City of Heroes: Live Forum Archive

Titan Network: Need some assistance

Ad Astra

By Ad Astra,
Posted on: 2011-10-31 07:56 in CoH and CoV General Discussions

 

Posted

Another random person saying thanks for all you do on the site. Calling off work, well attempting to call off work, is going above and beyond the call.

/salute

 

Posted

Best of luck with it mate.

 

Posted

Bastards! I hate bloody hackers who do this. I hope they get thrice as bad as they give out.

Rabbits & Hares:Blue (Mind/Emp Controller)Maroon (Rad/Thermal Corruptor)and one of each AT all at 50
MA Arcs: Apples of Contention - 3184; Zen & Relaxation - 35392; Tears of Leviathan - 121733 | All posts are rated "R" for "R-r-rrrrr, baby!"|Now, and this is very important... do you want a hug? COH Faces @Blue Rabbit

 

Posted

Quote:
Originally Posted by CuppaManga View Post
Based on your analysis, TonyV, I sent you a PM that I hope will get you out of the woods.
Muchas gracias. I read it, and I'll process it as soon as I can. Sounds reasonable to me. I did check the cron jobs earlier and I don't see anything, but I still haven't finished a deep dive to find out what did make the changes. That's way up the priority chain on my list, after getting at least a maintenance page deployed.

We've been saving Paragon City for eight and a half years. It's time to do it one more time.
(If you love this game as much as I do, please read that post.)

 

Posted

You guys have done so much for the community, and here you are working your butts off again, this time because of the bad guys.

I don't know code, but this sounds pretty malicious. Good luck, guys.

Since you're stuck doing this, can we send you our Halloween salvage?

If we are to die, let us die like men. -- Patrick Cleburne
----------------------------------------------------------

The rule is that they must be loved. --Jayne Fynes-Clinton, Death of an Abandoned Dog

 

Posted

Quote:
Originally Posted by Sailboat View Post
You guys have done so much for the community, and here you are working your butts off again, this time because of the bad guys.

I don't know code, but this sounds pretty malicious. Good luck, guys.

Since you're stuck doing this, can we send you our Halloween salvage?
Couldn't agree more, and great idea.

I think it's time to make a donaton again.

 

Posted

Just saw this thread now...thanks for the update

Leader of The LEGION/Fallen LEGION on the Liberty server!
SSBB FC: 2062-8881-3944
MKW FC: 4167-4891-5991

 

Posted

Everyone at the Titan Network has my sympathies for this.



Triumph: White Succubus: 50 Ill/Emp/PF Snow Globe: 50 Ice/FF/Ice Strobe: 50 PB Shi Otomi: 50 Ninja/Ninjistu/GW Stalker My other characters

 

Posted

Tony, I just want to take this opportunity to send you massive thanks for all you do for the "City of" community. The sites are great and your committment to delivering them to us is amazing!

 

Posted

I guess *now* I can tell my TF teammates why I was running around like a chicken with my head cut off.

Sorry to hear about the hack. I use most of the things you guys run and I am certainly frustrated to see them under attack (and more frustrated that I can't help due to my lack of knowledge in this area). That said don't kill yourself trying to get it back up. I can only speak for myself but considering the tools y'all have taken time out of your lives to create which help the rest of us immensely... feel free to take your time. We won't die from having to *rough-it* for a few days.

Favorite Hero: Computer (Empathy/Energy Blast Defender)

Favorite Villain: Gimp Computer (Fire Control/Psionic Assault Dominator)

 

Posted

Quote:
Originally Posted by Blue Rabbit View Post
Bastards! I hate bloody hackers who do this. I hope they get thrice as bad as they give out.
This wasn't even a hacker. This was some ******* script kiddie, probably working a pre-assembled injection attack package.

That's probably why it was caught so quickly.


Clicking on the linked image above will take you off the City of Heroes site. However, the guides will be linked back here.

 

Posted

Don't forget that the Titan Network accepts donations via PayPal

Perhaps we can than Tony monetarily for his hard work.

Edit: although I might have to wait for the site to come back online before I can donate, not having a direct link.

 

Posted

Quote:
Originally Posted by Obsidius View Post
Don't forget that the Titan Network accepts donations via PayPal

Perhaps we can than Tony monetarily for his hard work.

