General | 19 years ago | Raistlin

WGTour hack announcement


The fact that WGTour was hacked a couple of days ago probably didn't escape anyone's notice. They were hacked again today, and after a lot of research, Ilintar, head administrator of WGTour, has tracked down and identified the one responsible: their former webmaster AAR.



After a thorough investigation, I've managed to track and identify the person responsible for hacking WGTour and destroying a week's worth of our database. This person is none other than our former webmaster, AAR.

What I will now present is full proof of this person's fault. I am not going to hide anything. I know it might make it easier for that person to break into the site again if he attempts it, but it will be very hard to get legal proof unless Blizzard decides to provide the IP of the person logged in to account "FF.E0.42.A3" or the administrator of the Finnish anonymous proxy through which the attack itself was made decides to provide information about the person using the proxy. Both are unlikely, so I decided to post all I have right now, especially after finding some hard proof.

First of all, all requests issued to the webserver are very comprehensively logged. This is required for website statistics to work, but it worked in our favor very much in this case. I will explain the proof we had chronologically, i.e. in the order we acquired it.

The first clue was the attack itself. First of all, the attacker uploaded a Perl script to the webserver before trying a PHP script. AAR was known for his use of Perl scripts during his work here; it was his programming language of choice before PHP. This was proof of nothing, of course, but where I got really suspicious is when I read in the logs that it took the attacker only a minute to go from installing the backdoor to cleaning out the database. What he required was information about what the database names were (the broodwar database was pretty obvious because it is provided in most links used on WGTour, but the members database was not so) plus what the database access info was. I didn't believe it possible for a person not knowing the site architecture very well to find out the passwords so quickly... that led me to believe the person was formerly affiliated with WGTour, and the Perl script led to AAR.

Of course, the attack was done from an anonymous proxy, so I wasn't able to get any information from that direction. However, I found out how the person got admin account passwords: he used a cross-site scripting attack of exactly the form AAR first used when he hacked into the site. Now, that wouldn't be so weird, but again, a Perl script was used for the password retrieval and, most of all, the hacker bypassed all the security measures I had put into WGTour to prevent such an attack. Obviously, he knew the code of my filtering function where I disabled all the ways I knew to make that attack. This too pointed at AAR, since I wrote that function before he left.

Of course, the provider hosting that attack wasn't able to give me anything other than "we shut down the site, sorry", because of legal issues. Thus, I was still without real proof. However, today, the person broke into Live2Win's account and modified the news about the hack. Now, this is a common mistake of many hackers - they become too sure of themselves and make errors. This was exactly the case.

The new 'hack' provided me with plenty of proof. First of all, I started looking at AAR's visits to the site (he has a static IP address of 217.42.212.222) combined with the hacker's visits to the site, by looking at the logs. They were intertwined: AAR logs in, reads some topic, AAR logs out, then the hacker logs in from some proxy, does his stuff and logs out. Rinse and repeat. Now, WGTour has thousands of requests each minute; how was I able to track AAR and the hacker distinctly? Well, the website logs, so useless in catching the hacker, now provided me with the first real proof.

As you might or might not know, every time someone accesses a webserver, his browser sends a lot of information to the server, including the full browser name, version etc. Now, with many users, that would be the newest version of Internet Explorer. But it so happens that AAR is using Mozilla Firefox, and not exactly the newest version of it, too. This made it very easy to track his visits to the site. Now, here is AAR's browser string version sent to WGTour:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.5) Gecko/20041110 Firefox/1.0

Here, on the other hand, is the hacker's browser string sent to WGTour:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.5) Gecko/20041110 Firefox/1.0

Want to play "find the 10 differences"?

When I found that, I went on a further search. There's a script on WGTour that uses javascript (ah, the irony) to send further information about a person's browser to WGTour, including the browser window dimensions and the screen depth. Here, the hacker's info and AAR's info matched, too: 1024x768 resolution, 24 bits per pixel color depth. I was 99% sure now I had him cornered.

His last mistake really nailed the lid shut. Since his previous hosting was shut down, he was forced to use a new host. Well, he was running out of options, but he wanted to try the same trick again - input the cross-site scripting code, break into an admin account, then nuke the posts erasing any proof. His luck ran out. Because he was forced to use yet another circumvention of the protections I set up, his code displayed a "stack overflow at line 0" for any IE user trying to open the "trojaned" thread. As soon as I found this out, I closed the webserver to prevent him from changing the post. What I found there is final proof that I think will convince you all. The code read:

Now, what does the www.ernci.com site footer say? Guess what:

Web site creators: Andy, Stormer and Graphics by: Mando

That's when I decided I've had enough. Of course, as far as I know AAR, he will now try to deny stuff, maybe saying he rented the prgn subdomain to a friend, that he wasn't aware, bullshit bullshit bullshit. In fact, I don't care. I have posted all the proof for you to make up your opinion. If we receive any abuse feedback, we'll initiate legal actions. As for now, dear Andy, I suggest you start finding yourself a really good lawyer...

This was the official announcement made by Ilintar (Poland) on WGTour, and he requested that it be published on GosuGamers.
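The investigation above rests on three log-analysis steps: finding a User-Agent that is rare on the site but shared between a known static IP and the proxy addresses, laying the two sets of requests out on one timeline to see them alternate, and cross-checking a JavaScript-reported screen fingerprint. The script below is an added example of that technique written for this page; it is not Ilintar's or WGTour's code. It assumes Apache "combined" log format, a hypothetical fingerprint endpoint `/fp.php?w=&h=&d=` (the post mentions such a script but not its URL or parameters), and uses RFC 5737 documentation addresses in place of the real static IP and proxies. The log lines are constructed for the example.

```python
"""Correlate a rare User-Agent and a screen fingerprint across client IPs
in Apache combined-format access logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime

# Documentation-range addresses stand in for the static IP and the proxies in the post.
KNOWN_IP = "192.0.2.10"
FIREFOX_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.5) Gecko/20041110 Firefox/1.0"
IE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

_RAW = [  # constructed: (timestamp, client IP, request line, User-Agent)
    ("07/Jan/2005:21:00:05 +0100", KNOWN_IP,        "GET /forum/topic.php?id=123 HTTP/1.1", FIREFOX_UA),
    ("07/Jan/2005:21:00:09 +0100", KNOWN_IP,        "GET /fp.php?w=1024&h=768&d=24 HTTP/1.1", FIREFOX_UA),
    ("07/Jan/2005:21:00:30 +0100", "192.0.2.55",    "GET /index.php HTTP/1.1", IE_UA),
    ("07/Jan/2005:21:01:02 +0100", KNOWN_IP,        "GET /forum/logout.php HTTP/1.1", FIREFOX_UA),
    ("07/Jan/2005:21:01:40 +0100", "198.51.100.7",  "GET /forum/login.php HTTP/1.1", FIREFOX_UA),
    ("07/Jan/2005:21:01:44 +0100", "198.51.100.7",  "GET /fp.php?w=1024&h=768&d=24 HTTP/1.1", FIREFOX_UA),
    ("07/Jan/2005:21:02:10 +0100", "198.51.100.7",  "POST /forum/post.php HTTP/1.1", FIREFOX_UA),
    ("07/Jan/2005:21:02:15 +0100", "192.0.2.56",    "GET /fp.php?w=1280&h=1024&d=32 HTTP/1.1", IE_UA),
    ("07/Jan/2005:21:03:00 +0100", "198.51.100.7",  "GET /forum/logout.php HTTP/1.1", FIREFOX_UA),
    ("07/Jan/2005:21:04:12 +0100", KNOWN_IP,        "GET /forum/topic.php?id=124 HTTP/1.1", FIREFOX_UA),
    ("07/Jan/2005:21:05:00 +0100", "198.51.100.20", "GET /index.php HTTP/1.1", IE_UA),
    ("07/Jan/2005:21:05:30 +0100", "203.0.113.5",   "GET /forum/login.php HTTP/1.1", FIREFOX_UA),
    ("07/Jan/2005:21:05:50 +0100", "203.0.113.5",   "GET /forum/admin.php HTTP/1.1", FIREFOX_UA),
]
SAMPLE_LOG = "\n".join(f'{ip} - - [{ts}] "{req}" 200 512 "-" "{ua}"' for ts, ip, req, ua in _RAW)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
FP_RE = re.compile(r"/fp\.php\?w=(\d+)&h=(\d+)&d=(\d+)")  # hypothetical fingerprint endpoint


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return e


def shared_rare_uas(entries, known_ip, max_other_ips=2):
    """User-Agents sent by known_ip that at most max_other_ips other addresses also send."""
    ips_by_ua = defaultdict(set)
    for e in entries:
        ips_by_ua[e["ua"]].add(e["ip"])
    return {ua: sorted(ips - {known_ip}) for ua, ips in ips_by_ua.items()
            if known_ip in ips and 1 <= len(ips) - 1 <= max_other_ips}


def timeline(entries, ua):
    """Chronological (timestamp, ip, request) rows for one User-Agent."""
    return sorted((e["ts"], e["ip"], e["req"]) for e in entries if e["ua"] == ua)


def alternation_count(rows, known_ip):
    """How often activity under this UA hands off between known_ip and other addresses."""
    switches, prev = 0, None
    for _, ip, _ in rows:
        cur = ip == known_ip
        if prev is not None and cur != prev:
            switches += 1
        prev = cur
    return switches


def fingerprints(entries):
    """Per IP, the set of (width, height, colour depth) tuples reported to the fingerprint endpoint."""
    fps = defaultdict(set)
    for e in entries:
        m = FP_RE.search(e["req"])
        if m:
            fps[e["ip"]].add(tuple(int(x) for x in m.groups()))
    return fps


def ips_sharing_fingerprint(entries, known_ip):
    """Other IPs that reported at least one screen fingerprint identical to known_ip's."""
    fps = fingerprints(entries)
    mine = fps.get(known_ip, set())
    return sorted(ip for ip, s in fps.items() if ip != known_ip and s & mine)


ENTRIES = [e for e in map(parse, SAMPLE_LOG.splitlines()) if e]

if __name__ == "__main__":
    for ua, others in shared_rare_uas(ENTRIES, KNOWN_IP).items():
        rows = timeline(ENTRIES, ua)
        print(f"{ua}\n  also used by {others}; {alternation_count(rows, KNOWN_IP)} hand-offs")
        for ts, ip, req in rows:
            print(f"  {ts:%H:%M:%S} {'KNOWN ' if ip == KNOWN_IP else 'other '}{ip:15} {req}")
    print("IPs sharing the known IP's screen fingerprint:", ips_sharing_fingerprint(ENTRIES, KNOWN_IP))
```

On a site with thousands of requests a minute the User-Agent filter is only useful when the string is genuinely rare there; Firefox 1.0 on Windows XP with an en-GB locale was not an unusual combination in early 2005, and 1024x768 at 24 bits was the default on most desktops, so neither match identifies a person on its own. What carries weight is the hand-off pattern the timeline exposes, and even that is circumstantial, as the post itself concedes when it notes that legal proof would need the proxy operator's records.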

Links
WGTour.com - Official news by Ilintar