Oct 30th 2013, 0:16:22
Hi everyone,
So as we discussed in our Announcements post, there was a data breach that resulted in hashed passwords, usernames and other data from Boxcar being compromised. After a couple of weeks of investigating, here are the findings that we’re going to release publicly:
- From early August to late September, there was a variety of malicious requests made to Boxcar with the goal of uncovering exactly how to exploit vulnerabilities (SQL injection)
- On October 15th, SQL Injection was used to extract a significant amount of data directly from Boxcar’s database; this information allowed encrypted password hashes to be broken and many accounts logged into, including my own
- At least three users were involved in this hacking episode, one of which was Mr Copper
- Additionally an IP address that was used to make malicious accesses aligned with an IP used by chump aka Mr Silver
- Several alliances pointed to odd things related to their data being compromised or weird access (including chump aka Mr Silver temporarily showing up as an active member of LaF with no access log)
- After the Hanlong/Turtle Crawler scandal broke, Turtle Crawler provided the Boxcar source code in full to at least one RD member
- The injection attempts were directed very precisely, rather than brute force through every possible option, as could only be done with access to source code to identify injection points ahead of time
- Additionally, injection attempts were made against EE; fortunately, since EE was actually designed with SQL injection attempts in mind, these attempts merely add more clutter to our logs….
For those alliances that wish to check for this unauthorised activity, the IP list involved is:
The admins reserve the right to treat any instance of data abuse or extreme cheating as we see fit, so we took a couple of items into consideration when deciding how to deal with this:
- The incredibly high level of severity of what was done by the perpetrators, with obvious intention
- The number of other alliances/players impacted by this breach (100% of Boxcar users must change their passwords now)
- The history, make up and culture of RD’s membership and leadership in EE and E2025
- The lack of deterrent from the punishment dealt out during previous cheating scandals, and ban evasion and internal approval that resulted
- Chump AKA Mr. Silver’s direct (while unsolicited) promise that RD would not do anything illegal and if they did, we would be within our rights to throw the book at them (back when RD was returning to the game)
- That there were at least 3 users involved, and one could be identified positively as Mr Copper, one quite likely Mr Silver and one outstanding suggests significant RD leadership involvement
- Absolute proof:
Snippet of Boxcar logins that absolutely identifies MrCopper as doing this.
User - Time - IP - Clan
mrcopper - 2013-10-16 01:03:35 - 24.74.144.201 -xRDx
++ hundreds of logins on this IP as Mr Copper before this
<lcn_user1> - 2013-10-16 01:11:29 - 24.74.144.201 - LCNostra
<lcn_user2> -2013-10-16 01:10:12 - 24.74.144.201 - LCNostra
CRAP I'M ON NOT ON THE OTHER IP!!!!
<lcn_user1> -2013-10-16 01:13:36 - 93.115.82.54 - LCNostra
The IPs in that 93.115 range also did the injection attacks.
So with this in mind, we’re treating this as a “take your friends down with you” level offence and have deleted the whole of the Reservoir Dogs tag. Given the severity of the issue, we reserve the right to make further, future deletions or take other action on RD as may be warranted.
They all will be allowed to restart, and allowed to keep their Boxcar site, as we understand it was a subset of the players involved.
Please refer to the posts on Boxcar and EE Announcement forums for further information and next steps for password recovery.
Cheers,
pang, qz, martian and the EE staff
-=Pang=-
Earth Empires Staff
pangaea [at] earthempires [dot] com
Boxcar - Earth Empires Clan & Alliance Hosting
http://www.boxcarhosting.com
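The login correlation the post relies on (one IP logging in to accounts from two clans within minutes, then one of those accounts appearing on a second IP) can be run over a full login export. This is an added example, not Boxcar's or the EE staff's code; the row format is taken from the snippet in the post, while the function names and the 30-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address
# Added example; function names and the 30-minute window are assumptions.
# Rows below are copied from the post (usernames are the post's placeholders).
SAMPLE = """\
mrcopper - 2013-10-16 01:03:35 - 24.74.144.201 -xRDx
<lcn_user1> - 2013-10-16 01:11:29 - 24.74.144.201 - LCNostra
<lcn_user2> -2013-10-16 01:10:12 - 24.74.144.201 - LCNostra
<lcn_user1> -2013-10-16 01:13:36 - 93.115.82.54 - LCNostra
"""

ROW = re.compile(r"^(\S+)\s*-\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*-\s*"
                 r"([\d.]+)\s*-\s*(\S+)$")

def parse_logins(text):
    """Parse 'User - Time - IP - Clan' rows (uneven dash spacing tolerated);
    lines that do not match, or carry an invalid IP, are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        try:
            ip = str(ip_address(m.group(3)))
        except ValueError:
            continue
        when = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S")
        rows.append((m.group(1), when, ip, m.group(4)))
    return rows

def cross_clan_ips(rows, window=timedelta(minutes=30)):
    """Map each IP that logged in to accounts of 2+ clans within `window`
    to the sorted list of every account seen on that IP."""
    by_ip = defaultdict(list)
    for row in rows:
        by_ip[row[2]].append(row)
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda r: r[1])
        for i, first in enumerate(hits):
            clans = {r[3] for r in hits[i:] if r[1] - first[1] <= window}
            if len(clans) > 1:
                flagged[ip] = sorted({r[0] for r in hits})
                break
    return flagged

def pivot_ips(rows, flagged):
    """Other IPs used by accounts seen on a flagged IP: next addresses to review."""
    users = {u for names in flagged.values() for u in names}
    return sorted({r[2] for r in rows if r[0] in users and r[2] not in flagged})
```

A shared IP on its own can be a household, campus or VPN exit, so treat a hit as a lead to confirm against other evidence, as the post does with the injection logs.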