User panel stuff on forum
Index  ‹  Old news  ‹  RIP Wargamez
  30 posts on 1 page  1
Old news
2006-02-04, 10:32
Member
693 posts

Registered:
Jan 2006
I got a rather sad email from the Wargames admin today:

Quote:
Hi,

sorry to tell you, byt the qw-servers has a voulnability, that has
disabled/deleted a lot of stuff for me.
I normally don't care when a game has some issues, but when it hurts my
other systems, I get rather pissed.
That's why I've been forced to shut down all qw-servers for the time beeing.

The link you provided below is not working for me - please investigate.

If the qw-files someday will get secure again, I can move the files to a
not-important server and load the qw-servers again.

Thanks.

//rivmin


2006-02-04, 10:36
Member
1754 posts

Registered:
Jan 2006
2006-02-04, 10:43
Member
693 posts

Registered:
Jan 2006
I've asked for more info on the vulnerability and then I'll go speak to the MVDsv people about it...
2006-02-04, 13:43
Member
80 posts

Registered:
Jan 2006
Not sure if it has to do with the spectator "2" bug really. MVDSV or KTPRO seems to still have a few flaws. Noticed some brazilian dude, *AnM*Kitana or something join the server one night during a mix and become demoadmin and stuff, most likely its about some hacking issue.
2006-02-04, 16:25
Member
518 posts

Registered:
Jan 2006
wtf no wargamez no eql gg
2006-02-05, 12:08
Member
9 posts

Registered:
Jan 2006
yes there is a vulnerability that allows anyone to get rcon by exploiting the allow_download 1 ( probably by downloading server cfg so setting it to 0 should temporary fix the problem ) that as far as i know its default in every servers, i dont know exactly how i just read this in a Brasilian forum where they have been having alot of troubles cause of this.
2006-02-05, 15:13
Member
398 posts

Registered:
Feb 2006
all games on iop instead then? Be
2006-02-05, 18:31
Member
693 posts

Registered:
Jan 2006
Quote:
Hi,

well, I discovered that my web-server was not showing anything
yesterday, so I made some troubleshooting.
Someone had deleted nearly all the files, and uploaded a new index.php,
with the usual 'You've Been Hacked By bla...bla..bla..., please mail
bla@bla.bla for help'.
This happened 30 jan 06 at 19.34

Sadly for them, index.php is never displayed, so no-one but me did
actually see the haxxor-message.

My problem then was, that I did not know the origin of the voulnability,
så I did some troubleshooting.
Everything was up2date, and it's only me that has access to the box.
I could not find it, so I just reloaded the box, disabled the web-server
and started the q1-servers again.

Then the servers failed to start - could not find some files.....hmmm.
Then I looked at the config-files to locate the problem, and discovered
that the content of the config-file was identical with the haxxored
index.php from my web-server.
The time-stamp of the changes in the config-file, was identical with the
web-servers index.php change, so my conclusion is that somehow they got
write-access to the files and could do what-ever they liked.
Luckily they 'only' destroyed my web-server, and some q1-files.

It's quite common that a game-server has voulnability's, but they
allways only impacts the actual game.
This one was different, since they got access to all my files, and
that's quite bad.
Unfortunately this server was hosting my main web-server [wargamez.dk],
so I was quite pissed.
Now I'm more relaxed, and displayes only 1 page.
Maybe if I find the time some day, I will create a new web-site

I really don't understand why they do things like that - I'm just a
private guy that maintains some game-servers in my sparetime.....I don't
even make any money on it, and has payed all the hardware personally.

Well - life goes on....stay happy.

//riv
2006-02-05, 18:57
Member
248 posts

Registered:
Jan 2006
its so sad, hope that this make developers of mvdsv (and kteams?) to make it safer, we cant have server that noone want to host
2006-02-05, 19:59
Member
38 posts

Registered:
Jan 2006
quake servers have always had lame vulnerabilities, you can google it and find out more

but why in the world was he running it as root?
2006-02-05, 20:03
Member
693 posts

Registered:
Jan 2006
There's now a 0.19.1 pre-rc for 0.20 version. It fixes the security issues but there are some known bugs including a server crash (segfault) when QTV connects. So, QTV needs to be disabled (it's the first RC with QTV support...)

