Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Explantion of the events that took place:
- A few weeks ago, me and a couple of other people were talking in a teamspeak server. Atonement got brought up
- and a user was talking about how they missed their dead character. I wound up mentioning that I used to code
- for atonement and that I might still have shell access to the server. I checked and sure enough I was able
- to log into the server. After a round of egging each other on, I wound up setting the creation state of the character
- from dead(4) to alive(2), I also changed some information about the character, giving them a ghostly appearance
- and modifying their equipment file to contain cat ears, a 'neko' backpack, and a standard dress I nabbed from a
- different equipment file. Shortly after the account was activated and logged in to, an admin by the name of Viking
- noticed the character they knew to be dead. It was played off as a bug and the character was disabled.
- A little later into the evening, or perhaps the day after, we got together again and I was talking about an old
- item I had created when I was playing around on the build server, it was capable of establishing a link in the form
- of a portal between the location it was used from and a seperate room. Essentially creating a "closet-in-the-box".
- One thing led to another and I wound up creating an instance of it inside the player file of the user's active
- character, Shunt, a dark-red-haired, high-cheekboned male. I also modified his player stats so he had 30 education,
- the stat required to at least effectively use the item he had. We played around with it and spooked a couple of
- characters. Shortly afterwards, the same admin caught on and we lost the item.
- Between these two events I created and uploaded a PHP file called flashload onto the atonement server, with the initial
- function of giving us the ability to upload modified player files to the server, and to use a shell command to delete the
- existing player file. I also uploaded a generic PHP shell I grabbed online, only because I didn't want to commit enough to
- write excessive shell functionality for the flashload file. I also established a user in webmin called pastmud because I
- got fed up messing with the PHP files and just decided to create a user that mimicked the legitimate server user "futuremud".
- At this point, things calmed down for a little bit. We had had our fun, spooked a couple of characters, and played off
- the destruction of lost alien technology.
- Then one night early into august, me and the person who did not have their character revived (I mentioned that there was
- a couple of people in the other teamspeak) were in a more populated teamspeak server. We were talking about the mischief we
- got up to a few weeks prior. The person registered an account and I changed their character's state from pending(1) to
- alive(2), occassionaly modifying the character record further because we had bypassed the character generation process, as
- at one point they were three inches tall and didn't know how to speak common. I modified his equipment file to match my last
- character's and loaded him up with another of those cubes I had made. He went in game, dropped the cube for someone else to find,
- and went off to do someother stuff. All the while we're talking to others about what we had done last time. After a bit of egging
- on, I wound up selecting every character in the database and setting their create state to alive(2). After I connected to the
- server and verified what had happened we started to attract more attention, after some pressuring, I released the credentials for
- JDK and pastmud to connect to Webmin to the channel, and some people went off to fool around as they would.
- I then modified the database so every second and fourth character was named Amos and Malik respectively. As a couple
- of those present played Armageddon and those are two fameous character names. This is where things initially went wrong, the character
- entries use the character's name as their primary key, so when the server tried to save the first Amos or Malik, it wound up updating
- all rows in the database, so when we tried to play a trick by changing some player names around, it wound up taking the first quitting
- character and updating all entries in the database, so Angrboda wound up with about 700 Malik characters.
- Now, I knew that these changes wouldn't be permanent, as I could just as easily revert the MySQL transactions and undo what was done.
- So what we did next was establish a new column in the character table as a number that automatically incremented and acted as a second
- primary key. We issued the same Amos/Malik update command but made it add the row ID to the end of the name. The damage was done though
- and one person had access to a quarter of the characters in the database. So I issued an update query that applied a random account
- as the owner of the Malik and Amos characters incrementaly. At this point, someone mentions in teamspeak that a user on the atonement chat
- noticed the changes, and they had a pair of numbered Malik characters available. Were all having a hoot at this point and decide
- to create a little party, I started on a query that changed the room ID of all characters to one I grabbed randomly, and attempted to change
- the descriptions of all characters to the famous "tall, muscular man" from armageddon, during our party in teamspeak I take a screenshot
- of the query and post it to facebook.
- At this point though, I've already received messages from Kith, and we know that he is on to us. So I got sloppy trying to push what I could
- through and apparently the description change query didn't go trough. But the room change was a seperate query itself and apparently passed.
- Someone gets the idea to start dropping schemas and their tables from the database at this point, which causes the forums and game servers to
- go down. Almost at the same time I find I'm booted from MySQL, as one of the other guys had been fucking around on webmin and closed down some
- firewall exceptions on the server. This is where I realize shit is starting to hit the fans, as I'm locked out of MySQL and SSH and someone's
- gone too far with webmin, so I try to distract Kith and buy time to figure out what happened. Then I hear someone saying they fired off the
- delete command and the server is starting to crash, at this point I'm panicking as even the backdoors I had installed have dissappeared and
- I'm quite effectively locked out of the server, but more importantly is that the transaction log of MySQL is most probably erased and we can't
- roll back the changes anymore.
- Realizing the server can't get any more destroyed as it is, the night starts to wrap up and people start going their seperate ways to do other
- things. I try contacting Kith to see if he has a way to restore the server. Then asking if he can submit a ticket (which thankfully worked),
- this was the last I heard from him though. http://puu.sh/OI52
- I wind up leaving the computer to head out with my family at this point, which carries us over to today, August 4th. I log on and with one eye closed
- check the website to discover that its been revived. I notice the 8/2 thread, read it, and see that I've been outed. Which wasn't unexpected. After
- reading about how I'm pretty much worse than shit itself, I pretty much give a shrug, fiddle around to check the accounts on webmin, then notice I've
- still got the backdoors installed, as they were added prior back during the first time I loaded the cube item and were taken into the backup.
- I give another shrug, think to let shit be shit, and decide to deface the index page of the website. At this point, I'm starting to regret what I did, and
- why I wronged Atonement a second time when they were justified in their comments. I restored the index page and notified Holmes of where the backdoors are
- located, I told him others took part and that I highly doubt the password hashes were taken, they were salted as well and I doubt the others had time to
- find the salt.
- http://puu.sh/OIgK http://puu.sh/OIi0
- At around the same time, Jaunt contacts me and pretty much condemns me, I initially resist ousting the others that took place, but
- later cave in and reveal the teamspeak server we were all on, he mentions some stuff about social marketing and more condeming, I
- realize I'm fucked either way and tell him to raze my identity to the ground. I realize I'm only digging myself a deeper hole and start
- asking what to do to compensate the community. Luckily they chose not to pursue what I did, and ended by telling me that if I did something
- like this again, I was essentially a dead man under fines and sentences.
- I'm left to my thoughts for a bit, I start to write a letter of apology but before I finish it, I wind up checking atonement again for replies and
- come to the conclusion that they're after my blood (lynch all the hackers), subsequently I sign the letter in my blood and apply a thumbprint. I
- send it off to Jaunt and he posts it on my behalf.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement