
Messages - s3v

#16
Forum Games / Re: Your Banned (Game)
May 08, 2012, 08:34:03 PM
Banned for keeping track of time!  ;D
#17
To add on to what Kevin said... We believe he went on through a proxy Ryan was running (proxy.allgofree.org) and proceeded to use an SQL Injection to gain administrative access to the site and database. Being that he was on Ryan's proxy, the server recognized him as 127.0.0.1 (basically thought he was Ryan), and that's why his attacks went relatively unnoticed. Alternatively, he could also have exploited the actual Linux computer used to host the proxy and forum. That would explain why he maintained privileges for an extended period of time.

After using DROP to delete the tables and effectively delete player stats, he proceeded to create more Admin accounts for himself to use. At this point the AllGoFree staff caught on to what he was doing, and began to secure the forums. This was the end of the road for Aaron. For his last stunt, he messed around with Kevin's profile and tried to demote legitimate Admins.

The AllGoFree team was quick to respond, with Ryan revoking MySQL privileges that weren't needed and restoring from a backup. I only jumped on the team about a day after the initial attack, so I definitely have to give a lot of credit to the Admins, Mods, and Players that helped to get WorldScape up and running again. The server and IP logs AllGoFree had were an essential part to figuring out who was behind the attack. Matching the server logs with the IPs of players who logged in led us to believe it was Aaron (Program) and Luke (Mute).

Quote
May  5 15:04:46 debiang5 afpd[21872]: done
May  5 15:05:15 debiang5 suhosin[22004]: ALERT - configured GET variable value length limit exceeded - dropped variable 'sql_tbl_insert_q' (attacker '75.152.105.45', file '/mnt/zsites/allgofree/blitz/smf/Themes/The_Killing_SMF2/scripts/theme.php')
May  5 15:06:01 debiang5 /USR/SBIN/CRON[22070]: (ry60003333) CMD (java -jar /home/ry60003333/ServerStatus/ServerStatusJob.jar)
May  5 15:06:46 debiang5 suhosin[22104]: ALERT - configured GET variable value length limit exceeded - dropped variable 'sql_query' (attacker '75.152.105.45', file '/mnt/zsites/allgofree/blitz/smf/Themes/The_Killing_SMF2/scripts/theme.php')
May  5 15:06:50 debiang5 suhosin[22104]: ALERT - configured GET variable value length limit exceeded - dropped variable 'sql_tbl_insert_q' (attacker '75.152.105.45', file '/mnt/zsites/allgofree/blitz/smf/Themes/The_Killing_SMF2/scripts/theme.php')
May  5 15:08:08 debiang5 suhosin[22100]: ALERT - configured request variable name length limit exceeded - dropped variable 'COOKIE%3Bpma_collation_connection%3B%2F%3Bphpmyadmin_allgofree_org' (attacker '75.152.105.45', file '/mnt/zsites/Sites/proxy/index.php')



After directly asking the two through Skype, they admitted to hacking WorldScape!
Quote
[5/5/12 3:55:39 PM] Aaron: It wasn't me, so you should double check whatever proof you think you have.
[5/5/12 3:55:44 PM] Ryan : http://www.allgofree.org/pics/evidence/
[5/5/12 3:55:48 PM] Ryan : http://www.allgofree.org/pics/evidence/evidence_1.png
[5/5/12 3:55:50 PM] Ryan : Hacker account.
[5/5/12 3:55:59 PM] Kevin added Seva to this chat
[5/5/12 3:56:01 PM] Ryan : Hid the IP
[5/5/12 3:56:05 PM] Ryan : logged into game
[5/5/12 3:56:05 PM] Ryan : http://www.allgofree.org/pics/evidence/evidence_2.png
[5/5/12 3:56:07 PM] Ryan : Real IP
[5/5/12 3:56:12 PM] Ryan : IP Lookup
[5/5/12 3:56:12 PM] Ryan : http://www.allgofree.org/pics/evidence/evidence_3.png
[5/5/12 3:56:13 PM] Ryan : ding ding ding
[5/5/12 3:56:17 PM] Ryan : so that's magic right?
[5/5/12 3:56:24 PM] Aaron: Hey!
[5/5/12 3:56:29 PM] Aaron: You're smarter than I thought!
[5/5/12 3:56:36 PM] Kevin: You're dumber than I thought
[5/5/12 3:57:14 PM] Luke: Sooooooo....
[5/5/12 3:57:31 PM] Aaron: It's not like I broke anything anyway. Backups ftw xD
[5/5/12 3:57:43 PM] Aaron: You're just mad that someone got through your security.
[5/5/12 3:57:53 PM] Luke: http://t3.gstatic.com/images?q=tbn:ANd9GcRYWv309EKaK_s-Jk8VVVYquZrG5OXz3ZtpNXtnYDT41cwfh8Wgpg
[5/5/12 3:58:15 PM] Ryan : No
[5/5/12 3:58:18 PM] Ryan : I'm mad
[5/5/12 3:58:19 PM] Ryan : because
[5/5/12 3:58:20 PM] Ryan : you messed
[5/5/12 3:58:22 PM] Ryan : with my
[5/5/12 3:58:24 PM] Ryan : website
[5/5/12 3:58:25 PM] Ryan : :)

So that should wrap up the whole ordeal. Hopefully we can just leave this in the past and move on with our lives. The proper actions have been taken against both Aaron and Luke. They have both been banned, Aaron's parents were contacted to make sure they knew what he had done, and a formal investigation was started by his ISP (Telus). Understanding that Luke acted as nothing more than a "cheerleader", his account was permanently banned from WorldScape.

No passwords or user information was compromised as a result of this attack. I hope that answers some questions you might have had.

- Seva
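
An added example, not part of the original post or AllGoFree's own tooling: a small Python triage script for suhosin ALERT lines in the syslog format quoted above. It groups alerts by the address suhosin recorded and marks loopback sources, since a request relayed by a proxy on the same host shows up as 127.0.0.1. The sample lines, host name, paths and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Suhosin syslog ALERT line, in the shape quoted in the post.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssuhosin\[\d+\]:\sALERT - "
    r"(?P<reason>.+?) - dropped variable '(?P<var>[^']*)' "
    r"\(attacker '(?P<ip>[^']*)', file '(?P<file>[^']*)'\)\s*$"
)

# Constructed sample lines (documentation-range IP, shortened paths).
SAMPLE_LOG = """\
May  5 15:05:15 web1 suhosin[22004]: ALERT - configured GET variable value length limit exceeded - dropped variable 'sql_tbl_insert_q' (attacker '203.0.113.7', file '/srv/forum/Themes/x/scripts/theme.php')
May  5 15:06:01 web1 /USR/SBIN/CRON[22070]: (user) CMD (java -jar /home/user/job.jar)
May  5 15:06:46 web1 suhosin[22104]: ALERT - configured GET variable value length limit exceeded - dropped variable 'sql_query' (attacker '203.0.113.7', file '/srv/forum/Themes/x/scripts/theme.php')
May  5 15:08:08 web1 suhosin[22100]: ALERT - configured request variable name length limit exceeded - dropped variable 'COOKIE%3Bpma_collation_connection' (attacker '127.0.0.1', file '/srv/proxy/index.php')
"""

def summarize_alerts(log_text):
    """Group suhosin ALERT lines by the source address suhosin recorded."""
    summary = defaultdict(lambda: {"count": 0, "variables": set(), "files": set(),
                                   "first": None, "last": None, "loopback": False})
    for line in log_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # not a suhosin alert (cron, afpd, ...)
        entry = summary[m["ip"]]
        entry["count"] += 1
        entry["variables"].add(m["var"])
        entry["files"].add(m["file"])
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
        # Requests relayed by a proxy on the same host arrive from loopback,
        # so the recorded address is the proxy, not the client.
        entry["loopback"] = m["ip"] in ("127.0.0.1", "::1")
    return dict(summary)

def sql_named_variables(summary):
    """Addresses whose dropped variables carry SQL-looking names."""
    return {ip: sorted(v for v in e["variables"] if "sql" in v.lower())
            for ip, e in summary.items()
            if any("sql" in v.lower() for v in e["variables"])}

if __name__ == "__main__":
    for ip, e in summarize_alerts(SAMPLE_LOG).items():
        print(ip, e["count"], e["first"], e["last"], sorted(e["files"]), e["loopback"])
```

Entries flagged as loopback need to be matched against the proxy's own access log to recover the real client address.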
#18
General (WS) / Re: Who?
May 08, 2012, 01:31:37 PM
Thanks everyone! Appreciate the warm welcome.  ;D
#19
Quote from: nate on May 07, 2012, 09:21:51 PM
wouldn't that be the first thing to change if you were going to hack this website?

You would think, right? We can't go too in-depth with the details at this current point in time, but in the near future we will have a full report of the breach. I will say though, the evidence is plentiful.
#20
General (WS) / Re: Who?
May 07, 2012, 08:02:13 PM
Sorry, I never formally introduced myself. Indeed, I am Seva. Currently I'm here because of the recent security breach, trying to clean things up and make sure Worldscape is more secure for all the players. I usually hang around RuneRebels and Worldscape, but most of my work here is done behind the scenes. If you have any questions or concerns, feel free to leave a response or message me.

Thanks :D