raidsoft

Zenath - The Beginning [PvP & PvE]

Would be great without the 8x skill and 5x timers. I played for a couple days and was able to get my Carpentry/masonry up to 50 as well as a few other skills, including fighting up to 30.

I give it about a month or maybe two before everyone has maxed out their skills, gets bored, and moves on.

1 hour ago, Budzilla said:

Would be great without the 8x skill and 5x timers. I played for a couple days and was able to get my Carpentry/masonry up to 50 as well as a few other skills, including fighting up to 30.

I give it about a month or maybe two before everyone has maxed out their skills, gets bored, and moves on.

That's why there's pvp.


Fun pvp server with a lot of people! Highly recommended.


The connection to the game is broken this server is closed?? Or is it under attack?? What will we do....


10/10 server come to the pvp island and fight me 


Official statement regarding the security breach on Zenath.

This is the full story as we know it: there is an exploit in WU that allows someone to log into any character if they can get the Steam ID of that character. This exploit allowed someone with the IP 73.216.131.102 access to the character Jaygriff, which had admin powers on Zenath. This is not the only character that was accessed, however, but it's the character that was used to cause mayhem on the server before we took it down. We can prevent people from getting access to admin powers, but what we can't do is prevent the exploit from being used on regular players.

We have restored a backup that is unfortunately roughly 2 days old right now (in the future we're going to make sure full backups are done more often than that), but the result of this exploit is that if we bring the server up now then we can't guarantee the safety of any characters if they can figure out what Steam account is using it.

So what are the options here? Well, there are honestly only bad options in one way or another.
1. Leave the server down until CodeClub provides a fix for the exploit.
2. Bring the server up with the backup anyway, ban the IP of the exploiter but an IP ban is not any kind of final solution.

Second option allows people to play but they can't be sure their stuff is safe and obviously this is a nightmare for us to try and admin. Right now we have not brought the server back up pending a final decision.


Sorry to hear what happened with the server.

But how long would it take for option 1?

Good luck with this decision.

Edited by tclunatic


Option 1 isn't likely to happen anytime soon, though we are also looking into third party fixes which seem more likely to happen within a reasonable timeframe. Hard to know for sure so far but as soon as we have any kind of conclusive info we're going to share it (fastest way to get this is on our discord, that's where everything goes first)


Technically you could remove any GMs from the server until you needed one, then only give temp GM access to that toon while you need it and then remove 'em when you're done.


Yes that is true but it does not solve the issue that any player on the server could be a target instead then. Only limiting the possible damage done to a more individual basis rather than server wide.


Check out Sindusk's server tweaks - he just uploaded a fix that might correct this issue. I haven't finished testing it yet myself.


I strongly recommend the owner of the breached account seek technical assistance in removing malware and viruses, as well as secure their Steam account.

After a rather close review of our code, the only way someone could have compromised accounts is by having access to the user's computer or Steam account. Unless modded out (which I do believe is against our use agreement), the client and server work together to use Steam for authentication. The short of it is the client sends the SteamID as well as an authentication token. We hash the SteamID as a password, yes - however we rely on the authentication token. This is given to Steam directly through native calls (SteamJNI) and Steam then validates the token and ID to ensure it came from the same user.

Thus there is no way with simple client modifications to spoof or break this method of authentication, not without greater access - such as the user's machine or the game server itself.

The code posted on Github earlier is a fine example of how to remove Steam authentication, but it effectively renders any patched client useless with servers that are not also patched to remove authentication. In essence, unless your server has had Steam authentication removed, then the only logical way this incident happened is that the affected user has his or her computer or Steam account compromised.

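Added example, not part of Keenan's post and not Wurm Unlimited or Steam code: a small Python model of the login check described above, contrasting a server that accepts the SteamID-derived password alone with one that also requires a ticket valid for the claimed ID. The HMAC-based `steam_issue_ticket` and `steam_validate` functions, the account store and the SteamIDs are constructed stand-ins for Steam's real validation.

```python
import hashlib
import hmac

# Stand-in for Steam's backend (assumption): only "Steam" holds this key.
# The real check is a native Steamworks call, not an HMAC.
_STEAM_KEY = b"constructed-demo-key"


def steam_issue_ticket(steam_id: str) -> bytes:
    """Ticket the Steam client can obtain, only for the logged-in account."""
    return hmac.new(_STEAM_KEY, steam_id.encode(), hashlib.sha256).digest()


def steam_validate(steam_id: str, ticket: bytes) -> bool:
    """Model of Steam confirming that ticket and ID belong to the same user."""
    return hmac.compare_digest(steam_issue_ticket(steam_id), ticket)


def password_from_steam_id(steam_id: str) -> str:
    """Hash of a public identifier: anyone who knows the ID can compute it."""
    return hashlib.sha256(steam_id.encode()).hexdigest()


def login_id_only(accounts: dict, steam_id: str, password: str) -> bool:
    """Weak variant: ticket validation removed, the ID hash is the only check."""
    return hmac.compare_digest(accounts.get(steam_id, ""), password)


def login_with_ticket(accounts: dict, steam_id: str, password: str,
                      ticket: bytes) -> bool:
    """Variant from the post: the ticket must validate for the claimed ID."""
    return steam_validate(steam_id, ticket) and login_id_only(
        accounts, steam_id, password)


def demo() -> dict:
    owner, other = "76561190000000001", "76561190000000002"  # constructed IDs
    accounts = {owner: password_from_steam_id(owner)}
    guessed = password_from_steam_id(owner)      # needs only the public ID
    foreign_ticket = steam_issue_ticket(other)   # ticket for a different account
    return {
        "id_only_accepts_non_owner": login_id_only(accounts, owner, guessed),
        "ticket_rejects_non_owner": not login_with_ticket(
            accounts, owner, guessed, foreign_ticket),
        "ticket_accepts_owner": login_with_ticket(
            accounts, owner, guessed, steam_issue_ticket(owner)),
    }


if __name__ == "__main__":
    print(demo())
```
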
1 minute ago, Keenan said:

I strongly recommend the owner of the breached account seek technical assistance in removing malware and viruses, as well as secure their Steam account.

After a rather close review of our code, the only way someone could have compromised accounts is by having access to the user's computer or Steam account. Unless modded out (which I do believe is against our use agreement), the client and server work together to use Steam for authentication. The short of it is the client sends the SteamID as well as an authentication token. We hash the SteamID as a password, yes - however we rely on the authentication token. This is given to Steam directly through native calls (SteamJNI) and Steam then validates the token and ID to ensure it came from the same user.

Thus there is no way with simple client modifications to spoof or break this method of authentication, not without greater access - such as the user's machine or the game server itself.

The code posted on Github earlier is a fine example of how to remove Steam authentication, but it effectively renders any patched client useless with servers that are not also patched to remove authentication. In essence, unless your server has had Steam authentication removed, then the only logical way this incident happened is that the affected user has his or her computer or Steam account compromised.

My review came to the same point.

On the other hand this is very strange and a good example why I recommend protecting at least GM accounts with master passwords. 

That's the thing, it's not just one account, the same IP logged in to at least 5 different Wurm accounts on the server. Two of which were related to the server hosts and the others were unrelated. All the mayhem was from the one account that had GM powers.

For example my character was logged into and I have two-factor authentication enabled on my Steam account thus it could not even have been attempted to be logged into without a notice going out regarding it. He did not even access my GM character but rather went for the one that had matching Steam and in-game names. But I am not a coder so I can't say anything for sure just that for this attack to have happened it would have required multiple different unrelated Steam accounts be breached within a very short timeframe or the server (which is still being investigated though seems unlikely).

Still looking into this though.

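Added example, not part of the post above and not the server's own tooling: a Python check for the pattern raidsoft describes, one IP logging into several different accounts within a short time. The log format, the addresses (documentation ranges) and the account names are constructed, and the window and threshold are assumptions to tune per server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (format and values are assumptions for this example).
SAMPLE_LOG = """\
2017-03-04T18:00:10 LOGIN ip=198.51.100.20 account=Farmer
2017-03-04T18:02:41 LOGIN ip=203.0.113.7 account=Alpha
2017-03-04T18:05:02 LOGIN ip=203.0.113.7 account=Bravo
2017-03-04T18:09:30 LOGIN ip=198.51.100.20 account=FarmerAlt
2017-03-04T18:11:15 LOGIN ip=203.0.113.7 account=Charlie
2017-03-04T18:14:57 LOGIN ip=203.0.113.7 account=Delta
2017-03-04T18:20:03 LOGIN ip=203.0.113.7 account=Echo
2017-03-05T09:00:00 LOGIN ip=198.51.100.20 account=Miner
not a login line
"""

LINE = re.compile(r"^(\S+) LOGIN ip=(\S+) account=(\S+)$")


def parse(log: str):
    """Yield (timestamp, ip, account) for well-formed lines, skip the rest."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def shared_ip_logins(log, window=timedelta(minutes=30), min_accounts=3):
    """Map each IP to the largest set of distinct accounts it logged into
    within any `window`, keeping only IPs that reach `min_accounts`."""
    by_ip = defaultdict(list)
    for ts, ip, account in parse(log):
        by_ip[ip].append((ts, account))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start, best = 0, set()
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            seen = {acct for _, acct in events[start:end + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_accounts:
            findings[ip] = sorted(best)
    return findings


if __name__ == "__main__":
    for ip, accounts in shared_ip_logins(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(accounts))
```
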
5 minutes ago, raidsoft said:

That's the thing, it's not just one account, the same IP logged in to at least 5 different Wurm accounts on the server. Two of which were related to the server hosts and the others were unrelated. All the mayhem was from the one account that had GM powers.

For example my character was logged into and I have two-factor authentication enabled on my Steam account thus it could not even have been attempted to be logged into without a notice going out regarding it. He did not even access my GM character but rather went for the one that had matching Steam and in-game names. But I am not a coder so I can't say anything for sure just that for this attack to have happened it would have required multiple different unrelated Steam accounts be breached within a very short timeframe or the server (which is still being investigated though seems unlikely).

Still looking into this though.

What server-side mods do you currently use?


Quite a few; Ashproduce, betterdig, bountymod, creatureagemod, cropmod, harvesthelper, inbreedwarning, meditatemod, movetocenter, pickmoresprouts, sacrificemod, salvemod, serverpacks, spellmod, surfaceminingfix, timerfix, upkeepcosts and a custom one we've done internally for our own specific fixes.

Obviously we're going to be reviewing these as well.

16 minutes ago, raidsoft said:

Quite a few; Ashproduce, betterdig, bountymod, creatureagemod, cropmod, harvesthelper, inbreedwarning, meditatemod, movetocenter, pickmoresprouts, sacrificemod, salvemod, serverpacks, spellmod, surfaceminingfix, timerfix, upkeepcosts and a custom one we've done internally for our own specific fixes.

Obviously we're going to be reviewing these as well.

Have you checked the logs if there are any hints on how this could have been done?


I'm going to snip everything I just said and point out that there is indeed something in the code, you just aren't seeing it because he purposefully left out the bit that makes it function.

He's trying to make a business with this, offering to hack player accounts for IRL money through his forums. He wants to be the only one able to do this so he can make money. Leaving it open on github like this would be too easy, and he certainly has no intentions to release the fully working and functioning code.

Edited by Huntar


Well, this was a fun way to spend a weekend...

But! The server is back up.

Enjoy!


Earlier in this thread there was a suggestion that the entire Wurm Unlimited code base was insecure. A developer indicated that you should do more research into the security of your GMs' accounts and the mods you've installed. There was also a YouTube video posted by someone who has clear prior modding experience in other games. And now the server is back online.

Did you find and fix the root cause? Are the players of your server safe or is it likely this will happen again?
