Suggestion


The Suggestion...

By: steve on 10 Jun 2010
Rating: 0.00 in 0 votes
tmb_website | general | [Suggestion_6663]

What to do about getting hacked

If anyone has more information about this hack (replacing index.php and config.php and adding core1.php, core2.php, etc.) and what can be done about it, please post it here.

One of my client's websites (a WordPress site) was hacked in a similar way, so it may not be a PHP scripting problem. I have also noticed many updates for Apache and MySQL coming down the pipe lately; maybe that has something to do with it.
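One thing that can be done about it, as an added example (not code from this thread or the TMB site): a baseline-and-compare integrity check over the document root, which would flag exactly the replaced index.php/config.php and the newly dropped core1.php. The file names and contents inside demo() are constructed for the demonstration; the manifest is a plain dict, so it can be dumped to JSON and kept somewhere the web server cannot write.

```python
"""Web-root integrity check for the kind of tampering described above
(index.php/config.php replaced, core1.php/core2.php dropped in).

Added example; not code from the original thread or the TMB site. It assumes
a simple scheme: hash every file in the document root while it is known good,
keep that manifest off the web server, and re-run the comparison later
(for instance from cron) so a change is noticed in hours, not days."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Report files added, removed or modified relative to the baseline manifest."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    # Newly appearing PHP files are the clearest signal in this incident:
    # a deployed site does not grow core1.php, core2.php on its own.
    new_php = [p for p in added if p.lower().endswith(".php")]
    return {"added": added, "removed": removed, "modified": modified, "new_php": new_php}


def demo():
    """Constructed scenario: a tiny web root, then the tampering from the post."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php echo 'home'; ?>")        # constructed content
    (root / "config.php").write_text("<?php $db = 'placeholder'; ?>")
    baseline = snapshot(root)                  # taken while the site is known good
    (root / "index.php").write_text("<?php /* replaced file */ ?>")
    (root / "core1.php").write_text("<?php /* dropped file */ ?>")
    (root / "robots.txt").write_text("User-agent: *")              # benign change
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=1))
```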



Comments

10 Jun 2010 [comment_34398]
Super_merlin
Checking my update manager I see the MySQL fixes you're talking about, so I'd guess that was it.

Here are descriptions for anyone interested.

mysql-server-core-5.1

Version 5.1.41-3ubuntu12.3:

* SECURITY UPDATE: missing privilege check when uninstalling plugins
- debian/patches/55_CVE-2010-1621.dpatch: check access rights in
sql/sql_plugin.cc, added tests to mysql-test/*.
- CVE-2010-1621
* SECURITY UPDATE: privilege check bypass via crafted table name argument
to COM_FIELD_LIST
- debian/patches/58_CVE-2010-1848.dpatch: check for path chars in
sql/table.cc, sql/sql_yacc.yy, sql/sql_yacc.cc, sql/sql_table.cc,
sql/sql_parse.cc, sql/partition_info.cc, sql/mysql_priv.h. Add tests
to tests/mysql_client_test.c and mysql-test/*.
- CVE-2010-1848
* SECURITY UPDATE: denial of service via large packets
- debian/patches/57_CVE-2010-1849.dpatch: handle big packets in
sql/sql_connect.cc, include/mysql_com.h, sql/net_serv.cc.
- CVE-2010-1849
* SECURITY UPDATE: arbitrary code execution via crafted table name
argument to COM_FIELD_LIST
- debian/patches/56_CVE-2010-1850.dpatch: check table name length in
sql/sql_parse.cc.
- CVE-2010-1850
* SECURITY UPDATE: DROP TABLE privilege bypass via symlink attack
- debian/patches/59_CVE-2010-1626.dpatch: check for symlinks in
storage/myisam/mi_delete_table.c, add tests to mysql-test/*.
- CVE-2010-1626

mysql-common
* SECURITY UPDATE: missing privilege check when uninstalling plugins
- debian/patches/55_CVE-2010-1621.dpatch: check access rights in
sql/sql_plugin.cc, added tests to mysql-test/*.
- CVE-2010-1621
* SECURITY UPDATE: privilege check bypass via crafted table name argument
to COM_FIELD_LIST
- debian/patches/58_CVE-2010-1848.dpatch: check for path chars in
sql/table.cc, sql/sql_yacc.yy, sql/sql_yacc.cc, sql/sql_table.cc,
sql/sql_parse.cc, sql/partition_info.cc, sql/mysql_priv.h. Add tests
to tests/mysql_client_test.c and mysql-test/*.
- CVE-2010-1848
* SECURITY UPDATE: denial of service via large packets
- debian/patches/57_CVE-2010-1849.dpatch: handle big packets in
sql/sql_connect.cc, include/mysql_com.h, sql/net_serv.cc.
- CVE-2010-1849
* SECURITY UPDATE: arbitrary code execution via crafted table name
argument to COM_FIELD_LIST
- debian/patches/56_CVE-2010-1850.dpatch: check table name length in
sql/sql_parse.cc.
- CVE-2010-1850
* SECURITY UPDATE: DROP TABLE privilege bypass via symlink attack
- debian/patches/59_CVE-2010-1626.dpatch: check for symlinks in
storage/myisam/mi_delete_table.c, add tests to mysql-test/*.
- CVE-2010-1626


mysql-client-core-5.1
* SECURITY UPDATE: missing privilege check when uninstalling plugins
- debian/patches/55_CVE-2010-1621.dpatch: check access rights in
sql/sql_plugin.cc, added tests to mysql-test/*.
- CVE-2010-1621
* SECURITY UPDATE: privilege check bypass via crafted table name argument
to COM_FIELD_LIST
- debian/patches/58_CVE-2010-1848.dpatch: check for path chars in
sql/table.cc, sql/sql_yacc.yy, sql/sql_yacc.cc, sql/sql_table.cc,
sql/sql_parse.cc, sql/partition_info.cc, sql/mysql_priv.h. Add tests
to tests/mysql_client_test.c and mysql-test/*.
- CVE-2010-1848
* SECURITY UPDATE: denial of service via large packets
- debian/patches/57_CVE-2010-1849.dpatch: handle big packets in
sql/sql_connect.cc, include/mysql_com.h, sql/net_serv.cc.
- CVE-2010-1849
* SECURITY UPDATE: arbitrary code execution via crafted table name
argument to COM_FIELD_LIST
- debian/patches/56_CVE-2010-1850.dpatch: check table name length in
sql/sql_parse.cc.
- CVE-2010-1850
* SECURITY UPDATE: DROP TABLE privilege bypass via symlink attack
- debian/patches/59_CVE-2010-1626.dpatch: check for symlinks in
storage/myisam/mi_delete_table.c, add tests to mysql-test/*.
- CVE-2010-1626

libmysqlclient16

* SECURITY UPDATE: missing privilege check when uninstalling plugins
- debian/patches/55_CVE-2010-1621.dpatch: check access rights in
sql/sql_plugin.cc, added tests to mysql-test/*.
- CVE-2010-1621
* SECURITY UPDATE: privilege check bypass via crafted table name argument
to COM_FIELD_LIST
- debian/patches/58_CVE-2010-1848.dpatch: check for path chars in
sql/table.cc, sql/sql_yacc.yy, sql/sql_yacc.cc, sql/sql_table.cc,
sql/sql_parse.cc, sql/partition_info.cc, sql/mysql_priv.h. Add tests
to tests/mysql_client_test.c and mysql-test/*.
- CVE-2010-1848
* SECURITY UPDATE: denial of service via large packets
- debian/patches/57_CVE-2010-1849.dpatch: handle big packets in
sql/sql_connect.cc, include/mysql_com.h, sql/net_serv.cc.
- CVE-2010-1849
* SECURITY UPDATE: arbitrary code execution via crafted table name
argument to COM_FIELD_LIST
- debian/patches/56_CVE-2010-1850.dpatch: check table name length in
sql/sql_parse.cc.
- CVE-2010-1850
* SECURITY UPDATE: DROP TABLE privilege bypass via symlink attack
- debian/patches/59_CVE-2010-1626.dpatch: check for symlinks in
storage/myisam/mi_delete_table.c, add tests to mysql-test/*.
- CVE-2010-1626

So, as you can see, some security things have been updated. Just hope that's what it was. So, maybe some bad SQL stuff? I'm not much of a web guy, but given the updates, that is possible.


10 Jun 2010 [comment_34399]
Erik Rodriguez
Wow, who would do such a thing? I just went here one day and it said there was an error. DX It's like a whole week it was down!


10 Jun 2010 [comment_34404]
megaman4ever
It was, in fact, five days.


11 Jun 2010 [comment_34427]
Erik Rodriguez
oh....you counted it?


11 Jun 2010 [comment_34428]
Super_merlin
Or he just remembered.


11 Jun 2010 [comment_34433]
Erik Rodriguez
Probably XD


12 Jun 2010 [comment_34435]
megaman4ever
Yes, I did, in fact, count it instead of just remembering.

I was quite bored without TMB - it is my vacation after all, and I have no plans for it=O


12 Jun 2010 [comment_34438]
Super_merlin
Same here.

It forced me to work on my Cast Editor though.


12 Jun 2010 [comment_34447]
megaman4ever
Haha, I mostly was really bored, since I don't have GC controllers for my Wii anymore(therefore only a small amount of games are cool on it, who could resist the almighty seven button, two stick and one dpad goodness?(also, I suck playing with just a wiimote.. Games like Tatsunoko vs Capcom are broken with it))(new ones on order from dealextreme(all hail cheap prices and free shipping!)), my internet is down most of the time AND most of my friends are away... Not much to do, really. I think I drifted time playing some random games I found from my hard drive and trying out to make Epic MR further(the project is not dead yet, lol).


13 Jun 2010 [comment_34454]
The master of wizards
lol I thought the site was closing down but I just figured steve screwed up with some application again. XD


13 Jun 2010 [comment_34465]
I thought the power had gone out or surged, and the server was being annoying to get back up and running.


14 Jun 2010 [comment_34504]
crazymerlinman321
So that is why I couldn't go on the site. I thought it was just a computer problem.
So we got hacked??? Wow.


16 Jun 2010 [comment_34637]
steve
Yeah, the only reason it was down for so long was because it took me that long to notice. I was incredibly busy that week and didn't even have time to check my emails.

One of my client's sites (a WordPress site) got hacked in a similar manner a few days before, which makes me think it could be a more widespread problem.


16 Jun 2010 [comment_34638]
crazymerlinman321
Ya I thought I could never go on the site again so I was very scared but now it is cool.


17 Jun 2010 [comment_34679]
By the way, the collaboration bit is also down.


17 Jun 2010 [comment_34680]
crazymerlinman321
Oh that sucks. So we are trying to fix it right or are we just going to wait?


17 Jun 2010 [comment_34703]
steve
Hmmm the bugs database is also down.

This really sucks.

I don't have an easy offline backup to restore from so it will have to wait I'm afraid.


17 Jun 2010 [comment_34704]
The master of wizards
Were you able to trace the signal from the hacker to his location and/or current internet service provider?


17 Jun 2010 [comment_34710]
megaman4ever
Hackers who actually know anything about what they are doing often know also how to give fake info on those, or just simply how to delete the logs.


17 Jun 2010 [comment_34714]
However, they still, most times, need to leave some sort of trace. They can fill that with noise though, to hide themselves.


18 Jun 2010 [comment_34719]
crazymerlinman321
It is like a murder. A murderer has to make a plan before he strikes. Like how to not leave any tracks or evidence. Then he goes for the kill. Same thing with this hacking, he probably thought it out but of course, the hacker could be an idiot.


25 Jun 2010 [comment_35159]
steve
The hosting company were not very helpful about this. They gave me a stock reply saying that getting hacked is 'very serious' and advising me to change my passwords.

They haven't given me any information at all about what happened.


25 Jun 2010 [comment_35163]
Super_merlin
Anything in the logs?


26 Jun 2010 [comment_35181]
steve
I don't have direct access to the logs. I can only tell you what they tell me. I'll get on to them more about it when I have more time.


26 Jun 2010 [comment_35204]
crazymerlinman321
So they just told you what to do next time and they didn't tell you what happened. Those little...eh you know. ;)


30 Jun 2010 [comment_35451]
steve
I get the feeling they don't know themselves. Which I wouldn't blame them for.


30 Jun 2010 [comment_35472]
crazymerlinman321
Probably just a few kids messing with the system. Probably don't know what they are doing and don't know the consequences.


30 Jun 2010 [comment_35483]
megaman4ever
I doubt it's 'just a few kids messing with the system'. I also doubt too many kids know how to hack that well - at least well enough that the service provider doesn't know much about what happened and how.


30 Jun 2010 [comment_35489]
crazymerlinman321
Well not kids but they probably don't know what they are doing.


30 Jun 2010 [comment_35494]
I would also disagree; if they didn't know what they were doing, they wouldn't have been such a hassle. It seems like more of a grey hat hack rather than a black one though, at least on this site... I'm guessing that others hosted by them also got hacked?


1 Jul 2010 [comment_35501]
crazymerlinman321
So the collaboration bit and the bug database are the only things that are down.


1 Jul 2010 [comment_35504]
Super_merlin
Just so everyone knows, a:

Black Hat: A hacker who intentionally hacks for money, threats, other.
White Hat: A hacker who is hired to find security flaws.
Gray Hat: A hacker who doesn't really mean to cause havoc, but might be curious or just might be wanting attention or something. Their main goal is not to cause damage.


1 Jul 2010 [comment_35525]
crazymerlinman321
So which hat would this hacker possibly be?


1 Jul 2010 [comment_35529]
megaman4ever
Note just said his opinion...
"It seems like more of a grey hat hack rather than a black one though, at least on this site..."

And it's pretty much the same opinion as mine.


1 Jul 2010 [comment_35536]
crazymerlinman321
Well I guess so. It makes sense for it to be a grey hat hacker.

