7/7/2015 - Exploit Situation

[Braunsberg]

I find that hard to believe.

 

Was it not odd / obvious that last187 was being a blatent cheater? I mean, I know you were in the same aa, but you must have had at least a thread of doubt that all of his funding was credible

Allow me to butt in for a moment.

 

Although I don't honestly know what many of my alliance mates thought, many of the smaller ones didn't necessarily have a reason to question things. Our higher officials had been putting together a bunch of growth programs and the like and simply pushed for the smaller nations to get signed up for them. Many of the smaller nations were just sent large aid packages periodically thanks to these programs and didn't really have much of an idea of what was going on with regards to last187's deposits or the large number of nations receiving these aid packages. Therefore I will defend the smaller nations of Terradoxia and those who were not active officials directing these programs.

 

However, larger nations such as myself - and our leading officials who handle bank money frequently - should not have had any trouble deciding that something illegitimate was occurring. I rarely do anything with the alliance bank and even I could easily see how preposterous the huge deposits made by last187 were, and the ridiculous growth of nations like New European Empire. Anyone in our alliance to whom the bank was visible, and who is large enough to have reasonable understanding of the income in this game, should very easily have concluded that last187 was cheating.

 

This of course does not mean I blame my alliance mates who just didn't say anything - many of them obviously may not have paid much attention, and others might have been afraid of looking foolish after making a risky claim - but it is nonsensical that some of our most active and involved officials say they had no idea this was happening. It was blatantly obvious that something was wrong.

[Eric]

Allow me to butt in for a moment.

 

Although I don't honestly know what many of my alliance mates thought, many of the smaller ones didn't necessarily have a reason to question things. Our higher officials had been putting together a bunch of growth programs and the like and simply pushed for the smaller nations to get signed up for them. Many of the smaller nations were just sent large aid packages periodically thanks to these programs and didn't really have much of an idea of what was going on with regards to last187's deposits or the large number of nations receiving these aid packages. Therefore I will defend the smaller nations of Terradoxia and those who were not active officials directing these programs.

 

However, larger nations such as myself - and our leading officials who handle bank money frequently - should not have had any trouble deciding that something illegitimate was occurring. I rarely do anything with the alliance bank and even I could easily see how preposterous the huge deposits made by last187 were, and the ridiculous growth of nations like New European Empire. Anyone in our alliance to whom the bank was visible, and who is large enough to have reasonable understanding of the income in this game, should very easily have concluded that last187 was cheating.

 

This of course does not mean I blame my alliance mates who just didn't say anything - many of them obviously may not have paid much attention, and others might have been afraid of looking foolish after making a risky claim - but it is nonsensical that some of our most active and involved officials say they had no idea this was happening. It was blatantly obvious that something was wrong.

True, well said. When I joined Terradoxia  I was nation score 200. I looked at the forums, checked out the alliance, then did nothing until later job openings came up. Even later on, as CC and DMoD, I had nothing to do with finances and I had not been instructed to touch the bank. 

[Morgan]

It's quite different actually, they had a cheater within their alliance sending them millions. Most other alliances had all their market offers bought up. One is much more noticeable than the other hence the question is being raised on how the hell Terradoxia had no clue about this.

 

I take responsibility for everything that occurred within our alliance. However, I asked Last187 to fund our growth program, and he said he would use his income to do so. I never had a reason to believe that he had illegitimate funds. 

[Isolatar]

It's funny how suddenly you care about cheaters. Weren't you the one asking why you should rat out people you consider your friends?

 

What a hypocrite.

 

I don't think I've said that I care about cheaters? Mind showing me where I said that?

 

Also when I said snitching out your mates, I wasn't talking about Ghost. I was talking about Carter and Hiott who were mentioned several times in the logs

[Ogaden]

It sounds like the exploiters actually have hacked into the SSH console and are modifying the database directly.

