[Trivial Psychic]

Ah, don't look now, but it appears as though there is an unauthorized update to your website... from yesterday.

[Veers]

nullbyt3 was here.
>12/03/2011  |  IceFire

nullbyt3 was here. You website is vulnerable to multiple exploits. Please address these problems.

[email protected]

Development Team

    Bobboau - Chief model designer, MOD manager
    Kellan - Mission designer and story creator (absent)
    ShadowWolf - Mission designer
    Alikchi - Mission designer
    nullbyt3 - New Team leader

http://www.safe-mail.net/

Safe-mail is the most secure, easy to use communication system. It includes encrypted mail system with collaboration features and document storage functions. Always accessible at any time from anywhere!
3 Mb space is free. More space and functionality is supplied under Premium Packages. There are no advertisements, downloads or cookies. Safe-mail supports most hardware platforms and any operating system. Includes file storage, spam filters and anti virus protection. Full compatibility with most browsers, email clients and all relevant protocols including POP, SMTP, IMAP, S/MIME and PKI.

??? I sure hope nothing else was done.

[Nyctaeus]

My avast found a virus in your gallery section! o__O

[Dragon]

Pehaps he's a guy from that safe-mail trying to convince you to improve your security (by using their E-mail system and paying for premium packgages, of course).
Or maybe somebody who wanted a challenge and once he was done, just wanted to be helpfull.
Anyway, updates on BWO site are always welcome, though unfortunately, there's no info on progress in there. 

[Nyctaeus]

Yeah, I know you have amazing assets but you showed only old outdated screenshots and low poly models . We want more !

[Fury]

Hacked again? Seriously. Whoever is doing your websites should probably learn something about security.

[nullbyt3]

nullbyt3 here.


Just letting you know that, no I didn't add any malicious content to your site, nor did I modify content in a malicious manner.. Thats not my thing.  I was simply showing you how easy it is to get Administrator access on\f your site and if I can do it a skid won't be far behind trying to upload his index.

I left the email in the event you wanted advice on how to secure your site. Obviously whoever is doing it is doing a bad job.  As far as how I got in? I don't remember exactly? I break a lot of sites security to leave messages like that to help Web Administrators like yourselves, but in the past few days I have used SQL injection(Full Blind, Double Query, and basic), Symlink attacks, XSS, and one unpublished php code injection(via Perl) attack. 

I don't deface or ruin sites because I'm not a script kiddie. I left the email for you to contact me in the event you actually "want" to find out the problem and need a fix that will work. Safe-mail is just an email provider that encrypts emails between safe-mail users.

 If you email me the site link I will give you more input on how I got in and how to stop the next guy from getting in. Oh, and as far as Avast detecting a virus, Avast has probably flagged some php code in an image or a php shell as a virus. There was NO malicious content that could infect users visiting your site. 

[Luis Dias]

So.... what are you selling, and for how much?

[Snail]

Hey, cool! An internet vigilante! Can I have your autograph, sir?

[TopAce]

nullbyt3 here.


Just letting you know that, no I didn't add any malicious content to your site, nor did I modify content in a malicious manner.. Thats not my thing.  I was simply showing you how easy it is to get Administrator access on\f your site and if I can do it a skid won't be far behind trying to upload his index.

I left the email in the event you wanted advice on how to secure your site. Obviously whoever is doing it is doing a bad job.  As far as how I got in? I don't remember exactly? I break a lot of sites security to leave messages like that to help Web Administrators like yourselves, but in the past few days I have used SQL injection(Full Blind, Double Query, and basic), Symlink attacks, XSS, and one unpublished php code injection(via Perl) attack. 

I don't deface or ruin sites because I'm not a script kiddie. I left the email for you to contact me in the event you actually "want" to find out the problem and need a fix that will work. Safe-mail is just an email provider that encrypts emails between safe-mail users.

 If you email me the site link I will give you more input on how I got in and how to stop the next guy from getting in. Oh, and as far as Avast detecting a virus, Avast has probably flagged some php code in an image or a php shell as a virus. There was NO malicious content that could infect users visiting your site.

But then why hack the site instead of posting about it here?

[MatthTheGeek]

Cause it would have made his point so much less viable !

[nullbyt3]

Cause it would have made his point so much less viable !

^^Exactly!

 That , and its more the fact that I didn't know that this community existed until I read the above posts yesterday. I didn't deface it or delete anything so the site itself is fine, but I hope the owner takes the time to secure it before some kids come along and ruin it just for fun. Again, if you need any help securing your DB/Website you have my safe-mail addy. 

And no, I'm not trying to sell anything. I have ethics. Peace and Good luck.

[Mobius]

Does this mean that the other projects' websites are equally vulnerable?

[Droid803]

Mmmm yeah.
I think we should do something about our security.
I mean, its not the first time its been hacked either

[Raven2001]

A hacker with morals!

Unusual, but quite welcome

[Mobius]

Mmmm yeah.
I think we should do something about our security.
I mean, its not the first time its been hacked either

What can we do about it?

[Goober5000]

You, nothing.  The admins are looking into it.

[Fury]

That is incorrect. Admins cannot do anything about hosted project sites that have security issues. Unless of course, you want to examine and fix hosted project sites security yourself. Unlikely to happen, isn't it?

The more complex a site is, the more likely is it that you may have security problem or few. The BWO/CE website uses php and mysql, making it far more vulnerable to exploits than standard basic html. But it is possible to have exploits even in basic html, though these are rare.

What admins have control over is server-wide security, namely that of apache, php and mysql. Security updates to any and all packages are handled automatically. While I can never be 100% sure, I'm quite confident settings of apache, php and mysql are secure enough without compromising php compatibility. Improvements can be done via 3rd party tools, such as mod_security. Last time mod_security was installed it caused problems with SMF though.

Case in point, if the server had exploitable security holes, I'm pretty sure the mainpage, forums or wiki would have been victimized many times already instead of some random hosted project site that's obscure even among hosted projects. Still, it doesn't hurt to contact this guy and confirm what security exploit was used, if nothing else at least that gives yet another lesson of security to whoever is coding BWO website.

[Goober5000]

Well, I meant "you" as in Mobius specifically, but reading his question again that wasn't quite fair to him because he did ask the question using "we".

Anyway, we are in contact with nullbyt3 and he has given us some useful information about how the site is vulnerable.  We will shortly be in contact with the BWO staff.

(Incidentally, who is in charge of website design on the BWO site, and why hasn't he posted on this thread yet?)

[Snail]

(Incidentally, who is in charge of website design on the BWO site, and why hasn't he posted on this thread yet?)

Given the age of the CE website maybe they've left.