June 18th, 2011
09:24 pm
Shit has, as they say, gotten meta.
Hey, folks! Life goes on, and after a long week at work (and a scare with my car -- which was resolved by an unexpected act of generosity on my bosses' part), I'm trying to get back into the swing of things. And meanwhile, things have been more eventful than usual out in the land of:

[Ponies and Pegasi]


First of all, due to RL time concerns, bossgoji has withdrawn as player liaison/co-organizer for the D&D portion of the board. I would still like to make the Pony/D&D4e game occur, though; I've already ordered a 4th Edition PHB so I can chew through the rules conversion in my away-from-computer time (which will help a lot). I'll post a new timeline for game start on the board itself.

Assuming that the forum's not destroyed by a vengeful goddess in the meantime.

That sounds like a joke, I know. But I think the joke's on me.

I happened to have the OOC board index up today when my browser crashed. So I had to reopen the page, and I wasn't logged in when it did. A thread by "Princess Luna" appeared out of nowhere:



I didn't realize the significance of that right away. (My first reaction was, "Huh, who registered that? Everybody should be making original characters - we've discouraged direct use of show canon.")

But then I logged in to my account ... and the thread vanished again. I'm a board administrator. I should be seeing everything.

I took screenshots:

what everyone else sees | what I see


Check them out side by side. The more you look, the more disturbing it gets.

My immediate thought at that point was -- okay, as cool as this is (it's kind of a compliment for someone to go through so much effort for me, you know?), I've been hacked and I need to do damage control.

I started my info-gathering by cross-referencing the post date against the Apache logs, which is when I discovered: There are no HTTP requests corresponding to "Luna's" edits. Even my own board access shows up in the Apache logs, and to scrub them would require rooting the box. In layman's terms -- someone appears to have hacked our entire server, in a very precise and subtle way, just to register a forum account behind my back.

They've been remarkably thorough. Just for one example: I can't even see their user profile (and it appears to be encrypted in the database files). Can someone who has already registered a Pony4e account go to tomorrowlands.org/pony/YaBB.pl?action=viewprofile;username=luna and tell me what shows up? Be careful -- the profile data is small enough (<1kb) that I doubt there are any viruses, but I can't assume anything at this point.

At this point, I have no idea what "Luna" wants, and I'm kind of afraid to let them know that I've spotted them (hence only discussing it in my locked LJ post). Clearly they outclass me in the cracking department. This person's motives seem innocent so far, but if they get angry, they undoubtedly have the capability to take my whole website down -- and about 60 others with it.

For now, I think I need to play dumb and do some info-gathering. Any suggestions?

UPDATE, 2 a.m.: Tlands is currently down. OH GOD SHE'S HACKED IN HERE TOO. ... Except Inaki says it looks like an unrelated network issue (we've had a few in the last couple weeks), site should be fine, and is talking to the data center. In hindsight, I'm starting to wonder ...

(Update, 5/2012: Entry made public for posterity.)

Current Location: ~/Brainstorm
Current Mood: scared
Current Music: The Infinity Project, "Stimuli"
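
The check the post describes, cross-referencing the board's post times against the Apache access log, as an added example (not code from the post, from YaBB, or from the server in question): it keeps only POST requests to the board script and flags any post with no such request within a window of its timestamp. The log lines, post records, script path and action names are constructed for illustration.

```python
import bisect
import re
from datetime import datetime

# Apache combined log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_apache_time(ts):
    """'18/Jun/2011:21:10:33 +0000' -> epoch seconds."""
    return int(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp())

def forum_writes(log_lines, script="/pony/YaBB.pl"):
    """Epoch times of every POST to the board script (the only way the web app writes)."""
    times = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "POST" and m.group("path").startswith(script):
            times.append(parse_apache_time(m.group("ts")))
    return sorted(times)

def orphan_posts(posts, write_times, window=120):
    """Posts with no POST to the board within `window` seconds of their own timestamp.
    Such a post reached the flat files without passing through Apache, i.e. it was
    written with direct filesystem access rather than through the forum."""
    orphans = []
    for subject, ts in posts:
        i = bisect.bisect_left(write_times, ts - window)
        if i == len(write_times) or write_times[i] > ts + window:
            orphans.append((subject, ts))
    return orphans

# Constructed sample data (not real logs): one legitimate admin post with its
# POST request, and one "Luna" post whose timestamp has only a GET nearby.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Jun/2011:21:10:31 +0000] "GET /pony/YaBB.pl?action=post;board=ooc HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Jun/2011:21:10:33 +0000] "POST /pony/YaBB.pl?action=post2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [18/Jun/2011:23:54:58 +0000] "GET /pony/YaBB.pl HTTP/1.1" 200 10211 "-" "Mozilla/5.0"',
]
SAMPLE_POSTS = [  # (subject, post time taken from the board's flat files)
    ("Game start timeline", parse_apache_time("18/Jun/2011:21:10:33 +0000")),
    ("The night is ours", parse_apache_time("18/Jun/2011:23:55:00 +0000")),
]

if __name__ == "__main__":
    for subject, ts in orphan_posts(SAMPLE_POSTS, forum_writes(SAMPLE_LOG)):
        print(f"no matching HTTP request for post {subject!r} at {ts}")
```

A post that only ever matches GETs is the same finding the post reports: the edit never went through the web server, so the log gap itself is the indicator.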

Comments
 
From: elynne
Date: June 19th, 2011 04:40 am (UTC)
Holy crap. Uh... yeah, I can see the profile. Here's some copypasta:

Princess Luna
Shadow Admin
*****
Offline
Always in my sister's
shadow.

Posts:
2
0.00 Posts per day
Date Registered:
Dec 31st, 1999 at 11:59pm
4186 Days since joining
Location: Hacked into system

Bolded for emphasis. I'll take screenshots, let me know if you'd like me to email them to you. For someone that's blatantly hacked into your server, it's very much... completely in character. I have -no idea- how to do anything about this on a technical level, sorry. XD
From: elynne
Date: June 19th, 2011 04:43 am (UTC)
The "About Me" links to the Wikipedia article about Princess Luna.
From: baxil
Date: June 19th, 2011 06:59 am (UTC)
Thanks ... Nothing terribly sinister, then, beyond the open admission (some sort of dare?). The server admin doesn't see anything amiss yet, either. As I said, without knowing "Luna's" goal, it may be safest for me to wait and watch.
(Deleted comment)
From: baxil
Date: June 19th, 2011 06:24 am (UTC)
Here's where it gets even weirder/creepier: the board is YaBB, which has a Perl back-end and a flat file storage scheme. MySQL injection would have made a great deal of sense, but there is no database to access, not without shell access.

(And before you ask, my board password is different from any of my other passwords - email, lj, server, etc. And I recognize all of my logins in the system logs, unless "Luna" wiped those records too, which brings us back to the root problem...)
(Deleted comment)
From: baxil
Date: June 19th, 2011 06:11 pm (UTC)
SE, which is the most recent. But I looked through the files and a lot of changes have been made. At this point, I might as well be calling it "YaBB 2: Luna Edition."

(File modification time for those files is now displaying at 23:59:59 12/31/1969, and the file was modified by UID 65535.

... There's nothing in the passwd file for that user id, but there's an entry for it in the shadow file reading only "Yes". Our hacker has quite a sense of humor.)
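
The two indicators in the comment above, a modification time before the Unix epoch (23:59:59 12/31/1969 is one second before it) and an owner UID with no passwd entry, as an added defender-side check (not code from the commenter or from YaBB): it gathers (mtime, uid) for every file under a board directory and reports why each one looks hand-edited rather than written by the web application. The passwd excerpt, file names, install date and stat values are constructed; the shadow-file oddity is not covered.

```python
import os

def passwd_uids(passwd_text):
    """Numeric UIDs present in /etc/passwd-style text."""
    uids = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            uids.add(int(fields[2]))
    return uids

def tamper_indicators(mtime, uid, known_uids, install_time):
    """Reasons a file looks hand-edited rather than written by the web application.
    The web server runs as a known account and has no reason to backdate a file;
    a negative mtime or an owner missing from passwd both point to root-level access."""
    reasons = []
    if mtime < 0:
        reasons.append("mtime before the Unix epoch (forged timestamp)")
    elif mtime < install_time:
        reasons.append("mtime earlier than the board's install time")
    if uid not in known_uids:
        reasons.append(f"owner uid {uid} has no passwd entry")
    return reasons

def collect(root):
    """(mtime, uid) for every file under root, via lstat (assumes local access)."""
    records = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            records[path] = (st.st_mtime, st.st_uid)
    return records

def scan_records(records, known_uids, install_time):
    """Map each suspicious path to its reasons; works on collect() output or on
    (mtime, uid) pairs copied from another host."""
    findings = {}
    for path, (mtime, uid) in records.items():
        reasons = tamper_indicators(mtime, uid, known_uids, install_time)
        if reasons:
            findings[path] = reasons
    return findings

# Constructed sample data: a passwd excerpt and stat values like those in the comment.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33:www-data:/var/www:/bin/sh\n"
INSTALL_TIME = 1262304000                        # 2010-01-01 00:00:00 UTC, assumed install date
SAMPLE_FILES = {                                 # path -> (st_mtime, st_uid)
    "board/YaBB.pl": (-1.0, 65535),              # 1969-12-31 23:59:59 UTC, unknown owner
    "board/Sources/Example.pl": (1308430000.0, 33),  # ordinary file written by www-data
}
```

Running scan_records(collect("board"), passwd_uids(open("/etc/passwd").read()), INSTALL_TIME) on the live tree gives the same report for real files.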
(Deleted comment)
From: baxil
Date: June 19th, 2011 07:49 pm (UTC)
Could you drop me an e-mail with a link? baxildragon at gmail.
From: baxil
Date: June 19th, 2011 10:03 pm (UTC)
Okay, I took a look based on your e-mail. I covered most of what you said in my letter back, but I wanted to mention here:

That's one of the changed files, and "Luna" fixed the security hole. The board isn't vulnerable to it any more. I skimmed the code, and there are no obvious backdoors - the applied fix is not the same as the official patch, but it fixes it following the same principle.

I'm really not certain how to feel about this.
From: gavinfox
Date: June 20th, 2011 12:59 am (UTC)
Ah, a grey hat hacker?
From: baxil
Date: June 20th, 2011 02:46 am (UTC)
I'd say "greyflank," but if "Luna" saw that, she might take exception. ;)
From: tracerj
Date: June 21st, 2011 01:45 am (UTC)
You could ask her yourself, apparently....

Or, you know, someone who's channelling her very well. At this point, the difference is sort of academic.
From: baxil
Date: June 21st, 2011 05:41 pm (UTC)
I could -- though me doing the asking might be awkward.

(LOLCAT DRAMATIZATION: "O HAI Luna, iz 'greyflank' Ceiling Cat word or Basement Cat word? obtw, invisible hacker iz rilly visible hacker. plz no delete server")

On the other hand, despite the fact she's deliberately hiding from me, I'm starting to think I have some leeway. All along, she's expressed intent to join the RP (er ... the Fillydelphia RP; she's already deep in the RP pool). If I don't threaten that, I don't think exposure will push her toward destruction.

But until my research with Inaki turns up something more concrete, I'm reluctant to give up the element of surprise ... it's one of my few advantages.

On the third hand ... her latest post sounds like a guarantee to stay IC. That, and the talk of privacy invocations, is giving me an idea. (A very bad idea ...)
From: kevynjacobs
Date: June 19th, 2011 05:47 am (UTC)
I've never seen anything like this before! Scary... but cool!
From: balinares
Date: June 19th, 2011 09:21 am (UTC)
... Ok, HTTP connections to tomorrowlands.org time out, so I'm assuming you took the box offline. :/
From: baxil
Date: June 19th, 2011 06:16 pm (UTC)
See update to post. It wasn't anything we deliberately did. Inaki says it looks like something flipped out in the box's built-in firewall.

We're quietly investigating.
From: balinares
Date: June 19th, 2011 07:26 pm (UTC)
Oh, okay. Given the magnitude of the issue unearthed by mmsword, assuming complete compromise and taking the box offline for reinstall would make sense. Then again, you've got a sweet honeypot opportunity there, so, I guess, have fun, and post updates? :)
From: baxil
Date: June 19th, 2011 07:53 pm (UTC)
... Yeah, similar to what I was thinking. Repairing the damage is only effective if we can guarantee we've removed access. Since the hacker has done no visible harm outside of my forum code, and since they don't appear to be linking malware/spyware or spamming, I'm going to play along for a little while. At least until we can gather some information about where they're accessing the box from, and increase our chances of locking them out against whatever backdoors may have gone in in the meantime.

If the compromise becomes malicious, all bets are off.
(Deleted comment)
From: siege
Date: June 19th, 2011 03:13 pm (UTC)
Huh.
From: rax
Date: June 19th, 2011 03:14 pm (UTC)
I kind of want to berate this person and then hire them.
From: baxil
Date: June 19th, 2011 10:04 pm (UTC)
Can I borrow that line? Because, seriously.
From: rax
Date: June 20th, 2011 12:09 am (UTC)
Sure!
From: delcan
Date: June 20th, 2011 04:41 am (UTC)
Holy crap.

This is a situation where I'd want to consider the motive of the person doing this. If their motive was malicious, I can't help but think that they wouldn't bother with the software patching or even the admin-creation stuff - they'd just get whatever information they'd want from the thing itself and never ever show themselves at all. The things they've done (that you know about) are:

1. Basically gaining root access to the server. This is the scary part, frankly.
2. Creating a "shadow admin" account, with which they have the ability to change the board to their desires at will. Scary, but given 1. above, probably irrelevant.
3. Making a profile, and interacting in a meta-OOC way with board members, both in character. The post itself is "Luna" trying in some small way to add to the narrative, rather than subtract from it or troll it. This is... unusual.

I can't see a malicious hacker doing 3. along with everything else; it's a non sequitur. Now, granted, that idea is not something that justifies a laissez-faire attitude towards someone that did 1, but it's an ingredient that's hard to fit into a black-hat operation.

But truth be told, the visible results of this person's work so far (big, big emphasis on so far) seem to be positive. If anything, the whole situation has given the RP, and the board, a very mysterious aspect.

I wholeheartedly hope that this hacker is performing this action as a glamourbomb, to add to this creation in a way that no normal player, game master, or admin could. Their actions so far support this hypothesis.

It's a little as if someone snuck into your house with a skeleton key and put a bouquet of flowers on your table. Kinda neat and all, but still very freaky and paranoia-inducing.
From: baxil
Date: June 20th, 2011 07:43 pm (UTC)
I agree with your entire summary, basically point by point.

Though:

> I wholeheartedly hope that this hacker is performing this action as a glamourbomb, to add to this creation in a way that no normal player, game master, or admin could. Their actions so far support this hypothesis.

I did wonder whether this might have been some sort of massively overblown attempt at a player application? Maybe they figured "Hey, I want to be Princess Luna" wasn't going to cut it, given she's both a canon figure and a goddess?

If so, um ... I kind of want to berate this person and then hire them.
From: delcan
Date: June 21st, 2011 04:57 am (UTC)
It strikes me a little less like a player application, and more like... it's hard for me to find words that really fit well with the idea, but it's like they want to add something to the game that they wouldn't be able to add simply by applying, or by asking you nicely. In a way, by doing this massively overblown thing, they're able to add an air of mystery and wonder to the situation, which fits quite perfectly what they're doing - interacting almost directly with the players as a character from inside the world.

Also, easier to get forgiveness than permission, after all.
From: baxil
Date: June 21st, 2011 05:48 pm (UTC)
Point taken.

(BTW, any plans to return to the freeform RP? I know it can be tough working a new character in, and the hooks I dangled in "Hull Breaches" didn't quite catch the way I intended. I'd be happy to plot something with you, publicly or privately, if you want to make Rainy more integral to a story arc.)
From: delcan
Date: June 21st, 2011 08:38 pm (UTC)
I didn't fall off due to lack of plot or lack of engagement with characters - it's just been lack of ability to post regularly. I got a bit overwhelmed by stuff recently - college classes, a few money issues, a few family issues - and haven't been able to do much posting online... I'm gonna try to join back in soon, though. I don't think I'm going to be able to play in the actual D&D game, but I'd definitely like to keep playing Rainy in the freeform.
From: blossomforth
Date: June 22nd, 2011 10:19 pm (UTC)
Goodness! I had wondered what exactly was the deal with the Luna thing, but I had been distracted so I didn't look too much into it. That's kinda funny!