www.ClassicTW.com
https://mail.black-squirrel.com/

Attention Sysops hacker Alert!!
https://mail.black-squirrel.com/viewtopic.php?f=1&t=19361
Page 1 of 2

Author:  Zentock [ Fri May 25, 2007 10:13 am ]
Post subject: 

Hello sysops, this is a warning to all sysops. I run ZoneAlarm Pro, and I have a Windows firewall up also.
This morning I was working at keys, and just before 8 am I noticed an unknown user log in to my TWGS, so I spied on the node and almost instantly saw this unknown user enter the editor and start running active player info.
I instantly banned this IP and rebooted the TWGS system.
This is the IP#. If anyone has any information on this, please respond here ASAP!!!

IP was 216.12.58.147

Author:  Runaway Proton [ Fri May 25, 2007 10:37 am ]
Post subject: 

This is what I could dig up Zen...
I don't have a record of this IP on my system. I wish there was a way to track the IPs of those logging in without having to scan the logs and write them down.
IP address: 216.12.58.147
Host name: 216-12-58-147.access.ntelos.net
216.12.58.147 is from United States(US) in region North America
Retrieving DNS records for 216-12-58-147.access.ntelos.net...
DNS servers
ns1.ntelos.net [216.12.0.7]
ns2.ntelos.net [209.145.84.130]
 
Answer records
216-12-58-147.access.ntelos.net 1 A 216.12.58.147 86400s
Authority records
access.ntelos.net 1 NS ns2.ntelos.net 3600s
access.ntelos.net 1 NS ns1.ntelos.net 3600s
Additional records
ns1.ntelos.net 1 A 216.12.0.7 3600s
ns2.ntelos.net 1 A 209.145.84.130 3600s
216.12.58.147 is from United States(US) in region North America

whois query for 216.12.58.147...
Results returned from whois.arin.net:
Ntelos Inc. NTELO-BLK-1 (NET-216-12-0-0-1)
                                     216.12.0.0 - 216.12.127.255
CFW Network - Access c4s10-c5s CFW-216-12-58 (NET-216-12-58-0-1)
                                     216.12.58.0 - 216.12.58.255
# ARIN WHOIS database, last updated 2007-05-24 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
Results returned from whois.arin.net:

OrgName:    CFW Network - Access c4s10-c5s
OrgID:      CNAC-9
Address:    401 Spring Lane
City:       Waynesboro
StateProv:  VA
PostalCode: 22980
Country:    US
NetRange:   216.12.58.0 - 216.12.58.255
CIDR:       216.12.58.0/24
NetName:    CFW-216-12-58
NetHandle:  NET-216-12-58-0-1
Parent:     NET-216-12-0-0-1
NetType:    Reassigned
NameServer: NS.CFW.COM
NameServer: NS4.CFW.COM
Comment:   
RegDate:    1999-12-23
Updated:    1999-12-23
RTechHandle: DNS56-ORG-ARIN
RTechName:   Domain Name Services
RTechPhone:  +1-540-946-2638
RTechEmail:  dns@ntelos.net

Author:  Zentock [ Fri May 25, 2007 11:42 am ]
Post subject: 

Good work RP!

Also, as a note to other sysops: whenever an upgrade is added to your TWGS, the admin PW is reset to the default PW. This is how this user got access.
Additionally, if you look in the IP area of the configuration part of the TWGS, you can set admin access to local only. This is advised for all sysops who do not have any game ops telneting to their admin ports.

The above information was supplied by Sage, Sysop of UltimateTW.com.

Author:  River Rat [ Fri May 25, 2007 12:26 pm ]
Post subject: 

Thanks Zen. I was just going to mention or ask that of RP, as that had happened a couple of years ago to me and I hadn't noticed that it changes to admin. What a mess I had. I will run a search on that IP when I get home tonight or tomorrow and see if I can come up with a match. Be nice to corner this person and tell him he is not wanted. We have just learned in the last few weeks what happens when something is hacked.

Author:  Aileron [ Fri May 25, 2007 12:47 pm ]
Post subject: 

You might also want to edit your router setup (if you have one). Don't allow access to the port you use to edit games with from the outside. Special ports like 2002 have to be specifically applied as TCP-type settings that users have access to from the outside. There are other advantages to using routers, one of which is another password they would have to crack to get into your board. They make routers with mega speed capabilities these days. Might be a good idea to set one up even if your server machine is the only one you have.

Author:  Oso [ Fri May 25, 2007 5:26 pm ]
Post subject: 

Both are good suggestions.
If you are going to have your admin port open, change it to something else and make sure the password is changed.
It was a good catch you made Zentock!

Also, Zen, I would let your players know that their passwords might be compromised. Some players use the same passwords for multiple TWGS, and if that person was fishing for usernames and passwords, they might be able to exploit that on another server.

Good job being on the ball and catching this guy.
RP, I'll chat with you later about digging through this guy's IP.

Author:  Zentock [ Fri May 25, 2007 8:10 pm ]
Post subject: 

OK everyone, the user who "hacked" my TWGS has fessed up and been identified; however, I am not going to publicly name the person, but I am going to post their reasoning for the "hack".

This user decided to play on my TWGS, but this user does the port 2003, port 513, admin port, default admin PW check before joining the site's games to determine if the site is safe to play on.

