About current front-page troubles on Irrlicht

Postby CuteAlien » Thu Jan 12, 2017 3:54 pm

Hi,

I guess some of you noticed by now that http://irrlicht.sourceforge.net/ is currently looking very strange most days. Like new themes or a tiny/puny static website replacement.

Reason is that we got hacked. Are still hacked actually. And every time we enable wordpress (invisible) spam-links are re-introduced to our homepage within 1-2 days. This has been going on since around September, but I only noticed it very recently (I had been lazy and only checked for the same hack we got last time with 0px fonts to hide their links, so I didn't notice they used a new trick for invisible links this time).

Still working on this. Unfortunately takes some time as I'm not very familiar with Wordpress, PHP, SQL-Databases or web-security in general. So all experiments to get rid of hacker for last 2 weeks constantly failed.

Will give more info once I figure out some clue what's going on...
IRC: #irrlicht on irc.freenode.net
Code snippets, patches&stuff: http://www.michaelzeilfelder.de/irrlicht.htm
Free racer created with Irrlicht: http://www.irrgheist.com/hcraftsource.htm
CuteAlien
Admin
 
Posts: 8363
Joined: Mon Mar 06, 2006 2:25 pm
Location: Tübingen, Germany

Re: About current front-page troubles on Irrlicht

Postby MartinVee » Thu Jan 12, 2017 4:47 pm

I had the same problem a while back, and it turned out it was the theme that had an obfuscated line of code that did the injection. Not all themes are created (or distributed) with good intentions.

At the time, I remember looking at Stack Exchange's WordPress community site, and I found a very helpful question. I can't remember if it was exactly this one, but it seems to have very good advice. Be sure to read both answers.

Good luck with that!
MartinVee
 
Posts: 117
Joined: Tue Aug 02, 2016 3:38 pm
Location: Québec, Canada

Re: About current front-page troubles on Irrlicht

Postby CuteAlien » Thu Jan 12, 2017 5:31 pm

Thanks. I've seen that post on StackExchange actually :-) Unfortunately replacing theme (and re-installing wordpress) didn't solve it. My current suspicion is that the hack might already be stored inside the database and re-loaded from there.
CuteAlien
Admin
 
Posts: 8363
Joined: Mon Mar 06, 2006 2:25 pm
Location: Tübingen, Germany

Re: About current front-page troubles on Irrlicht

Postby MartinVee » Thu Jan 12, 2017 6:10 pm

In the dark like you, but did you try one of the tools from the second answer?
MartinVee
 
Posts: 117
Joined: Tue Aug 02, 2016 3:38 pm
Location: Québec, Canada

Re: About current front-page troubles on Irrlicht

Postby CuteAlien » Thu Jan 12, 2017 6:21 pm

Not yet. Only tried the manual hunting.
CuteAlien
Admin
 
Posts: 8363
Joined: Mon Mar 06, 2006 2:25 pm
Location: Tübingen, Germany

Re: About current front-page troubles on Irrlicht

Postby Mel » Thu Jan 12, 2017 7:44 pm

Pfff.. hacks are a pain in the ass... Check every PHP file you can have access to, they might have an injector segment somewhere, in the beginning, in the end... Check the image files, those might go unnoticed because you expect them to be an image and binary, but one of my sites once got hacked with a gif image that had some code in the end, it only had to call that image, as a file stored in the server and the whole effect reappeared. The database is unlikely though, as most files are stored as separate files outside the DB, but who knows... Check the boards as well, as many sites use PHPBB forums and Wordpress portals.

It is too bad that you can't update wordpress often, their devs address these vulnerabilities constantly, something you can't say about the PHPBB guys, but it is what we have... (if these boards could become SimpleMachinesForums boards, maybe things would improve, they keep their forum engines constantly updated as well) Good luck! :/
"There is nothing truly useless, it always serves as a bad example". Arthur A. Schmitt
Mel
Competition winner
 
Posts: 2224
Joined: Wed May 07, 2008 11:40 am
Location: Granada, Spain
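
Added example, not part of any post in this thread: a check for the case Mel describes, a GIF that carries extra bytes after the end of the image. It walks the GIF block structure to find the real end of the image, then reports trailing bytes and any PHP open tag. The sample images are constructed and the appended marker is an inert placeholder.

```python
# Constructed sample: a minimal valid 1x1 GIF (35 bytes).
CLEAN_GIF = bytes.fromhex(
    "474946383961" "01000100800000" "000000ffffff"
    "2c000000000100010000" "02" "024401" "00" "3b")
# Same image with an inert, constructed marker appended after the trailer.
TAINTED_GIF = CLEAN_GIF + b"<?php /* constructed placeholder */ ?>"

def _skip_sub_blocks(data, pos):
    """Advance past a chain of GIF sub-blocks (length byte + payload; 0 ends)."""
    while True:
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size

def gif_end_offset(data):
    """Return the offset just past the GIF trailer byte (0x3B)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]
    pos = 13                                  # header (6) + screen descriptor (7)
    if packed & 0x80:                         # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    while True:
        marker = data[pos]
        if marker == 0x3B:                    # trailer: image ends here
            return pos + 1
        if marker == 0x21:                    # extension: label, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif marker == 0x2C:                  # image descriptor
            flags = data[pos + 9]
            pos += 10
            if flags & 0x80:                  # local colour table present
                pos += 3 * (2 << (flags & 0x07))
            pos = _skip_sub_blocks(data, pos + 1)   # +1 skips LZW code size
        else:
            raise ValueError("unexpected block 0x%02x at %d" % (marker, pos))

def inspect_gif(data):
    """Report bytes after the trailer and whether a PHP open tag appears."""
    try:
        end = gif_end_offset(data)
    except (ValueError, IndexError):
        end = None                            # malformed or truncated file
    trailing = len(data) - end if end is not None else None
    has_php = any(tag in data.lower() for tag in (b"<?php", b"<?="))
    return {"trailing_bytes": trailing, "php_tag": has_php,
            "suspicious": has_php or trailing is None or trailing > 0}
```

Run `inspect_gif(open(path, "rb").read())` over the upload and theme directories; a file that fails to parse is reported as suspicious rather than skipped.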

Re: About current front-page troubles on Irrlicht

Postby CuteAlien » Fri Jan 13, 2017 12:08 am

Yeah, forum is another potential candidate. Though it should be separated somewhat from wordpress and there don't seem to be spam-links in the forum yet (unless I missed them). Update of forum also harder, but new phpBB just got released last week - so might be a good time to update that as well anyway.

There shouldn't be any php file left which wasn't replaced already (new Wordpress install and new theme, but maybe I'm missing stuff as I don't really know exactly how wordpress works yet). Also did all the usual stuff like replacing all passwords. Got the idea with the database from someone who's a little more familiar with that stuff than me. Got also a few more hints, so guess I can still try a few things on the weekend. If all fails - I learned by now it's possible to create static pages from wordpress which would be sufficient for us (would lose "search" feature of old website, not much else probably). Though that would basically mean ignoring the hack and not fixing the real problem - so not my favorite solution.
CuteAlien
Admin
 
Posts: 8363
Joined: Mon Mar 06, 2006 2:25 pm
Location: Tübingen, Germany

Re: About current front-page troubles on Irrlicht

Postby Vectrotek » Sun Jan 15, 2017 2:13 pm

The Saints are sorting it..
Vectrotek
Competition winner
 
Posts: 1056
Joined: Sat May 02, 2015 5:05 pm
Location: South Africa

Re: About current front-page troubles on Irrlicht

Postby REDDemon » Tue Jan 17, 2017 3:15 pm

"Got the idea with the database from someone who's a little more familiar with that stuff than me"

Try a query to search for something that looks like links/HTML/PHP/JS code in all the tables. Probably better dumping the DB as SQL dump and then use a text editor with advanced search functionality. Usually the hack begins where there is something that isn't escaped properly or if there's a SQL injection... It could be possible that actually the hack is inside the forum and loaded only to WordPress from there (I don't know if you are actually using 2 different WWW folders or not, if not, phpBB should be checked too).
Junior Irrlicht Developer.
Real value in social networks is not about "increasing" number of followers, but about getting in touch with Amazing people.
- by Me
REDDemon
Developer
 
Posts: 1044
Joined: Tue Aug 31, 2010 8:06 pm
Location: Genova (Italy)

Re: About current front-page troubles on Irrlicht

Postby CuteAlien » Wed Jan 18, 2017 11:35 am

@REDDemon: Yeah, I dumped DB as XML to make searching easier. But... turned out the DB is pretty huge. I tried a few simple searches (mainly with grep), but found nothing obvious. And if the hack is slightly encoded it is pretty impossible to find by hand that way.

But did change some other stuff, like new wordpress just came out last week, so I installed that. So far spam-links not yet back. Not sure if spammer just becomes lazy or if I maybe blocked his access.
CuteAlien
Admin
 
Posts: 8363
Joined: Mon Mar 06, 2006 2:25 pm
Location: Tübingen, Germany
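
Added example, not part of any post in this thread: a sketch of the dump search REDDemon suggests, covering the case CuteAlien raises where the markup is escaped or lightly encoded and plain grep finds nothing. It undoes XML and SQL escaping, flags links inside elements with hiding styles, and decodes long base64 runs to look for markup. The sample dump rows, the `spam.example` host and the list of hiding styles are constructed assumptions.

```python
import base64, binascii, html, re

# Inline styles that hide content from visitors: the 0px-font trick named in
# the thread plus close relatives (this list is an assumption, extend it).
HIDDEN_STYLE = re.compile(
    r"font-size\s*:\s*0|display\s*:\s*none|visibility\s*:\s*hidden"
    r"|text-indent\s*:\s*-\d{3,}|(?:left|top)\s*:\s*-\d{3,}", re.I)
STYLED_BLOCK = re.compile(
    r"<(\w+)[^>]*style\s*=\s*[\"']([^\"']*)[\"'][^>]*>(.*?)</\1>", re.I | re.S)
LINK = re.compile(r"<a\s[^>]*href", re.I)
MARKUP = re.compile(r"<a\s|<script|<iframe|<\?php|https?://", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}")

def normalise(line):
    """Undo XML entity escaping and SQL quote escaping so markup can match."""
    return html.unescape(line).replace('\\"', '"').replace("\\'", "'")

def decoded_candidates(line):
    """Yield text recovered from long base64-looking runs in the line."""
    for run in B64_RUN.findall(line):
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue
        yield raw.decode("utf-8", "replace")

def scan_dump(text):
    """Return (line number, kind, excerpt) for each suspicious fragment."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = normalise(raw)
        for m in STYLED_BLOCK.finditer(line):
            if HIDDEN_STYLE.search(m.group(2)) and LINK.search(m.group(3)):
                findings.append((lineno, "hidden-link", m.group(0)[:80]))
        for plain in decoded_candidates(line):
            if MARKUP.search(plain):
                findings.append((lineno, "encoded-markup", plain[:80]))
    return findings

# Constructed sample: one ordinary row, one XML-escaped hidden link, one
# base64-wrapped link. None of this is data from the real site.
SAMPLE_DUMP = "\n".join([
    r"""INSERT INTO wp_posts VALUES (1,'<p>See <a href=\"/downloads\">downloads</a></p>');""",
    '<field name="option_value">&lt;div style=&quot;font-size:0px&quot;&gt;'
    '&lt;a href=&quot;http://spam.example/&quot;&gt;x&lt;/a&gt;&lt;/div&gt;</field>',
    "INSERT INTO wp_options VALUES (7,'widget_text','" + base64.b64encode(
        b'<a href="http://spam.example/pills">cheap pills</a>').decode() + "');",
])
```

On a large dump, read the file line by line and pass each line to the same checks instead of loading it whole; the findings still need manual review, since legitimate content can use `display:none` too.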

Re: About current front-page troubles on Irrlicht

Postby devsh » Tue Feb 28, 2017 7:35 pm

There is no HTTPS/SSL on the forum, if you use the same user and password for the page administration..... passwords go over without strong encryption....

Also Cloudflare had a massive heartbleed-like bug, I don't know if sourceforge sits behind cloudflare but anything over the past few years could have gotten leaked :(
We chose to stream mesh data from Multiple OpenGL Contexts in many threads and do the other things, not because they are easy, but because they are hard! - JFK
devsh
Competition winner
 
Posts: 1768
Joined: Tue Dec 09, 2008 6:00 pm
Location: UK

Re: About current front-page troubles on Irrlicht

Postby CuteAlien » Tue Feb 28, 2017 7:54 pm

I never use same password for different services. But since we updated to newer wordpress hacks seem to have stopped.
CuteAlien
Admin
 
Posts: 8363
Joined: Mon Mar 06, 2006 2:25 pm
Location: Tübingen, Germany

Re: About current front-page troubles on Irrlicht

Postby Cube_ » Thu Mar 02, 2017 12:43 am

how outdated was the old version? I have a cron job to auto-update wordpress with new patches and my website hasn't been hacked (but then again my website is extremely low traffic and for all intents and purposes dead)
"this is not the bottleneck you are looking for"
Cube_
 
Posts: 1011
Joined: Mon Oct 24, 2011 10:03 pm
Location: 0x45 61 72 74 68 2c 20 69 6e 20 74 68 65 20 73 6f 6c 20 73 79 73 74 65 6d

Re: About current front-page troubles on Irrlicht

Postby CuteAlien » Thu Mar 02, 2017 12:52 am

At one point we were actually up-to-date with Wordpress versions and still hacked. But a few weeks ago a new Wordpress version came out and after updating to that one it stopped. Though I changed also a bunch of other stuff additionally.
CuteAlien
Admin
 
Posts: 8363
Joined: Mon Mar 06, 2006 2:25 pm
Location: Tübingen, Germany

Re: About current front-page troubles on Irrlicht

Postby Cube_ » Thu Mar 02, 2017 12:55 am

hmm, if you were up to date it probably wasn't a security hole with the install itself - maybe some addon or theme or whatnot.
Oh well, since you're no longer hacked that's a good start.
Cube_
 
Posts: 1011
Joined: Mon Oct 24, 2011 10:03 pm
Location: 0x45 61 72 74 68 2c 20 69 6e 20 74 68 65 20 73 6f 6c 20 73 79 73 74 65 6d

