# The Great Breach Has Been Repelled!



## Kaodi (Dec 7, 2012)

Good to have EN World back at last! Thank you to Morrus and everyone else who made it happen!

As I mentioned to PirateCat, in the tradition of "The Great Crash of 2002" I would like to nominate "The Great Breach of 2012" as the name forthwith for this ordeal.


----------



## Alzrius (Dec 7, 2012)

So far so good; EN World has been successfully resurrected. 

Now we just need to find a way to get some restorations to get rid of the resulting negative levels, and things will be back to normal.


----------



## Jemal (Dec 7, 2012)

Obadei Valdou ALCAT!
well that's one neg lvl taken care of.  Anybody else?


----------



## Roland55 (Dec 7, 2012)

Alzrius said:


> So far so good; EN World has been successfully resurrected.
> 
> Now we just need to find a way to get some restorations to get rid of the resulting negative levels, and things will be back to normal.




I fear these negative levels will prove difficult to shed.

Still, I'm not going anywhere ... I like this place.


----------



## Scott DeWar (Dec 8, 2012)

oh wah-taaGoo- psaiyahm!

that would be a second neg level!


----------



## Lwaxy (Dec 8, 2012)

Mania Shadegaa Seh! 

How many negative levels did we get?


----------



## Liquidsabre (Dec 8, 2012)

Woot! Welcome back ENWorld. The absence was surely felt! On another note:

ENWorld front page is hastily thrown up = likes front page layout better...


----------



## stonegod (Dec 8, 2012)

Can we get a list of what was lost specifically (dice roller seems a big one at I know cost money). And what, if anything, was "taken" in the hack (email? Passwords?)


----------



## Morrus (Dec 8, 2012)

We still have to do a full stock take, but the following things are *definitely* gone for now: dice roller, campaign manager, gamers seeking gamers, wiki, OGRE, a slew of news features, and a handful of miscellaneous bits and pieces like our XP system and things like that. Plus some behind the scenes stuff like mod and admin tools and other backend things.


----------



## VariSami (Dec 8, 2012)

So, with the Campaign Manager gone... Does it mean that my campaign notes were obliterated? I had saved around 30 hours worth of work in there. Or does there exist a chance of salvaging old campaigns along with the campaign manager at some point?


----------



## Morrus (Dec 8, 2012)

VariSami said:


> So, with the Campaign Manager gone... Does it mean that my campaign notes were obliterated? I had saved around 30 hours worth of work in there. Or does there exist a chance of salvaging old campaigns along with the campaign manager at some point?



The good news is that our *database* is intact. So we haven't lost any data; just the code and files which display the data. If we can get those things rewritten, the data will appear again.


----------



## plancktum (Dec 8, 2012)

Morrus said:


> The good news is that our *database* is intact. So we haven't lost any data; just the code and files which display the data. If we can get those things rewritten, the data will appear again.




Just for curiosity: Don't you have any backups? Or what happened to them? No version control? No backups on other computers? I don't understand the problem at the moment.
Could you maybe explain, what exactly happened?

But for now I will subscribe to help you


----------



## Morrus (Dec 8, 2012)

plancktum said:


> Just for curiosity: Don't you have any backups? Or what happened to them? No version control? No backups on other computers? I don't understand the problem at the moment.



Of course we have; but we don't know when we were compromised and would never know whether we'd found everything.  So we can't even trust the backups.  Plus all that custom code was for an older version of the software we use, and the prudent thing was to upgrade to a version with better security, rendering much of the code incompatible even IF we felt we could trust it.  Some of the newer stuff will be easier - we just ask those who developed it to update it for vBulletin 4 and we can install it (the wiki and OGRE I'm anticipating as being fairly easy).


----------



## iwarrior-poet (Dec 8, 2012)

Good to see you guys up and running. Your absence has reminded me how much I look forward to visiting your page. I haven't been able to actively game for three years now, so your site is my lifeline. Promptly popped for a gold subscription. Hope it helps. Any other way to make a contribution?


