Author Topic: EXIT: Intruder alert!  (Read 5168 times)

Holey Moley

look out honey, 'cause I'm using technology
Holey Moley says,
« on: July 05, 2020, 04:30:17 PM »

So, it turns out when I migrated the site to a new host a while ago I didn’t know that the authz_svn_module had to be configured to get vanilla protection of the Subversion files containing the Sword of Moonlight downloads, so it turns out somebody or something was making revisions to the files, so I’m scrambling to try to restore it.

If you had the misfortune of downloading these files, the first ones are listed on the full page of this post (go through the “Continued” link) so you can see if you have these among your personal files. If you do, I recommend deleting your installation and going back through the download and install process.

I’ve ripped out all of the changes since I migrated. I’m going to put them back in as soon as possible, but in the meantime they’re missing. They’re listed below if you want to try to recover them, except for source code changes. I think this shouldn’t have happened if the Apache and Subversion teams were more humanistic in their software design practices. Something you often run into with open-source projects is a callous disregard for basic use cases.

Right now I can’t seem to synchronize my personal files with the hosted files because I had to rip the offending files out of the database, and unfortunately Subversion doesn’t provide a tool for this. I don’t know if it will work from a fresh download or not. My files think they’re out ahead of the real files, which is a scenario TortoiseSVN doesn’t want to account for. If I had a backup handy I’d just restore it to the state before migration and start over, which is what I’m trying to do ASAP. That revision number is 361 and as soon as I get things back in order there will probably be a revision 362 with the files I had to remove yesterday.

(On the bright side, I guess our “intruders” can be credited with helping to highlight the hole in our defenses. A lot of the files were Windows style DLL files, so be careful in case any of them are malware.)

The list below is legit changes that are temporarily missing.

372
/data/menu/NWSE.bmp
/data/menu/NWSE.txr
/data/menu/NWSE1.mdo
/data/my/prof/Ex.ini
371
/data/my/prof/Ex.ini
370
/tool/SomEx.csv
369
/data/map/mhm/yk4220.mhm
/data/map/parts/0096.prt
/data/map/parts/0224.prt
/data/map/parts/0352.prt
/data/map/parts/0480.prt
/data/map/parts/0608.prt
368
/data/obj/prof/0012.prf
/data/obj/prof/0013.prf
/data/obj/prof/0014.prf
/data/obj/prof/0015.prf
/data/obj/prof/0174.prf
/data/obj/prof/0175.prf
/data/obj/prof/0222.prf
/data/obj/prof/0287.prf
/tool/SomEx.csv

This list is a subset of the offending files that you can use to determine if you have a compromised set of files. Really I suppose I could just list one of these, but it’s just a copy/paste job of the first revision with bad files. Some of these look like someone might have made a mistake, not knowing how to use SVN or something; however, one (assuming they’re from the same party) modified SomEx.dll and some other executables and some of the language pack files, including adding some of the translation files to the versioned files that aren’t supposed to be. So you could be running these files unfortunately.

/HEAD
/config
/description
/hooks
/hooks/applypatch-msg.sample
/hooks/commit-msg.sample
/hooks/fsmonitor-watchman.sample
/hooks/post-update.sample
/hooks/pre-applypatch.sample
/hooks/pre-commit.sample
/hooks/pre-merge-commit.sample
/hooks/pre-push.sample
/hooks/pre-rebase.sample
/hooks/pre-receive.sample
/hooks/prepare-commit-msg.sample
/hooks/update.sample
/info
/info/exclude
/objects
/objects/info
/objects/pack
/refs
/refs/heads
/refs/tags
/svn
/svn/.metadata
/svn/refs
/svn/refs/remotes
/svn/refs/remotes/origin
/svn/refs/remotes/origin/git-svn
/svn/refs/remotes/origin/trunk
/svn/refs/remotes/origin/trunk/.rev_map.908064de-85fe-4402-a909-d45d0ebbf1e1

As of this time I haven't been able to overwrite the files with the ones from before I migrated the site. I will update when I do so. Just in case you want copies of the new files that I've taken down I've attached them to this post, although you'll have to sort them into their respective directories.
« Last Edit: July 19, 2020, 09:08:08 PM by Holy Diver »
Formerly "Holy Diver" ("Holy") [Holy will be back as soon as I'm back to full form]

Holey Moley has 2730 posts
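The gap the post describes is a mod_dav_svn location with no authentication and no authz_svn policy, which lets any HTTP client commit. As an added example that is not the site's or the forum's own configuration, here is that weak block beside a hardened one for Apache httpd 2.4 with mod_dav_svn and mod_authz_svn loaded; the repository path, authz and htpasswd paths, realm name and user name are placeholders.

```apache
# Added example, not the site's own config. All paths and names are placeholders.

# WEAK: the repository is served with no AuthType, no Require and no
# AuthzSVNAccessFile, so anonymous clients can commit (MKACTIVITY/PUT/MERGE),
# not just check out.
<Location /svn-weak>
    DAV svn
    SVNParentPath /srv/svn
</Location>

# HARDENED: anonymous read-only, authenticated and authorized write.
LoadModule dav_svn_module   modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

<Location /svn>
    DAV svn
    SVNParentPath /srv/svn

    # Per-path policy (placeholder path). Example contents:
    #   [groups]
    #   maintainers = holey
    #   [/]
    #   * = r              # anonymous: read only
    #   @maintainers = rw  # named maintainers: read and write
    AuthzSVNAccessFile /etc/svn/authz

    AuthType Basic
    AuthName "Subversion repository"
    AuthUserFile /etc/svn/htpasswd

    # Read-only DAV/SVN methods stay anonymous so downloads keep working;
    # every other method (all the write methods) must present valid
    # credentials, and the authz file above then decides who may write.
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require valid-user
    </LimitExcept>
</Location>

# Check after reload: an unauthenticated "svn checkout" still succeeds, while
# an unauthenticated commit (e.g. "svn mkdir --non-interactive" against the
# URL) is refused with 401/403 and shows up as such in the access log.
```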

Holey Moley

look out honey, 'cause I'm using technology
Holey Moley says,
« Reply #1 on: July 09, 2020, 07:00:15 AM »

Okay, should be fixed now. I removed the attachment since the files can be downloaded anew :zahn:
« Last Edit: July 19, 2020, 09:07:57 PM by Holy Diver »
Formerly "Holy Diver" ("Holy") [Holy will be back as soon as I'm back to full form]

Holey Moley has 2730 posts