Problems on Canonfire

#1

zombiegleemax

May 12, 2004 12:07:31
Apparently some nimrod has decided to hack into Canonfire and mess with it. Just thought the rest of you would like to know so you can be just as ****** off as I am.
#2

zombiegleemax

May 12, 2004 13:07:36
We have identified the problem, have partially identified the hacker, and are in the process of upgrading software and security.

Canonfire should be available and fully secure late tonight.
#3

zombiegleemax

May 12, 2004 13:21:21
Yup, I regret to inform everyone, looks like some kid or loser with nothing better to do, has hacked the site. This is the second time in a week, though this time it was more destructive.

to quote:

"I hacked your site 5 minutes ago. If you want your site back
come on
irc.bolchat.org channel #bugojno
and search for me
my nick is b_o_x_e_r and we will have a deal about your site ?
If you don't find me
i will erase your site.
So hurry find me !!!!!!!!!"

No doubt some lame attempt to extract some blackmail.

Alas, the site is down and will remain so, until we can figure something out. As Abyss has noted, we are working on some leads. We have a backup of the site as current as Sunday, so we haven't lost any significant content.

-G
[email]psmedger@canonfire.com[/email]
#4

zombiegleemax

May 12, 2004 13:44:48
We have a backup of the site as current as Sunday, so we haven't lost any significant content.

Well, that's good news. I was p*ss*d but never worried. Any hacker worth his salt should know not to mess with D&D players; we are the original computer nerds :D
#5

zombiegleemax

May 12, 2004 15:23:55
I hope you're able to track down the doofus who's doing this to the site! Maybe this idiot will try WotC next and get tossed in jail.

Or we can just make fun of him at GreyChat Thursday. :D
Good luck, Smedger!
-wn
#6

zombiegleemax

May 12, 2004 16:04:35
Originally posted by PSmedger
to quote:

"I hacked your site 5 minutes ago. If you want your site back
come on
irc.bolchat.org channel #bugojno
and search for me
my nick is b_o_x_e_r and we will have a deal about your site ?
If you don't find me
i will erase your site.
So hurry find me !!!!!!!!!"

Oh no! You better do what he says!

What a dork, he's probably some 40 year old guy who lives in his mom's basement eating chips all day and working on his Diablo character. Oh man, I really needed that laugh.
#7

zombiegleemax

May 12, 2004 17:45:02
He is what looks to be a 20-some-year-old

Bosnian by descent

From: Iz Podruma (?), London, Los Angeles (he claims all 3 in different, separate instances)

email is [email]boxerr@hotmail.com[/email]

yahoo IM is b_o_x_e_rr

his favorite website is

http://www.bu.now.nu/

his other favorite website is

http://www.bolchat.org

another...

http://bolze.board.dk3.com/2/

and here is what he looks like! (copy/paste into browser)

http://fire.prohosting.com/boxerr/boxer5.jpg

and of course you could always find him at irc.bolchat.org channel #bugojno as b_o_x_e_r

None of which helps. We need his IP address and unfortunately all of the websites he frequents are hacker and Bosnian related or he runs himself, so it's doubtful we'd receive any cooperation in securing an IP address.
#8

Argon

May 12, 2004 19:01:02
A hacker that really sucks!

Good luck on getting the site fully operational. This guy is most likely in the USA; I doubt he would be so bold as to have his real identity or anything else running around.
#9

zombiegleemax

May 12, 2004 19:49:18
Want us to flood his e-mail with hatemail?
#10

grodog

May 12, 2004 21:50:58
Originally posted by abysslin
http://www.bu.now.nu/

whois info for now.nu:


his other favorite website is http://www.bolchat.org

whois info for bolchat.org:


http://bolze.board.dk3.com/2/


and here is what he looks like! (copy/paste into browser)

http://fire.prohosting.com/boxerr/boxer5.jpg

Oh, he's quite the intelligent-looking guy-with-a-real-future :rolleyes

We need his IP address and unfortunately all of the websites he frequents are hacker and Bosnian related or he runs himself, so it's doubtful we'd receive any cooperation in securing an IP address.

I don't know if the whois info will prove to be helpful or not; it's likely forged. I do know that the FBI has a taskforce who track down domestic and international hackers, so we could always call them, too.
#11

zombiegleemax

May 13, 2004 11:27:46
Ok, we have successfully tracked down his IP and have blocked all IPs from his ISP.

195.222.41.192 - 195.222.41.255 (BIHNET-TZ4-POOL-GW) Dial-up and Gateways pool; AS3-1; Srebrenik; BA

EDIT: Added more out of Sarajevo, apparently he gets around.

195.222.35.0 - 195.222.35.63 (BIHNET-MA-POOL) Dial-up pool; Malta; Sarajevo; BA

If you live in Bosnia, using the BIHNET ISP, I'm sorry, but you will no longer be able to access Canonfire.
#12

eric_anondson

May 13, 2004 13:35:07
I assume that the vulnerability that was exploited has been discovered and filled? If it has been patched over, would you care to explain just what the nimrod did?


Regards,
Eric Anondson
#13

zombiegleemax

May 13, 2004 13:52:24
We used to run Canonfire on an older version of PHP and have since updated to a newer, more secure version, as well as taking additional security steps such as IP blocks and adding steps to admin authentication.

Basically, he tricked the database into giving him all the admin user names and passwords, proceeded to log in as the master admin, delete the other admins, create a new master admin and deface the site, attempting to hold it ransom.

We are 100% sure that we cannot be hacked again in this manner. However, that doesn't mean there aren't alternate ways available to the modern-day hacker that would breach our security measures.

We would have never thought a lowly fansite would require such security.
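The failure mode described in the post above (the database handing over the admin user names and passwords) and the hardening it mentions are illustrated by the following added example, written here in Python as a stand-in for the site's PHP; it is not Canonfire's code. It shows a parameterised admin lookup beside the string-built query it replaces, and admin passwords stored as salted PBKDF2 hashes so that a dumped table does not yield working credentials. The table name, columns and credentials are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3


def setup_db() -> sqlite3.Connection:
    # Constructed in-memory admin table; not the fansite's real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: a dumped table yields salted hashes, not reusable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def add_admin(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute("INSERT INTO admins VALUES (?, ?, ?)",
                 (username, salt, hash_password(password, salt)))


def lookup_unsafe(conn: sqlite3.Connection, username: str):
    # String-built SQL: whatever the user typed is parsed as part of the statement.
    # Even an innocent name containing a quote breaks the query; returns None on SQL error.
    sql = "SELECT username FROM admins WHERE username = '" + username + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def lookup_safe(conn: sqlite3.Connection, username: str):
    # Parameterised query: the value is bound as data and never parsed as SQL.
    return conn.execute("SELECT username FROM admins WHERE username = ?", (username,)).fetchall()


def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised lookup plus constant-time comparison of the salted hash.
    row = conn.execute("SELECT salt, pw_hash FROM admins WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


if __name__ == "__main__":
    db = setup_db()
    add_admin(db, "smedger", "correct-horse")            # constructed credentials
    print(lookup_safe(db, "O'Brien"))                     # []   : quote treated as data
    print(lookup_unsafe(db, "O'Brien"))                   # None : quote became SQL syntax
    print(verify_login(db, "smedger", "correct-horse"))   # True
```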
#14

zombiegleemax

May 13, 2004 14:13:13
Yeah, it was pretty lame to hack a Greyhawk/D&D fansite...
#15

zombiegleemax

May 13, 2004 14:30:17
Hi all!

Right, after doing a bit of research, here's what I found out ...

@abysslin:
'iz podruma' is Bosnian/Croatian/Serbian for 'from the cellar'.
'#bugojno' : Bugojno is a district in south-west Bosnia, ca. 80km northwest from Sarajevo, mostly Bosnian-muslims, a few Croatians.

He's one of the moderators of the http://www.bu.now.nu/ site, I can't log on since registration is required. (I wonder what kind of info we'd get from reading the boards there ...)
If he really uses bihnet, the most likely address to report abuse is
[email]abuse@bih.net.ba[/email]

I guess they'd take the incident seriously, if there's enough people reporting it.

Regards,
Glorfinden

PS: Learning languages does pay off!

PPS:
http://fire.prohosting.com/boxerr/Biceps.jpg
(copy and paste into browser)
Apparently he's male ... ROFL
#16

zombiegleemax

May 13, 2004 15:41:58
Great picture there, Glorfinden.
#17

zombiegleemax

May 13, 2004 16:11:29
Just to disclaim, it is entirely possible that this "b_o_x_e_r" hacker guy is setting up the real "b_o_x_e_r"