Titan Network: Need some assistance


Ad Astra

 

Posted

Quote:
Originally Posted by QuarriosSoul View Post
The paragonwiki.com link isn't working but the wiki.cohtitan.com one is.
It's DNS propagation. We changed the IP address of the server, so until your DNS server updates with the new address, you'll still be hitting against the old server that's not servicing requests. The TTL is a day, but really, it shouldn't take that long. I noticed around 15 minutes ago that it had just hit Google's public DNS servers, so it is getting out there.


We've been saving Paragon City for eight and a half years. It's time to do it one more time.
(If you love this game as much as I do, please read that post.)

 

Posted

Quote:
Originally Posted by TonyV View Post
Absolutely. Anyone with NoScript installed is literally at zero risk of being affected by this. (Unless you've whitelisted the malware domain, which I really hope you haven't. ) Whitelisting the cohtitan.com sites is fine, also, the payload was delivered by a remote server, not the Titan server.
Excellent news, and that's exactly why I use Noscript. Best plugin ever.

Also, kudos on getting the wiki back up.


 

Posted

Sucks about the site, but you guys are having better luck with it (from the sounds of it) than me and my laptop issue. I was Going to suggest a race to see who's up fully first, but I'm quite sure you're going to win. >.<


 

Posted

While i don't use the titan network all that much, I still want to say thank you for the effort you put in to fix it


 

Posted

Thanks for the hard work and for keeping us informed !!


 

Posted

Quote:
Originally Posted by Supernumiphone View Post
I had a similar experience with a smaller site I've done development for. The index.php files were modified in such a way that it appeared to have been done automatically, by a bot of some sort. That site doesn't run its own server, but uses a hosting company. When the owner of the site contacted the hosting company about the intrusion, he was told that the modifications were done by someone using a valid username/password, and that by far the greatest likelihood was that one of the site admins had his local machine compromised by malware of some sort that had captured the login credendials when he accessed the site.

A scan of the systems of anyone with admin rights on the site did turn up a few minor infections. Those were cleaned and the problem has not recurred since.

My guess as to how it works is that it's probably all automated. Malware is loaded by visiting an infected web site or something similar. That monitors the users system for access to web sites. When it captures login credentials for a site, it automatically scans and infects that site, and the process repeats itself.

So anyway, the short version is, I'd make sure anyone who had access to the titan network scan their system very thoroughly.
This is my experience as well. I had a PHP site with a few extra FTP accounts, and one of those accounts (managed by a friend of mine) had access to a folder within the website. Then the files inside that folder got infected, and they made it so that I couldn't edit the files back and remove the code from the beginning of the files (it was a small site that I could clean things manually). I then asked the hosting company to remove all extra FTP accounts and also change the owner of the infected files so I could clean them. No one had access to the main FTP account other than me, and seeing how the main site didn't get infected, we guessed that the problem originated from an infected machine that had credentials stolen, just like the situation above.


 

Posted

add to my voice among those who thank you and appreciate your work.


 

Posted

Quote:
Originally Posted by Keen Stronghold View Post
This is my experience as well. I had a PHP site with a few extra FTP accounts, and one of those accounts (managed by a friend of mine) had access to a folder within the website. Then the files inside that folder got infected, and they made it so that I couldn't edit the files back and remove the code from the beginning of the files (it was a small site that I could clean things manually). I then asked the hosting company to remove all extra FTP accounts and also change the owner of the infected files so I could clean them. No one had access to the main FTP account other than me, and seeing how the main site didn't get infected, we guessed that the problem originated from an infected machine that had credentials stolen, just like the situation above.
It is, interestingly, why the argument that "My Computer/Email/Website isn't important/popular/valuable enough for hackers to bother with" no longer has *any* validity; the vast majority of malware these days is entirely automated and the operators don't care who or what they manage to infect - although as we've seen here they do sometimes exclude or include specific IP ranges when serving the payloads, partly to avoid serving the malware to security/AV firms but also in cases where they're after something that's specific to a particular country or region (there's no point trying to get NHS numbers from Americans, for example).


