Monday, February 28, 2011

Message from Absenm about the Grand Exchange Central situation

Below is an official announcement from Absenm about the latest news from the Grand Exchange Central and the status of the site recovery. As you are aware, the GEC is being completely reworked at the moment, including the forum, which makes it hard for Absenm to keep in touch with the GEC users. I am happy to use Runewise and Runescape Reader's Digest to get the message out and I would encourage you to help too. If you know someone who used to use GEC and wonders what happened to it, point them here or reprint/link this post. Thank you!

Greetings Runewise Friends. My name is Absenm, and I am the webmaster of a site known as The Grand Exchange Central.

Over the past couple of weeks the Grand Exchange Central (GEC) has been the victim of a targeted hacking attack. At first it started out small, and I worked diligently to head it off as quickly as possible. Usually I was able to get in and restore things within hours if not minutes of each attack. I spent a lot of time trying to secure things. But the attacks kept coming, stronger and nastier. I eventually needed to temporarily close down to confront the issue head on and prevent GEC visitors from becoming victims.

Sadly, some people did manage to get infected by rouge javascript that was injected to my site. To those people I formally apologize. I know this must be frustrating to you. There is nothing we can do to change what has happened. But know that the GEC takes your security seriously, and our current efforts to protect you and all our visitors in the future are extensive, massive, and severe. I take this attack on the GEC personally, and rest assured I have been spending every waking minute confronting this issue. I do urge anyone who visited the GEC in February to make sure you perform solid virus scans on your computers, just to play it safe.

I admit, I probably should have taken greater efforts to alert our visitors to the situation. I did mention the hacking attempts in our forums several times. But it would have been more responsible for me to post a warning outright on our main page too. There are a couple of reasons for not taking that step. First, I thought I had it handled and that it was just an isolated script kiddie. Second, I really didn't want to give the hackers the satisfaction. Third, I didn't want to publicize the issue to prevent others from trying to take advantage of the situation. So I just notified visitors through the forums. In the future, potential security threats will be posted on our main pages immediately. In fact, if the GEC detects its under attack, it will automatically post a warning. This warning won't mean we have been hacked, simply that an attempt is being made and visitors should be cautious. (This is a new security feature we have added). I toyed with the idea of having the site automatically shut down, but then decided against it. Anyone who wanted to shutdown our site would simply just need to start trying. That isn't a solution. Plus, every large site is attacked multiple times every day.

Before I go further, some of you have noticed that the domain has expired. Please don't let this scare you. As it turns out, the domain name was set to expire already. After talking to my hosting provider to make sure I had leeway in renewal, I decided for security reasons to allow it to expire. The GEC was already down for our security overhaul, and we already had plans to go to a VPS, so safely expiring the domain was not an issue for me. Frankly, it is just less of a distraction for me right now. I have all my attention on overhauling the GEC, and I don't want to keep tabs on an open domain just in case someone managed to start posting code there. This is overkill. But I really want to protect my visitors, even if it kills the GEC search rankings.

So, what happened? Everything concerning the GEC has been destroyed in a manner of fashion. By my own hand no less. I suspect the problem arose from a rootkit being hidden on my site, injected through a malformed URL. The GEC is terribly complex, and I couldn't find the access point or rootkit. And even if I did find a rootkit, I could not be certain it was the only one. Thus, post attack security simply wouldn't cut it. I'd secure all directories. I'd sanitized my variables. But it was already too late. The safety of our visitors and future of the GEC depended on drastic actions. So I killed everything (kind of). I'm working with backups from last year right now.

So what is happening now? Well, just because I'm working from backups from last year doesn't mean much of any of those backups will ever see the light of day again in their original form. I am going page by page, line by line, rewriting everything using all the security precautions recommended from various security professionals. When GEC2.0 returns in the beginning of March, there will be several layers of security and monitoring. We are being both defensive in our measures, and proactive. No site is hack proof. But you can know, that if we ever do get hacked again, we did everything we could.

