Hacked (For real this time)
No, this isn't about the competition, but about our website. I got a text message tonight stating that our site was down. When I looked at it, I saw:
Parse error: syntax error, unexpected T_STRING in /home1/ipirates/public_html/admin/settings.php on line 6
Which led me to believe the file was not intact. Upon taking a look at the file, I saw that it had been modified by someone. It says:
Code:
<?php
I realize I have to sanitize my login input for the admin panel with SQL Injection prevention... I don't feel like messing with it though, because I'm tired from the competition. So thank you, mysterious hacker, you've made my day difficult.
Re: Hacked (For real this time)
I believe PHP has a string sanitization function built in, somewhere.
Re: Hacked (For real this time)
Quote:
Code:
mysql_real_escape_string($string);
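As an added illustration (not code from the thread or from the team's site), here is the difference between the escaping approach suggested above and a parameterized query. `mysql_real_escape_string()` belongs to the old `mysql_` extension, which was removed in PHP 7.0; prepared statements keep the query structure and the user data separate, so no escaping step can be forgotten. The table `admins(username, password_hash)` and the connection settings are assumptions.

```php
<?php
// Added example: vulnerable login check beside its hardened form.
// Assumed schema: admins(id, username, password_hash), with hashes made by password_hash().

// --- Vulnerable form: user input is concatenated into the SQL text. ---
// A single quote in $user ends the string literal, and whatever follows it
// becomes part of the query, so the password condition can be bypassed.
function login_vulnerable(mysqli $db, string $user, string $pass): bool
{
    $sql = "SELECT id FROM admins WHERE username = '$user' AND password = '$pass'";
    $result = $db->query($sql);
    return $result !== false && $result->num_rows === 1;
}

// --- Hardened form: prepared statement plus a hashed password. ---
function login_hardened(PDO $db, string $user, string $pass): bool
{
    // The placeholder :u is sent to MySQL separately from the query text,
    // so the contents of $user can never change the query's structure.
    $stmt = $db->prepare('SELECT password_hash FROM admins WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() does a constant-time comparison against the stored hash.
    return $row !== false && password_verify($pass, $row['password_hash']);
}

// Connection used by login_hardened(); DSN and credentials are placeholders.
function admin_db(): PDO
{
    $db = new PDO('mysql:host=localhost;dbname=ipirates;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use real server-side prepares rather than client-side string interpolation.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $db;
}

// Usage in login.php (constructed input):
// $ok = login_hardened(admin_db(), $_POST['username'] ?? '', $_POST['password'] ?? '');
```

Storing `password_hash()` output instead of the plaintext password also means that even a successful injection elsewhere on the site does not hand out admin credentials directly.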
Re: Hacked (For real this time)
I'm aware of that... unfortunately, at the time some pieces of the site were written, I wasn't. I'll be fixing it.
This might actually have taken us out of the running for website award at the Livonia district this weekend, since I don't know when the hacking occurred. Depending on how soon I can assess the damage and repair it, we might be out of the running at Michigan's state competition as well. All I want is to find out who did it... I don't appreciate my site being hacked, even in example.
Re: Hacked (For real this time)
I think the actual hacking wasn't wise... However, forward-looking, I'm wondering why you guys are reinventing the wheel.
The only admin panel I have on our website is through FTP. Our website is done through the Smarty templating system, which makes individual content files very very simple. The backend files can be very complex, but the actual content-editing part can be very very simple. Every team should look into that... Or use a CMS that has already been established to reduce another attack such as this. It was unfair that your site was hacked, but it is the real world. There are no rules in the real world. Keehun Team 2502
Re: Hacked (For real this time)
At any rate, both holes have been repaired, and I'm bringing the site back up. If anyone notices some holes, please let me know via PM on here. Thanks.
Re: Hacked (For real this time)
I highly doubt this was an FRC team member. Most likely an automated script of some sort. You're lucky it was fairly friendly.
Re: Hacked (For real this time)
Luckily for you, security is not a criterion of the website award.
Re: Hacked (For real this time)
Quote:
I'm not saying people won't believe you now, because you have made the case pretty clear to me and others that this is what occurred. But I hope there was a lesson learned in this. I would also assume you alerted Mr. Ketron.
Re: Hacked (For real this time)
No, I haven't had the chance to get a hold of Ketron yet.
In response to the other post, an automated script is very unlikely, because it changed very specific things unique to the website. Also, I did not say it was an FRC team that did it, but it still may have been. And thanks for clearing up the award eligibility thing. I'm glad this situation won't affect us.
Re: Hacked (For real this time)
Sorry it happened, but you could be kind of glad. It wasn't as bad as it could have been. They were kind enough just to show you the holes in a way and not completely trash everything.
Teams need to remember if you do go and re-make the wheel, you need to make security high up on the list. That's the benefit of using a pre-made CMS. Just take it with a grain of salt, and move on. At least it's now a more secure site.
Re: Hacked (For real this time)
And remember to make backups FREQUENTLY.
Re: Hacked (For real this time)
Yet another very real life lesson learned via FRC! SQL injection is how Anonymous hacked HBGary (well, it's how the hack started...). Very scary stuff; you can read about it on arstechnica.com.
You may be able to FTP into the site, see WHEN the files were modified (if you haven't modified them), and then correlate that with IP access logs (if you keep them). That should tell you what region of the world it came from.
Re: Hacked (For real this time)
The issue apparently was that part of the admin panel inadvertently didn't require login to function properly, and so someone was able to change that one file, so really, unless I logged every action, there would be no way to log the IP. Everything should be fixed now anyway, so I'd say I'm good now.
Re: Hacked (For real this time)
Quote:
And don't laugh, I had dialup access only here at the house until just this year.
Re: Hacked (For real this time)
I had dialup until November 2009, and I still use it at my dad's. I know the feeling.
Re: Hacked (For real this time)
An update... I checked the IP logger I implemented yesterday and found this:
Code:
04/03/2011 12:41:03 - 76.226.163.182 - - FAILED ATTEMPT
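Two points raised earlier come together here: the part of the admin panel that "didn't require login" could be reached without any record of who used it, and the logger above now records each attempt with a timestamp and IP. The following is an added example, not the team's code, of a gate file that every admin script includes first, so that no page runs without a session and every admin request lands in a log with the same line shape as the entry above. The file names, the log path and the session key are assumptions.

```php
<?php
// Added example. Hypothetical file admin/require_login.php; each admin script
// (settings.php, etc.) starts with:
//     require_once __DIR__ . '/require_login.php';
//     require_login();
declare(strict_types=1);

// Assumed log location, deliberately outside public_html so it is not web-readable.
const ADMIN_LOG = __DIR__ . '/../../logs/admin.log';

// Append one line per event, matching the thread's logger format:
// "04/03/2011 12:41:03 - 76.226.163.182 - - FAILED ATTEMPT"
// (date - ip - user - event; an empty user is written as "-").
function log_admin_event(string $user, string $event, ?string $ip = null): string
{
    $ip   = $ip ?? ($_SERVER['REMOTE_ADDR'] ?? '-');
    $line = sprintf("%s - %s - %s - %s\n",
        date('m/d/Y H:i:s'), $ip, $user === '' ? '-' : $user, $event);
    file_put_contents(ADMIN_LOG, $line, FILE_APPEND | LOCK_EX);
    return $line;
}

// Refuse to run the including script unless an admin session exists.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $uri = $_SERVER['REQUEST_URI'] ?? '';
    if (empty($_SESSION['admin_user'])) {
        log_admin_event('', 'UNAUTHENTICATED ACCESS ' . $uri);
        header('Location: /admin/login.php', true, 302);
        exit; // nothing below the include runs without a session
    }
    // Every authenticated request is recorded with its IP, so a later file
    // modification time can be correlated with who was logged in at that moment.
    log_admin_event($_SESSION['admin_user'], 'ACTION ' . $uri);
}

// Called from login.php after the credentials have been verified.
function start_admin_session(string $user): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // fresh session id after the privilege change
    $_SESSION['admin_user'] = $user;
    log_admin_event($user, 'LOGIN OK');
}

// Called from login.php when verification fails (mirrors the entry above).
function record_failed_login(): void
{
    log_admin_event('', 'FAILED ATTEMPT');
}
```

Because the gate is a plain include at the top of each script, a page that forgets it still fails closed only if the include is present; a quick check is to grep the admin directory for scripts that do not contain `require_login()`.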
Re: Hacked (For real this time)
Yep, that's your run-of-the-mill SQL Injection attack. Since the person didn't actually gain access to your site, I don't think that's actually illegal. It's probably the same person as before though, so you could try going to the ISP/Police. I kinda doubt they will spend time on a simple injection with no real damage (except that you had to fix your site).
Re: Hacked (For real this time)
To be more specific, we found it traces to somewhere near the corner of 5-mile and Farmington in Livonia, which happens to be near the location of Churchill High School.
Re: Hacked (For real this time)
Quote:
Seems like the address is from Texas http://whois.arin.net/rest/customer/C01622289
Re: Hacked (For real this time)
Quote:
Host : ppp-76-226-163-182.se3.sfldmi.sbcglobal.net sfldmi = Southfield, Michigan I think.
Re: Hacked (For real this time)
Quote:
http://whois.arin.net/rest/net/NET-76-226-160-0-1/pft Got Texas. But just running the IP on Google, I see this: http://ip-reports.org/76.226.163.0/
Re: Hacked (For real this time)
Quote:
But when I used network-tools.com, I got different results: http://network-tools.com/default.asp...76.226.163.182
Code:
TraceRoute to 76.226.163.182 [ppp-76-226-163-182.se3.sfldmi.sbcglobal.net]
Re: Hacked (For real this time)
The first couple of hops should be your local ISP, which is why you are getting Dallas in your tracert.
Re: Hacked (For real this time)
Quote:
tracert 76.226.163.182 that should start the trace from your location.
Re: Hacked (For real this time)
Yup, it started from my location, but it finished on the same sfldmi name.
Re: Hacked (For real this time)
I didn't use a tracert, but MaxMind GeoIP, which is known for being extremely accurate.
Re: Hacked (For real this time)
So have you fixed the SQL injection vulnerability?
I'd do that instead of caring who did it. They were nice enough to let you know that you need to get your act together instead of trashing your site.
Re: Hacked (For real this time)
MaxMind has some odd options. Someone else ran it, and it was spot on my place, so I assumed any other output would be just as accurate. I don't want to point any fingers (as I think I said before), just pointing out a possibility (which seems to get me into trouble for some reason).
Re: Hacked (For real this time)
Quote:
The internet sleuthing is educational, interesting and valuable. My opinion is that Brandon's skill level and progress are similar to the skill levels and progress of thousands of students who play engineer and/or computer scientist each year in STEM robotics competitions. Let's not celebrate one set of (often clumsy) efforts and denigrate the other (often clumsy) set. Instead, maybe we can choose to guide/mentor both. Blake
Re: Hacked (For real this time)
$10 says it was one of your own team's programmers just trying to have some fun by experimenting with different things. It's more curiosity than malicious intent.
Re: Hacked (For real this time)
I can guarantee you that it was not our team, since none of the members except me have the knowledge to do such a thing, and I didn't hack our own site. I am sure however that the intent was not malicious, but I still don't appreciate that type of thing happening.
Re: Hacked (For real this time)
The issue is resolved. It was a student at our high school (non-team member).
Thank you Brandon for embarrassing our team (again) by inferring that another team may have done this before thoroughly investigating the actions taken. Mr. Ketron will know about what you have done, and what the other student has done before MSC. I would like to say that a lesson should have been learned from this, but with you lessons never are learned.
Re: Hacked (For real this time)
For what it's worth, the above post embarrassed your team more than anything Brandon did.
Please, for the sake of your team, keep your dirty laundry out of the public eye.
Re: Hacked (For real this time)
Quote:
As a leader on your team, you should set a higher example.
Re: Hacked (For real this time)
Dang, looks like I owe someone...
Close though.
Re: Hacked (For real this time)
Quote:
All I meant to communicate in my post above was that the situation was solved and MTR did not condone the actions taken by one student.
Re: Hacked (For real this time)
Quote:
If you honestly can read your message and see nothing wrong with its format, location, and presentation - you should not be in a position to be lecturing or punishing other students.
Re: Hacked (For real this time)
As a team president, I wouldn't call out my teammates on CD. I would talk to them at a meeting, or email them, but I wouldn't air internal matters and team politics in front of the entire FIRST community. Doing that reflects badly on your team.
Re: Hacked (For real this time)
Quote:
I made myself look foolish and stupid; I think I deserve it after those two posts. Please don't look down on the rest of my team because of my mistake, they don't deserve it.
Re: Hacked (For real this time)
Folks,
Some people believe that it is impossible to non-trivially separate teams' collective identities and reputations from those of individual FIRST participants who also happen to be members of those teams. And, I know that there are plenty of folks who choose to organize and evaluate their FIRST experiences using the "Any member's mistake is the entire team's mistake" approach. Well, for what it is worth, I'm not one of those people, and there are quite a few others who have similar attitudes. I recommend worrying less about "team reputations" and more about individuals. I know there are plenty of folks with other opinions. That's OK. My point is that it's OK to dial back the "We need to be Stepford FIRSTers" just a bit, because... It's OK to view the world through a lens other than that one, if you care to. Blake
Re: Hacked (For real this time)
For the record, I believe that what Trevor said was (somewhat) fair, and with all the stress lately, I can understand how he would slip up and post something he shouldn't have. I've done it enough to where I can't really blame someone else who does it. With that, I'd like to see that particular topic end with this post.
In addition, the attack located in Livonia (provided it actually was from there) is probably not the same person that successfully hacked the site. A lot of other attempts to access our admin panel have been made, with no success. I have this message for everyone who has or plans to try something: our panel is no longer vulnerable to SQL injection. In addition, the login is not a simple one, so trying more generic logins will get you nowhere. Thank you to everyone who posted a constructive response.
Re: Hacked (For real this time)
Quote:
Except in carefully controlled circumstances, I first do my best to invoke healthy skepticism that the larger, and typically quite diverse, groups are truly represented by any one person's actions or utterances. If I do invoke a "You are besmirching your team" attitude, I try to do that much later in the process/conversation. I feel that to do otherwise is to ignore overwhelming evidence that the individuals (especially students) typically do not speak or act for their teams in the pertinent controversial settings. To look at it from another angle, try this: I dislike compounding someone else's mistakes by making one myself (by allowing my opinion of the entire team's reputation to become conflated with my opinion of the one member). Blake
Copyright © Chief Delphi