Omnes relinquite spes, o vos intrantes

My Characters
CoX Chatlog Parser
Last.fm Feed

 

Posted

Here's how these hacks work: You see at the bottom of the page here where it says "Powered by vBulletin"? Every time one of this board's pages turn up in Google search, that text is visible.

These bots similar to search engines look for pages like that, and they look for things like file attachment forms, avatar upload forms, pretty much anything that will store a file on the server - and attempts to upload a Perl (.pl) or PHP (.php) script. If it's successful, it calls that script from its URL (same as if you view a picture that's attached to a post).

If that fails, it tries guessing admin passwords for both the message board and for FTP, also with the same goal of uploading and then calling a script.

The script that's called checks for writable PHP and Perl files in the server's web space and alters them. Then you're infected.

FYI, this is the biggest reason why the CoH message boards don't allow any file attachments and require you to host your avatar elsewhere.


Manga @ Triumph
"Meanwhile In The Halls Of Titan"...Titan Network Working To Save City Of Heroes
Save Paragon City! Efforts Coordination

 

Posted

Additionally, a *lot* of sites don't keep their software up to date, especially forums, *especially* phpBB for some reason (Wordpress is pretty bad too) and as a result they're vulnerable to exploits that have been found and subsequently patched by the developers. Some of these are as simple as sending a malformed URL allowing you to execute code on the hosting server, others are more convoluted but can easily be automated.


Omnes relinquite spes, o vos intrantes

My Characters
CoX Chatlog Parser
Last.fm Feed

 

Posted

Quote:
Originally Posted by The_Spad_EU View Post
Additionally, a *lot* of sites don't keep their software up to date, especially forums, *especially* phpBB for some reason (Wordpress is pretty bad too) and as a result they're vulnerable to exploits that have been found and subsequently patched by the developers. Some of these are as simple as sending a malformed URL allowing you to execute code on the hosting server, others are more convoluted but can easily be automated.
Yeah, I'm guessing that it was probably something with the copy of SMF. Last I saw, it was running 1.1.10, though there may have been more components that were up-to-date.

Titan ran (runs?) a few modifications that were(are?) directly embedded into the php pages to display the various Titan links on the profile page, the custom images for the subforums, along with the code to hook into the Titan Auth table. It was a bit of legacy code that wasn't ever fixed (at least before I left), but we tried upgrading what pieces we could when possible.

We were also waiting for SMF to release version 2, as it was a significant update to the software, but the official release kept being delayed for whatever internal SMF reasons.


[url="http://wiki.cohtitan.com/wiki/User:SaintNicster"]ParagonWiki User Page[/url]

[url="http://cit.cohtitan.com/profile/214#list"]City Info Tracker[/url]

 

Posted

Just adding my thanks also to Tony and the Titan team for their concern and hard work



"You got to dig it to dig it, you dig?"
Thelonious Monk

 

Posted

Everyone...and I mean everyone...who runs a website, game, or any other shared service can learn from the way Tony V and the rest of the CoHTitan crew have handled this: immediate response upon being informed of the problem, frequent detailed updates, explanations that everyone can understand. You guys do it right.


Skip
My Char. List and Market Transactions
HeroStats Developer
Legion of Valor
Iron Eagles

 

Posted

Quote:
Originally Posted by SaintNicster View Post
donations@cohtitan.com is the address that I had in past emails, though I don't know if there was anything special that needed to be done for donation.
Using this address at PayPal.com seems to do the trick and will send a donation to the Titan Network


 

Posted

To TonyV and the rest of the Titan Network:

Thanks so much for all you do. Your dedication and work ethic is appreciated.


50s: Inv/SS PB Emp/Dark Grav/FF DM/Regen TA/A Sonic/Elec MA/Regen Fire/Kin Sonic/Rad Ice/Kin Crab Fire/Cold NW Merc/Dark Emp/Sonic Rad/Psy Emp/Ice WP/DB FA/SM

Overlord of Dream Team and Nightmare Squad

 

Posted

Thank you for this info. I was wondering why the Paragonwiki site seemed to be acting up and running so slowly yesterday.