I'm not going to go into exactly all the security we have implemented. I'm not going to give hackers a blue print. But I will let you know that the entire site will be starting out clean. If a file is on our site, it will have been scrutinized for every possible weakness. Again, nothing that was there in the past will be there in the future without some form of security modification. Also, we are off loading our forums to a remote forums host. That means an attack on the forums (which is where I think this started), can not bleed onto the rest of the site. Also, a hosted forum has the benefit of always being updated to the latest security patches. For a few more weeks, the MGE portion of the site will also be down. That is a weak point that will take longer to protect. But the GEC itself, with its graphs and lists and Runedexs will be available.

Our goal is to be back up on March 3rd. That's the goal. And we think we will make it. The only reason I can see that will cause us to not meet that deadline is if my hosting provider takes longer to drop us onto a VPS. That is scheduling that is kind of out of my hands right now.

Also, be aware, we are still collecting price data. So even though we have been down now almost a week, GE pricing data has still been collected and will be available as soon as we are back up.

Once again, I apologize to anyone effected by this. Trust me. I have been deeply effected by this myself. And I feel your pain. I am terribly embarrassed and hurt and frustrated and mad. We were just hitting our stride, and this happens. I hope that the RS community will quickly come to trust our site again. I think the measures we have taken will make all our visitors feel safe and secure.

I'd also like to thank Vaskor for allowing us to reach the RS community through the Runewise site while the GEC is down. Runewise will always have a friend and partner with the GEC.


runescape said...

ouch... as long as you keep tracking the data then it's all fine except for google who is probably gonna drop you from its rankings because your site is 'unavailable' at the moment

Anonymous said...

Any programmer should know that sanitizing your variables is the most important part. 80% of coding is sanitation, validation, and error handling. They didn't deserve what happened to them but they learned their lesson the hard way. Getting rid of the domain was an awful choice, they wont protect their security in any way by doing this.

Absenm said...

Just to clarify, we did not get rid of the domain. I simply have the domain down. will renew on March 3rd. Yeah, it probably was a pointless precaution, but it's done now.

Merch Gwyar said...

I hate that this has happened to you, Absenm, but thank you for all of the hard work that you've done in protecting us. <3

Stramel said...

The site should be up this weekend, due to some issues the site was unable to launch today as planned. Absenm has been hard at work getting the site back up! I'd like to thank him for all his hard work!

Ratdaddy57 said...

Patiently Waiting For The Update GEC Thanks much For Your Hard Work

Again Thank You

Stramel said...

Sorry its taking so long guys! Absenm wrote the site in two years and is having to go through every line of code to get it back up. Hope to have it back up and running tomorrow guys!

Absenm said...

Day one of recovery is finally here. I'd love to go through the horrible amount of detailed work I needed to do to secure things. But visitors don't care about that as long as the site is up. We all don't think about the work and security that goes into a site. We just want it up.

So we are two weeks late. And I'm sorry for that. It hurt me as much as anyone. But I had to take priorities into account. And visitor safety was forefront. I just couldn't allow anything... anything... On the live system till I knew it was perfect. Rootkits can hide anywhere. Along with just a few lines of rouge code. And your money and time depends on us being safe. I didn't fully appreciate that concept. I was too focused on just building, not securing.

When I started I just wanted it to work. And most of the time I was lucky it even worked. I didn't know what I was doing. I didn't know how easy it was to hack a site like mine. Ironically, the hacker didn't even get in through my code. But because I foolishly allowed the forums go out of date. Still, it was me, in the end.
I allowed this to happen because I didn't think anyone would try hacking me. How could I have been so foolish. Never again.

Anyway. Today we started putting some limited data up. We are keeping a close eye on things. But we see the light. In the next few days it'll be like we never left.

hibbynana na said...

farmer100 contact us

2006-2009 RuneWise, all rights reserved.
Reproducing or copying any material found on this page is not allowed.
Runescape is a trademark of Jagex 2000-2009 Andrew Gower