows if that's a bounced ip address or not. Going after the person might result in nothing but a bunch of trouble for anyone willing to pursue it. Why bother? And law enforcement isn't quite adept at dealing with these matters, nor do they care. Someone hacking an internet forum? They'll laugh at you.

Let's just hope this person gets burned by fireworks tonight, that's karma.

Check out the 4K competition @ www.java4k.com
Check out GAMADU (my own site) @ http://gamadu.com/
ruben01
« Reply #10 - Posted 2010-12-31 17:22:16 »

Much better than a password per site, is trying to get all sites to use an openid like solution.

The best implementation that I know of is the one in the stackoverflow/stackexchange sites.

delt0r
« Reply #11 - Posted 2010-12-31 17:29:19 »

Some of us won't touch openID with a barge pole. So no, moving over to only openID is not a good idea.

I want my logins separate.

appel
« Reply #12 - Posted 2010-12-31 18:20:30 »

I don't get this open id stuff.

At this one site I had to log in with either my openid, yahoo, google or aol account or whatever.

Why the f. would I use my gmail account to login to some forum? SERIOUSLY. Who really thought this was a good idea? Just imagine the login thefts possible with all sorts of smoke and mirror phishing popups claiming to be google or whatever.

Every internet user has been taught not to give other websites their login. And now suddenly it becomes OK to give your account details to whatever popup that comes along?

So, what happens when your only account gets stolen? You're royally screwed.

Don't put all your eggs in one basket. Have multiple accounts with many distinct passwords. Use your gmail account to login to gmail, don't use it to log into newbiehax0rs.freeforums.info.

Gawwwddd... insanity I tell you. Common sense isn't that common after all.

Eli Delventhal
« Reply #13 - Posted 2010-12-31 19:48:15 »

Well this is a bummer. Any idea how the hacker got that one password? Was it phishing or something else?

I'm personally not really worried - I already gave my JGO account its own password the last time the site was hacked.

See my work:
OTC Software
ruben01
« Reply #14 - Posted 2010-12-31 19:49:32 »

I think http://xkcd.com/792/ explains the reality far better than I ever could.

People don't use one password for each site, and there is a huge list of sites which have been compromised and where the usernames and passwords were not stored safely (hashed and salted).

With the openid, google, facebook, etc solution, I don't have to trust some random site to be secure, and even a site that is important and which I would trust with some of my secure passwords could be implemented by a moron who stores the passwords in an unsafe way.

Using the openid solution, the only thing I have to do to make sure I am not getting screwed is checking the url bar, seeing that the domain is the one I think, and checking if the certificate is fine. I don't depend on how well the forum/page/wiki etc was programmed.

The only way to have custom not easy to guess passwords for every site is using some digital wallet, something like KeePass, but that is a hassle very few people are willing to have.

As long as sites feel they have the right to ask the users to generate some user/pass to access their site, things like the Gawker compromised accounts will keep happening.

Some extra info: http://www.codinghorror.com/blog/2010/12/the-dirty-truth-about-web-passwords.html

Orangy Tang
« Reply #15 - Posted 2011-01-01 01:58:22 »

As much as I agree with you and that article, I find the advice at the end somewhat impractical:

> Demand that they allow you to use your internet driver's license -- that is, your existing Twitter, Facebook, Google, or OpenID credentials -- to log into their website.

Previously I wrote something that needed log-in, and since it was built on top of Google App Engine, it was trivial to let users log in with Google credentials (or anything Google accepts as a Google ID). However this is worse than asking people to make a new username and password, i.e. directly contradicting the codinghorror advice. The simple fact is that users (even dumb users) are very reluctant to enter one set of login details for an entirely unrelated site. Even from a tech-savvy person's point of view, it looks like a bad phishing attempt.

All attempts to use a common login fail like this - Google ID, OpenID and even Verified by Visa (which is a whole catalogue of fail on its own) all look, feel and smell like a bad phishing attempt. I'd be extremely uncomfortable trying to distinguish a genuine Google/OpenID redirection login from a spoofed one, so goat knows how likely J Random User is going to do it.

[ TriangularPixels.com - Play Growth Spurt, Rescue Squad and Snowman Village ] [ Rebirth - game resource library ]
Riven
« Reply #16 - Posted 2011-01-01 21:27:15 »

Banhammers have (almost all of) their powers back!

kappa
« Reply #17 - Posted 2011-01-01 21:47:50 »

yay.

The new jgo activation page is super effective, not a single spam account created since it was added, only two new accounts and both look genuine.

bobjob
« Reply #18 - Posted 2011-01-01 22:47:34 »

As the IP address was from the UK, is the admin user also from the UK? If so it might be possible that he auto-saved his login details in a browser, in which case any person could come along and log into the site via any computer he visited.

My Projects
Games, Webcam chat, Video screencast, PDF tools.

Javagaming.org with chat room
Riven
« Reply #19 - Posted 2011-01-01 22:50:51 »

The person that was infected has reset his password, just like the admins.

Oh, and I deleted all sessions.

Riven
« Reply #20 - Posted 2011-01-02 01:58:16 »

> As a side benefit, the thread title doesn't have a ridiculously long list of moderators in it anymore. Though I still have to see Riven's name on every thread. My god Riven, so vain!

Got rid of that one too!

appel
« Reply #21 - Posted 2011-01-02 02:52:24 »

It's a takeover by Riven!!

First he comes to power, next he creates a "crisis", followed by emergency rule, and then he gets rid of all his political opponents, and only reappoints those willing to commit to his rule!!

Riven
« Reply #22 - Posted 2011-01-02 03:22:15 »

> It's a genius intervention by Riven!!
>
> He got where he is by his endless effort, suddenly he encounters a "crisis", quickly resolved by emergency action, and then he kindly requests all of his pals to take a step back to secure the site, and invites those willing to share his passion!!

Thanks for the kind words!

Every great dictator thinks what he does is best for the greater good initially. Then he discovers his powers and falls into temptation.

In other news: the new anti-spammer protection works so well that you guys might soon get your 'signature' back. Don't you love it? First I take away your freedom of expression and then I give it back partially: everybody happy with their new found freedom.

pjt33
« Reply #23 - Posted 2011-01-02 09:42:54 »

> It's a takeover by Riven!!
>
> First he comes to power, next he creates a "crisis", followed by emergency rule, and then he gets rid of all his political opponents, and only reappoints those willing to commit to his rule!!

I'm waiting for the Wikileaks exposé which uncovers the corruption funding his regime.
SimonH
« Reply #24 - Posted 2011-01-02 14:09:42 »

> In other news: the new anti-spammer protection works so well that you guys might soon get your 'signature' back.

Cool - to misquote the old adage: "Keep in the pink with siggies and drink!"

People make games and games make people
Morre
« Reply #25 - Posted 2011-01-04 08:37:33 »

Thanks for keeping us updated.

It's unfortunate that this would happen, but not terribly unexpected - as has already been pointed out, it seems forum security is often not too great.

Kiddo
« Reply #26 - Posted 2011-01-06 15:29:30 »

Wow, that's horrible.
OverKill
« Reply #27 - Posted 2011-01-07 15:06:49 »

Thanks for the update.
It would also explain the unsuccessful email login attempts.

While I do not go as far as to give each site a new and distinct password, I do have sets.
Only the top layer, high risk things have unique passwords (+ user names).
But good luck in trying to hack those.
Riven
« Reply #28 - Posted 2011-01-15 01:00:48 »

Today my smf-password was changed again... so I went to the http-log and couldn't find any trace.

In short: the server is basically fully compromised. I noticed how the SSH fingerprint had changed, so that pretty much says root-access. For anybody interested, it's c99sh.

I had so many plans with JGO, but these security issues really feel like a burden, allowing me little or no time for the features I had planned. If I am going to continue hosting this steaming pile, I will be forced to host it on a separate VPS. It will probably take a lot of time, effort and money to get things straight on my *current* server, which is pretty much f**ked up. A second VPS with an isolated SMF installation would probably have to be closely monitored and reinstalled every few months or so.

There is no way to have a secure server and run SMF on it; its developers should be shamed.

It's sad that one hacked banhammer account resulted in this ugly situation. Allowing any Moderator to become an Administrator (which can execute PHP code in the smf-admin-interface) is really SMF's fault, but here we are, browsing a compromised website.

Oh yes, and DISABLE ALL JAVASCRIPT ON JGO for your own sake.

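The changed SSH fingerprint is the signal this post rests on. As an added example (not from the page), this checks a presented host key against a recorded known_hosts entry using OpenSSH's SHA256 fingerprint format; the host name and the key bytes are constructed placeholders.

```python
"""SSH host-key fingerprint check, following the post above: a changed
fingerprint means the host key itself was replaced, which points at the
server rather than just the forum. Added example, not from the page; the
known_hosts entry and the key bytes below are constructed placeholders."""
import base64
import hashlib
from typing import Dict, Tuple

def ssh_key_blob(key_type: str, raw_key: bytes) -> bytes:
    """Build an OpenSSH public-key blob: length-prefixed type, then key bytes."""
    def field(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    return field(key_type.encode()) + field(raw_key)

def fingerprint(b64_key: str) -> str:
    """OpenSSH 'SHA256:...' fingerprint: unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each plain host name to (key type, fingerprint) from known_hosts lines."""
    recorded: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue  # comments and hashed host names are out of scope here
        hosts, key_type, b64 = line.split()[:3]
        for host in hosts.split(","):
            recorded[host] = (key_type, fingerprint(b64))
    return recorded

def check_host(recorded: Dict[str, Tuple[str, str]], host: str,
               key_type: str, presented_b64: str) -> str:
    """'ok', 'unknown' (never recorded) or 'CHANGED' (stop and investigate)."""
    if host not in recorded:
        return "unknown"
    if recorded[host] == (key_type, fingerprint(presented_b64)):
        return "ok"
    return "CHANGED"

# Constructed keys: the bytes are placeholders, not real key material.
ORIGINAL_KEY = base64.b64encode(ssh_key_blob("ssh-ed25519", bytes(range(32)))).decode()
REPLACED_KEY = base64.b64encode(ssh_key_blob("ssh-ed25519", bytes([0xAA] * 32))).decode()
KNOWN_HOSTS = f"# recorded before the incident\nforum.example.org ssh-ed25519 {ORIGINAL_KEY}\n"

if __name__ == "__main__":
    known = parse_known_hosts(KNOWN_HOSTS)
    print(check_host(known, "forum.example.org", "ssh-ed25519", ORIGINAL_KEY))  # ok
    print(check_host(known, "forum.example.org", "ssh-ed25519", REPLACED_KEY))  # CHANGED
```

A "CHANGED" result on a host you did not reinstall is the moment to treat the box as compromised, as the post does, rather than accept the new key.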
CommanderKeith
« Reply #29 - Posted 2011-01-15 03:38:02 »

Can we pool money and fund a separate private server?

Fantastic work with all the changes/improvements so far.