I'm going to guess that the highest risk was to those that actually log into the Titan Network sister sites? My password and login for the Titan pass thing seems to no longer work, so I haven't logged into any of the sites for several years.

I run NoScript with FF and Ad-block Plus, but I always give Paragonwiki full script access each time I visit.

I ran a couple of scans and found nothing on my computer, so that's a relief.


 

Posted

Thank you for your prompt action on this issue. AVG says my system is clean.

In addition to antivirus and everything else i have on my system, I also use SandBoxIE. (Just a fast plug...)

www.sandboxie.com


"C'mon! We can take 'em! There's only 947 of them!"
"I have an excuse for dying a lot... I'm trying to get my Exalted Badge!"

 

Posted

Tony, I want to add my voice to the chorus of appreciation for all your hard work (and the hard work of everyone else) to get Titan Network back up and running. I'm really dependent on Paragon Wiki and Red Tomax in particular, and I can't thank you all enough for all you have done in making these great resources available and safe for us to use.

(Seriously jonesing for the power quantification info in City of Data, btw! )


 

Posted

To TonyV and any other Wiki Wonder Workers:

Thank you very much for all of your efforts in maintaining and improving your site. I've used it almost daily for years. It truly is one of the best CoH support sites out there. I enjoy almost all of the rest of the Titan Network as well.

Thanks again for providing a safe, clean and efficient site!


 

Posted

Quote:
Originally Posted by SaintNicster View Post
donations@cohtitan.com is the address that I had in past emails, though I don't know if there was anything special that needed to be done for donation.
The donation link at the Wiki is working perfectly fine. I just tested it this morning! Keep up the good work!


Speeding Through New DA Repeatables || Spreadsheet o' Enhancements || Zombie Skins: better skins for these forums || Guide to Guides

 

Posted

Just adding another "Thank You!" to the chorus.


Altoholic - but a Blaster at Heart!

Originally Posted by SpyralPegacyon

"You gave us a world where we could fly. I can't thank you enough for that."

 

Posted

First of all, I have to say a HUGE "Thank you!" to everyone expressing support. As I've said before, it really does mean a lot. These things are very NOT fun to deal with, and I appreciate everyone bearing with us and sending good vibes our way as we not only restore service, but actually make things better. Some folks have even been sending donations, which I really appreciate, since we're double-dipping on a second VPS this month to have the ability to move audited stuff over as it gets cleaned and verified instead of trying to move everything at once and clean-as-we-go. I've also been getting some PMs from folks, and I will reply, I promise, as soon as the sites are back up and I can take some time to do it right.

Second of all, as posted in the update in the OP, we got the Titan Forums updated and restored. There are still some login/password issues so you might not have full access just yet, but when we get the main site back up (expected sometime tomorrow night Eastern time), you'll be able to reset your Titan Key to sync everything up and regain access. I'll post more details as I get them.

Quote:
Originally Posted by SaintNicster View Post
Yeah, I'm guessing that it was probably something with the copy of SMF. Last I saw, it was running 1.1.10, though there may have been more components that were up-to-date.
I'm almost certain this is what bit us. I'm not 100% sure, and I'm still looking for the "smoking gun" on the server to definitively say, "Yup, that's it!" (Which will really have to wait at least another day or two until I get everything moved over, configured, and up and running.) But of what research I've been able to do, this is by far the most likely candidate vector of attack. It's also why I put such heavy emphasis on getting the old forums upgraded first, even at the expense of losing some of the customization.


We've been saving Paragon City for eight and a half years. It's time to do it one more time.
(If you love this game as much as I do, please read that post.)

 

Posted

Just out of curiosity. While the site(s) are down, is there a mirror to the latest version of Mids anywhere out there?


 

Posted

I'd love to see people who get PAID to do this sort of thing do a better job than TonyV has. Keep up the good work Tony!


@Demobot

Also on Steam