I didn't get the follow-up report from this user till 5:30 pm today, and I have been discussing it with them via ICQ.

I am satisfied that this was not a "hack" with the intent to do harm or cheat, that this was a security test that I failed.

However, I understand the user's intention, and I will now do the same thing myself before I join any new servers.
However, I will contact the sysop ASAP rather than wait 9 hrs. If I had been contacted then, this topic would have been a lot different.

Thank you to Runaway Proton, Aileron and Sage for their prompt responses and the information supplied to assist with this issue.
And thank you to Oso, the area moderator, for his input also. : )

Author:  Vulcan [ Fri May 25, 2007 9:52 pm ]
Post subject: 

Good going all, and hope things finally get the way we all want TW to be, good work all on it all, and glad to hear it was not a serious transgression. But still I would let others know their passwords may have been compromised, just in case.

Author:  Admin 1 [ Fri May 25, 2007 10:33 pm ]
Post subject: 

Zentock wrote:
OK everyone, the user who "hacked" my TWGS has fessed up and been identified; however, I am not going to publicly name the person, but I am going to post their reasoning for the "hack".

This user decided to play on my TWGS, but this user does the port 2003, port 513, admin port, default admin PW check before joining the site's games to determine if the site is safe to play on.

I didn't get the follow-up report from this user till 5:30 pm today, and I have been discussing it with them via ICQ.

I am satisfied that this was not a "hack" with the intent to do harm or cheat, that this was a security test that I failed.

However, I understand the user's intention, and I will now do the same thing myself before I join any new servers.
However, I will contact the sysop ASAP rather than wait 9 hrs. If I had been contacted then, this topic would have been a lot different.

Thank you to Runaway Proton, Aileron and Sage for their prompt responses and the information supplied to assist with this issue.
And thank you to Oso, the area moderator, for his input also. : )


OK, I can understand checking the admin port (I guess) (kinda like a bank robber getting caught and saying he wanted to see how secure his money was before he deposited it). However, you stated:
"I noticed an unknown user log in to my twgs, so I spied on the node and almost instantly saw this unknown user enter the editor and start running active player info. I instantly banned this user"

So I guess if he was just checking to see if it was secure, WHY, pray tell, would he be running active player info??? There is NO excuse for that, is there?
Please ID this guy to the rest of the sysops and game ops.

Author:  Big D [ Sat May 26, 2007 11:20 am ]
Post subject: 

Space Ghost wrote:
Zentock wrote:
OK everyone, the user who "hacked" my TWGS has fessed up and been identified; however, I am not going to publicly name the person, but I am going to post their reasoning for the "hack".

This user decided to play on my TWGS, but this user does the port 2003, port 513, admin port, default admin PW check before joining the site's games to determine if the site is safe to play on.

I didn't get the follow-up report from this user till 5:30 pm today, and I have been discussing it with them via ICQ.

I am satisfied that this was not a "hack" with the intent to do harm or cheat, that this was a security test that I failed.

However, I understand the user's intention, and I will now do the same thing myself before I join any new servers.
However, I will contact the sysop ASAP rather than wait 9 hrs. If I had been contacted then, this topic would have been a lot different.

Thank you to Runaway Proton, Aileron and Sage for their prompt responses and the information supplied to assist with this issue.
And thank you to Oso, the area moderator, for his input also. : )


OK, I can understand checking the admin port (I guess) (kinda like a bank robber getting caught and saying he wanted to see how secure his money was before he deposited it). However, you stated:
"I noticed an unknown user log in to my twgs, so I spied on the node and almost instantly saw this unknown user enter the editor and start running active player info. I instantly banned this user"

So I guess if he was just checking to see if it was secure, WHY, pray tell, would he be running active player info??? There is NO excuse for that, is there?
Please ID this guy to the rest of the sysops and game ops.

That's what I was thinking. He either accessed TEDIT or he didn't. If he actually accessed TEDIT and there was a password set, then that by definition is a hack, and he was probably up to no good.

Author:  River Rat [ Wed May 30, 2007 3:02 pm ]
Post subject: 

Well, I noticed this person also tried to log into my admin port. I really don't trust anyone that does that. I do know his game name but am not familiar with it. He goes by "ac", at least on my server.

Author:  Cerne [ Wed May 30, 2007 3:22 pm ]
Post subject: 

Zentock wrote:
however i understand the users intention and i will now do the same thing myself before i join any new servers.


Any one who tries to access the admin port on my server gets banned permanently. That should let them know my twgs is secure, then they can tell their friends.

The days of passing off hack attempts as security checks are gone; they are just lame excuses for when they get caught, and they went out with mainframes.

Cerne

Author:  Singularity [ Wed May 30, 2007 4:33 pm ]
Post subject: 

Laff, of course it's easy to mistype port numbers... I've done it more than once. So paranoia is one thing, but senseless paranoia...

Author:  Oso [ Wed May 30, 2007 6:14 pm ]
Post subject: 

While it is easy to mistype a port number, it is harder to mistype your way into TEDIT...

I want to know who it was too.

Author:  Cerne [ Wed May 30, 2007 7:13 pm ]
Post subject: 

Singularity wrote:
Laff, of course it's easy to mistype port numbers... I've done it more than once. So paranoia is one thing, but senseless paranoia...



I use 513, not 2003.
