Any Other Recent Attacks?

kq76 · 12-29-2009, 03:08 AM

The CBL has been attacked a couple times over the holidays. Have any other leagues? We do pretty much everything Andreas and others advised:

1) We have a separate ftp account just for exports and reports and we limit that account's access to just those folders (we could do separate for each I suppose, but I don't see how it would much matter as long as this account doesn't have access to our forum which is serious effort to redo while redoing the reports/exports folders aren't that much of a bother);

2) We don't make the location of our install files public (we do have it show for current members though and I suppose a gibberish named folder and file would be better as it'd probably be fairly easy as it is now to find with just guesses);

3) When we get attacked we change the ftp account and folder it accesses (this is a pain for our users because then they have to manually update which isn't so easy for everyone now that most of us normally update via the game);

4) We're actually pretty good about staying on top of forum software updates.

Come to think of it, I think I do like Alan T's advice of not using OOTP for uploading the reports at all and then separating it from the account that is needed for exports as then that might help narrow it down as to whether it's the exports or the reports that are vulnerable. I think we'll try that next as IIRC our commish doesn't use the game to upload reports anyway. I think we'll still keep it restricted though because I'm afraid they might somehow be getting in via the reports. There's no input field in them that I'm aware of, but maybe there's something that I'm missing like URL parameters.

Since only our reports are being compromised at the moment (thank heavens it's not our forums), that tells me it is likely something to do with the game. Either the ftp info is getting decrypted from the files or the reports are somehow vulnerable.

We do use Getch's, but it looks clean so far.

Only the commish had that ftp account's info and his computer is apparently clean.

I'm going to read some more, including Fidel's link from that other thread, but does anyone have any other ideas that we should try?

Alan T · 12-29-2009, 07:51 AM

The most important thing to do when you have been attacked is to verify where you are being attacked at. Look at your server logs at the time of the attack and verify who was attacking you (what IP address) and their method of attacking (did they use some http exploit of one of your applications, did they use the actual ftp username/password and if so which one, etc?)

Unless you really know how they are breaking in, it makes this process somewhat like trying to pick up fish with a string.

12-29-2009, 03:08 AM	#1 (permalink)
kq76 Global Moderator Join Date: Nov 2002 Location: Vancouver Posts: 7,623 Thanks: 282 Thanked 332x in 190 posts	Any Other Recent Attacks? The CBL has been attacked a couple times over the holidays. Have any other leagues? We do pretty much everything Andreas and others advised: 1) We have a separate ftp account just for exports and reports and we limit that account's access to just those folders (we could do separate for each I suppose, but I don't see how it would much matter as long as this account doesn't have access to our forum which is serious effort to redo while redoing the reports/exports folders aren't that much of a bother); 2) We don't make the location of our install files public (we do have it show for current members though and I suppose a gibberish named folder and file would be better as it'd probably be fairly easy as it is now to find with just guesses); 3) When we get attacked we change the ftp account and folder it accesses (this is a pain for our users because then they have to manually update which isn't so easy for everyone now that most of us normally update via the game); 4) We're actually pretty good about staying on top of forum software updates. Come to think of it, I think I do like Alan T's advice of not using OOTP for uploading the reports at all and then separating it from the account that is needed for exports as then that might help narrow it down as to whether it's the exports or the reports that are vulnerable. I think we'll try that next as IIRC our commish doesn't use the game to upload reports anyway. I think we'll still keep it restricted though because I'm afraid they might somehow be getting in via the reports. There's no input field in them that I'm aware of, but maybe there's something that I'm missing like URL parameters. Since only our reports are being compromised at the moment (thank heavens it's not our forums), that tells me it is likely something to do with the game. Either the ftp info is getting decrypted from the files or the reports are somehow vulnerable. We do use Getch's, but it looks clean so far. Only the commish had that ftp account's info and his computer is apparently clean. I'm going to read some more, including Fidel's link from that other thread, but does anyone have any other ideas that we should try? __________________ Useful Links: Manuals \| Downloads \| Newsletters \| Knowledge Base \| New Tech Support \| Updated Forum Rules Interactive Online League Directory - find or advertise a league today! Canadian Baseball League - uses OOTP11, running steadily since April 2002 Last edited by kq76; 12-29-2009 at 03:11 AM.

12-29-2009, 07:51 AM	#2 (permalink)
Alan T Moderator Join Date: Mar 2002 Location: Mass. Posts: 1,963 Thanks: 15 Thanked 136x in 94 posts	The most important thing to do when you have been attacked is to verify where you are being attacked at. Look at your server logs at the time of the attack and verify who was attacking you (what IP address) and their method of attacking (did they use some http exploit of one of your applications, did they use the actual ftp username/password and if so which one, etc?) Unless you really know how they are breaking in, it makes this process somewhat like trying to pick up fish with a string. __________________ - Front Office Offseason League. (Fast Paced OOTP-X and OOTP11 leagues, sims one season every week)

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode