  • hdzbot being compromised...

    All,

    Anyone who has information on hdzbot being compromised... can you please reply? Any information will help out.

    Thanks,
    Brian

  • #2
    Kimp.



    • #3
      I talked with Chase after work about this. If you haven't talked to him, give 'em a call up.
      PanterA-RuM - chase_active 1 - Panix!





      • #4
        HA. lol, that's really funny.

        fucking karma 1
        drama crowd 0
        Want to get into playing Quake again? Click here for the Multiplayer-Startup kit! laissez bon temps rouler!



        • #5
          why is that funny to you Chris?



          • #6
            Right when I read this post the first thing that came into my mind was posted. Congrats Rocker, great minds think alike.

            I busted up laughing right when I saw it. Then my girlfriend asked to see what I was laughing at, I told her there's no way she'd understand. I wish everyone could take the same enjoyment out of kimp that I do.

            Vis, I think it's safe to say you got KIMP'd.



            • #7
              Oh I'm learning how much fun kimp is.. Especially all the people he claims he was in the past.. Lol.. Guy is fucked..
              Btw.. Vis, mindz thinks it's funny because he's being a shithead. Probably grumpy cuz hdz unbanned me no matter what any admins had to say.. I'm sure there is more drama behind it but I'm sure that's part of it.. What happened to the bot anyways?
              Kimp.



              • #8
                I really do not know who kimp is... I've seen this guy around recently, but not sure what other aliases he has used in the past. I've heard rumors that phocus was involved, but I don't know anything for sure. This whole ordeal isn't really affecting me that much (since I do not even play anymore), but more on Avalanche. He has been paying for a server and providing services to the quake1 community for free for many years... it's sad that one person can ruin that for everyone. Whoever did it... expect to get the wrath of Avalanche. He is determined to find out who it is... which I think he will.

                Again, if you have real facts on what happened, that would be appreciated, but I don't expect anyone to give up those details...



                • #9
                  Vis, could you explain what happened exactly?



                  • #10
                    Just FYI: Zone-H.org - Unrestricted information | Defacements archive

                    This wasn't done by someone in the community. I'd bet the farm.
                    PanterA-RuM - chase_active 1 - Panix!





                    • #11
                      Panix,

                      Can you explain to me where you found that site or that information?

                      Thanks,
                      Brian



                      • #12
                        clanhdz.com server intrusion

                        This has been a good experience I suppose, as it finally got me to take the time to do what I should have done a long time ago. This took me a few days; the server is now Fort Knox. I only regret that it took so much time away from my other obligations this week.

                        These are the steps that I've taken:
                        • The server now has a firewall.
                        • All traffic is denied except for what I explicitly enable.
                        • All ICMP and other traffic is dropped except for a very select few, limited, secret IP ranges, thus allowing both myself and the datacenter to continue to do remote server monitoring. (Revealing what the ranges are, would in itself, open up the server to spoofed-packet DDoS attacks.)
                        • A rule was created that tells the firewall to drop all traffic to any service that suddenly experiences abnormally high traffic, thus allowing the server and all other services to continue to function normally.
                        • The datacenter has what is approaching 1 Tbps of total bandwidth. (FYI, 1 Tbps is approaching the bandwidth that entire continents are connected at.) If a DDoS attack does occur, traffic is further blocked at the datacenter's core distribution layer before it even gets close to the server's 1 Gbps connection.
                        • I've had constant problems with Microsoft RDP and RPC vulnerabilities, which is how I suspect that this one may have occurred, but haven't yet verified it. This isn't the first. I've learned my lesson about laziness now. Because of this, access to the machine must now be done through the server's backend network, using PPTP VPN tunneling, and encrypted using a VeriSign SSL authentication certificate.
                        • I updated the server with all the related above critical security patches.
                        • Furthermore, since I'm now able to access the server perfectly fine from the private backend, I can still login and make any necessary rule changes, were a DDoS attack to occur.
                        • The Quake servers now run in their own self-contained virtual machine "bubble"--any code that might be run by a malicious modder will now be limited, at best. This is an overt security hole that I've been well aware of for a long time (since day one). I obviously wasn't going to advertise this and point it out until I fixed it. I relied only on my trust in the community, given that I'm providing these services for free. I still do place this trust in everyone. But I'm taking reasonable precautions now. Writing a backdoor into Quake1, given that it is open source, is about as easy and straightforward as it gets to any moderately experienced programmer. Exploiting these types of things rarely requires any skill or detailed knowledge, but rather only one to be an asshole and the inability to look at one's self in the mirror with any degree of self-respect/worth/esteem. (See above: Publicly known RDP/RPC vulnerabilities.)
                        • Even if this were to still be done, the Quake servers are now on an auto-scheduled backup to a location outside of the "bubble" on a completely different server, thus making any attempts of this nature somewhat pointless.


                        So how do you like that? With that said, the Quake servers are now back up! Enjoy! Take care everyone.

                        Cheers,
                        Jonathan


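As an added illustration (this is not Avalanche's real ruleset and not code from the thread), the policy described in post #12 can be modelled as a small stateful packet filter: default deny, the Quake UDP port open to everyone, ICMP only from the secret monitoring ranges, RDP not reachable from the public side at all, and a per-service rate rule that drops an entire service for a cool-down once it sees abnormally high traffic so the rest of the host keeps working. The port numbers, the RFC 5737 documentation ranges standing in for the "secret" monitoring ranges, the threshold, the window and the constructed traffic are all assumptions for the example.

```python
"""Model of the firewall policy from the thread: default deny, allowlisted
game port, ICMP from management ranges only, and a per-service flood rule.
Added example; all constants below are assumptions, not the real server's."""
from __future__ import annotations

import ipaddress
from collections import deque
from dataclasses import dataclass, field

QUAKE_PORT = 26000   # assumed Quake1 server port (UDP)
RDP_PORT = 3389      # exposed RDP is what the post blames; it stays closed here

# Stand-ins for the "secret" monitoring ranges (RFC 5737 documentation space).
MGMT_RANGES = [
    ipaddress.ip_network("198.51.100.0/28"),
    ipaddress.ip_network("203.0.113.0/24"),
]


@dataclass
class Packet:
    t: float                 # arrival time in seconds
    src: str                 # source IPv4 address
    proto: str               # "udp", "tcp" or "icmp"
    dport: int | None = None # destination port, None for ICMP


@dataclass
class Firewall:
    rate_limit: int = 100    # packets per window before a service is cut off
    window: float = 1.0      # sliding window length in seconds
    cooldown: float = 60.0   # how long a flooded service stays dropped
    mgmt_ranges: list = field(default_factory=lambda: list(MGMT_RANGES))
    _recent: dict = field(default_factory=dict, init=False)        # service -> timestamps
    _blocked_until: dict = field(default_factory=dict, init=False) # service -> time

    @staticmethod
    def _service_key(pkt: Packet) -> str:
        return "icmp" if pkt.proto == "icmp" else f"{pkt.proto}/{pkt.dport}"

    def _is_mgmt(self, src: str) -> bool:
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.mgmt_ranges)

    def decide(self, pkt: Packet) -> str:
        key = self._service_key(pkt)

        # Flood rule: a service already under cool-down drops everything,
        # legitimate players included, so the host and other services survive.
        until = self._blocked_until.get(key)
        if until is not None and pkt.t < until:
            return "drop:flood"

        # Count packets to this service inside the sliding window.
        q = self._recent.setdefault(key, deque())
        q.append(pkt.t)
        while q and pkt.t - q[0] > self.window:
            q.popleft()
        if len(q) > self.rate_limit:
            self._blocked_until[key] = pkt.t + self.cooldown
            q.clear()
            return "drop:flood"

        # Explicitly enabled traffic: the game port is public ...
        if pkt.proto == "udp" and pkt.dport == QUAKE_PORT:
            return "accept"
        # ... ICMP only from the monitoring ranges ...
        if pkt.proto == "icmp" and self._is_mgmt(pkt.src):
            return "accept"
        # ... and everything else (RDP included, even from management) is denied.
        return "drop:default"


def demo() -> dict:
    """Run constructed traffic through the policy and return the decisions."""
    fw = Firewall(rate_limit=100, window=1.0, cooldown=60.0)
    r = {}
    r["player"] = fw.decide(Packet(0.0, "192.0.2.10", "udp", QUAKE_PORT))
    r["monitor_ping"] = fw.decide(Packet(0.1, "198.51.100.5", "icmp"))
    r["stranger_ping"] = fw.decide(Packet(0.2, "192.0.2.77", "icmp"))
    r["rdp_from_monitor"] = fw.decide(Packet(0.3, "198.51.100.5", "tcp", RDP_PORT))
    # 150 packets in 150 ms at the game port: the flood rule trips at the 101st.
    flood = [fw.decide(Packet(1.0 + i / 1000, "192.0.2.200", "udp", QUAKE_PORT))
             for i in range(150)]
    r["flood_accepted"] = flood.count("accept")
    r["flood_dropped"] = flood.count("drop:flood")
    r["player_during_cooldown"] = fw.decide(Packet(2.0, "192.0.2.10", "udp", QUAKE_PORT))
    r["player_after_cooldown"] = fw.decide(Packet(70.0, "192.0.2.10", "udp", QUAKE_PORT))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The trade-off the model makes visible is the one the post accepts: once a service is judged flooded, legitimate players on that port are dropped too for the cool-down period, which is exactly why the post keeps a private backend path for administration so rule changes are still possible while the public side is being hammered.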

                        • #13
                          Originally posted by vis
                          Panix,

                          Can you explain to me where you found that site or that information?

                          Thanks,
                          Brian
                          Google search of the douchebag's name left on the website.


                          Originally posted by Avalanche
                          This has been a good experience I suppose, as it finally got me to take the time to do what I should have done a long time ago. [...]
                          And people wonder why I harp on using Windows Update at work
                          PanterA-RuM - chase_active 1 - Panix!





                          • #14
                            Originally posted by Panix
                            Google search of the douchebag's name left on the website.
                            He never left his name on the site though...



                            • #15
                              Originally posted by Avalanche
                              He never left his name on the site though...
                              o rly?

                              [attached image, posted by Panix187]

                              If it's not an individual's name then it's the name of some lame ass Egyptian script kiddie crew.
                              PanterA-RuM - chase_active 1 - Panix!


