AwakenedRage

DDoS Attack #2

12 posts in this topic

I'm posting this on behalf of PurpleFreeze, Demoria's former lead developer of DCE (Demoria Custom Engine)

 

 

Warning: Not all information is given, to prevent the attackers from gaining an advantage from what we know.

 

 

Hey everybody, this is PurpleFreeze (AKA Alex H). Demoria and Chaotic United are safe for the meantime. 2 weeks ago last Sunday, there were a couple of staff members and players on when suddenly the connection for the server just dropped. That was because the server's ethernet was overloaded and made Superdoctor 5 (our hardware analysis program) disable ethernet, as we had set it to that option to prevent the ethernet adapter from shorting out from receiving too much data.

 

You might be asking, how did someone figure out a server that barely anybody from the public would know about? Let alone the port numbers that Demoria uses.

 

It is very easy to find out what ports are open on someone's network with a quick scan and a program that can send a large amount of packets to take it down. Originally, we ran Demoria with no firewall because it was easier to run. But now we see that people want to put an end to our ambitions. So Michael spent 3 hours configuring a firewall that separates all ethernet connections to a certain speed and filters packets. The firewall has worked perfectly since then.

 


 

Their decision to use a DDoS attack is a good sign. We've repeatedly received various threats from these individuals about breaking into the servers in some manner or another, at some certain time, for them to do some certain damage. Each time, these threats have proven to be completely false. Reverting to a DDoS attack is comparatively far less harmful and extremely unsophisticated, so this can be taken as a sign that they're ragequitting the "subvert our actual security" plan.

 

 

Michael and I have deliberately avoided working with the server to put our next plan into action.

 

The impression that this guy is trying to make is that he can just waltz into anyone's account whenever he wants and delete everything. This is not the case: the users affected all had weak enough passwords that he could crack them after about 60 guesses. Additionally, we have account recovery features that we have used to restore the items and return them to their rightful owners.

Now you may be thinking that 60 guesses is a lot. Most of these things are not done by hand, but rather through a simple program or script to try passwords from a pre-defined list and record the successful ones. This is where we must admit a small mistake on our part: the industry-standard way to protect against this is to put a rate limit on how quickly a given computer may attempt logging in. When we designed our accounts database, we were only focused on the (extremely small) alpha test, and features like that didn't get implemented yet.

We finally implemented rate-limiting by returning fake results when a dictionary attack is detected, which interestingly enough caused our attacker to come storming into our IRC and immediately demand to speak to a developer.

 

 

I'm really not entirely sure where his sense of self-entitlement comes from, but I suspect he was frustrated by the numerous fake entries he ended up with thwarting his plans.

To better understand his attack, we allowed him to continue under careful control and monitoring - a technique known in the industry as "honeypotting." A honeypot is essentially an isolated sandbox that you can put naughty kids like this into to keep them away from "real" information and better understand their behavior.

 

That is exactly why we intentionally made the databases go into DIRM mode (Dictionary Intrusion Recovery Measures).

This stops all information from being written; instead it was marked as read-only.

 

Nothing of value was lost, but it was shown to him that he is not welcome on our servers, he was trolled, and he is wasting his time.

Clues Left:

  • The first character he intruded was named Hocesta venatus which translates into This is a Game.
  • He was moved to a non-existent zone in the game called Ageiterum, which means Try Again?
  • Items were unable to be used and he would constantly be moved to an area that he was at before, as if he was lagging and hurting our servers. LOL No

 

On that last point: As he's already been shut out of the system, and working from a list of compromised accounts from Monday.

Finally, I ran a security audit on all of our systems. This involves double-checking the logs, configuration, and behavior of each node to ensure that nothing has been compromised and nothing has been accidentally misconfigured. I'm pleased to report that there is still no evidence that our database is (or ever was) accessible to anyone else (and if it was, why go through all this trouble? Just rename all the characters to something offensive).

 

Thanks for reading and bearing through with us as we worked this out,

Sincerely,

PurpleFreeze
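The post above describes two defenses: a per-client rate limit on login attempts, and a "DIRM" mode that answers a detected dictionary attack with fake results while the store goes read-only. The following is an added illustration of that design, not code from the original post or from DCE; the account table, salt, thresholds and `LoginGuard` class are all constructed for the example.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed sample account table. Salted SHA-256 keeps the example short;
# a real deployment would use a slow KDF such as scrypt or Argon2.
SALT = b"constructed-salt"

def _hash(password, salt):
    return hashlib.sha256(salt + password.encode()).digest()

USERS = {"alice": _hash("correct horse", SALT)}

class LoginGuard:
    """Per-IP login rate limiter with a decoy (DIRM-like) mode.

    After `threshold` failed attempts from one IP inside `window` seconds,
    that IP is switched to decoy mode: every further attempt returns a fake
    result and the backing store is flagged read-only, so a scripted
    password-list run collects useless "hits" instead of real credentials."""

    def __init__(self, threshold=5, window=60.0):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.decoyed = set()                 # ips currently receiving fake results
        self.read_only = False               # no writes while an attack is active

    def _prune(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return q

    def attempt(self, ip, user, password, now=None):
        now = time.time() if now is None else now
        if ip in self.decoyed:
            return "decoy"      # same answer for right and wrong guesses
        stored = USERS.get(user)
        ok = stored is not None and hmac.compare_digest(stored, _hash(password, SALT))
        if ok:
            return "ok"
        q = self._prune(ip, now)
        q.append(now)
        if len(q) >= self.threshold:
            self.decoyed.add(ip)
            self.read_only = True
        return "denied"
```

Note that a legitimate user behind the same IP as the attacker is also served decoys once the threshold trips; that trade-off is why the post's approach is paired with account recovery rather than used alone.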


Apparently, this guy has no life since all he tries to do is attack our server. Think about this: if you had a server before that was successful, what would you do if someone remade that server? I'm not directly saying it's killerteddy, but that is what I think.


Maverick, the person who caused this mess, is an extremely dangerous individual. He threatened to leak my personal information such as my address, IP address, social networking accounts, etc.

As PurpleFreeze said,

 

 

Their decision to use a DDoS attack is a good sign. We've repeatedly received various threats from these individuals about breaking into the servers in some manner or another, at some certain time, for them to do some certain damage. Each time, these threats have proven to be completely false. Reverting to a DDoS attack is comparatively far less harmful and extremely unsophisticated, so this can be taken as a sign that they're ragequitting the "subvert our actual security" plan.

 

From the things Maverick has tried to do to me, I would say he tried to get onto our database server to start getting the IPs of the players and slowly dox all their information. But because of him doing this once before, I activated SSL on the DBServer, which I agree was excellent timing to do so.

 

We then decided that he would have to be doxed in order for any of this to stop. The difference from us doing it is that we used information that he left behind logging on to our servers; this made it 100% legal as long as we didn't distribute the information to the public. I have put the minimum amount of information to show what had to be done. We eventually were able to establish an address.

[2:42:11 AM] AS: Name Removed for Privacy (Person who hacked my server)

[2:42:11 AM] AS: Dox
[2:42:20 AM] InventMagic: omg
[2:42:23 AM] InventMagic Monster the Third™: you doxxed him
[2:42:30 AM] AS: Now Maverick's turn
[2:42:40 AM] InventMagic™: you doxxing maverick?
[2:42:53 AM] AwakenedSecret: In the process
[2:43:58 AM] InventMagic™: omg how did you do this
[2:44:16 AM] AwakenedSecret: Got his IP from our logs, which is 100% legal because he connected to my server that I own XD
[2:44:20 AM] InventMagic™: OMG
[2:44:22 AM] AwakenedSecret: When he hacked he didn't use a VPN
[2:44:27 AM] AwakenedSecret: D*****S
[2:44:28 AM] InventMagic™: both of them?
[2:44:39 AM] AwakenedSecret: XXXXX and Maverick didn't use any sort of protection
[2:44:45 AM] AwakenedSecret: And his name isn't even Maverick clearly (OH THIS IS ACTUALLY CORRECT)
[2:44:51 AM] InventMagic™: I bet there parents didn't either
[2:44:55 AM] AwakenedSecret: LEL

[2:45:44 AM] AwakenedSecret: Wrong url hold on
[2:46:39 AM] AwakenedSecret: Fixed it
[2:46:55 AM] AwakenedSecret:  Get reckt.

 

Well, I do have a particular development: authorities have gotten involved in the case. It's currently still being investigated. But according to one of his former partners (who betrayed him), he is locked up tight. Either way, I supplied enough evidence to prove that he is the culprit. Even if he isn't in jail, he will be within the next 2 weeks.

 

 

So, Maverick was swatting people, and all of a sudden he was freaking out, and then the cops busted down his bedroom door and yelled "GET ON THE F**king GROUND". I was able to find his REAL trial. I will give the info later, but this is his REAL dox right here:

Link Removed

 

 

17 other servers were DDoSed at the same exact time that this occurred.

 


 

The only reason I was dragged into this mess is because of me being part of the community and my involvement with the community. None of our databases were compromised and Maverick never saw your information. I made sure of that.

 

I will never use logs or databases to get your personal information, I only do it if you threaten to do it to me, my family and my friends.

 

No more downtime for a while. I apologize for the server going down randomly this past week. DDoS attacks weren't the only cause; our house is being renovated as well, and the connection would cause players to get kicked all of a sudden. However, they were able to reconnect shortly after.


Must have been hell you've gone through.

 

Lol, that's an understatement.

 

Mind PMing me your Skype or something? I run the server currently, upgrading it soon too.

 

HP Proliant DL585 G5

AMD Opteron™ 8393 SE Quad-Core Processor

NOTE: Support for 2 or 4 processors

Memory: 128GB (256GB Max)

 

 

Just want to ask a couple of questions. You probably know what it's about.


 

Bro, the forums have PMs, no need for Skype XD


Sure why not? I'll PM you it.

 

So glad you don't buy Intel CPUs for servers. Saves you a bunch of money.
