
Hacked (For real this time)


BrandonD-1528
02-04-2011, 22:27
No, this isn't about the competition, but about our website. I got a text message tonight stating that our site was down. When I looked at it, I saw:

Parse error: syntax error, unexpected T_STRING in /home1/ipirates/public_html/admin/settings.php on line 6

Which led me to believe the file was not intact. Upon taking a look at the file, I saw that it had been modified by someone. It says:

<?php
$title = "HAXORED";
$copyright = "&copy;2009-2011 Monroe Trojan Robotics";
$footer1 = "Logos of FIRST and our sponsors are trademarks of their respective owners. All rights reserved.";
$footer2 = "Running ScurvyCMS, coded by Brandon Dusseau. Your site is vulnerable to SQL injection.";
$footer3 = "Also your <a href="[omitted]">[omitted]</a> page is wide open.";
?>


What I'd like to know is who is responsible for this. I'm not pointing fingers or anything, but at least they could have emailed us instead of poking around in our site settings. Looks like I get to go on a code hunt and check the database for issues. This should be fun, considering there are no backups.

I realize I have to sanitize my login input for the admin panel with SQL Injection prevention... I don't feel like messing with it though, because I'm tired from the competition. So thank you mysterious hacker, you've made my day difficult.

BigJ
02-04-2011, 22:35
I believe PHP has a string sanitization function built in, somewhere.

plnyyanks
02-04-2011, 22:37
I believe PHP has a string sanitization function built in, somewhere.

to escape inputs use:

mysql_real_escape_string($string);
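
Added example, not code from the thread or from ScurvyCMS: the login check Brandon describes, written twice against an in-memory SQLite table (SQLite rather than PHP/MySQL so it runs anywhere, and bound parameters rather than `mysql_real_escape_string`, which is the escaping route plnyyanks names). The account, password and table are constructed; the injection string is the one later seen in the thread's own log.

```python
import sqlite3

# Constructed account. Real sites store salted password hashes, never the
# password itself; plaintext is used here only so both queries read the same.
ADMIN_USER = "admin"
ADMIN_PASSWORD = "correct horse battery staple"

# The payload recorded in the thread's login log.
INJECTION = "' OR '1'='1'--"


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table holding one constructed admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (ADMIN_USER, ADMIN_PASSWORD))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Login check built by string concatenation (the pattern the thread describes).

    With username "' OR '1'='1'--" the statement becomes
        SELECT username FROM users WHERE username = '' OR '1'='1'--' AND password = '...'
    The tautology is always true and '--' comments the password clause away.
    """
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: user input is data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run both checks against real credentials and against the logged payloads."""
    conn = make_db()
    return {
        "vulnerable_real_creds": login_vulnerable(conn, ADMIN_USER, ADMIN_PASSWORD),
        "vulnerable_injection": login_vulnerable(conn, INJECTION, "anything"),
        # The log's second payload has no comment marker. AND binds tighter than
        # OR, so the password clause still applies and the bypass fails even here.
        "vulnerable_no_comment": login_vulnerable(conn, "' OR '1'='1", "anything"),
        "safe_real_creds": login_safe(conn, ADMIN_USER, ADMIN_PASSWORD),
        "safe_injection": login_safe(conn, INJECTION, "anything"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} -> {'logged in' if ok else 'rejected'}")
```

Escaping fixes the quoting problem for one call site; bound parameters remove the problem class, because the driver sends the query text and the values separately and the database never reparses the values. The `vulnerable_no_comment` case is why the thread's second logged attempt would have failed even before the fix.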

BrandonD-1528
02-04-2011, 22:40
I'm aware of that... unfortunately, at the time some pieces of the site were written, I wasn't. I'll be fixing it.

This might actually have taken us out of the running for website award at the Livonia district this weekend, since I don't know when the hacking occurred. Depending on how soon I can assess the damage and repair it, we might be out of the running at Michigan's state competition as well.

All I want is to find out who did it... I don't appreciate my site being hacked, even in example.

keehun
02-04-2011, 22:50
I think the actual hacking wasn't wise... However, forward-looking, I'm wondering why you guys are reinventing the wheel.

The only admin panel I have on our website is through FTP. Our website is done through Smarty templating system, which makes individual content-files very very simple. The backend files can be very complex, but the actual content-editing part can be very very simple.

Every team should look into that... Or use a CMS that has already been established to reduce another attack such as this. It was unfair that your site was hacked, but it is the real world. There are no rules in the real world.

Keehun
Team 2502

BrandonD-1528
02-04-2011, 23:43
At any rate, both holes have been repaired, and I'm bringing the site back up. If anyone notices some holes, please let me know via PM on here. Thanks.

Vikesrock
03-04-2011, 00:15
I highly doubt this was an FRC team member. Most likely an automated script of some sort. You're lucky it was fairly friendly.

remulasce
03-04-2011, 03:33
Luckily for you, security is not a criterion of the website award.

TJ92
03-04-2011, 08:33
I'm aware of that... unfortunately, at the time some pieces of the site were written, I wasn't. I'll be fixing it.

This might actually have taken us out of the running for website award at the Livonia district this weekend, since I don't know when the hacking occurred. Depending on how soon I can assess the damage and repair it, we might be out of the running at Michigan's state competition as well.

All I want is to find out who did it... I don't appreciate my site being hacked, even in example.

Actually I believe once you win it at one district, you are ineligible at another because all 9 district winners compete for the state website award. It wouldn't make for a very full field if the same teams won the website district award every time. On a side note: http://en.wikipedia.org/wiki/The_Boy_Who_Cried_Wolf .
I'm not saying people won't believe you now, because you have made the case pretty clear to me and others that this is what occurred. But I hope there was a lesson learned in this. I would also assume you alerted Mr. Ketron.

BrandonD-1528
03-04-2011, 10:14
No, I haven't had the chance to get a hold of Ketron yet.

In response to the other post, an automated script is very unlikely, because it changed very specific things unique to the website. Also, I did not say it was an FRC team that did it, but it still may have been.

And thanks for clearing up the award eligibility thing. I'm glad this situation won't affect us.

Dustin Shadbolt
03-04-2011, 12:32
Sorry it happened, but you could be kind of glad. It wasn't as bad as it could have been. They were kind enough just to show you the holes in a way and not completely trash everything.

Teams need to remember if you do go and re-make the wheel, you need to make security high up on the list. That's the benefit of using a pre-made CMS. Just take it with a grain of salt, and move on. At least it's now a more secure site.

johnmaguire2013
03-04-2011, 15:08
And remember to make backups FREQUENTLY.

JesseK
03-04-2011, 16:18
Yet another very real life lesson learned via FRC! SQL injection is how Anonymous hacked HBGary (well, it's how the hack started...). Very scary stuff; you can read about it on arstechnica.com.

You may be able to ftp into the site, see WHEN the files were modified (if you haven't modified them), and then correlate that with IP access logs (if you keep them). That should tell you what region of the world it came from.
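
Added example (not from the thread) of the correlation JesseK suggests: take the modification time of the altered file and pull every request under the admin path from a web-server access log within a window around it. The log lines are constructed in Apache "combined" layout with TEST-NET addresses, not the address discussed later in the thread; `/admin/settings.php` is the file the first post names, the other paths are illustrative.

```python
import re
from datetime import datetime, timedelta

# Constructed access log (documentation-range IPs). One visitor fetches and then
# posts to the settings page just before the file's modification time.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [02/Apr/2011:09:00:01 -0400] "GET /admin/ HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Apr/2011:21:29:00 -0400] "GET /index.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Apr/2011:21:30:05 -0400] "GET /admin/settings.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Apr/2011:21:30:11 -0400] "POST /admin/settings.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Apr/2011:21:40:47 -0400] "GET /index.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

# ip ident user [timestamp] "METHOD path protocol" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_access_log(text: str):
    """Yield one dict per well-formed line; lines that do not fit are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {
            "ip": m["ip"],
            "when": datetime.strptime(m["ts"], TS_FORMAT),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        }


def requests_near_mtime(text: str, mtime: datetime, path_prefix: str = "/admin/",
                        window: timedelta = timedelta(minutes=10)) -> list:
    """Requests under path_prefix that landed within +/- window of the file mtime."""
    lo, hi = mtime - window, mtime + window
    return [r for r in parse_access_log(text)
            if r["path"].startswith(path_prefix) and lo <= r["when"] <= hi]


def suspect_ips(text: str, mtime: datetime) -> list:
    """Addresses that wrote (POST/PUT) to the admin path at or before the mtime;
    if no write is visible, fall back to every address seen in the window."""
    hits = requests_near_mtime(text, mtime)
    writes = [r for r in hits if r["method"] in ("POST", "PUT") and r["when"] <= mtime]
    return sorted({r["ip"] for r in (writes or hits)})


if __name__ == "__main__":
    # Constructed mtime for settings.php, as 'ls -l --full-time' or FTP MDTM would report it.
    mtime = datetime.strptime("02/Apr/2011:21:30:20 -0400", TS_FORMAT)
    for r in requests_near_mtime(SAMPLE_ACCESS_LOG, mtime):
        print(r["when"].isoformat(), r["ip"], r["method"], r["path"], r["status"])
    print("suspect addresses:", suspect_ips(SAMPLE_ACCESS_LOG, mtime))
```

The mtime only helps if the file has not been touched since the incident, which is the caveat in the post above, and the result is an address and a time to hand to the ISP, not a location; the rest of the thread shows how little geolocation of a single dial-up or DSL address proves.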

BrandonD-1528
03-04-2011, 16:24
The issue apparently was that part of the admin panel inadvertently didn't require login to function properly, and so someone was able to change that one file, so really, unless I logged every action, there would be no way to log the IP. Everything should be fixed now anyway, so I'd say I'm good now.
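
Added example, not the thread's or ScurvyCMS's code, of the design that prevents the failure Brandon describes: instead of each admin page remembering to check for a login, every request under `/admin/` passes one gate before any handler runs, so a page that forgets the check is still covered. The request and session objects, the handler names and `/admin/login.php` are constructed for the example; `/admin/settings.php` is the file from the first post.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

ADMIN_PREFIX = "/admin/"
# Pages under the admin prefix that must stay reachable without a session.
PUBLIC_ADMIN_PATHS = {"/admin/login.php"}


@dataclass
class Request:
    path: str
    session: dict = field(default_factory=dict)  # {"admin_user": name} once logged in


class AdminPanel:
    """Deny-by-default dispatcher: the login check lives in handle(), not in pages."""

    def __init__(self) -> None:
        self._routes: Dict[str, Callable[[Request], str]] = {}

    def route(self, path: str):
        def register(fn: Callable[[Request], str]):
            self._routes[path] = fn
            return fn
        return register

    def handle(self, req: Request) -> Tuple[int, str]:
        gated = req.path.startswith(ADMIN_PREFIX) and req.path not in PUBLIC_ADMIN_PATHS
        if gated and not req.session.get("admin_user"):
            # Nothing below this line runs for an anonymous visitor.
            return 302, "/admin/login.php"
        handler = self._routes.get(req.path)
        if handler is None:
            return 404, "not found"
        return 200, handler(req)


panel = AdminPanel()


@panel.route("/admin/login.php")
def login_page(req: Request) -> str:
    return "login form"


@panel.route("/admin/settings.php")
def settings_page(req: Request) -> str:
    # The handler can rely on the session because the gate already enforced it.
    return "settings form for " + req.session["admin_user"]


def demo() -> dict:
    anonymous = {}
    logged_in = {"admin_user": "brandon"}
    return {
        "anon_settings": panel.handle(Request("/admin/settings.php", anonymous)),
        "anon_login": panel.handle(Request("/admin/login.php", anonymous)),
        "admin_settings": panel.handle(Request("/admin/settings.php", logged_in)),
        "anon_unknown_admin": panel.handle(Request("/admin/forgotten.php", anonymous)),
    }


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name:20s} -> {status} {body}")
```

Note the last case: a page nobody registered a check for still answers 302 to an anonymous visitor rather than 404, because the gate runs before routing and never reveals which admin pages exist.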

MishraArtificer
03-04-2011, 16:33
You may be able to ftp into the site, see WHEN the files were modified (if you haven't modified them), and then correlate that with IP access logs (if you keep them). That should tell you what region of the world it came from.

...unless they were using dialup, and their IP address changed when they logged off and back in.

And don't laugh, I had dialup access only here at the house until just this year.

BrandonD-1528
03-04-2011, 16:35
I had dialup until November 2009, and I still use it at my dad's. I know the feeling.

johnmaguire2013
03-04-2011, 16:43
...unless they were using dialup, and their IP address changed when they logged off and back in.

And don't laugh, I had dialup access only here at the house until just this year.

I have dynamic IPs with my current DSL ISP. Even so, there isn't much you can do with an IP address short of giving it to the police, or the ISP. And the ISP keeps logs for at least a while of who has what IP address for how long.

BrandonD-1528
03-04-2011, 22:24
An update... I checked the IP logger I implemented yesterday and found this:

04/03/2011 12:41:03 - 76.226.163.182 - - FAILED ATTEMPT
04/03/2011 13:02:09 - 76.226.163.182 - ' OR '1'='1'-- - FAILED ATTEMPT
04/03/2011 13:02:17 - 76.226.163.182 - ' OR '1'='1 - FAILED ATTEMPT
04/03/2011 13:02:22 - 76.226.163.182 - - FAILED ATTEMPT
04/03/2011 13:02:23 - 76.226.163.182 - - FAILED ATTEMPT

The IP traces to AT&T's Livonia node, which covers a good chunk of Southeast Michigan. Any ideas?
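
Added example, not code from the thread: the five lines Brandon posted, parsed in their "date - ip - payload - status" layout and summarised per address, flagging payloads that carry quote-breaking tautologies or SQL comment markers and bursts of failed attempts within a short window. The date is read as month/day/year (the post is dated 3 April 2011); the burst threshold and the pattern list are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Lines copied from the thread's login log.
SAMPLE_LOG = [
    "04/03/2011 12:41:03 - 76.226.163.182 - - FAILED ATTEMPT",
    "04/03/2011 13:02:09 - 76.226.163.182 - ' OR '1'='1'-- - FAILED ATTEMPT",
    "04/03/2011 13:02:17 - 76.226.163.182 - ' OR '1'='1 - FAILED ATTEMPT",
    "04/03/2011 13:02:22 - 76.226.163.182 - - FAILED ATTEMPT",
    "04/03/2011 13:02:23 - 76.226.163.182 - - FAILED ATTEMPT",
]

# Quote-breaking boolean tautologies and SQL comment openers. Kept narrow so that
# ordinary usernames containing an apostrophe (O'Brien) are not flagged.
INJECTION_PATTERN = re.compile(r"'\s*(or|and)\s*'|--|/\*", re.IGNORECASE)

BURST_COUNT = 3                    # this many failures ...
BURST_WINDOW = timedelta(seconds=60)  # ... inside this window counts as a burst


class Attempt(NamedTuple):
    when: datetime
    ip: str
    payload: str
    status: str


def parse_line(line: str) -> Attempt:
    """Split one log line. An empty payload leaves 'ip - - STATUS', so the
    payload/status split uses rpartition on '- ' rather than a plain split."""
    when, _, rest = line.partition(" - ")
    ip, _, rest = rest.partition(" - ")
    payload, _, status = rest.rpartition("- ")
    return Attempt(datetime.strptime(when, "%m/%d/%Y %H:%M:%S"),
                   ip, payload.strip(), status.strip())


def is_injection_like(payload: str) -> bool:
    return bool(INJECTION_PATTERN.search(payload))


def analyze_login_log(lines) -> dict:
    """Per-IP summary: failed attempts, injection-like payloads, and whether
    BURST_COUNT failures fell inside any BURST_WINDOW."""
    by_ip = defaultdict(list)
    for line in lines:
        attempt = parse_line(line)
        by_ip[attempt.ip].append(attempt)

    report = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda a: a.when)
        failed = [a for a in attempts if a.status == "FAILED ATTEMPT"]
        burst = any(
            failed[i + BURST_COUNT - 1].when - failed[i].when <= BURST_WINDOW
            for i in range(len(failed) - BURST_COUNT + 1)
        )
        flagged = [a.payload for a in attempts if is_injection_like(a.payload)]
        report[ip] = {
            "failed": len(failed),
            "injection_like": len(flagged),
            "payloads": flagged,
            "burst": burst,
            "first": failed[0].when if failed else None,
            "last": failed[-1].when if failed else None,
        }
    return report


if __name__ == "__main__":
    for ip, info in analyze_login_log(SAMPLE_LOG).items():
        print(ip, info)
```

Run over the posted lines this reports five failures from one address, two of them injection-like, with four of the failures inside fourteen seconds. That is enough to alert on and rate-limit the address at the login form; it says nothing about where the address is, which is the point the rest of the thread goes on to argue.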

Sebastian Merz
04-04-2011, 17:29
Yep, that's your run-of-the-mill SQL Injection attack. Since the person didn't actually gain access to your site, I don't think that's actually illegal. It's probably the same person as before though, so you could try going to the ISP/Police. I kinda doubt they will spend time on a simple injection with no real damage (except that you had to fix your site).

BrandonD-1528
04-04-2011, 18:02
To be more specific, we found it traces to somewhere near the corner of 5-mile and Farmington in Livonia, which happens to be near the location of Churchill High School.

BornaE
04-04-2011, 18:11
To be more specific, we found it traces to somewhere near the corner of 5-mile and Farmington in Livonia, which happens to be near the location of Churchill High School.

Not sure where you got that address.

Seems like the address is from Texas

http://whois.arin.net/rest/customer/C01622289

Ether
04-04-2011, 18:26
Not sure where you got that address.

Seems like the address is from Texas

IP : 76.226.163.182
Host : ppp-76-226-163-182.se3.sfldmi.sbcglobal.net

sfldmi = Southfield, Michigan I think.

nighterfighter
04-04-2011, 18:58
IP : 76.226.163.182
Host : ppp-76-226-163-182.se3.sfldmi.sbcglobal.net


sfldmi = Southfield, Michigan I think.

Well I ran it also-
http://whois.arin.net/rest/net/NET-76-226-160-0-1/pft

Got Texas. But just running the IP on Google, I see this-

http://ip-reports.org/76.226.163.0/

Ether
04-04-2011, 19:14
Well I ran it also-
http://whois.arin.net/rest/net/NET-76-226-160-0-1/pft

Got Texas.

Do a tracert, like Brandon did.

nighterfighter
04-04-2011, 19:21
Do a tracert, like Brandon did.

Ah, I see.

But when I used network-tools.com, I got different results-

http://network-tools.com/default.asp?prog=trace&host=76.226.163.182

TraceRoute to 76.226.163.182 [ppp-76-226-163-182.se3.sfldmi.sbcglobal.net]
Hop (ms) (ms) (ms) IP Address Host name
1 9 14 9 72.249.128.109 -
2 75 60 80 8.9.232.73 xe-5-3-0.edge3.dallas1.level3.net
3 43 41 40 4.69.145.204 ae-4-90.edge2.dallas3.level3.net
4 17 15 59 12.122.139.194 cr1.dlstx.ip.att.net
5 83 53 39 12.122.212.10 cr1.dlstx.ip.att.net
6 57 62 44 12.122.28.90 cr2.sl9mo.ip.att.net
7 71 72 60 12.122.2.21 cr2.cgcil.ip.att.net
8 103 73 80 12.122.2.21 cr2.cgcil.ip.att.net
9 138 Timed out Timed out 12.83.61.58 -
10 74 91 66 76.205.15.83 se4-g9-2.sfldmi.sbcglobal.net
11 107 120 105 76.205.15.83 se4-g9-2.sfldmi.sbcglobal.net
12 94 123 106 76.226.163.182 ppp-76-226-163-182.se3.sfldmi.sbcglobal.net

Trace complete
Emphasis mine.

flippy147852
04-04-2011, 19:33
The first couple of hops should be your local ISP, which is why you are getting Dallas in your tracert.

nighterfighter
04-04-2011, 19:36
The first couple of hops should be your local ISP, which is why you are getting Dallas in your tracert.

I live in Georgia, just north of Atlanta. :confused:

Ether
04-04-2011, 19:41
I live in Georgia, just north of Atlanta. :confused:

Go to a command prompt and type

tracert 76.226.163.182

that should start the trace from your location.

Ether
04-04-2011, 19:42
The first couple of hops should be your local ISP, which is why you are getting Dallas in your tracert.

It won't be your local ISP if you do a trace using a web site like he did.

nighterfighter
04-04-2011, 20:01
Yup, it started from my location, but it finished on the same sfldmi name.

BrandonD-1528
05-04-2011, 06:05
I didn't use a tracert, but MaxMind GeoIP, which is known for being extremely accurate.

Jack Jones
05-04-2011, 06:45
To be more specific, we found it traces to somewhere near the corner of 5-mile and Farmington in Livonia, which happens to be near the location of Churchill High School.

That's even closer to Parkview Memorial Cemetery. Maybe you should call Ghost Busters? :rolleyes:

Isaac501
05-04-2011, 08:09
So have you fixed the SQL injection vulnerability?

I'd do that instead of caring who did it. They were nice enough to let you know that you need to get your act together instead of thrashing your site.

gblake
05-04-2011, 08:56
... I'd do that instead of caring who did it. They were nice enough to let you know that you need to get your act together instead of thrashing your site.

Wrong on so many levels.

Joe Ross
05-04-2011, 09:22
To be more specific, we found it traces to somewhere near the corner of 5-mile and Farmington in Livonia, which happens to be near the location of Churchill High School.

I didn't use a tracert, but MaxMind GeoIP, which is known for being extremely accurate.

I think you're tremendously overstating the accuracy of IP geolocation. I just tried MaxMind GeoIP, and it got my current location wrong by 175 miles, and my home wrong by 30 miles. Drawing any conclusions about what high school it might be will only lead to trouble.

BrandonD-1528
05-04-2011, 21:56
MaxMind has some odd options. Someone else ran it, and it was spot on my place, so I assumed any other output would be just as accurate. I don't want to point any fingers (as I think I said before), just pointing out a possibility (which seems to get me into trouble for some reason).

Jack Jones
05-04-2011, 23:18
MaxMind has some odd options. Someone else ran it, and it was spot on my place, so I assumed any other output would be just as accurate. I don't want to point any fingers (as I think I said before), just pointing out a possibility (which seems to get me into trouble for some reason).

If you didn’t want to point any fingers, then why did you point out that 5 Mile and Farmington are “near” Livonia Churchill High School? The fact is that Churchill is about 4-1/2 miles from that location. Just about any location in S.E. Michigan is within 4-1/2 miles from a high school. There must be hundreds, if not thousands, of active IPs within such a 4-1/2 mile radius. Your mention of Churchill was indeed pointing a finger. You need to stop playing internet sleuth before you end up embarrassing yourself and your team any further.

gblake
06-04-2011, 01:13
You need to stop playing internet sleuth before you end up embarrassing yourself and your team any further.
No - He just needs to learn to only announce final results instead of incomplete possibilities.

The internet sleuthing is educational, interesting and valuable.

My opinion is that Brandon's skill level and progress are similar to the skill levels and progress of thousands of students who play engineer and/or computer scientist each year in STEM robotics competitions.

Let's not celebrate one set of (often clumsy) efforts and denigrate the other (often clumsy) set.

Instead, maybe we can choose to guide/mentor both.

Blake

BrandonD-1528
06-04-2011, 05:53
If you didn’t want to point any fingers, then why did you point out that 5 Mile and Farmington are “near” Livonia Churchill High School? The fact is that Churchill is about 4-1/2 miles from that location. Just about any location in S.E. Michigan is within 4-1/2 miles from a high school. There must be hundreds, if not thousands, of active IPs within such a 4-1/2 mile radius. Your mention of Churchill was indeed pointing a finger. You need to stop playing internet sleuth before you end up embarrassing yourself and your team any further.

My apologies for that. Someone told me that those roads were the corner where the school was located. I do feel kinda stupid now for not checking that for myself.

JesseK
06-04-2011, 10:04
$10 says it was one of your own team's programmers just trying to have some fun by experimenting with different things. It's more curiosity than malicious intent.

BrandonD-1528
06-04-2011, 14:30
I can guarantee you that it was not our team, since none of the members except me have the knowledge to do such a thing, and I didn't hack our own site. I am sure however that the intent was not malicious, but I still don't appreciate that type of thing happening.

TJ92
06-04-2011, 16:14
The issue is resolved. It was a student at our high school (non-team member).

Thank you Brandon for embarrassing our team (again) by inferring that another team may have done this before thoroughly investigating the actions taken. Mr. Ketron will know about what you have done, and what the other student has done before MSC. I would like to say that a lesson should have been learned from this, but with you lessons never are learned.

Chris is me
06-04-2011, 16:16
For what it's worth, the above post embarrassed your team more than anything Brandon did.

Please, for the sake of your team, keep your dirty laundry out of the public eye.

AdamHeard
06-04-2011, 16:17
The issue is resolved. It was a student at our high school (non-team member).

Thank you Brandon for embarrassing our team (again) by inferring that another team may have done this before thoroughly investigating the actions taken. Mr. Ketron will know about what you have done, and what the other student has done before MSC. I would like to say that a lesson should have been learned from this, but with you lessons never are learned.

Your public reaction and criticism is definitely more embarrassing than everything Brandon said/did.

As a leader on your team, you should set a higher example.

JesseK
06-04-2011, 16:39
Dang, looks like I owe someone...

Close though.

TJ92
06-04-2011, 19:07
For what it's worth, the above post embarrassed your team more than anything Brandon did.

Please, for the sake of your team, keep your dirty laundry out of the public eye.

For what it's worth 99% of the time I would completely agree with you, however given the situation, which you do not fully know, I believe my actions to be wholly justified. It is not in the best interest of anyone to take strong action after one or two offenses, and I assure you I am not reacting this way because of one or two offenses. This whole situation makes me sick and I wish this thread didn't exist, however it does.

All I meant to communicate in my post above was that the situation was solved and MTR did not condone the actions taken by one student.

Chris is me
06-04-2011, 19:12
For what it's worth 99% of the time I would completely agree with you, however given the situation, which you do not fully know, I believe my actions to be wholly justified. It is not in the best interest of anyone to take strong action after one or two offenses, and I assure you I am not reacting this way because of one or two offenses. This whole situation makes me sick and I wish this thread didn't exist, however it does.

All I meant to communicate in my post above was that the situation was solved and MTR did not condone the actions taken by one student.

I'm not judging your actions toward the student - I am judging your public conduct as a member and representative leader of a robotics team.

If you honestly can read your message and see nothing wrong with its format, location, and presentation - you should not be in a position to be lecturing or punishing other students.

Vermeulen
07-04-2011, 15:32
As a team president, I wouldn't call out my teammates on CD. I would talk to them at a meeting, or email them, but I wouldn't air internal matters and team politics in front of the entire FIRST community. Doing that reflects badly on your team.

TJ92
07-04-2011, 21:08
I'm not judging your actions toward the student - I am judging your public conduct as a member and representative leader of a robotics team.

If you honestly can read your message and see nothing wrong with its format, location, and presentation - you should not be in a position to be lecturing or punishing other students.

You're right. Looking back at that after I've calmed down I conducted myself horribly. I don't mean to make excuses but I was under a lot of self-induced stress to get all the scouting excel docs for this week's competition done. In my stress I acted in the poorest way possible that I could have. There is nothing I can do to take my own words back, but I shouldn't have ever written them.

I made myself look foolish and stupid, I think I deserve it after those two posts. Please don't look down on the rest of my team because of my mistake, they don't deserve it.

gblake
08-04-2011, 00:18
Folks,

Some people believe that it is impossible to non-trivially separate teams' collective identities and reputations from those of individual FIRST participants who also happen to be members of those teams.

And, I know that there are plenty of folks who choose to organize and evaluate their FIRST experiences using the "Any member's mistake is the entire team's mistake" approach.

Well, for what it is worth, I'm not one of those people, and there are quite a few others who have similar attitudes. I recommend worrying less about "team reputations" and more about individuals.

I know there are plenty of folks with other opinions. That's OK. My point is that it's OK to dial back the "We need to be Stepford FIRSTers" just a bit, because... It's OK to view the world through a lens other than that one, if you care to.

Blake

BrandonD-1528
08-04-2011, 06:08
For the record, I believe that what Trevor said was (somewhat) fair, and with all the stress lately, I can understand how he would slip up and post something he shouldn't have. I've done it enough to where I can't really blame someone else who does it. With that, I'd like to see that particular topic end with this post.

In addition, the attack located in Livonia (provided it actually was from there) is probably not the same person that successfully hacked the site. A lot of other attempts to access our admin panel have been made, with no success. I have this message for everyone who has or plans to try something: our panel is no longer vulnerable to SQL injection. In addition, the login is not a simple one, so trying more generic logins will get you nowhere.

Thank you to everyone who posted a constructive response.

Alan Anderson
08-04-2011, 07:58
Some people believe that it is impossible to non-trivially separate teams' collective identities and reputations from those of individual FIRST participants who also happen to be members of those teams.

When posts from a team member having the title "Leadership" are directed toward or mention other team members by name, the connection is hard to ignore. When those posts claim explicitly to be speaking for the team itself, it is not reasonable to try to separate the person from the team.

gblake
10-04-2011, 00:03
When posts from a team member having the title "Leadership" are directed toward or mention other team members by name, the connection is hard to ignore. When those posts claim explicitly to be speaking for the team itself, it is not reasonable to try to separate the person from the team.

Perhaps - Then again, perhaps not. In the sense pertinent to this topic, we are obviously dealing with amateurs, novices and (very often) loosely organized entities. I don't care to confer more authority or gravitas on those people or organizations than they deserve.

Except in carefully controlled circumstances, I first do my best to invoke healthy skepticism that the larger, and typically quite diverse, groups are truly represented by any one person's actions or utterances. If I do invoke a "You are besmirching your team" attitude, I try to do that much later in the process/conversation.

I feel that to do otherwise is to ignore overwhelming evidence that the individuals (especially students) typically do not speak or act for their teams in the pertinent controversial settings.

To look at it from another angle, try this: I dislike compounding someone else's mistakes by making one myself (by allowing my opinion of the entire team's reputation to become conflated with my opinion of the one member).

Blake