?

Log in

No account? Create an account
Shit has, as they say, gotten meta. - Baxil [bakh-HEEL'], n. My Sites [Tomorrowlands] [The TTU Wiki] [Photos]
View My LJ [By Tag]


June 18th, 2011
09:24 pm
[User Picture]

[Link]

Previous Entry Share Next Entry
Shit has, as they say, gotten meta.
Hey, folks! Life goes on, and after a long week at work (and a scare with my car -- which was resolved by an unexpected act of generosity on my bosses' part), I'm trying to get back into the swing of things. And meanwhile, things have been more eventful than usual out in the land of:

[Ponies and Pegasi]


First of all, due to RL time concerns, bossgoji has withdrawn as player liaison/co-organizer for the D&D portion of the board. I would still like to make the Pony/D&D4e game occur, though; I've already ordered a 4th Edition PHB so I can chew through the rules conversion in my away-from-computer time (which will help a lot). I'll post a new timeline for game start on the board itself.

Assuming that the forum's not destroyed by a vengeful goddess in the meantime.

That sounds like a joke, I know. But I think the joke's on me.

I happened to have the OOC board index up today when my browser crashed. So I had to reopen the page, and I wasn't logged in when it did. A thread by "Princess Luna" appeared out of nowhere:



I didn't realize the significance of that right away. (My first reaction was, "Huh, who registered that? Everybody should be making original characters - we've discouraged direct use of show canon.")

But then I logged in to my account ... and the thread vanished again. I'm a board administrator. I should be seeing everything.

I took screenshots:

what everyone else sees | what I see


Check them out side by side. The more you look, the more disturbing it gets.

My immediate thought at that point was -- okay, as cool as this is (it's kind of a compliment for someone to go through so much effort for me, you know?), I've been hacked and I need to do damage control.

I started my info-gathering by cross-referencing the post date against the Apache logs, which is when I discovered: There are no HTTP requests corresponding to "Luna's" edits. Even my own board access shows up in the Apache logs, and to scrub them would require rooting the box. In layman's terms -- someone appears to have hacked our entire server, in a very precise and subtle way, just to register a forum account behind my back.

They've been remarkably thorough. Just for one example: I can't even see their user profile (and it appears to be encrypted in the database files). Can someone who has already registered a Pony4e account go to tomorrowlands.org/pony/YaBB.pl?action=viewprofile;username=luna and tell me what shows up? Be careful -- the profile data is small enough (<1kb) that I doubt there are any viruses, but I can't assume anything at this point.

At this point, I have no idea what "Luna" wants, and I'm kind of afraid to let them know that I've spotted them (hence only discussing it in my locked LJ post). Clearly they outclass me in the cracking department. This person's motives seem innocent so far, but if they get angry, they undoubtedly have the capability to take my whole website down -- and about 60 others with it.

For now, I think I need to play dumb and do some info-gathering. Any suggestions?

UPDATE, 2 a.m.: Tlands is currently down. OH GOD SHE'S HACKED IN HERE TOO. ... Except Inaki says it looks like an unrelated network issue (we've had a few in the last couple weeks), site should be fine, and is talking to the data center. In hindsight, I'm starting to wonder ...

(Update, 5/2012: Entry made public for posterity.)

Current Location: ~/Brainstorm
Current Mood: scaredscared
Current Music: The Infinity Project, "Stimuli"
Tags: , ,

(31 comments | Leave a comment)

Comments
 
[User Picture]
From:elynne
Date:June 19th, 2011 04:40 am (UTC)
(Link)
Holy crap. Uh... yeah, I can see the profile. Here's some copypasta:

Princess Luna
Shadow Admin
*****
Offline
Always in my sister's
shadow.

Posts:
2
0.00 Posts per day
Date Registered:
Dec 31st, 1999 at 11:59pm
4186 Days since joining
Location: Hacked into system

Bolded for emphasis. I'll take screenshots, let me know if you'd like me to email them to you. For someone that's blatantly hacked into your server, it's very much... completely in character. I have -no idea- how to do anything about this on a technical level, sorry. XD
[User Picture]
From:elynne
Date:June 19th, 2011 04:43 am (UTC)
(Link)
The "About Me" links to the Wikipedia article about Princess Luna.
[User Picture]
From:baxil
Date:June 19th, 2011 06:59 am (UTC)
(Link)
Thanks ... Nothing terribly sinister, then, beyond the open admission (some sort of dare?). The server admin doesn't see anything amiss yet, either. As I said, without knowing "Luna's" goal, it may be safest for me to wait and watch.
(Deleted comment)
[User Picture]
From:baxil
Date:June 19th, 2011 06:24 am (UTC)
(Link)
Here's where it gets even weirder/creepier: the board is YaBB, which has a PERL back-end and a flat file storage scheme. MySQL injection would have made a great deal of sense, but there is no database to access, not without shell access.

