Bay 12 Games Forum


Author Topic: SEO-spam corruption of bay12games.com  (Read 4690 times)

FallacyofUrist

  • Bay Watcher
  • Blatant furry. Also a hypnotist.
Re: SEO-spam corruption of bay12games.com
« Reply #15 on: January 01, 2016, 10:44:05 am »

I weep because I can't trust the new version of dwarf fortress.
FoU has some twisted role ideas. Screw second-guessing this mechanical garbage spaghetti, I'm basing everything on reads and visible daytime behaviour.

Would you like to play a game of Mafia? The subforum is always open to new players.

Skyrunner

  • Bay Watcher
  • ?!?!
Re: SEO-spam corruption of bay12games.com
« Reply #16 on: January 01, 2016, 11:22:50 am »

Toady pls gif md5s?

bay12 lower boards IRC:irc.darkmyst.org @ #bay12lb
"Oh, they never lie. They dissemble, evade, prevaricate, confound, confuse, distract, obscure, subtly misrepresent and willfully misunderstand with what often appears to be a positively gleeful relish ... but they never lie" -- Look To Windward

Akura

  • Bay Watcher
Re: SEO-spam corruption of bay12games.com
« Reply #17 on: January 01, 2016, 11:36:16 am »

Quote from: FallacyofUrist
I weep because I can't trust the new version of dwarf fortress.

To be fair, the latest version came out after the problem was discovered. I don't know if the exploit was closed, however.
They asked me how well I understood theoretical physics. I told them I had a theoretical degree in physics. They said welcome aboard.
... Yes, the hugs are for everyone.  No stabbing, though.  Just hugs.

Silverybearded

  • Bay Watcher
  • Midor Belnekol!
Re: SEO-spam corruption of bay12games.com
« Reply #18 on: January 01, 2016, 12:08:38 pm »

Quote from: FallacyofUrist
I weep because I can't trust the new version of dwarf fortress.

Quote from: Akura
To be fair, the latest version came out after the problem was discovered. I don't know if the exploit was closed, however.

It is in the process of being closed. At least I think that's what the server migration is.
Engraved is a superior rendition of an image of Arkoth, the local deity of balance and speech, and two elves. Arkoth is burning the two elves. Arkoth is laughing. The two elves are suffering. The image was commissioned by the Round Guild, a local dwarven government.

lethosor

  • Bay Watcher
Re: SEO-spam corruption of bay12games.com
« Reply #19 on: January 02, 2016, 10:46:50 am »

That's not what the migration was about (it was due to Toady's hosting company restructuring their hosting plans), but there were some software upgrades involved, apparently:
Nameservers should be switching over slowly now.  The bug tracker is live on the new server, so it should come up for people as the day goes by (it'll list zero bugs while it still points to the old one, and you might see that for a while).  The php/server/etc. are running on newer versions [...]
DFHack - Dwarf Manipulator (Lua) - DF Wiki talk

There was a typo in the siegers' campfire code. When the fires went out, so did the game.

wierd

  • Bay Watcher
  • I like to eat small children.
Re: SEO-spam corruption of bay12games.com
« Reply #20 on: January 02, 2016, 11:42:15 am »

Migrating to a newer version of nginx would close the security hole. However, as I pointed out, many enterprise setups use older software for "reasons". The best solution in that case would be to leverage the security of the underlying OS to prevent the nginx process from tampering with the http directory structure.

That way even if nginx gets pwned again, the pwned process lacks the credentials to do anything.

I don't think Toady does *nix though, and that would be arcane *nix administration. (Well, not really-- it can be done with about 3 commands on the console, but you have to know what you are doing.)

Sadly, webhosting companies manage the server daemon group account policy and the file system security portions of administration. They just offer services like "Hey, We offer CGI/BIN legacy service/SQL database daemon service/PHP preprocessing service/ASP service/ etc." Then they control which implementations and version offered.

Unless Toady wants to manage his own server (which I doubt he will do, because 1) it's expensive to pay for that kind of bandwidth, and 2) he doesn't *nix) there probably isn't much he can do about this exploit other than ask the hosts to please fix the daemon group and filesystem security on the webhost, and hope they listen to him.


lethosor

  • Bay Watcher
Re: SEO-spam corruption of bay12games.com
« Reply #21 on: January 02, 2016, 03:12:52 pm »

Just because the old nginx version was vulnerable doesn't mean that it was exploited to modify index.html, or that it's easy to do so. FTP or shell access could have been used somehow, for example (or something else; I don't know exactly what entry points are set up on the servers). I do agree that limiting nginx's write access is a good idea, but I haven't seen anything to suggest that it isn't (or is) already limited, or to what extent.
(Upgrading nginx is a good idea anyway, of course.)
DFHack - Dwarf Manipulator (Lua) - DF Wiki talk

There was a typo in the siegers' campfire code. When the fires went out, so did the game.