AwakenedRage 11 Posted January 20, 2015

I'm posting this on behalf of PurpleFreeze, Demoria's former lead developer of DCE (Demoria Custom Engine).

Warning: Not all information is given, to prevent the attackers from gaining advantage from what we know.

Hey everybody, this is PurpleFreeze (AKA Alex H). Demoria and Chaotic United are safe for the meantime. 2 weeks ago last Sunday, there were a couple of staff members and players on when suddenly the connection for the server just dropped. That was because the server's ethernet was overloaded and made Superdoctor 5 (our hardware analysis program) disable ethernet, as we had set it to that option to prevent the ethernet adapter from shorting out from receiving too much data. You might be asking, how did someone figure out a server that barely anybody from the public would know about? Let alone the port numbers that Demoria uses. It is very easy to find out what ports are open on someone's network with a quick scan and a program that can send a large amount of packets to take it down. Originally, we ran Demoria with no firewall because it was easier to run. But now we see that people want to put an end to our ambitions. So Michael spent 3 hours configuring a firewall that separates all ethernet connections to a certain speed and filters packets. The firewall has worked perfectly since then.

Their decision to use a DDoS attack is a good sign. We've repeatedly received various threats from these individuals about breaking into the servers in some manner or another, at some certain time, for them to do some certain damage. Each time, these threats have proven to be completely false. Reverting to a DDoS attack is comparatively far less harmful and extremely unsophisticated, so this can be taken as a sign that they're ragequitting the "subvert our actual security" plan.
Michael and I have deliberately avoided working with the server to put our next plan into action. The impression that this guy is trying to make is that he can just waltz into anyone's account whenever he wants and delete everything. This is not the case: the users affected all had weak enough passwords that he could crack them after about 60 guesses. Additionally, we have account recovery features that we have used to restore the items and return them to their rightful owners.

Now you may be thinking that 60 guesses is a lot. Most of these things are not done by hand, but rather through a simple program or script to try passwords from a pre-defined list and record the successful ones. This is where we must admit a small mistake on our part: the industry-standard way to protect against this is to put a rate limit on how quickly a given computer may attempt logging in. When we designed our accounts database, we were only focused on the (extremely small) alpha test, and features like that didn't get implemented yet. We finally implemented rate-limiting by returning fake results when a dictionary attack is detected, which interestingly enough caused our attacker to come storming into our IRC and immediately demand to speak to a developer. I'm really not entirely sure where his sense of self-entitlement comes from, but I suspect he was frustrated by the numerous fake entries he ended up with thwarting his plans. To better understand his attack, we allowed him to continue under careful control and monitoring - a technique known in the industry as "honeypotting." A honeypot is essentially an isolated sandbox that you can put naughty kids like this into to keep them away from "real" information and better understand their behavior.
That is why exactly we "intentionally" made the databases go into DIRM mode (Dictionary Intrusion Recovery Measures). This stops all information from being written; instead it was marked as read-only. Nothing of value was lost, but it was shown to him that he is not welcome on our servers, that he was trolled and that he is wasting his time.

Clues Left: The first character he intruded was named Hocesta venatus, which translates into "This is a Game." He was moved to a non-existent zone in the game called Ageiterum, which means "Try Again?" Items were unable to be used and he would constantly be moved to an area that he was at before, as if he was lagging and hurting our servers. LOL No.

On that last point: as he's already been shut out of the system, and working from a list of compromised accounts from Monday. Finally, I ran a security audit on all of our systems. This involves double-checking the logs, configuration, and behavior of each node to ensure that nothing has been compromised and nothing has been accidentally misconfigured. I'm pleased to report that there is still no evidence that our database is (or ever was) accessible to anyone else (and if it was, why go through all this trouble? Just rename all the Characters to something offensive).

Thanks for reading and bearing through with us as we worked this out,

Sincerely,
PurpleFreeze
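The per-computer login rate limit and the "fake results once a dictionary attack is detected" behaviour that the post describes, written out as an added example; this is not DCE's or the forum's code, and the thresholds, source addresses, user table and clock are constructed assumptions.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed thresholds: a sliding window of failures per source address.
WINDOW_SECONDS = 60   # how long a failed attempt counts against a source
MAX_FAILURES = 10     # failures in the window before logins are refused
DECOY_AFTER = 30      # failures in the window before honeypot (decoy) mode

def _digest(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()

# Constructed user table (username -> password digest); a real store would
# use a salted, slow hash rather than bare SHA-256.
USERS = {"alice": _digest("correct horse battery staple"),
         "bob": _digest("hunter2")}

class LoginGuard:
    """Throttle login attempts per source and hand out decoy results
    once the attempt rate looks like a password list being replayed."""

    def __init__(self, now=time.time):
        self.now = now                       # injectable clock for testing
        self.failures = defaultdict(deque)   # source -> failure timestamps

    def _recent_failures(self, source: str, now: float) -> int:
        q = self.failures[source]
        while q and now - q[0] > WINDOW_SECONDS:   # drop expired entries
            q.popleft()
        return len(q)

    def attempt(self, source: str, username: str, password: str) -> str:
        now = self.now()
        recent = self._recent_failures(source, now)
        if recent >= DECOY_AFTER:
            # Honeypot mode: the caller gets a fake "success" that only ever
            # leads to sandboxed, read-only data, so guesses cannot be verified.
            self.failures[source].append(now)
            return "decoy"
        if recent >= MAX_FAILURES:
            # Plain rate limit: refuse outright, even for a correct password.
            self.failures[source].append(now)
            return "throttled"
        stored = USERS.get(username, b"")
        if stored and hmac.compare_digest(stored, _digest(password)):
            return "ok"
        self.failures[source].append(now)
        return "fail"
```

Because throttled and decoy attempts are also counted, a source that keeps hammering after the first limit escalates into decoy mode; the window expires on its own once it stops.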
haloman30 167 Posted January 20, 2015

So are you going to be active on MC again? Y/N?
AwakenedRage 11 Posted January 20, 2015

Somewhat, since my PC is back up and running.
wafflebitez 44 Posted January 22, 2015

Apparently, this guy has no life, since all he tries to do is attack our server. Think about this: if you had a server before that was successful, what would you do if someone remade that server? I'm not directly saying it's killerteddy, but that is what I think.
haloman30 167 Posted January 22, 2015

I kinda doubt it. Unless I'm mistaken, this is just this guy's server for his game and we just had the misfortune of being on the same PC, getting caught up in the action.
wafflebitez 44 Posted January 22, 2015

Quoting haloman30: "I kinda doubt it. Unless I'm mistaken, this is just this guy's server for his game and we just had the misfortune of being on the same PC, getting caught up in the action."

Now that I think about it, it's possible.
AwakenedRage 11 Posted January 23, 2015

Maverick, the person who caused this mess, is an extremely dangerous individual. He threatened to leak my personal information such as address, IP address, social networking accounts etc. As PurpleFreeze said, their decision to use a DDoS attack is a good sign. We've repeatedly received various threats from these individuals about breaking into the servers in some manner or another, at some certain time, for them to do some certain damage. Each time, these threats have proven to be completely false. Reverting to a DDoS attack is comparatively far less harmful and extremely unsophisticated, so this can be taken as a sign that they're ragequitting the "subvert our actual security" plan.

From the thing Maverick has tried to do to me, I would say he tried to get onto our database server to start getting the IPs of the players and slowly dox all their information. But because of him doing this once before, I activated SSL on the DBServer, which I agree was excellent timing to do so. We then decided that he would have to be doxed in order for any of this to stop. The difference from us doing it is that we used information that he left behind logging on to our servers; this made it 100% legal as long as we didn't distribute information to the public. I have put the minimum amount of information to show what had to be done. We eventually were able to establish an address.
[2:42:11 AM] AS: Name Removed for Privacy (Person who hacked my server) [age, birthday, home address, phone number and school removed for privacy]
[2:42:11 AM] AS: Dox
[2:42:20 AM] InventMagic: omg
[2:42:23 AM] InventMagic Monster the Third™: you doxxed him
[2:42:30 AM] AS: Now Maverick's turn
[2:42:40 AM] InventMagic™: you doxxing maverick?
[2:42:53 AM] AwakenedSecret: In the process
[2:43:34 AM] AwakenedSecret: [name, phone number, home address, Instagram account and school removed for privacy]
[2:43:58 AM] InventMagic™: omg how did you do this
[2:44:12 AM] AwakenedSecret: [school address and phone number removed for privacy]
[2:44:16 AM] AwakenedSecret: Got his IP from our logs, which is 100% legal because he connected to my server that I own XD
[2:44:20 AM] InventMagic™: OMG
[2:44:22 AM] AwakenedSecret: When he hacked he didn't use a VPN
[2:44:27 AM] AwakenedSecret: D*****S
[2:44:28 AM] InventMagic™: both of them?
[2:44:39 AM] AwakenedSecret: XXXXX and Maverick didn't use any sort of protection
[2:44:45 AM] AwakenedSecret: And his name isn't even Maverick clearly (OH THIS IS ACTUALLY CORRECT)
[2:44:51 AM] InventMagic™: I bet there parents didn't either
[2:44:55 AM] AwakenedSecret: LEL
[2:45:44 AM] AwakenedSecret: Wrong url hold on
[2:46:39 AM] AwakenedSecret: Fixed it
[2:46:55 AM] AwakenedSecret: Get reckt.

Well, I do have a particular development: authorities have gotten involved in the case. It's currently still being investigated. But according to one of his former partners (who betrayed him), he is locked up tight. Either way, I supplied enough evidence to prove that he is the culprit.
Even if he isn't in jail, he will be within the next 2 weeks. So, Maverick was swatting people and all of a sudden he was freaking out, and then the cops busted down his bedroom door and yelled "GET ON THE F**king GROUND". I was able to find his REAL trial. I will give the info later, but this is his REAL dox right here: Link Removed

17 other servers were DDoSed at the same exact time that this occurred. The only reason I was dragged into this mess is because of me being part of the community and my involvement with the community. None of our databases were compromised and Maverick never saw your information. I made sure of that. I will never use logs or databases to get your personal information; I only do it if you threaten to do it to me, my family and my friends.

No more downtime for a while. I apologize for the server going down randomly this past week. DDoS attacks weren't the only cause; our house is being renovated as well and the connection would cause players to get kicked all of a sudden. However, they were able to reconnect shortly after.
Atomicbeast101 12 Posted January 23, 2015

Must have been hell you've gone through. Luckily, it got sorted out.
AwakenedRage 11 Posted January 23, 2015

Quoting Atomicbeast101: "Must have been hell you've gone through."

Lol, that's an understatement. Mind PMing your Skype or something? I run the server currently, upgrading it soon too.

HP Proliant DL585 G5
AMD Opteron™ 8393 SE Quad-Core Processor (NOTE: support for 2 or 4 processors)
Memory: 128GB (256GB Max)

Just want to ask a couple questions. You probably know what it's about.
haloman30 167 Posted January 23, 2015

Quoting AwakenedRage: "Lol, that's an understatement. Mind PMing your Skype or something? I run the server currently, upgrading it soon too. HP Proliant DL585 G5, AMD Opteron™ 8393 SE Quad-Core Processor (NOTE: support for 2 or 4 processors), Memory: 128GB (256GB Max). Just want to ask a couple questions. You probably know what it's about."

Bro, the forums have PMs, no need for Skype XD
Atomicbeast101 12 Posted January 24, 2015

Quoting AwakenedRage: "Lol, that's an understatement. Mind PMing your Skype or something? I run the server currently, upgrading it soon too. HP Proliant DL585 G5, AMD Opteron™ 8393 SE Quad-Core Processor (NOTE: support for 2 or 4 processors), Memory: 128GB (256GB Max). Just want to ask a couple questions. You probably know what it's about."

Sure, why not? I'll PM you it. So glad you don't buy Intel CPUs for servers. Saves you a bunch of money.
Atomicbeast101 12 Posted January 24, 2015

Quoting haloman30: "Bro, the forums have PMs, no need for Skype XD"

Forums don't have notification features when you're not on them lol. That's why I prefer Skype.