ATTENTION - Security Breach here.

General Announcements about Unreal Tournament and UT99.org
Dr.Flay
Godlike
Posts: 3347
Joined: Thu Aug 04, 2011 9:26 pm
Personal rank: Chaos Evangelist
Location: Kernow, UK

Post by Dr.Flay »

CHANGE YOUR PASSWORDS
It seems we have had an unwanted visitor using an admin's password, so they could extract the user database.

I have temporarily disabled session logins, so you will have to keep giving your ID at login for the moment.
Cookies will now be using SSL once they are re-enabled, and I have upped the password requirement, so from now on you will need to include mixed case and numbers.

DO NOT REUSE PASSWORDS EVER
papercoffee
Godlike
Posts: 10443
Joined: Wed Jul 15, 2009 11:36 am
Personal rank: coffee addicted !!!
Location: Cologne, the city with the big cathedral.

Post by papercoffee »

Is it now safe to change the PW?
Higor
Godlike
Posts: 1866
Joined: Sun Mar 04, 2012 6:47 pm

Post by Higor »

I assume it's only the password hashes that were compromised, right?
Dr.Flay
Godlike
Posts: 3347
Joined: Thu Aug 04, 2011 9:26 pm
Personal rank: Chaos Evangelist
Location: Kernow, UK

Post by Dr.Flay »

It is very unlikely that anything useful was taken, as the database is not directly accessible and the passwords are encrypted.

However, unlike companies that say "no! nothing wrong here" to keep people calm, I feel that until a full inspection is done we cannot know what has, or has not been achieved.
Waiting and not saying anything until later would be irresponsible of me.

They were logged in as admin for many hours and made changes to what can be downloaded from this site.
However, the database is not accessible via the admin panel and the passwords are encrypted.

Any data lifted via browsing around will be minimal because Admin don't get to see your passwords.

Our visitor claims that the shell upload did not go as planned.
Again, until we know the reality we take no chances that it is not a bluff.

The outlook is good, but don't take chances.
I change my passwords every month or 2 (as you should all learn to do), so for example each and every time Yahoo was hacked, my password had already been regularly changed.

I am re-enabling cookie sessions so we can go back to just walking in like normal, but they will now be using SSL so if you have any problems let us know.
Barbie
Godlike
Posts: 2792
Joined: Fri Sep 25, 2015 9:01 pm
Location: moved without proper hashing

Post by Barbie »

Dr.Flay wrote: the passwords are encrypted.
I hope that the passwords are hashed and not encrypted... ;o) Even better with a bit of salt.
Anyway, for me it would not be a big deal if my password gets known to third parties, because usually I use a PW manager and a different password for every service. So in the worst case an attacker could write "Barbie is silly" with my account here. :lol:
Dr.Flay wrote: They [...] made changes to what can be downloaded from this site
That's worse, at least for people who run everything they download, because the attacker could have infected the files. Maybe you should check the time stamps of the downloadable files or, even better, compare them to backup versions.
Dr.Flay wrote: Our visitor claims that the shell upload did not go as planned.
What is meant by this? :what:
"Multiple exclamation marks," he went on, shaking his head, "are a sure sign of a diseased mind." --Terry Pratchett
Dr.Flay
Godlike
Posts: 3347
Joined: Thu Aug 04, 2011 9:26 pm
Personal rank: Chaos Evangelist
Location: Kernow, UK

Post by Dr.Flay »

The claim is that the upload of a shell to make use of the changes did not finish.

Yes you are correct, I meant to say the database is encrypted and the passwords hashed. No idea if a pinch of salt is in the mix, SHADE can let us know tomorrow.
Right now he is in bed sleeping, but is aware of the situation.

Looking at the admin logs, not much happened, but admin logs can be deleted.
No uploads are obvious at this point, and the new file extensions are not in use as far as I can see. I did find 1 that should not be allowed and removed it: "js".
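
Barbie's suggestion earlier in the thread, comparing the downloadable files against backup versions, can be done by content hash rather than by eye; this is an added example, not part of the original thread or the site's own tooling. The directory names and sample files are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large downloads do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict:
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file() and not p.is_symlink()
    }


def compare_to_backup(live: Path, backup: Path) -> dict:
    """Compare by content; a timestamp can be reset by whoever wrote the file."""
    now, ref = manifest(live), manifest(backup)
    return {
        "modified": sorted(n for n in now if n in ref and now[n] != ref[n]),
        "added": sorted(n for n in now if n not in ref),
        "missing": sorted(n for n in ref if n not in now),
    }


def demo() -> dict:
    """Constructed sample: a backup tree and a live tree that has drifted from it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (backup, live):
            (root / "maps").mkdir(parents=True)
            (root / "maps" / "DM-Example.zip").write_bytes(b"original map")
            (root / "mutator.zip").write_bytes(b"original mutator")
        (live / "mutator.zip").write_bytes(b"altered mutator")  # content changed
        (live / "maps" / "readme.html").write_bytes(b"<html></html>")  # not in backup
        (backup / "old-tool.zip").write_bytes(b"only in backup")  # gone from live
        return compare_to_backup(live, backup)


if __name__ == "__main__":
    print(demo())
```

Anything listed under "modified" or "added" is a file to pull from the download area until it has been inspected.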
sektor2111
Godlike
Posts: 6403
Joined: Sun May 09, 2010 6:15 pm
Location: On the roof.

Post by sektor2111 »

I'm not changing anything until the problem is secured, else the new password will not help...
Carbon
Inhuman
Posts: 855
Joined: Thu Jan 17, 2013 1:52 pm
Personal rank: Hoarder.

Post by Carbon »

Use a password manager like KeePass and this breach means nothing. Already changed my password and can do so again without issue anytime. I strongly suggest that others use a manager as well, with KeePass being the most secure as there is nothing stored online; your database is local, password generation ensures unique passwords every time and for every site.

Keep us posted admin and thanks for being prompt and forthright. :gj:
Shade
Site Admin
Posts: 1480
Joined: Sun Jan 27, 2008 12:03 pm
Personal rank: Founder of UT99.org
Location: Germany

Post by Shade »

Dr.Flay wrote: They were logged in as admin for many hours and made changes to what can be downloaded from this site.
To be more precise: As far as the logs tell us, he changed the allowed file extensions for attachments (he added asp, cgi, dhtm, dhtml, htm, html, jar, js, pl, sh, shtm, shtml). So for example he added *.html, which theoretically allowed him to upload html-files as attachments. It is not possible to open and run these files directly from the directory on the server, where all attachments are saved. Also, all uploaded files have encrypted file names on the server.

PS: Passwords on the database are hashed (MD5).
UT99.org Discord Server: https://discord.gg/6CP2UjZ
UT Server Browser: https://ut99.org/servers
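
The difference between the unsalted MD5 hashes mentioned above and the salted hashing Barbie asked about, as an added example that is not the forum software's own code: identical passwords give identical MD5 digests, a per-user salt with a slow key-derivation function does not, and a legacy MD5 record can be replaced at the next successful login. The record format, function names, iteration count and sample accounts are assumptions constructed for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch; tune to your hardware


def legacy_md5(password: str) -> str:
    """Unsalted MD5: the same password gives the same digest for every user."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2$iterations$salt$digest'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against either record format, comparing in constant time."""
    scheme, _, rest = stored.partition("$")
    if scheme == "md5":
        return hmac.compare_digest(legacy_md5(password), stored)
    if scheme == "pbkdf2":
        iterations, salt_hex, digest_hex = rest.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate.hex(), digest_hex)
    return False


def login(users: dict, name: str, password: str) -> bool:
    """Verify, then replace a legacy MD5 record once the right password is seen."""
    stored = users.get(name)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith("md5$"):
        users[name] = hash_password(password)
    return True


def demo():
    """Constructed sample accounts: two users who picked the same password."""
    users = {"alice": legacy_md5("Unreal99"), "bob": legacy_md5("Unreal99")}
    same_before = users["alice"] == users["bob"]
    both_ok = login(users, "alice", "Unreal99") and login(users, "bob", "Unreal99")
    return same_before, both_ok, users
```

Before the upgrade the two stored records are byte-for-byte equal, so one guessed password exposes every account that shares it; afterwards each record has its own salt and has to be attacked separately.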
Gustavo6046
Godlike
Posts: 1462
Joined: Mon Jun 01, 2015 7:08 pm
Personal rank: Resident Wallaby
Location: Porto Alegre, Brazil

Post by Gustavo6046 »

Shade wrote: (MD5).
lmao, MD5. It has been decades! I suggest changing to something like Twofish and letting the users store the encryption keys in either cookies or otherwise locally. I will ask the Valoran team for any correction I must make for this to work.
"Everyone is an idea man. Everybody thinks they have a revolutionary new game concept that no one else has ever thought of. Having cool ideas will rarely get you anywhere in the games industry. You have to be able to implement your ideas or provide some useful skill. Never join a project whose idea man or leader has no obvious development skills. Never join a project that only has a web designer. You have your own ideas. Focus on them carefully and in small chunks and you will be able to develop cool projects."

Weapon of Destruction
Chamberly
Godlike
Posts: 1963
Joined: Sat Sep 17, 2011 4:32 pm
Personal rank: Dame. Vandora
Location: TN, USA

Post by Chamberly »

Gustavo6046 wrote: lmao, MD5. It has been decades! I suggest to change to something like Twofish and let the users store the encryption keys in either cookie or otherwise locally.
Meh, the cookies have been hacked as well, from others using them to compromise Yahoo! accounts, for example.
Edit: Why does my sig not work anymore?
EvilGrins
Godlike
Posts: 9668
Joined: Thu Jun 30, 2011 8:12 pm
Personal rank: God of Fudge
Location: Palo Alto, CA

Post by EvilGrins »

Well, poop.
:pfff:
http://unreal-games.livejournal.com/
medor wrote:Replace Skaarj with EvilGrins :mrgreen:
Smilies · viewtopic.php?f=8&t=13758
sektor2111
Godlike
Posts: 6403
Joined: Sun May 09, 2010 6:15 pm
Location: On the roof.

Post by sektor2111 »

If you are hosting any sort of keys they can be hooked - probably a "spyware" means nothing for a "programmer"...
Else, what did I say a few posts ago? Let me recall. When you have connected the Internet to your machine, security will be a cheap fake story which nobody with a sane mind will ever believe.

Note: two dudes here were chatting about newer database software from M$. Well... after 2015 - 2016 they are not only expensive but are just utter crap. One of them works there, no worries, he knows some "policies". So the chaos is closer with each passing day, these "teams" are about to lose track of what they do. Security will suffer here... :sleep:

Fact:
In some past year, whatever dude hacked my e-mail account (more time after a so-called infection which did not exist before). Let me see the damage taken at this point, not that much, but I have figured advantages coming later. Poor "Yoohoo" suddenly decided to take measures regarding accounts and they have improved e-mail management. I was wondering why they did not take those measures before. Probably they could see people retiring away from them, which was not a good thing for their "image" aka reputation. So... time will solve problems or will make them worse...
Rixuel
Novice
Posts: 6
Joined: Fri Mar 17, 2017 3:29 am

Post by Rixuel »

Why would anyone try to hack a community that plays a 17-18 year old game? (don't get me wrong, ut99 is still awesome) They gain nothing :/
█████████ Loading Hax 99%
Barbie
Godlike
Posts: 2792
Joined: Fri Sep 25, 2015 9:01 pm
Location: moved without proper hashing

Post by Barbie »

Rixuel wrote: They gain nothing :/
As I wrote above: if an attacker gets your user name and password, he can log in here and write silly things. But that's probably not the aim of an attacker: because a lot of people use the same username/password combination for several online services, an attacker can try whether this combination also works for PayPal or Amazon or other services where money is involved. And of course that username/password combination is added to the hacker's password dictionary so that these tests can be done automatically and periodically (by the attacker's botnet, not by his own machine^^).
Gustavo6046 wrote: lmao, MD5. It has been decades!
Yes, it is proven that you can find a token that generates the same MD5 sum as the original password. But what does the attacker win? He can log in here and only at other services that also have this username/password combination stored as MD5 hash.
"Multiple exclamation marks," he went on, shaking his head, "are a sure sign of a diseased mind." --Terry Pratchett