Edit: although I might have to wait for the site to come back online before I can donate, not having a direct link.
donations@cohtitan.com is the address that I had in past emails, though I don't know if there was anything special that needed to be done for donation.

[url="http://wiki.cohtitan.com/wiki/User:SaintNicster"]ParagonWiki User Page[/url]

[url="http://cit.cohtitan.com/profile/214#list"]City Info Tracker[/url]

 

Posted

I visit the Paragon Wiki absolutely every day, but I did not receive a threat alert at all. That said, I'm going to run both full MalwareBytes and AVG scans and will report back whether they find anything or not. Hopefully not everyone who visited was compromised (although I do also use NoScript on my browser, so that may be related to me never getting an alert).

Edit: And, of course, thank you for all your hard work and dedication, both specifically in this instance and generally for running the Titan Network as a whole.

Edit2: Totally clean, nothing found. This either proves that Tony's right on the money about NoScript, that some visitors didn't get infected, or both.

@Draeth Darkstar
Virtue [Heroes, Roleplay], Freedom [Villains], Exalted [All Sides, Roleplay]
Code:
I24 Proc Chance = (Enhanced Recharge + Activation Time) * (Current PPM * 1.25) / 60*(1 + .75*(.15*Radius - 0.011*Radius*(360-Arc)/30))
Single Target Radius = 0. AoE Non-Cone Arc = 360.

 

Posted

I had a similar experience with a smaller site I've done development for. The index.php files were modified in such a way that it appeared to have been done automatically, by a bot of some sort. That site doesn't run its own server, but uses a hosting company. When the owner of the site contacted the hosting company about the intrusion, he was told that the modifications were done by someone using a valid username/password, and that by far the greatest likelihood was that one of the site admins had his local machine compromised by malware of some sort that had captured the login credendials when he accessed the site.

A scan of the systems of anyone with admin rights on the site did turn up a few minor infections. Those were cleaned and the problem has not recurred since.

My guess as to how it works is that it's probably all automated. Malware is loaded by visiting an infected web site or something similar. That monitors the users system for access to web sites. When it captures login credentials for a site, it automatically scans and infects that site, and the process repeats itself.

So anyway, the short version is, I'd make sure anyone who had access to the titan network scan their system very thoroughly.

 

Posted

Quote:
Originally Posted by TonyV View Post
The nuts and bolts of it is that something has rewritten a whole bunch of index.php files, including most that run the core functionality of all of our sites, to include the following line at the top:
echo (base64_decode('ZXJy[bunches more gibberish]0KfQ=='));

When you decode that, you get a Php function that:

- Turns off error reporting,
- Fetches the IP address of who's accessing the page,
- Fetches the user agent (UA) of who's accessing the page and compares it against a list of known security sites and webcrawlers,
- If it's not in the list of UAs, it does a cURL fetch of a javascript payload from a remote distribution site. The URL is defined as:
'http://[scum domain omitted]/index.php?go=1&ip='.$ip

So it's sending the user who is accessing the page's IP address. Depending on that IP address, they payload may or may not be delivered. When I put my own address in, it's not. When I poked around a little bit, I was able to find an IP that did deliver the payload, which I copied for further analysis as soon as I get a chance.
I take it from your description that a browser plugin like Noscript would block the javascript payload from running, even if the plugin allows scripts from the cohtitan.com domain to execute, correct?

 

Posted

Quote:
Originally Posted by Intrinsic View Post
I take it from your description that a browser plugin like Noscript would block the javascript payload from running, even if the plugin allows scripts from the cohtitan.com domain to execute, correct?
Absolutely. Anyone with NoScript installed is literally at zero risk of being affected by this. (Unless you've whitelisted the malware domain, which I really hope you haven't. ) Whitelisting the cohtitan.com sites is fine, also, the payload was delivered by a remote server, not the Titan server.

We've been saving Paragon City for eight and a half years. It's time to do it one more time.
(If you love this game as much as I do, please read that post.)

 

Posted

Looks like Paragonwiki is back up and running normally.

 

Posted

The paragonwiki.com link isn't working but the wiki.cohtitan.com one is.

 

Posted

Quote:
Originally Posted by QuarriosSoul View Post
The paragonwiki.com link isn't working but the wiki.cohtitan.com one is.
Yeah. paragonwiki.com 404s.