Graal Forums  

  #1  
Old 05-08-2003, 09:36 PM
GrowlZ1010 GrowlZ1010 is offline
defunct
Join Date: May 2002
Posts: 187
GrowlZ1010 is on a distinguished road
Quick announcement about Rudora

First things first. Rudora's new managers are WanDaMan, Kiirar, and myself.

Secondly, on Wednesday, May 7, the server was attacked. All levels and scripts were deleted. We had a recent levels backup, which has been uploaded, but all our NC stuff was completely destroyed. We're working on rebuilding it.

The person responsible has deleted all logs, although we suspect that he either got the password of an Admin or was let in by one of our staff. Action is being taken to ensure such a leak will not happen again (mandatory IP ranges, minimum possible rights to do job, etc.), and until we can work out more details about this attack, a hiring freeze is in place so we don't rehire the person who gave out this RC.

However, that doesn't change the fact that months of our scripting team's hard work has been destroyed. We're recovering critical systems now, and most of the jobs have been restored from recent backups, but there was so much in the NC we hadn't backed up. This is going to set us back even longer, I'm afraid.

On a related note, any staff who have lost their RCs as a result of this attack should contact myself on AIM (GrowlZ1010) to get your RC back. You probably won't have the same scope of rights as you did before, as part of our new security setup yadda, but you'll get what you need.

Thanks for reading, and I apologize (again) for the delay. We're working as hard as we can. I'll post server updates every so often - hopefully next time I'll have better news.
Reply With Quote
  #2  
Old 05-08-2003, 09:49 PM
Spark910 Spark910 is offline
Ex-Graal Global
Join Date: Oct 2001
Location: England
Posts: 10,892
Spark910 has a spectacular aura about
The person responsible has been globally banned. But there could be a second person. I haven't talked to Aftershock fully about it, and so, nothing more can be said on my part.

About Rudora. Those 3 have worked great as well as other staff. They are a great tri-management team. I am confident that they can get Rudora back in no time. WanDaMan is working on levels, and we all know his speed. The others are fixing up NC.

I was happy to get PWA, but sad too as I had to leave Rudora. I had played Rudora since almost day one. I became friends with the first owner and I enjoyed every day on Graal. I think I have over 800-900 hours on Rudora split over Spark910 and Rudora_Admin3. I started out as FAQ, became GP, GP Asst Chief, then Manager. Rudora's second manager was 'Shadowless'; by that time Rudora seemed doomed as there was not a good staff team at all, and Shadowless went on vacation for 3 weeks, and so, Rudora was shut down.

I brought back Rudora as I thought Zas should have been manager. I loved every day, and don't regret a min of it. I, like Aftershock, have seen what Rudora has, and it's got some nice things, and when the day comes for an opening I am confident it will be a great community.

I'm a bit upset right now because of what happened as I have watched Rudora grow, and now it's been presented with this barrier. Also I am a bit upset because I have written about my past on Rudora, I didn't realise it was so long or good. But I would never have applied for PWA if I didn't think Rudora would be in good hands. And so me applying just proved my confidence in the staff team.

GOOD LUCK GUYS AND GALS. I WILL MISS YOU! !
__________________
--Spark911
Reply With Quote
  #3  
Old 05-08-2003, 09:52 PM
zell12 zell12 is offline
Gone
Join Date: Jun 2001
Location: Alberta, Canada
Posts: 8,541
zell12 has a spectacular aura about
It is your responsibility to ensure all the accounts with access to the RC have IP ranges set and their rights are only minimum to allow them to do their job properly. You should have done this long ago. Also, you and your staff should keep up-to-date backups of the levels and NPCs every time a change is made.

Oh well, I guess Nemesis and crew will be making sure that his rules are enforced on all servers, like the IP ranges on the accounts and such. Good luck rebuilding the scripts.
__________________
Reply With Quote
  #4  
Old 05-08-2003, 09:55 PM
Spark910 Spark910 is offline
Ex-Graal Global
Join Date: Oct 2001
Location: England
Posts: 10,892
Spark910 has a spectacular aura about
Quote:
Originally posted by zell12
It is your responsibility to ensure all the accounts with access to the RC have IP ranges set and their rights are only minimum to allow them to do their job properly. You should have done this long ago. Also, you and your staff should keep up-to-date backups of the levels and NPCs every time a change is made.

Oh well, I guess Nemesis and crew will be making sure that his rules are enforced on all servers, like the IP ranges on the accounts and such.
First part:

Well actually about 4 days ago I was going to backup as my computer had totally screwed me over, so had to install Windows again, and had lost everything. It did the same thing the next day, by which time I had been hired on PWA and then it got attacked. Besides they have levels apparently, but not NC, but to be fair I think the only way to back it up on your computer is with a manual saving of all NPCs. There should be a ''Back up all NPCs'' button which downloads all the NPC scripts to your hard-drive.

Second Part:

*Is waiting for Aftershock to confirm it okay for me to post rules/advice document on PWs*
__________________
--Spark911
Reply With Quote
  #5  
Old 05-08-2003, 10:00 PM
HoudiniMan HoudiniMan is offline
Playerworld Administrator
Join Date: Dec 2001
Location: California - USA
Posts: 3,512
HoudiniMan will become famous soon enough
The fact still stands that IP ranges are mandatory for all servers..
__________________
-HoudiniMan (Chief Playerworld Administrator)
Compulsive Support Center Checker - 5 Years and Change
Graal Support Center

