OOTP Developments Forums > Out of the Park Baseball 9 > OOTP 9 - Online Leagues > OOTP Commissioner's Corner
#41 | 11-17-2008, 12:29 PM
All Star Starter | Join Date: Mar 2002 | Location: Mass. | Posts: 1,249 | Thanked 56x in 38 posts
Quote:
Originally Posted by Getch
There's a 20-char limit on the passwords.

What exactly happened? Did the entire site get hacked, or just the league HTML files? I could see how possibly you could use my utils to modify the league HTML files if someone got access as an admin.

Getch, I haven't had a site get attacked, but from what people say, it sounds like a standard iframe insertion. What is happening is the league's main page, I assume, is being modified with a small line of HTML code added to insert an iframe pointing at a specific offsite URL. That is all that is being done in this attack.
-- Alan T

#42 | 11-17-2008, 12:50 PM
All Star Reserve | Join Date: Jan 2006 | Posts: 534 | Thanked 9x in 6 posts
Heh, just because you haven't been infected doesn't mean it isn't my utilities. However, if files beyond the league HTML files are infected, that would rule out one idea I had.

If it happens again, I would look at the timestamps of the files in the OOTPOU directory and subdirectories. With the exception of logging in, anything inputted or done within OOTPOU is written to a file, which would have its timestamp updated.
__________________
Get my OOTP Online Utilities for online leagues! One utility, NINE tools:

1. All Star Voting Utility
2. End of Season Awards Utility
3. Development Tracker
4. Draft Utility
5. Export Tracker
6. Hall of Fame Voting Utility
7. Last Sim Utility
8. Manager's Page
9. Ratings Reports

OOTPOU for OOTP 9
OOTPOU for OOTP X
Latest OOTPOU Patch for OOTP X
Readme
-- Getch

#43 | 11-17-2008, 01:03 PM
All Star Starter | Join Date: Mar 2002 | Location: Mass. | Posts: 1,249 | Thanked 56x in 38 posts
Quote:
Originally Posted by Getch
Heh, just because you haven't been infected doesn't mean it isn't my utilities. However, if files beyond the league HTML files are infected, that would rule out one idea I had.

If it happens again, I would look at the timestamps of the files in the OOTPOU directory and subdirectories. With the exception of logging in, anything inputted or done within OOTPOU is written to a file, which would have its timestamp updated.
I actually don't use your utilities. I just am trying to help people find out what is causing their problem. I had given the same suggestion that you just did. (except I suggested looking through the http and ftp logs on the server. I am unaware of what logging your utility also does).
-- Alan T

#44 | 11-17-2008, 06:17 PM
Hall Of Famer | Join Date: Nov 2004 | Posts: 5,028 | Thanked 13x in 6 posts
Quote:
Originally Posted by Getch
Heh, just because you haven't been infected doesn't mean it isn't my utilities. However, if files beyond the league HTML files are infected, that would rule out one idea I had.

If it happens again, I would look at the timestamps of the files in the OOTPOU directory and subdirectories. With the exception of logging in, anything inputted or done within OOTPOU is written to a file, which would have its timestamp updated.
Actually, the activity of the login form is where we need to monitor.
__________________
Fidel Montoya

Asahi2 Baseball Commissioner(Historical League Since 2004)
www.allsimbaseball.com (OOTP web hosting - Customized sites for online leagues - No website knowledge necessary!)
Share Your Mods - Free, unlimited and easy to upload to share your Mods instantly(free site registration required)

Last edited by f.montoya; 11-17-2008 at 06:25 PM.
-- f.montoya

#45 | 11-17-2008, 11:02 PM
Hall Of Famer | Join Date: Apr 2002 | Location: Ft Smith AR | Posts: 2,679 | Thanked 44x in 24 posts
The JL and the NPBL both use SMF forums software, and we both got spammed over the past week. We both updated to the new version, and haven't seen anything since, but this is either a coincidence, or it's connected somehow to the php hacks on the other leagues' sites.
-- satchel

#46 | 11-17-2008, 11:04 PM
Hall Of Famer | Join Date: Nov 2002 | Posts: 2,284 | Thanked 26x in 11 posts
I don't really know much more about this hacking thing with regards to the OOTPOU than Getch does, but I did think of one thing. A potential problem with the OOTPOU is that the passwords are stored unencrypted, so if your commish is using the same ID/password combo for the utils that he's using for the website, you'd be compromising your security.
__________________
StatsLab - SQL based utilities for Online Leagues
- Patch #1
- Patch #2
The Baseball Saga - My fictorical replay dynasty thread (HTML)
-- fhomess

#47 | 11-18-2008, 03:01 PM
All Star Reserve | Join Date: Jan 2006 | Posts: 534 | Thanked 9x in 6 posts
Quote:
Originally Posted by fhomess
I don't really know much more about this hacking thing with regards to the OOTPOU than Getch does, but I did think of one thing. A potential problem with the OOTPOU is that the passwords are stored unencrypted, so if your commish is using the same ID/password combo for the utils that he's using for the website, you'd be compromising your security.
Yep. That plus I am sure many owners (or ex owners) never changed their password, so logging in to a user generally is not hard (I've done it many times on sites that needed help with something. Just try some users until 'baseball' let me in).

I really feel that if my utils had a security breach, it'd be somewhere as a user logged in. However, where is up in the air. Simply getting the server logs, as well as looking at the timestamps of files that changed at the time of the hack, will go a long way to solving this issue, rather than guessing at what it might be.
-- Getch
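fhomess's point that OOTPOU stores passwords unencrypted, and Getch's that many owner accounts still sit on a guessable default, are the two storage-side problems a commissioner would want fixed. The following is an added example, not code from OOTPOU or from anyone in this thread: it stores passwords as salted PBKDF2-HMAC-SHA256 records, verifies a login in constant time, converts an existing plaintext table in one pass, and reports which accounts must be forced through a reset before the migrated table goes live. The record format, the ITERATIONS value and the shape of the plaintext table are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as the host allows.
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'.

    A fresh 16-byte random salt is drawn unless one is supplied, so two users
    who share a password (the 'baseball' default, say) get different records.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Check a candidate password against a stored record; comparison is constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:          # malformed or still-plaintext record
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def migrate_plaintext(users):
    """One-shot conversion of an assumed {username: plaintext} table to hashed records.

    The plaintext file should be deleted once the hashed table is in place.
    """
    return {user: hash_password(pw) for user, pw in users.items()}


def accounts_on_default(users, defaults=("baseball",)):
    """Usernames whose plaintext password is a known default; run before migration
    so those accounts can be reset rather than carried over."""
    return sorted(user for user, pw in users.items() if pw in defaults)


if __name__ == "__main__":
    # Constructed sample table, not real league data.
    old_table = {"commish": "S3cr3t-pa55", "owner12": "baseball", "owner07": "baseball"}
    print("still on default password:", accounts_on_default(old_table))
    new_table = migrate_plaintext(old_table)
    print("commish login ok:", verify_password("S3cr3t-pa55", new_table["commish"]))
    print("wrong password ok:", verify_password("baseball", new_table["commish"]))
```

Because each record carries its own algorithm name and iteration count, the work factor can be raised later and old records re-hashed on the user's next successful login, without a second migration.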
#48 | 11-18-2008, 05:17 PM
All Star Reserve | Join Date: Jan 2006 | Posts: 534 | Thanked 9x in 6 posts
Hey guys,

I found a way to be able to edit files on the server from OOTPOU. It doesn't require being logged in either. I will patch it up as well as try to find other similar ways of doing it.

Of course, this might not be how he pulled it off. You'd only figure it out by staring at my code until you saw how you could hack the URL to do it. But, I was able to create a file on the file system, so it should be fixed.
-- Getch

#49 | 11-18-2008, 06:04 PM
Hall Of Famer | Join Date: Nov 2004 | Posts: 5,028 | Thanked 13x in 6 posts
Quote:
Originally Posted by Getch
Hey guys,

I found a way to be able to edit files on the server from OOTPOU. It doesn't require being logged in either. I will patch it up as well as try to find other similar ways of doing it.

Of course, this might not be how he pulled it off. You'd only figure it out by staring at my code until you saw how you could hack the URL to do it. But, I was able to create a file on the file system, so it should be fixed.
Nice going Getch!! Usually a hack job like this past week is just someone who doesn't stare at code (even though it's available if he really wanted to find it) but just throws out a bunch of things until something works, or until all attempts fail, and then he moves on. He obviously knows the file hierarchy within forum software and never directly attacks his doorway.

As an update, it turns out that the 5th league that uses OOTPOU, that didn't get hit, was hiding all links to the utility from the public. Login and account verification via Mambo was necessary before the links, including login, were shown. Although the URLs themselves were public, at first glance, the hacker intent on using OOTPOU may have thought it didn't exist and moved on.

Anyway Getch, a quick Google on iframes and other injection methods could give you the same kind of list that the bad guy is using. That may also help.

Thanks again! We certainly appreciate your looking into this.
-- f.montoya

#50 | 11-18-2008, 06:37 PM
All Star Reserve | Join Date: Feb 2007 | Posts: 777
I certainly hope it wasn't OOTPOU that was exploited and I've never stated I thought it was. I appreciate Getch being proactive and taking steps to make his utilities more secure.
-- gollum65

#51 | 11-18-2008, 07:25 PM
Hall Of Famer | Join Date: Jul 2005 | Location: Minnesota | Posts: 4,232 | Thanked 41x in 22 posts
Ever since Fidel switched forums and we started over with a new database, no more problems, so thanks for that, Fidel.
__________________
http://vmlb.allsimbaseball3.com/

From the wise mind of Davey Eckstein: "Now all you need is a signature. A quote or initial, perhaps."
-- molarmite

#52 | 11-18-2008, 09:18 PM
Minors (Double A) | Join Date: Mar 2003 | Location: newport beach | Posts: 131
for the record, the rude island baseball congregation loves us some fidel montoya.
-- yajeflow

#53 | 11-23-2008, 07:38 AM
Hall Of Famer | Join Date: Nov 2004 | Posts: 5,028 | Thanked 13x in 6 posts
Quote:
Originally Posted by yajeflow
for the record, the rude island baseball congregation loves us some fidel montoya.
-- f.montoya

#54 | 12-03-2008, 07:58 AM
All Star Reserve | Join Date: Feb 2007 | Posts: 777
Ok guys. My site was attacked twice more since I made my last post in this thread. This morning was the 2nd time, and this time they edited every single index.php file on my website. I lost count after 17. I have time stamps on all these files. I have the site saving logs for each day. The only thing I don't know is how to find out how the files were accessed. If anyone can tell me what log to look in and how to tell what was used to edit the files, please do so. commish(at)ashmaplebaseball.info is my email.
-- gollum65

#55 | 12-03-2008, 10:06 AM
All Star Reserve | Join Date: Aug 2007 | Posts: 818 | Thanked 67x in 21 posts
Quote:
Originally Posted by gollum65
Ok guys. My site was attacked twice more since I made my last post in this thread. This morning was the 2nd time, and this time they edited every single index.php file on my website. I lost count after 17. I have time stamps on all these files. I have the site saving logs for each day. The only thing I don't know is how to find out how the files were accessed. If anyone can tell me what log to look in and how to tell what was used to edit the files, please do so. commish(at)ashmaplebaseball.info is my email.
Are you still using Getch's utilities?
__________________
Commissioner of the Planetary Extreme Baseball Alliance (PEBA) and the League of the Rising Sun (LRS)
Premiere OOTP fictional leagues where creativity counts and imagination is your only limitation
Check for openings - contact us today!
-- Corsairs

#56 | 12-03-2008, 10:14 AM
Global Moderator | Join Date: Feb 2006 | Location: Here | Posts: 5,161 | Blog Entries: 2 | Thanked 63x in 40 posts
Just been chatting to gollum about this.

I raised an issue with Andreas a couple of days after this thread started about a potential problem and was promised an emergency patch the following day which hasn't materialised.

I don't know if this is how the hacker(s) have been compromising sites, but I was able to find the IP address of gollum's hacker within a couple of minutes of downloading his league and logging in to his ftp site and reading the log files. I could have quite easily at that point done all sorts of things to his site.

Until the emergency patch comes out there's nothing that can be done to prevent this potential way in, unless you are able to set up a separate FTP user that only has access to the OOTP directories and no access to forums, etc.

I'm not going to give the details of how this is done (for the obvious reasons that a searchable and indexed forum would put it into the public domain).

*waits for the proverbial to hit the fan now*

Last edited by Tony M; 12-03-2008 at 10:18 AM.
-- Tony M
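gollum65 asked in #54 which log shows how the index.php files were edited, and Tony M answered in #56 by reading the FTP log files on the site. The script below is an added example, not code from anyone in this thread or from OOTP, showing the three checks a commissioner would run after a defacement like the one described earlier: list files under the web root changed after a given time, flag .php/.html files that contain an iframe pointing off-site, and parse FTP transfer-log lines in the common xferlog format (written by wu-ftpd, vsftpd and proftpd when configured to) to show which remote address and FTP account uploaded each flagged file. The directory layout, the own-site hostname, and every log line are constructed for the example; the real run replaces the temporary directory with the web root and the list with the server's actual xferlog, whose location and format depend on the FTP server's configuration.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta
from urllib.parse import urlparse

# An <iframe ...> whose src attribute is an absolute http(s) URL.
IFRAME_RE = re.compile(
    r'<iframe\b[^>]*\bsrc\s*=\s*["\']?(https?://[^"\'\s>]+)', re.IGNORECASE)

# One xferlog record: timestamp, transfer seconds, remote host, bytes, path,
# type (a/b), special flag, direction (i = upload, o = download, d = delete),
# access mode, user, service, auth method, auth user id, completion status.
XFERLOG_RE = re.compile(
    r'^(?P<when>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<secs>\d+) '
    r'(?P<host>\S+) (?P<size>\d+) (?P<path>\S+) (?P<type>[ab]) (?P<special>\S+) '
    r'(?P<dir>[iod]) (?P<mode>[arg]) (?P<user>\S+) (?P<service>\S+) '
    r'(?P<auth>\d) (?P<authid>\S+) (?P<status>[ci])$')


def modified_since(root, since):
    """(path, mtime) for every file under root whose mtime is after `since`, oldest first."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path))
            if mtime > since:
                found.append((path, mtime))
    return sorted(found, key=lambda item: item[1])


def find_foreign_iframes(root, own_hosts):
    """Map path -> list of off-site iframe URLs for .php/.html files under root."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".php", ".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            foreign = [url for url in IFRAME_RE.findall(text)
                       if urlparse(url).hostname not in own_hosts]
            if foreign:
                hits[path] = foreign
    return hits


def parse_xferlog(lines):
    """Parse xferlog lines into dicts; lines in any other format are skipped, not guessed at."""
    records = []
    for line in lines:
        match = XFERLOG_RE.match(line.strip())
        if match:
            rec = match.groupdict()
            rec["when"] = datetime.strptime(rec["when"], "%a %b %d %H:%M:%S %Y")
            records.append(rec)
    return records


def uploads_of(records, paths):
    """Map each suspect path to the (when, host, user) of every upload that wrote it."""
    suspects = set(paths)
    who = {}
    for rec in records:
        if rec["dir"] == "i" and rec["path"] in suspects:
            who.setdefault(rec["path"], []).append((rec["when"], rec["host"], rec["user"]))
    return who


def demo():
    """Run the three checks over a constructed mini-site and constructed log lines."""
    root = tempfile.mkdtemp(prefix="league_")
    os.mkdir(os.path.join(root, "forum"))
    clean = os.path.join(root, "index.php")
    tampered = os.path.join(root, "forum", "index.php")
    with open(clean, "w", encoding="utf-8") as fh:      # legitimate same-site iframe
        fh.write('<?php include "header.php"; ?>\n'
                 '<iframe src="http://league.example/standings.html"></iframe>\n')
    with open(tampered, "w", encoding="utf-8") as fh:   # injected hidden off-site iframe
        fh.write('<?php include "header.php"; ?>\n'
                 '<iframe src="http://bad.example/x" width="0" height="0"></iframe>\n')
    # Constructed log lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    log_lines = [
        f"Tue Dec  2 21:40:17 2008 2 198.51.100.7 80211 {root}/league.zip b _ o r leagueftp ftp 0 * c",
        f"Wed Dec  3 06:12:01 2008 1 203.0.113.5 1432 {tampered} a _ i r leagueftp ftp 0 * c",
    ]
    changed = modified_since(root, datetime.now() - timedelta(hours=1))
    foreign = find_foreign_iframes(root, {"league.example"})
    who = uploads_of(parse_xferlog(log_lines), foreign)
    return changed, foreign, who


if __name__ == "__main__":
    changed, foreign, who = demo()
    for path, mtime in changed:
        print("changed", mtime.strftime("%Y-%m-%d %H:%M:%S"), path)
    for path, urls in foreign.items():
        print("off-site iframe in", path, urls, "uploaded by", who.get(path))
```

The file timestamps tell you when; the transfer log tells you which account and which address did it, which is the piece needed to decide whether it was a stolen FTP credential (rotate it, and narrow that account to the export and report directories) or something else entirely.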
#57 | 12-03-2008, 10:33 AM
All Star Reserve | Join Date: Feb 2007 | Posts: 777
When Tony says "within a couple of minutes", he's being modest. We had been trading PMs about this, and while he was writing one, he went from "can I look at the logs" to "here's the hacker's information and what files he hacked".

Needless to say I'm STUNNED and very angry that an apparent exploit exists in OOTP9 that was known about by the developers and nothing has been done to correct it yet. This needs to be resolved NOW! Every OOTP Online League site is at risk until it is!

The good news is, this appears to get Getch off the hook, or at least in these cases.
-- gollum65

#58 | 12-03-2008, 10:46 AM
Global Moderator | Join Date: Feb 2006 | Location: Here | Posts: 5,161 | Blog Entries: 2 | Thanked 63x in 40 posts
Until this patch comes out there are two things that can be done to remove this potential exploit.

1) Create an FTP user that only can access the exports and reports directory and use that in the Online League options
2) Remove any public link to the league file. If you have a new GM, give them a link in email. If the league can't be downloaded then you can't get the details you need to log in.
-- Tony M

#59 | 12-03-2008, 10:47 AM
Global Moderator | Join Date: Feb 2006 | Location: Here | Posts: 5,161 | Blog Entries: 2 | Thanked 63x in 40 posts
Of course, it could be that it is still another way that is being exploited to perform these hacks, but hopefully that's something we can find out soon.
-- Tony M

#60 | 12-03-2008, 11:51 AM
Hall Of Famer | Join Date: Nov 2004 | Posts: 5,028 | Thanked 13x in 6 posts
Guys, this is scary. I have some 50+ online leagues that I host. I didn't even need to know how it was done to figure out how to do it (I got into my own site in 15 minutes).

The bad guy can easily plop in a piece of code and he can pretty much overwrite any index file he knows of (and that's a lot if you are using popular CMSs and community forum software).

PLEASE get this patched Andreas and Markus!!!
-- f.montoya