Download here:

http://quakeworld.ru/files/vvd/mvdsv/

Bug reports to kreon@quakeworld.ru
2006-02-07, 22:35
Member
693 posts

Registered:
Jan 2006
LATEST NEWS 7/2/06 22.30 UK TIME

There is now a 'test' server running. We (the wargamez admin and I) are checking the configs and trying to work out how to disable QTV.

When the wargamez admin is satisfied that MVDsv is secure again, he will move the servers back to "wargamez.dk".
2006-02-08, 01:49
News Writer
2260 posts

Registered:
Jan 2006
sweet!!!!
best news 2day
2006-02-08, 08:18
Member
518 posts

Registered:
Jan 2006
nice!! good job vm, and everybody that worked to get the server back on!
2006-02-08, 12:12
Member
693 posts

Registered:
Jan 2006
An MVDsv dev has checked out our configs and given them the thumbs-up. I've also passed on the command to disable QTV support so we should be good to go as soon as rivmin (wargamez admin) checks his mails
2006-02-08, 12:31
News Writer
2260 posts

Registered:
Jan 2006
lets fix some kind of thank you pic to him?
2006-02-08, 12:47
Administrator
888 posts

Registered:
Jan 2006
http://dev.neod.com/temp/qw/thanks.jpg
Join us on discord.quake.world
2006-02-08, 12:48
Administrator
888 posts

Registered:
Jan 2006
=)
Join us on discord.quake.world
2006-02-08, 12:58
Member
85 posts

Registered:
Jan 2006
haha
Mean Machine QuakeWorld Clan
2006-02-08, 15:39
Member
518 posts

Registered:
Jan 2006
hahaha nice one
2006-02-08, 16:29
Member
1754 posts

Registered:
Jan 2006
that's so sweet bps
2006-02-08, 16:33
Member
108 posts

Registered:
Jan 2006
comic sans must die
Spell "mogul," Bateman. How do you spell mogul? M-o-g-u-l. Mo-gul. Mog-ul. Ice, ghosts, aliens-
2006-02-08, 20:30
Member
693 posts

Registered:
Jan 2006
.. and they're back!

wargamez.dk:27501
wargamez.dk:27502
wargamez.dk:27503
wargamez.mine.nu:27501
2006-02-08, 20:42
Member
518 posts

Registered:
Jan 2006
nice!!!!!

wargamez.mine.nu:27501 is in sweden right?

38ms there :[

and coulnd't there be 2 more servers or something and a qizmo that would be nice.
2006-02-08, 22:05
News Writer
2260 posts

Registered:
Jan 2006
gaz, dontforgett to give him the picture
2006-02-08, 22:39
Member
693 posts

Registered:
Jan 2006
Quote:
nice!!!!!

wargamez.mine.nu:27501 is in sweden right?

38ms there :[

and coulnd't there be 2 more servers or something and a qizmo that would be nice.


Do you want the moon on a stick too?
2006-02-08, 23:04
Member
117 posts

Registered:
Jan 2006
autotrack don't work? says "Not available with server ver < 2.4"
2006-02-08, 23:16
Member
271 posts

Registered:
Feb 2006
And maybe when Disconnect is back from holiday, he'll get around to fixing the qtv issue.

gore: I'd say that was a client bug to do with expectations. Force whoever made your client to fix it (alternativly, get the server admins to change the *version string of the server's sourcecode - prefix with 2.4).
moo
2006-02-09, 09:26
Member
518 posts

Registered:
Jan 2006
VM? Why isn't it possible, sundays the server are always full. Qizmo can be used to maybe get better pings on intarweb.dk and get2net from nl/de/uk/be and offcourse for caming.
2006-02-11, 11:10
Member
26 posts

Registered:
Jan 2006
somebody should tell the admin to enable the erasing of old demos.
  30 posts on 1 page  1