----------



## plancktum (Dec 8, 2012)

Morrus said:


> Of course we have; but we don't know when we were compromised and would never know whether we'd found everything.  So we can't even trust the backups.  Plus all that custom code was for an older version of the software we use, and the prudent thing was to upgrade to a version with better security, rendering much of the code incompatible even IF we felt we could trust it.  Some of the newer stuff will be easier - we just ask those who developed it to update it for vBulletin 4 and we can install it (the wiki and OGRE I'm anticipating as being fairly easy).




Yeah. That sounds reasonable. Thanks for your answer. I hope the community support will help you to get everything to work.


----------



## freyar (Dec 8, 2012)

Seems like google is still listing EN World as an attack page for some people (I got the warning on my other computer around 8AM Central (North American) time today 8 Dec, and a friend of mine in the UK mentioned it in email around the same time).  Does it just take a while for google to clear the site after you've told them it's clean now?  Anyway, no real problem on my end, just wanted to make sure you know.

And very glad it's back up!


----------



## darjr (Dec 9, 2012)

freyar said:


> Seems like google is still listing EN World as an attack page for some people (I got the warning on my other computer around 8AM Central (North American) time today 8 Dec, and a friend of mine in the UK mentioned it in email around the same time).  Does it just take a while for google to clear the site after you've told them it's clean now?  Anyway, no real problem on my end, just wanted to make sure you know.
> 
> And very glad it's back up!




I would dearly appreciate a post of the urls that generated the warnings. We had a few of them related to a similar issue with High Moon media and a signature, removed offending signature and the warnings stopped, just fyi. Note that I don't believe that ENWorld's breach and High Moon Media's were directly related.


----------



## Cleon (Dec 9, 2012)

darjr said:


> I would dearly appreciate a post of the urls that generated the warnings. We had a few of them related to a similar issue with High Moon media and a signature, removed offending signature and the warnings stopped, just fyi. Note that I don't believe that ENWorld's breach and High Moon Media's were directly related.




The friend in the UK would be me.

I was getting attack-page warnings from Google this morning (Sunday 9th December) but I've been able to access Enworld without problem since about 1500 GMT.

I'll send you an email with the URLs that I tried Darjr - or at least those I can remember!


----------



## Cleon (Dec 9, 2012)

darjr said:


> I would dearly appreciate a post of the urls that generated the warnings. We had a few of them related to a similar issue with High Moon media and a signature, removed offending signature and the warnings stopped, just fyi. Note that I don't believe that ENWorld's breach and High Moon Media's were directly related.




I sent you an email and then noticed you asked for a post of the URLs, so I might as well repeat them here.

I'd been getting warnings on:

http://www.enworld.org/
http://www.enworld.org/forum/general-monster-talk/
http://creaturecatalog.enworld.org/cc/index.php
*SNIP*
http://www.enworld.org/forum/genera...ures-awaiting-upload-current-conversions.html

All the above are now working without Attack Warnings.

I do get a "page isn't redirecting properly" error if I try to open the "awaiting-upload-current-conversions" URL, since the new forum uses different URLs for the pages - that page is at http://www.enworld.org/forum/showth...-Conversions&p=5967484&viewfull=1#post5967484 now.

I was also getting an Attack Warning when I tried to open the Creature Catalog Admin page, but I've got access to that now as well. I fiddled around Editing my Test Creature at http://creaturecatalog.enworld.org/cc/converted/view_c.php?CreatureID=1920 and it seems to work fine.


----------



## Scott DeWar (Dec 9, 2012)

Morrus said:


> The good news is that our *database* is intact. So we haven't lost any data; just the code and files which display the data. If we can get those things rewritten, the data will appear again.




yahooo!!!

**happy dance**


----------



## Quickleaf (Dec 9, 2012)

Morrus said:


> We still have to do a full stock take, but the following things are *definitely* gone for now: dice roller, campaign manager, gamers seeking gamers, wiki, OGRE, a slew of news features, and a handful of miscellaneous bits and pieces like our XP system and things like that. Plus some behind the scenes stuff like mod and admin tools and other backend things.




