Since many clans are now talking about this, it’s probably a good time to lay all the facts out in public, so everyone knows.
Throughout August, there were a number of incidents with the league servers, which had quite a large impact on the league. The servers were repeatedly crashing (only during matches), with what looked like a clean application exit.
The new server administrators endeavoured to find the cause of these crashes, so Cratos built some further security and logging measures to keep track of every access to the servers.
On Sunday 15th August at 10:58am, all of the league servers were attacked and, as a result, taken offline. Further diagnosis revealed that the servers had been sent into an infinite startup loop due to corruption in the settings files. All league servers were involved: #1, #2, #4, #5, #6, #7, and all 2v2 servers: #2, #3, #4.
Since neither the server admin team nor the remaining league admin team had access to any of the 2v2 servers, there was no way to fix these.
It was revealed that the settings were intentionally corrupted (not caused by automation). On the 22nd of August the following facts were disclosed:
- The servers’ settings were not corrupted via automation or via an (un)known exploit. They were intentionally corrupted via Webadmin.
- Since all league servers, including all 2v2 servers, were modified (and even the new admin team didn’t have access to all of them), it seems to have been someone else with full access.
- LeagueServer#7 logged that on Thursday (19th August) morning @ 3am someone from Spain (Madrid) connected to the server via webadmin.
- No settings were modified during this last login session.
The new administrators took immediate action: all League Servers were locked down and every point of access was changed.
On Saturday 24th August, every server except Server 6 was fully locked down.
Doh and Martz helped by securing all other access points the attacker could’ve had access to (League Database, Site etc).
After 6 days (30th August), all servers were secured, as proved by further logged failed attempts to access them.
At 20:24 (UK time) on 30th August, an unexpected guest arrived in IRC:
[20:24] •• Psy has joined: #[channel]
For security reasons, the whole log of this conversation cannot be shown, but an unbiased stripped version of the night's log is available (see attached).
To sum up the conversation held on 30th-31st August, Psy (whose IP matched the one being logged as attacking the servers) was asked if he knew anything about the attacks.
Various logs were used as evidence; yet Psy remained adamant that he had nothing to do with the numerous attacks the league servers endured.
He claimed that his PC had been left on throughout the time he was “away”, and that it had no anti-virus OR firewall active.
He also stated that all the league passwords and details were readily viewable from his desktop.
Now, if he is indeed correct, and the above allegations cannot be placed solely on him, then it was his negligence that led to these attacks, of which he is 100% guilty.
Unfortunately, this wasn’t the end of things. Now that "the attacker" had no further direct access to the servers, they decided to attack the benign services that kept the league running: first the league site, and then the Server Setup System.
An unused defunct FTP account to the league site suddenly appeared in the logs on Thursday 2nd September. Many league files were altered / replaced with much older versions, rendering the entire league site inoperable.
The new IP that appeared in the latest logs was from a Madrid-based university, not Psy's IP. However, in the days before this, the FTP username and password were tested from his IP address, which we repeatedly logged. A day later the same user/pass details were used from the Madrid university and the damage was done.
Martz / doh quickly recovered a backup of the site and ensured further access could not be gained.
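
The FTP log pattern described above (a defunct account becoming active, and the same credentials tried from one address and then used from another) can be checked for automatically. The following is an added example, not part of the original announcement or the league's own tooling; the log format, account names, dates and addresses are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log. Assumed format: timestamp, source IP, account, result
SAMPLE_LOG = """\
2001-08-31T21:10:05 192.0.2.10 old_site_ftp FAIL
2001-09-01T19:42:17 192.0.2.10 old_site_ftp OK
2001-09-01T20:03:44 203.0.113.5 webmaster OK
2001-09-02T03:15:09 198.51.100.77 old_site_ftp OK
"""

def parse(log):
    """Return (time, ip, account, success) tuples in chronological order."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at them
        ts, ip, account, result = parts
        events.append((datetime.fromisoformat(ts), ip, account, result == "OK"))
    return sorted(events)

def find_alerts(events, dormant, window=timedelta(days=3)):
    """Flag dormant-account activity and logins that follow attempts from another IP."""
    alerts = []
    flagged = set()   # (account, ip) pairs already reported as dormant activity
    seen = {}         # account -> [(time, ip)] for every earlier attempt
    for ts, ip, account, ok in events:
        # Any use of an account that should be unused is suspicious on its own.
        if account in dormant and (account, ip) not in flagged:
            flagged.add((account, ip))
            alerts.append(("dormant-account-activity", account, ip))
        # A successful login shortly after attempts from a different address
        # suggests the credentials were checked in one place and used in another.
        if ok:
            earlier = {p for t, p in seen.get(account, [])
                       if p != ip and ts - t <= window}
            for prev_ip in sorted(earlier):
                alerts.append(("credentials-reused-from-new-ip", account, prev_ip, ip))
        seen.setdefault(account, []).append((ts, ip))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(parse(SAMPLE_LOG), dormant={"old_site_ftp"}):
        print(alert)
```

The second rule will also fire for a legitimate user who moves between networks, so it is best applied to service or shared accounts, or combined with the dormant-account list.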
Psy returned to IRC once more on the 3rd of September (see logs attached), but still denied trying to access the servers.
On Monday 6th September (exact time unknown, but roughly estimated to be between midday and 19:00) the setup system completely failed. Immediate action was taken, and on Tuesday morning, both Martz and Timo began diagnosing the possible cause.
It was proved that the majority of the setup system code had been altered, in a similar way to the league site, to remove all event logging and alerts and to send it into an infinite loop (presumably with the intention of crashing the entire system). The other core files used in the setup system were also altered beyond repair and recovery.
Work is currently under way on a new, more secure setup system, which will be hosted in conjunction with the league site. Due to the vast amount of damage done to the old setup system, it is having to be rewritten completely.
Please be patient during this recovery time; the server administrators will be doing their best to manually run the servers uninterrupted until the new system is in place.
Many Thanks,
utassault.net Staff
(IRC Log pt 1-3 attached).