(And before you ask, my board password is different from any of my other passwords - email, lj, server, etc. And i recognize all of my logins in the system logs, unless "Luna" wiped those records too, which brings us back to the root problem...)
(Deleted comment)
(Deleted comment)
[User Picture]
From:kevynjacobs
Date:June 19th, 2011 05:47 am (UTC)
(Link)
I've never seen anything like this before! Scary... but cool!
[User Picture]
From:balinares
Date:June 19th, 2011 09:21 am (UTC)
(Link)
... Ok, HTTP connections to tomorrowlands.org timeout, so I'm assuming you took the box offline. :/
[User Picture]
From:baxil
Date:June 19th, 2011 06:16 pm (UTC)
(Link)
See update to post. It wasn't anything we deliberately did. Inaki says it looks like something flipped out in the box's built-in firewall.

We're quietly investigating.
[User Picture]
From:inaki
Date:June 19th, 2011 09:29 am (UTC)
(Link)
The box is back up!
[User Picture]
From:siege
Date:June 19th, 2011 03:13 pm (UTC)
(Link)
Huh.
[User Picture]
From:rax
Date:June 19th, 2011 03:14 pm (UTC)
(Link)
I kind of want to berate this person and then hire them.
[User Picture]
From:baxil
Date:June 19th, 2011 10:04 pm (UTC)
(Link)
Can I borrow that line? Because, seriously.
[User Picture]
From:delcan
Date:June 20th, 2011 04:41 am (UTC)
(Link)
Holy crap.

This is a situation where I'd want to consider the motive of the person doing this. If their motive was malicious, I can't help but think that they wouldn't bother with the software patching or even the admin-creation stuff - they'd just get whatever information they'd want from the thing itself and never ever show themselves at all. The things they've done (that you know about) are:

1. Basically gaining root access to the server. This is the scary part, frankly.
2. Creating a "shadow admin" account, with which they have the ability to change the board to their desires at will. Scary, but given 1. above, probably irrelevant.
3. Making a profile, and interacting in a meta-OOC way with board members, both in character. The post itself is "Luna" trying in some small way to add to the narrative, rather than subtract from it or troll it. This is... unusual.

I can't see a malicious hacker doing 3. along with everything else; it's a non sequitur. Now, granted, that idea is not something that justifies a laissez-faire attitude towards someone that did 1, but it's an ingredient that's hard to fit into a black-hat operation.

But truth be told, the visible results of this person's work so far (big, big emphasis on so far) seem to be positive. If anything, the whole situation has given the RP, and the board, a very mysterious aspect.

I wholeheartedly hope that this hacker is performing this action as a glamourbomb, to add to this creation in a way that no normal player, game master, or admin could. Their actions so far support this hypothesis.

It's a little as if someone snuck into your house with a skeleton key and put a bouquet of flowers on your table. Kinda neat and all, but still very freaky and paranoia-inducing.
[User Picture]
From:baxil
Date:June 20th, 2011 07:43 pm (UTC)
(Link)
I agree with your entire summary, basically point by point.

Though:

> I wholeheartedly hope that this hacker is performing this action as a glamourbomb, to add to this creation in a way that no normal player, game master, or admin could. Their actions so far support this hypothesis.

I did wonder whether this might have been some sort of massively overblown attempt at a player application? Maybe they figured "Hey, I want to be Princess Luna" wasn't going to cut it, given she's both a canon figure and a goddess?

If so, um ... I kind of want to berate this person and then hire them.
[User Picture]
From:blossomforth
Date:June 22nd, 2011 10:19 pm (UTC)
(Link)
Goodness! I had wondered what exactly was the deal with the Luna thing, but I had been distracted so I didn't look too much into it. That's kinda funny!
Tomorrowlands Powered by LiveJournal.com