 

from Rampage's logs: (Ghost) We also have access to cronjobs

 

Only way you can modify the crontab is with SSH access. Sheepy better change his password and user name

 

Also this means this is a bigger problem than you thought, if they have access to the SSH console they have access to everything.

Edited July 8, 2015 by Ogaden

[Buorhann]

I take responsibility for everything that occurred within our alliance. However, I asked Last187 to fund our growth program, and he said he would use his income to do so. I never had a reason to believe that he had illegitimate funds. 

 

 

Wasn't there a thread that you guys defended Last till he was found guilty ( due to that thread involving him in the moderation forums ) when he joined your alliance?

 

Pretty sure there was one.  If so, pretty sure that would give you reason to believe he had illegitimate funds.  Let alone, that thread in the moderation forums should've been a red flag by itself.

[Braunsberg]

Wasn't there a thread that you guys defended Last till he was found guilty ( due to that thread involving him in the moderation forums ) when he joined your alliance?

 

Pretty sure there was one.  If so, pretty sure that would give you reason to believe he had illegitimate funds.  Let alone, that thread in the moderation forums should've been a red flag by itself.

There was a thread about a month ago that presented information suggesting that last187 was cheating, yes, but nobody from Terradoxia defended him. But you are correct that the thread itself contained sufficient information to conclude that the preposterous amount of money coming from last187 was illegitimate. At the time Sheepy did not take action because he could not yet fully prove that it was cheating.

[Morgan]

Wasn't there a thread that you guys defended Last till he was found guilty ( due to that thread involving him in the moderation forums ) when he joined your alliance?

 

Pretty sure there was one.  If so, pretty sure that would give you reason to believe he had illegitimate funds.  Let alone, that thread in the moderation forums should've been a red flag by itself.

 

I was never aware about a thread that existed that stated Last187 was cheating, and neither was our current leadership (Josh and I) involved in any defense of Last187. 

[Alex]

It sounds like the exploiters actually have hacked into the SSH console and are modifying the database directly.

 

from Rampage's logs: (Ghost) We also have access to cronjobs

 

Only way you can modify the crontab is with SSH access. Sheepy better change his password and user name

 

Also this means this is a bigger problem than you thought, if they have access to the SSH console they have access to everything.

 

I found and addressed the cron job security issue a long time ago. It was a vulnerability within the files themselves, not the crontab.

[Clarke]

It's quite different actually, they had a cheater within their alliance sending them millions. Most other alliances had all their market offers bought up. One is much more noticeable than the other hence the question is being raised on how the hell Terradoxia had no clue about this.

Terradoxia is more likely just touching the surface since they were the only ones who showed signs of cheating in absurd growth figures.

Under the surface I think we will find that many nations have being given funds/resources in significant numbers by cheaters but were competent in their cheating by not using it to boost themselves yet. 

Edited July 8, 2015 by Clarke

[Dan77]

 

Thought he was banned?  Surely should be forum banned too.

[Moreau]

Roll terradoxia

[Dongs (old)]

Reminds me of the good old days.

https://www.youtube.com/watch?v=4c5nLZvymGM

(If you can spot the 9 dec. 2013, get glasses)

Edited July 8, 2015 by Dongs

[Eric]

It sounds like the exploiters actually have hacked into the SSH console and are modifying the database directly.

 

from Rampage's logs: (Ghost) We also have access to cronjobs

 

Only way you can modify the crontab is with SSH access. Sheepy better change his password and user name

 

Also this means this is a bigger problem than you thought, if they have access to the SSH console they have access to everything.

So you're saying that say they don't like you. They can hack the database and destroy your nation completely?

[TellUrGrlThx]

Usually when you start a growth program for your alliance you increase taxes to pay for it and set a goal for all members so they are aware of how long the higher taxes will last. You don't ask your top member to pay for all of it. Considering he was paying for it and was still growing should have been a big red flag. Just saying....

[Kim Jong-Il]

Well actually not at all. I have never even spoken to last187 and I actually joined Terradoxia AFTER the Great VE War, meaning that I've been here 3 or so weeks. I was promoted to Deputy MoD because of a shuffle in government and a resignation due to RL Commitments, but I don't know too much about Terradoxia.

