Eternal Lands Official Forums
Pyewacket

Warning of possible attempts to use admin access commands


I'm only weighing in here because I host a few bots myself. There's nothing wrong with sounding the warning bells if there's something to be worried about... :D

 

However, I also think there's a difference between 'trying' something to see if it works and 'finding'/using an abuse. I often find myself wondering 'if I did this would that happen?' in game. If I try something and it turns out to be an abuse I report it and feel good. I guess I wonder if we're not overreacting here a bit? It is a game...

 

Someone gets curious, tries a few commands. They don't work. He moves along. Big deal... :)

 

I guess we'll never really know his intentions but, no harm no foul?

 

Just my 2gc...

(Also, little things like this make us pause and look at our code/security and feel good that it's working correctly... Is that really a bad thing? :) )


First of all, I do not want my age to affect anyone's opinion of the matter.

 

What I did could be considered as a crime, but I don't know what's the big fuss for?

I was bored at the time and I thought what the heck why not? I'm sure a lot of people tried that, so why not me too.

I guess I'm up for some punishment, not that I really care, there are still a lot of bots that I can still use... I guess. Whatever.... just want to ask a mod to close this so no more letters are used on the "exploit looking ""hacker"" "bigshot" bot ""scammer""....


Apologies for poking my nose in here - but if we all took the approach of "well I was bored so did/tried it" I for one would not be impressed.

 

For example the people who are bored and try to log in to Ent's or any player's account - they weren't hacking *honest* they were just bored - would this really be seen as a valid excuse?

 

Boredom should not be an excuse - if you're that bored go do something else - why try to cause trouble?

 

Catseyes


If the bot's admin functions could be easily accessed through simple pms without any other check, I'd indeed be worried. No harm was done here, nothing bad happened, the situation just escalated. Let's all move on.


I think the point here is that taking bot attack attempts seriously is a good thing, but the degree of action taken should suit the situation. As I've read, zoki sent 5 lines to the bot, not all of which were inappropriate commands. It is clearly not a serious, prolonged or intense attempt to actually break into any bot, and taking such extreme actions against anyone who has ever typed a couple of strange commands to a bot would result in banning the majority of your bot's customers. Having the responsibility of running so many of the EL bots gives you a responsibility to the community in general, and being appropriate with both the bot's owners And customers. If you honestly think that someone who typed a couple of dodgy commands is a serious threat to your customer's bots, fair enough. But I personally see no sign that this person poses any more threat than your average Joe, and really do hope that those in positions of responsibility will see that and at least come to a compromise of blame.

Apologies for poking my nose in here - but if we all took the approach of "well I was bored so did/tried it" I for one would not be impressed.

 

For example the people who are bored and try to log in to Ent's or any player's account - they weren't hacking *honest* they were just bored - would this really be seen as a valid excuse?

 

Boredom should not be an excuse - if you're that bored go do something else - why try to cause trouble?

 

Catseyes

Absolutely. I deal with this all the time, success is not the point, the attempt is, and says a lot about the character of a person. It's not cute, it's not nice, it's not acceptable to try to access what is not your property to access, for any reason, on any level, unless you have permission from the owner. A good life lesson.

I support Labrat's assessment of the situation and how he handled it. I'd do the same.


I believe the action taken against the perpetrator was not strong enough. He should be banned for such a blatant attempt.

 

Why do I say this, here is why. By the perp's own admission he was bored so he thought he would try and see what he could do.

 

So basically if my kids are out in the yard playing and you are bored you would try to offer them candy to see if they would come over to you.

 

Right cause you are bored. You would try different items that kids would like. And me as their father should see nothing wrong with this. I should not call the police because "You are just bored" and you were just "Testing"

 

I guess I would be over reacting if I would come out to protect my kids. Because you are just "Bored" and have no idea about kids but are "Planning" on having kids, So you just wanted to "test" to see how kids would react.

 

I am glad I am not a MOD cause from the info posted here you would be banned at least for a month.

 

OH BTW I will get the International law on hacking, and send you the website, because what you were doing on the loose reading could be construed as an attempt to hack.

Successful or not "hacking" is breaking the law.

 

I ban first too on my servers with an auto ban when any attempt to access my server from any ports but standard open ports is attempted.

 

By your own thought process, IF you had a server, and you saw an attempt to gain access to your server, you would do nothing? Because he has a right to test your server w/o your permission because he wants to get a server of his own and he is BORED. But that is right you don't know this person and you did not grant him access to try.

 

But why ban him maybe he could gain access and steal all your info off this server, because you were sure he was just BORED and wanted to have his own server.

 

 

I think you should now know why your story is so weak.


How about people who make too harsh a scapegoat out of people, should we start making analogies to RL witch hunts, stonings, cutting hands off a boy who steals an apple? No, I don't think we should, but my point... please, enough analogies.

 

Now the server and law analogy is more appropriate. I do not know the law on this but personally I'm sure most of us Would block a potential hacker given he has gone out of his way to access and activate programs that allow him to make such attempts. On top of this we have no simple way to send a warning or open discussion. So I agree that in those circumstances you would simply block the person from your servers, but in this situation we have the entire network of bot owners to bring to our attention any other hack attempts, we have the person himself in contact explaining openly what he did and able to be warned and informed what was wrong with his actions, and lastly the player did not have to install any specialist hacking software.

 

This is obviously a sensitive issue, nobody wants to be hacked or even attempted to be hacked. And just reading an opposing argument will likely just cause more fueled replies, but just look at what was done. Is it not possible that this could have been dealt with more subtly? Laughing at the bot owner when questioned wasn't a wise move, that is for sure : P but isn't it possible to give this player the benefit of the doubt, and send him away with a warning...

 

In that case it makes sense to let all bot owners know of this so that the warning can be followed through if broken. Giving him the benefit of the doubt also would entail unblocking him from the bots, and letting business go on as usual, while still prepared to take the actions seen here already if warnings were not heeded.

 

I doubt he really has that great a need for the bot's services, and we are not lawyers, so I am done. I personally apologise for offending anyone in difficult situations, and suggest both parties (the banner and bannee) try doing the same.


In point of fact I had unblocked him immediately after speaking to Lyndy, and considered the matter closed.

 

This thread, and specifically the comments about my policy in post 2 of it is the reason the ban was reinstated and made lifetime.

 

I never made this thread, the bot owner did which is completely his prerogative.

 

I have had people that agree 100% with my actions and people that think I am completely in the wrong. I believe I am doing the right thing and at the end of the day as far as the bots I own and host go I have the last word on their security.

As I've read, zoki sent 5 lines to the bot, not all of which were inappropriate commands. It is clearly not a serious, prolonged or intense attempt to actually break into any bot, and taking such extreme actions against anyone who has ever typed a couple of strange commands to a bot would result in banning the majority of your bot's customers.

 

*SNIP*

 

If you honestly think that someone who typed a couple of dodgy commands is a serious threat to your customer's bots, fair enough. But I personally see no sign that this person poses any more threat than your average Joe, and really do hope that those in positions of responsibility will see that and at least come to a compromise of blame.

 

But is this where it begins, or ends? It's a lot easier to spot a serious, prolonged or intense attempt to compromise a service when you are perusing a log. Far harder to spot the odd command sent here and there.

 

 

Having the responsibility of running so many of the EL bots gives you a responsibility to the community in general, and being appropriate with both the bot's owners And customers.

 

I usually let the matter of who is paying me cold hard (real) cash dictate where I weight my loyalties. In this case, I think that would be the bot owners. Access to the bots by customers is a privilege, not a right.

 

 

success is not the point, the attempt is, and says a lot about the character of a person.
I ban first too on my servers with an auto ban when any attempt to access my server from any ports but standard open ports is attempted.
I believe I am doing the right thing and at the end of the day as far as the bots I own and host go I have the last word on their security.

 

Damn straight on all the above.

Apologies for poking my nose in here - but if we all took the approach of "well I was bored so did/tried it" I for one would not be impressed.

 

For example the people who are bored and try to log in to Ent's or any player's account - they weren't hacking *honest* they were just bored - would this really be seen as a valid excuse?

 

Boredom should not be an excuse - if you're that bored go do something else - why try to cause trouble?

 

Catseyes

Absolutely. I deal with this all the time, success is not the point, the attempt is, and says a lot about the character of a person. It's not cute, it's not nice, it's not acceptable to try to access what is not your property to access, for any reason, on any level, unless you have permission from the owner. A good life lesson.

I support Labrat's assessment of the situation and how he handled it. I'd do the same.

Big difference between trying passwords and this issue though.

Trying passwords is undoubtedly trying to find the key to get in.

 

Triggered by his guild's quest for a guild bot, he tried a few possible admin commands to see if they return any message, telling him if the command is available.

If it was even his intention to take advantage of the bot this way, would he ever find the key to get in with possible admin commands?

No! The <name> part of the key [PM from <name>: <admincommand>] will may never fit!

(And what were the commands he tried, again? Withdraw, store, and.. *shivers* adminhelp.)

So it should be clear that I take the terms "exploit attempt" far from serious in this issue, from both sides of it (the side of the accused and the side of the bot programmer).

 

By the same reasoning, are we going to throw people out of a guild or out of the game, when we find out they tried ingame guild leader commands like #set_name, #accept or #set_enemy_guild, while not having the rank for them?

 

_____

 

 

This thread, and specifically the comments about my policy in post 2 of it is the reason the ban was reinstated and made lifetime.

Yeah, you mentioned a few times already:

Will he stay banned? absolutely. Will I lose sleep over turning down Lyndy's bot because of his attitude after the matter was resolved originally and access to the bots by him was restored (oh didn't he mention that part? strange..) no.
It was *after* he had been allowed access again that this thread was posted and he chose to attack me in his posts. As far as I was concerned he had learned his lesson and that was an end to the matter.

I'm still wondering what exactly "his attitude", his "attack in his posts", his "comments about your policy" are.

Was it that he felt offended by you? (It's somewhat understandable that he felt that way.)

Or was it that he said that his guild probably won't use your service?

 

 

To be clear to everybody, I'm perfectly fine with how this issue was being handled, up to (and including) Zoki's explanation (his first post) in this thread:

  • Pyewacket reports to LabRat that Zoki was trying admin level commands.
  • LabRat bans him from his bots.
    At that time, it's a temporary ban pending the investigation, although he already judges it to be "definitely looking for an exploit".
  • LabRat has a talk with Zoki (and yes it's an offensive talk).
  • Later that night, LabRat has a talk with Lyndy and decides to unban Zoki.
  • A couple of hours later, Pyewacket starts the topic, asking for a "perfectly plausible and reasonable explanation".
  • Half a day later, Zoki gives his explanation, he "used these commands to see only if they work", "this was lets just say, kind of a test."

I don't see anything that went terribly wrong here.

Ok, I'm shocked that it's being classified as "definitely an exploit attempt" right after it's being reported, but nothing went terribly wrong [edit to clarify] in the procedure as I described here [/edit], I'd say.

At this time, I'd say everything was resolved, done and over with...

But no.

 

And now I hear more bot owners are banning Zoki, while the current ban by LabRat is not even about the so-called "exploit attempt" directly (which I thought it was at first, too), but because of some "attitude" in Zoki's first post here.

Yes, IMO this thread/issue has really turned into a witchhunt.

Edited by Mar(c)
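
The point made in the post above, that an admin command only works when the `<name>` in `[PM from <name>: <admincommand>]` belongs to an admin, together with the earlier remark that the odd command sent here and there is hard to spot in a log, sketched as an added example. It is not part of any post and not the bots' real code; the admin name, command table, review threshold and log lines are constructed.

```python
import re
from collections import Counter

# Assumed for illustration: the thread gives neither the bot's admin list nor
# its full command table. Only the command names below appear in the thread.
ADMINS = {"owner_one"}                      # constructed admin name (lowercase)
ADMIN_COMMANDS = {"withdraw", "store", "adminhelp"}
PUBLIC_COMMANDS = {"inv", "wanted"}
REVIEW_THRESHOLD = 3                        # constructed value

PM_RE = re.compile(r"^\[PM from (?P<name>[^:\]\s]+): (?P<text>.*)\]$")


def parse_pm(line):
    """Split '[PM from <name>: <text>]' into (sender, command, args)."""
    m = PM_RE.match(line.strip())
    if not m:
        return None
    words = m.group("text").split()
    if not words:
        return None
    return m.group("name"), words[0].lower(), words[1:]


def authorize(sender, command):
    """Decide on the sender name attached to the PM, never on the message text."""
    if command in ADMIN_COMMANDS:
        return "allow" if sender.casefold() in ADMINS else "deny_admin"
    if command in PUBLIC_COMMANDS:
        return "allow"
    return "unknown"


def review(lines, threshold=REVIEW_THRESHOLD):
    """Count denied admin commands per sender; return (counts, senders to review)."""
    denied = Counter()
    for line in lines:
        parsed = parse_pm(line)
        if parsed is None:
            continue
        sender, command, _args = parsed
        if authorize(sender, command) == "deny_admin":
            denied[sender.casefold()] += 1
    flagged = sorted(s for s, n in denied.items() if n >= threshold)
    return dict(denied), flagged


# Constructed sample log, not taken from any real bot.
SAMPLE_LOG = [
    "[PM from owner_one: withdraw 10 rostogol]",
    "[PM from visitor_a: inv]",
    "[PM from visitor_a: adminhelp]",
    "[PM from visitor_b: withdraw]",
    "[PM from visitor_b: store]",
    "[PM from visitor_b: adminhelp]",
    # Text that imitates the PM prefix does not change who the sender is.
    "[PM from visitor_c: [PM from owner_one: withdraw]]",
    "[PM from visitor_a: wanted rost]",
]

if __name__ == "__main__":
    counts, flagged = review(SAMPLE_LOG)
    print("denied admin commands per sender:", counts)
    print("senders at or above threshold:", flagged)
```

Keeping the per-sender count, rather than only the individual denials, is what lets an owner tell a single stray command from a repeated pattern when reading the log later.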

Big difference between trying passwords and this issue though.

Trying passwords is undoubtedly trying to find the key to get in.

 

Apart from his guild *thinking* about obtaining a bot - he was trying commands that he shouldn't have which could have given him access to them (I don't know about the running of bots so not 100% sure) which is the same as someone trying passwords on other people's accounts in my opinion - the intent was there.

 

I don't see anything that went terribly wrong here.

Ok, I'm shocked that it's being classified as "definitely an exploit attempt" right after it's being reported, but nothing went terribly wrong, I'd say.

 

Again apologies but surely if I'm reading you correctly because his attempt didn't work he wasn't doing anything wrong?

 

Trying to gain access to anything be it bot/account (in EL) or (extreme example) bank account etc (in RL) even if it fails should be seen as a hostile attempt to cause harm/trouble etc and should be punished.

 

This is not a witch hunt, this is purely people's opinions on what is seen as right and wrong. People who think he was trying something bad have banned him from bots whereas those that do not see it as bad have not. I'm sure this is not any different to people having opinions on if bagjumping etc is right or wrong.

 

Catseyes

he was trying commands that he shouldn't have which could have given him access to them
... which could not, could never have given him access.
which is the same as someone trying passwords on other people's accounts in my opinion - the intent was there.
Oh, did he really intend to get access for his own benefit? Nope.

 

 

I don't see anything that went terribly wrong here.

Ok, I'm shocked that it's being classified as "definitely an exploit attempt" right after it's being reported, but nothing went terribly wrong, I'd say.

Again apologies but surely if I'm reading you correctly because his attempt didn't work he wasn't doing anything wrong?

You're not reading it correctly; with "nothing went terribly wrong" I didn't refer to the so-called "attempt".

I referred (again) to the procedure followed by the owner and the hoster/programmer of the bot as I described there.

Sorry for wording it not clearly enough.

 

This is not a witch hunt, this is purely people's opinions on what is seen as right and wrong.
Opinions, yes -- opinions based on false assumptions. :)

(-- the assumptions that those commands could have given him access, that it was his intention to get access and benefit from it, and that the current bot ban is about the "attempt" itself.)


Gratz marc - you riled yet another response out of me. And yes I did notice you PM the bot the other day just after making your post. I don't tend to ban people for just having opinions different to mine - but I bet you secretly hoped you would have been on the ban list too so you could find yet another reason to post without just rehashing the same post.

 

My opinion was (and remains still) that he posed a (however small is irrelevant) threat to bot security.

 

I did not unban him because I believed his story - I unbanned him because of Lyndy's intervention on his behalf.

 

I banned him the second time because he appeared to have learned nothing at all from being banned and the help that Lyndy gave him. If Lyndy had not talked to me and assured me of his grasp of the severity of the situation he would never have been unbanned.

 

Witch hunt - You're the one holding that torch a little close to *my* body and I only have one bodily source of liquid with which to douse it. and the second word is "off"

 

The bots are my responsibility. My say is final. Oh and the count of people siding with me in this matter in PM is increasing hourly. Want to be the first person to PM me saying you disagree with my actions?

Gratz marc - you riled yet another response out of me. And yes I did notice you PM the bot the other day just after making your post. I don't tend to ban people for just having opinions different to mine - but I bet you secretly hoped you would have been on the ban list too so you could find yet another reason to post without just rehashing the same post.

Excuse me??

Care to explain in public what that PM was and why you think my intention with that PM was to tick you off?


Sure, the command you attempted was that most ebul and innocuous command INV.

 

I didn't say that your intention was to check if you were banned, but it's funny how you remember the event yourself isn't it - I PM god knows how many bots every day, you never know when they have damaged crowns of life. Ask me 20 minutes after which ones I PM'd and the answer would be along the lines of "Well I know I definitely PM'd gossip today, and possibly Agneum and Titanta. I am pretty certain I PM'd miria as she regularly has damaged COLs but don't hold me to that".

 

Yet you remember sending that one command to Agneum 4 days ago and there wasn't a reason behind doing it that made it stick in your mind?

Sure, the command you attempted was that most ebul and innocuous command INV.

 

I didn't say that your intention was to check if you were banned, but it's funny how you remember the event yourself isn't it - I PM god knows how many bots every day, you never know when they have damaged crowns of life. Ask me 20 minutes after which ones I PM'd and the answer would be along the lines of "Well I know I definitely PM'd gossip today, and possibly Agneum and Titanta. I am pretty certain I PM'd miria as she regularly has damaged COLs but don't hold me to that".

 

Yet you remember sending that one command to Agneum 4 days ago and there wasn't a reason behind doing it that made it stick in your mind?

Again, assuming that I remember some event... fyi, I checked my chatlog.

 

And btw, I checked for the name Passion, and what I found was that I did a [PM to Passion: wanted rost].

Maybe that was because I wanted to sell some rostogol stones, and yes I PM'ed a bunch of bots, including Agneum apparently.

Well, ban me for trying to sell some rostogol stones. :)

 

My apologies for assuming it's about losing business, while it's about trying to teach someone a lesson.

 

I'm done here.


Wow long Thread.

 

One thing to point out though

 

NOTHING can be proven 100% either way.

 

His reasons for using the commands might have been totally innocent BUT they might not, no 3rd party can stand on their soap box and claim he is either innocent or guilty.

 

I personally Agree with Labrat's stance on the matter, as a bot hoster he has an obligation to his customers and any hint of transgression should be dealt with as HE sees fit.

 

In some circumstances it's just better to be safe than sorry.. no point shutting the barn door after the horse has bolted

Edited by conavar


With all due respect to all people involved here - this whole discussion is ridiculous. As system administrator I often see people executing different kind of programs trying to gain root access on couple of servers I care about. Even though such act is not good, I, on contrary, believe there are positive sides of all this. I have learned a lot from hacker's exploits and attacks in my life, and that knowledge helps me to fight them. Think about this as well.

 

Instead of whining here, do your best to make a more robust, better software!

 

For God's sake, millions of people are trying to access servers by trying various password combinations. I guess many of people who read this thread, who have online home-servers know this. If not, just read your syslog!! Is this something bad? Again, I think not.

 

Those who know me well probably know that I know Zoki (he was, after all, originally in Yugo guild). I assure you this reaction is not caused by this fact. I would not protect Zoki if he did anything wrong, and I believe he did not (this time :).

 

Best regards to all of you. \o/

Edited by Dejan

With all due respect to all people involved here - this whole discussion is ridiculous. As system administrator I often see people executing different kind of programs trying to gain root access on couple of servers I care about. Even though such act is not good, I, on contrary, believe there are positive sides of all this. I have learned a lot from hacker's exploits and attacks in my life, and that knowledge helps me to fight them. Think about this as well.

 

Instead of whining here, do your best to make a more robust, better software!

 

For God's sake, millions of people are trying to access servers by trying various password combinations. I guess many of people who read this thread, who have online home-servers know this. If not, just read your syslog!! Is this something bad? Again, I think not.

 

Those who know me well probably know that I know Zoki (he was, after all, originally in Yugo guild). I assure you this reaction is not caused by this fact. I would not protect Zoki if he did anything wrong, and I believe he did not (this time :D.

 

Best regards to all of you. \o/

 

Actually Yes it is bad that is why it is Illegal in just about every country. If it was not bad it would not be illegal. Do you think the one company that owned a satellite and it got hacked and moved out of its normal orbit and lost millions of dollars that what was positive about that.

 

Now what if you worked for that company as the system admin and you said well yea I saw it happening but I did nothing about it cause I wanted to see what he was doing to better protect us in the future.

 

Using excuses to hide behind.

 

I do take hacking seriously and If you would try to hack my server, and I was able to catch the act with programs I run. YOU would and I MEAN would Be GOING TO JAIL.

 

Serious or Not I don't take Hacking Lightly.

 

Or you could say I take it that lightly that I pay a 3rd party company to keep my servers secure and if they do get hacked and data is taken or disrupted they are responsible. You better believe they don't take hacking lightly either.

 

I apologize in advance for how harsh this is, However I think only people that have data that could cause serious issues truly understand the reason to cut off immediately any possibility of hacking.

Wow long Thread.

 

One thing to point out though

 

NOTHING can be proven 100% either way.

 

His reasons for using the commands might have been totally innocent BUT they might not, no 3rd party can stand on their soap box and claim he is either innocent or guilty.

 

I personally Agree with Labrat's stance on the matter, as a bot hoster he has an obligation to his customers and any hint of transgression should be dealt with as HE sees fit.

 

In some circumstances it's just better to be safe than sorry.. no point shutting the barn door after the horse has bolted

 

I personally think innocent or guilt here is irrelevant, I see 'trying commands because I was bored' as a General Intent Crime

 

I have learned a lot from hacker's exploits and attacks in my life

 

I learned how I can waste a lot of time restoring backups because a hole in some m$ piece of shit I was forced to admin.

I've never thought, thank you criminal! :)