Wow, it was bad... All things considered you got the site back up and running in record time! And with an autosave feature to the forums, not bad.

Bad news is I may have run across another feature that was lost: Managing Attachments.

When I attempt to add an upload from my computer (a 1.8 mb PDF), I receive an error: 



> 413 [IOErrorEvent type="ioError" bubbles-false cancelable-false eventPhase=2 text="Error #2038"]


----------



## jeffh (Dec 10, 2012)

One thing I haven't found a way to do that I don't see mentioned above is download the subscriber content (e.g. the Zeitgeist adventures).


----------



## Morrus (Dec 10, 2012)

jeffh said:


> One thing I haven't found a way to do that I don't see mentioned above is download the subscriber content (e.g. the Zeitgeist adventures).




Hey Jeff - I'm a bit confused by the question. That's one thing that hasn't been broken (thank goodness!) so it hasn't changed. Are you experiencing problems?


----------



## freyar (Dec 10, 2012)

darjr said:


> I would dearly appreciate a post of the urls that generated the warnings. We had a few of them related to a similar issue with High Moon media and a signature, removed offending signature and the warnings stopped, just fyi. Note that I don't believe that ENWorld's breach and High Moon Media's were directly related.




I'm actually still getting the attack warning page on my home computer as of now (9PM CST 9 Dec) for http://www.enworld.org (not any pages there once I ignore the warning), http://creaturecatalog.enworld.org/, and the CC admin page as well.  I don't believe my work computer was getting those as of 8 Dec.  Both are running firefox 17.0.1.


----------



## darjr (Dec 10, 2012)

Google has the enworld clear as of now. I'm not sure the cc was ever marked but it might have been blowback for the whole domain. I suggest first trying to dump cache and also check with another browser. If that doesn't clear it up I'll take a closer look. Let me know.


----------



## freyar (Dec 10, 2012)

darjr said:


> Google has the enworld clear as of now. I'm not sure the cc was ever marked but it might have been blowback for the whole domain. I suggest first trying to dump cache and also check with another browser. If that doesn't clear it up I'll take a closer look. Let me know.




Sorry for the bother: I'm still (as of now) getting the warning page for EN World, the CC, and the CC admin page.  I've cleared my cache, offline website data, cookies, history, and active logins, and I've also tried turning "block attack pages" off and then on again.  No help.  The only other browser (epiphany 3.4.1) I have on this computer does not get the warning, but I'm honestly not sure if it has the capability to get the google warnings in the first place.  I will try all this again from work.

Just for more information, the warning I get on www.enworld.org is


> What is the current listing status for www.enworld.org?
> 
> This site is not currently listed as suspicious.
> 
> ...




and on creaturecatalog.enworld.org is


> What is the current listing status for creaturecatalog.enworld.org?
> 
> This site is not currently listed as suspicious.
> 
> ...




This is really more of an annoyance than anything (since I can just click through), but I figure it's good for you to know about it.  If you have more suggestions for my end, I'm happy to give them a try.


----------



## Alzrius (Dec 10, 2012)

I realize this may be a naive question, and likely an impossible one to answer...but why would someone (that is, these hackers) do this? What's their motivation?

Is there some sort of profit in it for them? Or do they just find fun in tearing something down? For that matter, do they actively try and breach sites like this, or do they have programs that locate vulnerable sites for them and then they go after them?

The whole thing just seems so...pointless, unless they have something to gain in destroying databases.


----------



## SkidAce (Dec 10, 2012)

Sometimes it's as simple as bragging rights or establishing "street cred".

Sadly.


----------



## Michael Morris (Dec 10, 2012)

Alzrius said:


> I realize this may be a naive question, and likely an impossible one to answer...but why would someone (that is, these hackers) do this? What's their motivation?
> 
> Is there some sort of profit in it for them? Or do they just find fun in tearing something down? For that matter, do they actively try and breach sites like this, or do they have programs that locate vulnerable sites for them and then they go after them?
> 
> The whole thing just seems so...pointless, unless they have something to gain in destroying databases.