 

However, to be honest, I created my nation a long long time ago when Kangaroo Ocean was still best in the world. Then suddenly he is kicked out of the Top 10 and 10 new nations replace him... truthfully I do find that suspicious.

 

However I can honestly say that I did not cheat. I have received 7.5 million dollars or so from Terradoxia, although most of that was around a month ago. Feel free to investigate my trades if nescesary and I will be happy to cooperate with you cause honestly, I am quite disappointed that these people shamed our alliance and the entire game like that just so they could be top in a ONLINE VIRTUAL GAME. I can guarantee you though that these people (the cheaters) are NOT a accurate representation of our alliance, all the alliances on Orbis, and Politics and War as a whole.

 

Steve (Kangaroo Ocean) just has bad luck with game nerfs and thats why he's lower (still in top 20 btw). I wasn't acusing you of cheating, but wondering how you wouldnt think last187 was.

 

Also just realized you were the dude who embargoed our aa bc one of our members went rougue and hit one of your guys, but left during the war, and you assumed he was still there. The reason was !@#$ing hilarious, but I forgot what it was exactly

[Alex]

So you're saying that say they don't like you. They can hack the database and destroy your nation completely?

 

No. This has never happened, so there's no reason to think that it can happen. The exploit is limited to cash and resources as far as we know.

[Kim Jong-Il]

It sounds like the exploiters actually have hacked into the SSH console and are modifying the database directly.

 

from Rampage's logs: (Ghost) We also have access to cronjobs

 

Only way you can modify the crontab is with SSH access. Sheepy better change his password and user name

 

Also this means this is a bigger problem than you thought, if they have access to the SSH console they have access to everything.

 

Could they not create another account seperate from sheepy's with SSH access?

[Alex]

Could they not create another account seperate from sheepy's with SSH access?

 

Remember, there's no reason to believe they have SSH access in the first place. With that kind of power, I think we'd see a lot more than just spawned money.

 

This exploit is most likely a vulnerability or bug somewhere in the code that they have found how to abuse. It's entirely possible that it's already been fixed, due to various security and integrity improvements that have already been made. I'm working on a solution to make the game, what I would like to think of as, "exploit proof" that should be rolled out here shortly.

 

In the mean time, if the exploit does still exist, the exploiters are certainly laying low and taking it easy with all of the attention they've gotten. As soon as they come back out of the shadows and attempt to exploit again, we'll know for sure what the bug was and have it fixed.

[ELPINCHAZO]

No. This has never happened, so there's no reason to think that it can happen. The exploit is limited to cash and resources as far as we know.

anything can happen IF YOU BELIEVE!!

 

But seriously there is no such thing as exploit proof as long as you are using SQL-PHP-JAVASCRIPT-APACHE etc.

 

vigilance is the only cure.

[Alex]

anything can happen IF YOU BELIEVE!!

 

But seriously there is no such thing as exploit proof as long as you are using SQL-PHP-JAVASCRIPT-APACHE etc.

 

vigilance is the only cure.

 

 I don't mean exploit-proof in the sense that there will never be a vulnerability or bug in the code. I mean exploit-proof in that if someone were to use an exploit, it would be immediately obvious and confirmed that they did, in fact, cheat somehow, and could be immediately removed from the game (and hopefully the exploit that they used, fixed).

[ELPINCHAZO]

Poor last... I liked that guy

you would

[Raiden]

Good luck to Sheepy and Malone. 

[Legend]

Good luck in closing the exploit.  As for meting out punishments.  Hit those who knowingly participated hard. If there were nations who just happened to receive cash so it was hidden, axe that much cash if possible.

 

I'll still be playing, it isn't ruined.  

[TellUrGrlThx]

you would

 

https://www.change.org/p/alliance-of-rose-kick-john-harms-out-of-the-allinace

 

Only 76 more to go