Realm Downtime


biglad
06-27-2009, 11:01 AM
Hiya all,

As you have noticed, for the past couple of days the site/forums/realm has been down. For a bit I have had a very good idea what's been going on, but I didn't tell anyone, not even the GMs.

This morning I got the 100% proof I was after, so now I can release the info :).

Each time something has dropped offline it's been due to one of the needed databases not responding. I found the reason for them not responding when looking into the problem: the database in question simply wasn't there at all. So I simply do a restore from my last complete backup (this is where the rollbacks have come from).

I thought at first that we may have a hacker, so while the restores were running I was checking all 3 of the MGA firewall traffic logs, but I couldn't see anything. Then I started checking the web site access logs to make sure there was no exploit in any of our sites, and something jumped out at me right away.
I saw an old IP addy that I knew the owner of, and looked at what they were accessing.
I found this (normally I don't post IPs, but in this case I don't care):

84.87.154.70 - - [27/Jun/2009:09:26:30 +0100] "POST /run_patch.php?action=do_run_patch HTTP/1.1" 302 - "http://**HIDDEN**.mgawow.co.uk/run_patch.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; nl; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)"
84.87.154.70 - - [27/Jun/2009:09:26:31 +0100] "GET /error.php?err=You%20have%20an%20error%20in%20your%20SQL%20syntax;%20check%20the%20manual%20that%20corresponds%20to%20your%20MySQL%20server%20version%20for%20the%20right%20syntax%20to%20use%20near%20%27DROP%20DATABASE%20**HIDDEN**%27%20at%20line%201 HTTP/1.1" 200 3224 "http://**HIDDEN**.mgawow.co.uk/run_patch.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; nl; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)"
84.87.154.70 - - [27/Jun/2009:09:26:31 +0100] "GET /img/warn_red.gif HTTP/1.1" 200 1811 "http://**HIDDEN**.mgawow.co.uk/error.php?err=You%20have%20an%20error%20in%20your%20SQL%20syntax;%20check%20the%20manual%20that%20corresponds%20to%20your%20MySQL%20server%20version%20for%20the%20right%20syntax%20to%20use%20near%20%27DROP%20DATABASE%20**HIDDEN**%27%20at%20line%201" "Mozilla/5.0 (Windows; U; Windows NT 6.0; nl; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)"
84.87.154.70 - - [27/Jun/2009:09:26:36 +0100] "GET /run_patch.php HTTP/1.1" 200 6335 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; nl; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)"
84.87.154.70 - - [27/Jun/2009:09:26:43 +0100] "POST /run_patch.php?action=do_run_patch HTTP/1.1" 302 - "http://**HIDDEN**.mgawow.co.uk/run_patch.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; nl; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)"
84.87.154.70 - - [27/Jun/2009:09:26:43 +0100] "GET /error.php?err=Error%20-%20Can%27t%20open%20the%20database%20!%20(%27**HIDDEN**%27) HTTP/1.1" 200 3107 "http://**HIDDEN**.mgawow.co.uk/run_patch.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; nl; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)"
84.87.154.70 - - [27/Jun/2009:09:26:45 +0100] "GET /run_patch.php HTTP/1.1" 200 6335 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; nl; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)"
84.87.154.70 - - [27/Jun/2009:09:26:52 +0100] "POST /run_patch.php?action=do_run_patch HTTP/1.1" 302 - "http://**HIDDEN**.mgawow.co.uk/run_patch.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; nl; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)"
84.87.154.70 - - [27/Jun/2009:09:26:52 +0100] "GET /error.php?err=Can%27t%20drop%20database%20%27**HIDDEN**%27;%20database%20doesn%27t%20exist HTTP/1.1" 200 3120 "http://**HIDDEN**.mgawow.co.uk/run_patch.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; nl; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)"
84.87.154.70 - - [27/Jun/2009:09:26:55 +0100] "GET /run_patch.php HTTP/1.1" 200 6335 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; nl; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)"
84.87.154.70 - - [27/Jun/2009:09:26:57 +0100] "GET /char_list.php HTTP/1.1" 302 - "http://**HIDDEN**.mgawow.co.uk/run_patch.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; nl; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)"
84.87.154.70 - - [27/Jun/2009:09:26:57 +0100] "GET /error.php?err=Error%20-%20Can%27t%20open%20the%20database%20!%20(%27**HIDDEN**%27) HTTP/1.1" 200 3107 "http://**HIDDEN**.mgawow.co.uk/run_patch.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; nl; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)"
84.87.154.70 - - [27/Jun/2009:09:27:00 +0100] "GET /index.php HTTP/1.1" 200 - "http://**HIDDEN**.mgawow.co.uk/error.php?err=Error%20-%20Can%27t%20open%20the%20database%20!%20(%27**HIDDEN**%27)" "Mozilla/5.0 (Windows; U; Windows NT 6.0; nl; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)"
84.87.154.70 - - [27/Jun/2009:09:27:03 +0100] "GET /index.php HTTP/1.1" 200 - "http://**HIDDEN**.mgawow.co.uk/error.php?err=Error%20-%20Can%27t%20open%20the%20database%20!%20(%27**HIDDEN**%27)" "Mozilla/5.0 (Windows; U; Windows NT 6.0; nl; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)"
The IP 84.87.154.70 belongs to Machiavelli. He was accessing the GM portal (a GM/dev-only web site), logging in with someone's GM account and instructing the system to delete parts of itself.

The portal has now had a massive overhaul and has some major restrictions on what it can do and who can use it.

We are very sorry for the downtime you've had to go through; you can thank Machiavelli for it. I also partly blame myself: I made him a GM, I gave him access, and when he left I should have renamed everything (been done now). Just goes to show you, you can't trust anyone.


Once again I'm very sorry for all this, and it won't be happening again.


@ Machiavelli
Grow up,
YOU stepped down as GM, then you got yourself banned from one of the better servers and now have to play on another server (I hope your new server owner sees this). This isn't our fault, and I thought you had friends that played here; some friend you are to them. Just cos you wanted to leave then come back isn't our fault. Have a good life in whatever you do in the future. "With friends like you who needs enemies".
Find something better to do with your time. I can think of a few, but if I listed them I would have to ban myself from the forums.
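
Added example, not part of the original post or of the site's own tooling: a Python sketch of the access-log review described in the post above. It flags a POST that is followed within a few seconds by a same-client request whose query string carries a database error. The sample lines, IPs, the database name "exampledb", the error patterns and the 5-second window are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined format (documentation IPs,
# placeholder database name); they mirror the shape of the log in the post.
SAMPLE_LOG = '''\
203.0.113.7 - - [27/Jun/2009:09:26:30 +0100] "POST /run_patch.php?action=do_run_patch HTTP/1.1" 302 - "-" "UA"
203.0.113.7 - - [27/Jun/2009:09:26:31 +0100] "GET /error.php?err=You%20have%20an%20error%20in%20your%20SQL%20syntax%20near%20%27DROP%20DATABASE%20exampledb%27 HTTP/1.1" 200 3224 "-" "UA"
203.0.113.7 - - [27/Jun/2009:09:26:52 +0100] "POST /run_patch.php?action=do_run_patch HTTP/1.1" 302 - "-" "UA"
203.0.113.7 - - [27/Jun/2009:09:26:52 +0100] "GET /error.php?err=Can%27t%20drop%20database%20%27exampledb%27 HTTP/1.1" 200 3120 "-" "UA"
198.51.100.9 - - [27/Jun/2009:09:30:00 +0100] "GET /error.php?err=Error%20-%20Can%27t%20open%20the%20database HTTP/1.1" 200 3107 "-" "UA"
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} ')
DB_ERROR_RE = re.compile(r"sql syntax|drop\s+database|can't (open|drop)", re.I)
WINDOW = timedelta(seconds=5)  # assumed gap between a POST and its error redirect

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, target

def find_destructive_sequences(log_text):
    """Return (ip, time, posted_path, decoded_error) for each request carrying a DB
    error in its query string within WINDOW of a POST from the same client."""
    last_post = {}
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, when, method, target = rec
        url = urlsplit(target)
        if method == "POST":
            last_post[ip] = (when, url.path)
            continue
        prev = last_post.get(ip)  # ordinary visitors who only see the error have none
        for values in parse_qs(url.query).values():
            for text in values:
                if DB_ERROR_RE.search(text) and prev and when - prev[0] <= WINDOW:
                    findings.append((ip, when.isoformat(), prev[1], text))
    return findings
```

Tying the error to a preceding POST from the same client separates the account that issued the statement from users who merely hit the "can't open the database" page afterwards.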

Rachael
06-27-2009, 11:04 AM
Thanks Biglad,

Again, it shouldn't be us apologising, it should be Machiavelli. But I've seen it myself: all systems are now secure to the maximum, and there should be no more long downtimes.
Machiavelli, all you have done is make yourself a hated person when once respected.

Merihell
06-27-2009, 11:12 AM
Wow... I wasn't expecting that. At first I was frustrated by the way this situation was being dealt with by the GMs, but now I understand completely. You had to keep quiet about this.
I have the utmost respect for you Biglad, good luck with restoring the site/forums/realm. We'll be here when this is all done with. :D

Edit - I hope no GMs think I'm having a dig at them. That is in no way my intention and I am sorry if you feel I have spoken out of turn.

Rachael
06-27-2009, 11:14 AM
Shouldn't be long now :) Not many of us were expecting the childish attitude but..... that's how his mind works, I suppose. All will be back up soon :)

spectral369
06-27-2009, 11:22 AM
WOW.....like Rachael said "...and it should be Machiavelli."
but anyway ..he does something for this server...maybe now hate this server...anyway BAD for this time and GOOD(goodhmm for somethings not all) for what he done in the past BEFORE T.G COMES.





BTW if machi u see this post and u want teach me how u "instructing the system to delete parts of its self." :D
me<<noob LOL
and /applause BIGlad for "capture" /bow

Kali086
06-27-2009, 11:39 AM
Thanks for the info, GMs, and the fact we had a small rollback rather pales in comparison to this information. Here's hoping everyone else feels the same.

Keep up the good work! :)

Azrael
06-27-2009, 11:48 AM
Just a little from my side. As you know, we've been working REAL hard in bringing you a good 3.1.3 server. We were ready to do a test merge with the accounts and chars this weekend. With this 'terrorist' attack, don't get me wrong, that is exactly what it was, we are a few days behind schedule. I apologise for it. We are working hard bringing the server up again, and then we'll be back on track with the 3.1.3 work.

Please start downloading the required patches so you don't get left behind.

Cheers,

Az

biglad
06-27-2009, 11:51 AM
Download but do not install them yet!

gerard
06-27-2009, 11:58 AM
Why not install?

Got three copies of WoW running: one still at 2.4.3, one at 3.1.3, and one as a backup so I don't need to reinstall every time lol.

Malus
06-27-2009, 01:04 PM
ME a noob of note. When the time comes, where do I download these patches?

biglad
06-27-2009, 01:10 PM
http://www.torrentz.com/search?q=world+of+warcraft+wrath+of+the+lich+king

http://www.wowwiki.com/Patch_mirrors

the8thark
06-27-2009, 01:46 PM
Thanks a million for your excellent sleuthing skills in catching this hacker. I never trusted him, as you and many others are well aware. But I never thought he'd be so childish as to do something like that.

And yes he didn't cover his tracks well enough - or at all it seems from the original post. So all in all well done.

Cipa
06-27-2009, 01:57 PM
Cheers @ BigLad for teh "capture" :D and Cheer @ all other GM's for doin their best for us :D /// I will miss ya :(

biglad
06-28-2009, 08:43 AM
MGA is now back to its normal self after we found our childish terrorist. I have this small feeling that someone is upset they left MGA and, when they wanted to come back as a DEV, we said no.

Once again sorry for the downtime, but it couldn't be helped.

@ Machi
As the Merovingian would say
"Mark my words boy, Mark them well, I have survived your predecessors and I will survive you."

LONG LIVE MGA

Rachael
06-28-2009, 09:41 AM
@ Machi
As the Merovingian would say
"Mark my words boy, Mark them well, I have survived your predecessors and I will survive you."

Haha!!! So true so true.
And yerp long live MGAWoW

gerard
06-28-2009, 08:11 PM
Well done big and all the rest (sorry, don't know the names).

But I see no reason to keep throwing dirt. The server had an attack and we survived the attack, and MGA will be stronger after this, I'm sure.

So congrats on the well done job to all of you.

numbers

biglad
08-20-2009, 02:51 PM
Look what I found online

http://www.philosophypages.com/ph/macv.htm

Looks like history is repeating itself

LMAO, I found this really funny.

Rachael
08-20-2009, 03:07 PM
LOL @ that link. Sure does seem history is repeating itself