The motives of the people who write worms and XSS attacks are usually monetary. Most of the scams center around increasing page rank for sites.  It rarely works for very long if it works at all.  It isn't a personal direct attack.


----------



## Morrus (Dec 10, 2012)

Alzrius said:


> I realize this may be a naive question, and likely an impossible one to answer...but why would someone (that is, these hackers) do this? What's their motivation?
> 
> Is there some sort of profit in it for them? Or do they just find fun in tearing something down? For that matter, do they actively try and breach sites like this, or do they have programs that locate vulnerable sites for them and then they go after them?
> 
> The whole thing just seems so...pointless, unless they have something to gain in destroying databases.




Depends who they are.  Sometimes it's organized botnets for use in spreading spam and malware.  Sometimes it's script-kiddies doing it for entertainment.  In this case, we think it was both - because some of our code was replaced with ASCII images and a signature by someone who calls himself "Dan LOL".


----------



## Jupp (Dec 10, 2012)

Nowadays usually there are two main reasons for this:

1. They did it because they can (makes no sense to those not involved but it happens all the time)
2. They did it because someone bought/paid them to do it
      2a. Because someone wants a site going out of business, at least for some time, better forever
      2b. Someone is so pissed off with the site or the owner that they bought the hack due to personal reasons
      2c. Information theft (our account details are worth quite a bit actually)

There's a very real cyberwar going out there in the interwebs, and it's a pretty nasty thing. Because the main reason is, like real wars are mostly fought over, money. You would be surprised how much money is involved in this.


----------



## jimmifett (Dec 10, 2012)

Has the attack vector been identified?

More importantly, is the code going forward going to be security conscious?
I remember the holes in the Conquest code when I looked at it.

I'd be willing to volunteer some of my efforts to help secure the code since it's what I do.


----------



## Quartz (Dec 10, 2012)

Might it be worth taking a step back and looking at alternative, hopefully stronger platforms? I'm thinking in particular of Xenforo.


----------



## weem (Dec 10, 2012)

Very glad to see EN World up and running again


----------



## jeffh (Dec 11, 2012)

Morrus said:


> Hey Jeff - I'm a bit confused by the question. That's one thing that hasn't been broken (thank goodness!) so it hasn't changed. Are you experiencing problems?




At the time, first of all the subscriber's content was under "Reviews", which it wasn't, so I couldn't even *find* the section.

Even when I eventually did, I could only see the most recent Zeitgeist adventure, Admiral o' the High Seas, and the portrait package. That seems to be partially fixed in that I can now see all the Zeitgeist related stuff I should be able to see, but I _still_ can't figure out where I would go to download any non-Zeitgeist-related subscriber content.

It was a total dog's breakfast before, too, in desperate need of reorganization, but at least it was a dog's breakfast I was familiar with.


----------



## jeffh (Dec 12, 2012)

Okay, I FINALLY found it. If I may make a suggestion, perhaps the whacking great heading at the top that says Subscribers Content should lead to _all_, not just 10% or so, of the subscribers content. The only way to find the majority of that content is currently in the forums, and I don't know how I was supposed to know to even look there.


----------



## Morrus (Dec 12, 2012)

jeffh said:


> Okay, I FINALLY found it. If I may make a suggestion, perhaps the whacking great heading at the top that says Subscribers Content should lead to _all_, not just 10% or so, of the subscribers content. The only way to find the majority of that content is currently in the forums, and I don't know how I was supposed to know to even look there.



It will when I've finished moving it all over; I started to change the system over on your suggestion.  I have to do them one at a time. (I also have to move all the reviews over one at a time.... uggh).


----------



## jeffh (Dec 12, 2012)

Uggh is right... didn't realize it was so laborious. I'd have hoped there'd be a way to automate the process, but if there was you'd surely be using it.


----------

