
PeterMacKenzie
Veteran

Joined: 15 May 2005
Gender: Male
Posts: 626
Location: BANNED FOR DISCUSSING RECENT BANNINGS!

04 Jun 2005, 4:44 am

At first I thought I was either more tired than I knew, or mozilla was turning into a script kiddie, but it soon dawned on me that I was only getting the message "Th3_analyz3r - Unknown_3rr0r" in the title bar with wrong planet. Visiting 'home' confirmed that someone had compromised the site. Although it's not my job to admin the site, I'd like to say to NOBODYCODER; thanks for (I hope) not deleting anything and generally leaving things intact.

To everyone else, or NOBODYCODER if they care to tell us; how was wrongplanet hacked and how can it be secured? It's not a subject I know much about.


_________________
Banned for discussing the recent spate of bannings.


PeterMacKenzie
Veteran

Joined: 15 May 2005
Gender: Male
Posts: 626
Location: BANNED FOR DISCUSSING RECENT BANNINGS!

04 Jun 2005, 5:15 am

Maybe this should be in 'bug reports and ideas'.


_________________
Banned for discussing the recent spate of bannings.


Prometheus
Veteran

Joined: 5 May 2005
Gender: Male
Posts: 1,506
Location: Through the plexiglass

04 Jun 2005, 8:56 am

looks like alex has been cleaning up as of late 8)


_________________
All your bass are belong to us.


Mashi
Developer

Joined: 19 May 2005
Gender: Male
Posts: 48

04 Jun 2005, 9:20 am

I fixed it.



Prometheus
Veteran

Joined: 5 May 2005
Gender: Male
Posts: 1,506
Location: Through the plexiglass

04 Jun 2005, 9:54 am

are you alex? Or a friend of his?

In any case, thank you!


_________________
All your bass are belong to us.


alex
Developer

Joined: 13 Jun 2004
Age: 38
Gender: Male
Posts: 10,216
Location: Beverly Hills, CA

04 Jun 2005, 6:32 pm

WrongPlanet.net was compromised through a phpnuke security hole that Mashi, thankfully, patched. The attacker got in through a mysql injection that he was able to execute because of a bug in the input validation for the URL. The line that read

Code:
 if (preg_match("/\?admin/", "$checkurl"))


checks to see if the person is not an admin. If the person isn't an admin, the script won't let the person access the database. If the person is an admin, the user can access the database. The url validation was buggy, however, and didn't truly prevent nonadmins from executing an sql injection, because while someone couldn't write:


Code:
http://wrongplanet.net/admin.php?admin=alex


Someone could write

Code:
http://wrongplanet.net/admin.php?thisTextIs=notimportant&admin=alex

without the mentioned regex actually catching the input as being invalid. By changing the conditional to this:
Code:
if (preg_match("/\?admin/", "$checkurl") || preg_match("/\&admin/", "$checkurl"))

we are able to make the regex register a url as invalid when something precedes the "admin=" portion of the url. That's the only thing that needed to be changed to have prevented the attacker from gaining access.


_________________
I'm Alex Plank, the founder of Wrong Planet. Follow me (Alex Plank) on Blue Sky: https://bsky.app/profile/alexplank.bsky.social
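
The two conditionals quoted in the post above, run against the two URLs it gives, as an added example that is not part of the original post or of PHP-Nuke. The function names, the third sample URL and the `parsed_check` alternative are assumptions made for this illustration.

```php
<?php
// Added illustration; function names are hypothetical, not PHP-Nuke code.
// Each function returns true when the URL is flagged as invalid.

// The check as quoted in the post: matches "admin" only directly after "?".
function original_check(string $checkurl): bool
{
    return preg_match("/\?admin/", $checkurl) === 1;
}

// The patched check from the post: also matches "admin" after "&".
function patched_check(string $checkurl): bool
{
    return preg_match("/\?admin/", $checkurl) === 1
        || preg_match("/\&admin/", $checkurl) === 1;
}

// Assumed alternative: parse the query string and test the parameter
// names themselves, so the decision does not depend on where the
// parameter sits in the URL or on a substring match.
function parsed_check(string $checkurl): bool
{
    $query = parse_url($checkurl, PHP_URL_QUERY);
    if (!is_string($query)) {
        return false; // no query string at all
    }
    parse_str($query, $params);
    return array_key_exists('admin', $params);
}

// The two URLs from the post, plus one constructed URL whose only
// parameter merely starts with the letters "admin".
$urls = [
    'http://wrongplanet.net/admin.php?admin=alex',
    'http://wrongplanet.net/admin.php?thisTextIs=notimportant&admin=alex',
    'http://wrongplanet.net/admin.php?administrator_help=1', // constructed
];

foreach ($urls as $url) {
    printf("%-70s original=%d patched=%d parsed=%d\n",
        $url, original_check($url), patched_check($url), parsed_check($url));
}
```

The second URL is the only one the original check misses, and the third shows a substring pattern flagging a parameter that is not `admin` at all. A check on the URL's shape is a filter in front of the admin script; whether a request may reach the database is better decided from the server-side login session.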


Sean
Veteran

Joined: 3 Apr 2005
Gender: Male
Posts: 3,505

04 Jun 2005, 7:35 pm

Alex,
Were there any other changes to the site's code or was there any information compromised?



alex
Developer

Joined: 13 Jun 2004
Age: 38
Gender: Male
Posts: 10,216
Location: Beverly Hills, CA

04 Jun 2005, 7:42 pm

Sean wrote:
Alex,
Were there any other changes to the site's code or was there any information compromised?

No, they only had access to the site through the admin control panel so they couldn't change any code.


_________________
I'm Alex Plank, the founder of Wrong Planet. Follow me (Alex Plank) on Blue Sky: https://bsky.app/profile/alexplank.bsky.social


hale_bopp
Veteran

Joined: 2 Nov 2004
Gender: Female
Posts: 17,054
Location: None

04 Jun 2005, 8:15 pm

Why are you telling people how it was hacked? Don't give them ideas..

It totally freaked me out when I saw it last night. No-one had posted anything about it so I thought it might have just been me.. or it was some kind of joke.



alex
Developer

Joined: 13 Jun 2004
Age: 38
Gender: Male
Posts: 10,216
Location: Beverly Hills, CA

04 Jun 2005, 9:15 pm

hale_bopp wrote:
Why are you telling people how it was hacked? Don't give them ideas..

It totally freaked me out when I saw it last night. No-one had posted anything about it so I thought it might have just been me.. or it was some kind of joke.

Well, we fixed the problem and trying to base a security plan on not giving people ideas is security through obscurity which really sucks on the internet at least.


_________________
I'm Alex Plank, the founder of Wrong Planet. Follow me (Alex Plank) on Blue Sky: https://bsky.app/profile/alexplank.bsky.social


Sean
Veteran

Joined: 3 Apr 2005
Gender: Male
Posts: 3,505

04 Jun 2005, 10:35 pm

Security through obscurity is largely why M$ has so many problems. It underestimates a hacker's intelligence and overestimates their common sense.



Blue_Moon
Tufted Titmouse

Joined: 3 Jun 2005
Gender: Female
Posts: 31

06 Jun 2005, 5:26 pm

creepy. Glad the hacker didn't permanently hurt anything.



Blue_Moon
Tufted Titmouse

Joined: 3 Jun 2005
Gender: Female
Posts: 31

06 Jun 2005, 5:27 pm

Why does it say butterfly? This is a Luna Moth!



ljbouchard
Veteran

Joined: 4 Mar 2005
Gender: Male
Posts: 1,278
Location: Rochester Minnesota

06 Jun 2005, 5:28 pm

Butterfly is the level you are at based on the number of posts you have made.


_________________
Louis J Bouchard
Rochester Minnesota

"Only when all those who surround you are different, do you truly belong."
---------------------------------------------------
Fred Tate Little Man Tate