# Just a friendly notice to you peepz who visit Rage3D



## Flyordie (Mar 12, 2010)

This is why security should be first and foremost on all websites.  W1zz, you are pretty good with security it would seem, maybe you could help 'em out?



> Rage3D.com is currently down for evaluation
> 
> On the evening of Thurs. March 11,  Rage3D.com was compromised by an outside attacker.  The intruder was
> able to access the website and the forums for a period of up to a few hours though it may have functionally been less.
> ...


----------



## Lupine (Mar 13, 2010)

Flyordie said:


> This is why security should be first and foremost on all websites.  W1zz, you are pretty good with security it would seem, maybe you could help 'em out?


Security should certainly be a primary concern for every person participating online, and certainly when running a website where the stakes are higher.  Up there as well is having a solid disaster recovery plan, should the worst-case scenario happen.

Rage3D is doing pretty well on both fronts, but we certainly learned some hard lessons over the past 24hrs.  We hope to be back up and running this weekend, but our primary objective is to ensure that the site is secure.


----------



## Steevo (Mar 13, 2010)

What was the method of attack? Brute force DDOS? DPC? Exploit?


I know W1zz has posted a few threads about security and ideas; he is one of the few webmasters that actually listens and puts it out there for the general population. I have been online and had to take down a server once due to a breach. It was kinda hairy: the admin/owner had to create an account and send me a PM as his account was cracked and the person was deleting content and damaging the forums. Fortunately I was able to take the site down and he got hold of the host before unrecoverable damage was done.


----------



## Lupine (Mar 13, 2010)

Well, it started with me.

The account I use to communicate via MSN IM was cracked somehow (not sure how yet, strong pwd etc implemented).  From there, the individual(s) msg'd people on my contact list trying to get info out of them.  One of the staffers "did me a favor" by changing the forum linked email address to the compromised MSN address, so that got them in the front door.  Another staffer gave out the admin control panel keys and that finished the job.

Because we didn't have protocols in place for responding to info requests like that, ones that bypass the normal processes, they worked us pretty good.


----------



## jellyrole (Mar 13, 2010)

I also run a website, don't mean to go off topic, but what more can I do to make the backends more secure?


----------



## pantherx12 (Mar 13, 2010)

Lupine said:


> Well, it started with me.
> 
> The account I use to communicate via MSN IM was cracked somehow (not sure how yet, strong pwd etc implemented).  From there, the individual(s) msg'd people on my contact list trying to get info out of them.  One of the staffers "did me a favor" by changing the forum linked email address to the compromised MSN address, so that got them in the front door.  Another staffer gave out the admin control panel keys and that finished the job.
> 
> Because we didn't have protocols in place for responding to info requests like that, ones that bypass the normal processes, they worked us pretty good.




Hope you get things up and running again soon 


Also, in regard to MSN, it's pretty hard to actually hack into the system and get access to an account (it's been a few years, but I used to be big on the more mischievous sort of hacking).

I can only guess at some point you got phished by someone who created a URL with only a one character difference to a website you may use, so even an on the ball person can sometimes get phished that way.

If there are any websites you manually put your data in rather than let your browser remember the info, it would have been one of them, since I'm guessing you'd have noticed that all of a sudden a website was not remembering your data.

I've recently come across some more intelligent hackbots on MSN, although I'd have imagined yours was a real person, probably another member of your staff perhaps. These new hackbots react differently. I got added by a random person, but I accept fairly often just in case it's someone I know with a new address; I always say "Hackbot?" since a human would be like "waaa?" or "no of course not man, it's me!" whereas the bots say "Hi I'm new in town and saw your picture" and other stupid shite, and also can't answer questions too well.

I came across a hackbot the other day that, when I did my usual "hackbot?", replied "WTF?"

So just keep your eyes peeled!


----------



## W1zzard (Mar 13, 2010)

Social engineering works wonders. Nothing you can do against it other than having protocols in place that people need to listen to.

Lupine, do an `ls -lR` on the server and sort by modification time, then do the same sorted by access time to spot possible backdoor installations.


----------



## caveman-jim (Mar 13, 2010)

W1zzard said:


> Social engineering works wonders. Nothing you can do against it other than having protocols in place that people need to listen to.
> 
> Lupine, do an `ls -lR` on the server and sort by modification time, then do the same sorted by access time to spot possible backdoor installations.



Unfortunately that won't work on Rage3D, as it's a Windows 08 box.

A `DIR /OD` ought to do it similarly. Probably better to use Windows Explorer to search the drive for files modified after Thursday afternoon.

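As an added example (not from the thread, nor Rage3D's own tooling), here is the Linux form of what W1zzard and caveman-jim describe: list files whose modification time, and separately whose access time, falls after a chosen cutoff, so post-intrusion changes stand out from the rest of the tree. It assumes GNU find and coreutils; the web root and cutoff are placeholders, and the demo tree is constructed inline.

```shell
#!/bin/sh
# Added example: first triage pass after a web-server compromise.
# Assumes GNU find/coreutils (Linux). Paths and cutoff are placeholders.

# Files modified after the cutoff, newest first. Same idea as `ls -lRt`,
# but with an explicit cutoff so only changes since the incident show.
recent_modified() {
  # $1 = directory to scan, $2 = cutoff, e.g. "2010-03-11 15:00"
  find "$1" -type f -newermt "$2" -printf '%TY-%Tm-%Td %TH:%TM %p\n' | sort -r
}

# Same for access time (`ls -lRtu`). Caveat: on relatime/noatime mounts
# atime is not reliably updated, so nothing here is only weak evidence.
recent_accessed() {
  find "$1" -type f -newerat "$2" -printf '%AY-%Am-%Ad %AH:%AM %p\n' | sort -r
}

# Constructed demo tree so the example runs offline: two legitimate files
# backdated to before the cutoff, one file dropped after it. Prints the root.
setup_demo() {
  d=$(mktemp -d)
  mkdir -p "$d/webroot/forum/images"
  echo '<?php // legit' > "$d/webroot/index.php"
  echo '<?php // legit' > "$d/webroot/forum/admincp.php"
  touch -d "2010-03-10 12:00" "$d/webroot/index.php" "$d/webroot/forum/admincp.php"
  # Constructed suspect: a script hidden in an upload/images folder, with
  # a current mtime, which is exactly what the cutoff listing should surface.
  echo '<?php // constructed suspect' > "$d/webroot/forum/images/.cache.php"
  printf '%s\n' "$d"
}

main() {
  root=$(setup_demo)
  echo "== modified after cutoff =="
  recent_modified "$root/webroot" "2010-03-11 15:00"
  echo "== accessed after cutoff =="
  recent_accessed "$root/webroot" "2010-03-11 15:00"
  rm -rf "$root"
}
main
```

On the real box the cutoff is the start of the intrusion window, and the listings are compared against a known-good copy or package manifest rather than eyeballed alone.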

----------



## W1zzard (Mar 13, 2010)

yep, same thing


----------



## Polaris573 (Mar 13, 2010)

That's a shame.  Good luck with the recovery guys.


----------



## Kreij (Mar 13, 2010)

Panther said:

> Your own staff did that?
> What fucks! I hate people like that.



Sounds like they were duped into revealing the information due to the compromised account, and not acting maliciously.


----------



## Bo$$ (Mar 13, 2010)

Good luck guys, I know how hard it is when crap like this happens.


----------



## Apocalypsee (Mar 13, 2010)

Damn, no wonder I can't browse Rage3D. I miss the site....


----------



## jimmt (Mar 13, 2010)

Jim and Lup if you need any help let me know.


----------



## Clockwork (Mar 13, 2010)

Clever. Very clever.


----------



## Lupine (Mar 13, 2010)

W1zzard said:


> Social engineering works wonders. Nothing you can do against it other than having protocols in place that people need to listen to.
> 
> Lupine, do an `ls -lR` on the server and sort by modification time, then do the same sorted by access time to spot possible backdoor installations.


Thanks - we did the former Thursday night, but I haven't sorted by access time yet, though possibly Ichy has.  I'll add that to the to-do list.



Kreij said:


> Sounds like they were duped into revealing the information due to the compromised account, and not acting maliciously.


Exactly.  They figured I was being my normal dufus self and made a few changes to let me back into the site.  Not sure what exactly was said, but it was convincing enough that they thought it was me.  Not their fault at all - they thought they were being helpful. We will certainly implement additional protocols to make sure this type of thing doesn't repeat.


----------



## Deleted member 24505 (Mar 13, 2010)

Just give all staff a password or something that they must quote to other staff to verify ID. Even if it's on MSN or whatever, no pass, no talky.

I feel for the staffers who got duped, they must feel like turkeys. It's not their fault.


----------



## Lupine (Mar 13, 2010)

pantherx12 said:


> Your own staff did that?
> 
> What fucks! I hate people like that.
> 
> ...


Thanks for that.  I don't remember adding anyone new, though I did have a couple of requests that I denied.  I don't click links in emails, but that doesn't mean I didn't get fooled somewhere else.  I'm trying to retrace my steps, but so far nothing makes much sense.  I have a little bit of concern about the security of the Hi MSN app on my Droid, since I used it the prior evening for quite a while, but I'm not finding anything to support those conclusions.

Probably the most frustrating thing is that they were able to get into one of my Gmail accounts via the MSN account, using pwd reset.  While Microsoft got the MSN account back under my control fairly quickly, Google has been zero help with the Gmail account.  Considering all the additional apps that you tend to use with Google ... it's a very big concern.  One-stop personal information shopping center, as it were (Google Checkout, Calendar, Picasa, Apps, etc etc).


----------



## copenhagen69 (Mar 13, 2010)

Lupine said:


> Thanks - we did the former Thursday night, but I haven't sorted by access time yet, though possibly Ichy has.  I'll add that to the to-do list.
> 
> 
> Exactly.  They figured I was being my normal dufus self and made a few changes to let me back into the site.  Not sure what exactly was said, but it was convincing enough that they thought it was me.  Not their fault at all - they thought they were being helpful. We will certainly implement additional protocols to make sure this type of thing doesn't repeat.



I got your protocol ...
When major crap needs to be changed ... call the person.

That way you know it's them.


----------



## pantherx12 (Mar 13, 2010)

Have you ever used the wifi on your phone to connect to anything that requires a password using public wifi?

Very very easy to intercept data like that if you did.

Other than those two suggestions I'm stumped!

Also I retract my statement about your staff being fucks, I misread and thought they did it maliciously.


----------



## Lunar Aura (Mar 13, 2010)

Good luck, guys. I'm sure you'll all be back with a vengeance and with new ironclad security protocols.


----------



## wabbitslayer (Mar 13, 2010)

Hunt the perp down.....


and kill them slowly


----------



## LAN_deRf_HA (Mar 13, 2010)

@Lupine

Do you use the same password for either myspace/facebook as you do for MSN? Aside from cases where employees of those sites used their privileges abusively, there have also been cases where social engineering has been used to gain access to admin accounts on those sites, where in the case of myspace people's passwords were stored in plain text. That's how a few celebrity emails have been "hacked". A site like that will not come forward and admit they had someone come in and grab a bunch of insecurely stored passwords. They'd rather let you suffer the consequences than have bad press.


----------



## Lupine (Mar 13, 2010)

LAN_deRf_HA said:


> @Lupine
> 
> Do you use the same password for either myspace/facebook as you do for MSN? Aside from cases where employees of those sites used their privileges abusively, there have also been cases where social engineering has been used to gain access to admin accounts on those sites, where in the case of myspace people's passwords were stored in plain text. That's how a few celebrity emails have been "hacked". A site like that will not come forward and admit they had someone come in and grab a bunch of insecurely stored passwords. They'd rather let you suffer the consequences than have bad press.


No, I don't duplicate passwords, and I can't think of any accounts that had any semblance to the pwd used on the msn account.  I'd changed that one a few months ago, after a bunch of MSN accounts were compromised.

That doesn't mean pwd patterns can't emerge.  I'm certainly reviewing all aspects, and will change some of my methods to ensure that security is increased.


----------



## Flyordie (Mar 13, 2010)

I just hope lupine doesn't get mad and hurt me for posting this once Rage3D is back up. :-(

I was just being helpful Lupine, sorry.

Btw Lup, did you call your ISP and report this?


----------



## caveman-jim (Mar 14, 2010)

jimmt said:


> Jim and Lup if you need any help let me know.



Thanks Bro.


----------



## honestjohn_ (Mar 14, 2010)

caveman-jim said:


> Unfortunately that won't work on Rage3D, as it's a Windows 08 box.
> 
> A `DIR /OD` ought to do it similarly. Probably better to use Windows Explorer to search the drive for files modified after Thursday afternoon.



Man this blows, good luck CJ and Lup getting the site back up and running. I need to get my Rage back!

If anything else, it's going to be a great learning experience for all ..... see you soon.


----------



## caveman-jim (Mar 15, 2010)

Thanks HJ :up:

To be honest I'm not involved with the site restore. Though this does give me some ideas for an article: how to take steps to protect yourself and mitigate your data vulnerabilities.


----------



## Lupine (Mar 15, 2010)

The Rage3D Hamster Squad is back up and running.  Thanks everyone.


----------