Reply With Quote
  #6  
Old 05-08-2003, 10:05 PM
GrowlZ1010 GrowlZ1010 is offline
defunct
Join Date: May 2002
Posts: 187
GrowlZ1010 is on a distinguished road
Quote:
Originally posted by HoudiniMan
The fact still stands that IP ranges are mandatory for all servers..
Our staff, for the most part, have IP ranges. That was a generalization for our future security plans. Our main problem was people having excessive rights, which we're going to monitor closely from now on. Besides, IP ranges won't protect anything against someone on the inside working out, which, as I said, is going to be a lot harder from now on.
Reply With Quote
  #7  
Old 05-08-2003, 10:05 PM
Spark910 Spark910 is offline
Ex-Graal Global
Join Date: Oct 2001
Location: England
Posts: 10,892
Spark910 has a spectacular aura about
Quote:
Originally posted by HoudiniMan
The fact still stands that IP ranges are mandatory for all servers..
Here's what I think happened: someone added that person to attack Rudora only. So IP ranges wouldn't have made a difference (all high admins did have IP ranges already, apparently). And I know people who can't be trusted shouldn't be high staff. But there is a high staff member, who IS trusted, who turns sour, then it's horrible as all security risks were put into place, but it wouldn't help.
__________________
--Spark911
Reply With Quote
  #8  
Old 05-08-2003, 10:07 PM
HoudiniMan HoudiniMan is offline
Playerworld Administrator
Join Date: Dec 2001
Location: California - USA
Posts: 3,512
HoudiniMan will become famous soon enough
Well then I guess you guys just have to exercise more caution on who you make high admins... If I was an owner I'm not sure I'd have more than 1 anyway... Too many people with setrights is dangerous.
__________________
-HoudiniMan (Chief Playerworld Administrator)
Compulsive Support Center Checker - 5 Years and Change
Graal Support Center

Reply With Quote
  #9  
Old 05-08-2003, 10:17 PM
GrowlZ1010 GrowlZ1010 is offline
defunct
Join Date: May 2002
Posts: 187
GrowlZ1010 is on a distinguished road
Quote:
Originally posted by HoudiniMan
Well then I guess you guys just have to exercise more caution on who you make high admins... If I was an owner I'm not sure I'd have more than 1 anyway... Too many people with setrights is dangerous.
You're quite right. Probably, this time round, it'll only be the three managering people who get setrights. The reason we have three is for a balance of skills - Wan's the best at levels, I'm a sort of scripts/ganis/sounds/emergency graphics (:P) person, and Kiirar does scripting.
Reply With Quote
  #10  
Old 05-08-2003, 10:27 PM
HoudiniMan HoudiniMan is offline
Playerworld Administrator
Join Date: Dec 2001
Location: California - USA
Posts: 3,512
HoudiniMan will become famous soon enough
Technically speaking, while not really the best idea, the manager(s) don't need to be able to make anything at all if they can keep the respective teams organized... You might want to reconsider your policy for choosing people.
__________________
-HoudiniMan (Chief Playerworld Administrator)
Compulsive Support Center Checker - 5 Years and Change
Graal Support Center

Reply With Quote
  #11  
Old 05-08-2003, 10:52 PM
G_yoshi G_yoshi is offline
Forbidden
Join Date: Mar 2001
Posts: 7,206
G_yoshi will become famous soon enough
Quote:
Originally posted by GrowlZ1010


You're quite right. Probably, this time round, it'll only be the three managering people who get setrights. The reason we have three is for a balance of skills - Wan's the best at levels, I'm a sort of scripts/ganis/sounds/emergency graphics (:P) person, and Kiirar does scripting.
HAHA!!! Now where'd you find those threads? (points to your second sig).

It's been long since that most fun event :]
__________________
Reply With Quote
  #12  
Old 05-08-2003, 11:01 PM
GrowlZ1010 GrowlZ1010 is offline
defunct
Join Date: May 2002
Posts: 187
GrowlZ1010 is on a distinguished road
Quote:
Originally posted by G_yoshi
HAHA!!! Now where'd you find those threads? (points to your second sig).

It's been long since that most fun event :]
I can't give away all my secrets..
Reply With Quote
  #13  
Old 05-09-2003, 01:06 AM
thesaiyan thesaiyan is offline
Blast you!!1
Join Date: May 2002
Location: LA, USA
Posts: 1,033
thesaiyan is on a distinguished road
Quote:
Originally posted by HoudiniMan
Well then I guess you guys just have to exercise more caution on who you make high admins... If I was an owner I'm not sure I'd have more than 1 anyway... Too many people with setrights is dangerous.
For real. There should be like a rule for all servers. The set server options right should only be for managers and/or co-managers. That's to ensure a 'high admin' doesn't go postal and start hiring *****s to delete servers.

Anyways I hope you 3 get the NC and scripts back up and running. Rudora was always a cool server.
__________________
Banned for not using profane words.
-Chris
Reply With Quote
  #14  
Old 05-09-2003, 02:27 AM
zell12 zell12 is offline
Gone
Join Date: Jun 2001
Location: Alberta, Canada
Posts: 8,541
zell12 has a spectacular aura about
You still have to realize, if their IP is static or dynamic, they MUST have an IP range, it is a rule. You can add such things like:
12.66.144.*
12.*.*.55,12.*.*.145
etc... Just try to get a pattern down. You can link the IPs together using the comma.

As for the rights issue, you should be the only one with: set rights; set folder rights; server options; edit folder configuration.
NC should only be given to scripters, and you should limit their NC rights to the weapons list and classes, limited access to the DB NPCs and the NPC Admin with full access to all of them.

Levels folder should be set up so the people (besides you) only have .nw/.graal rights to the levels folder to stop people from local ipbanning *.*.*.* X_x

Just a few hints, and if you need help organizing the server I'll be more than happy to help you out some more, I just don't feel that some of the people from the PWA are experienced enough, however I am sure they could manage.
__________________
Reply With Quote
  #15  
Old 05-09-2003, 02:51 AM
Tseng Tseng is offline
Sublime
Join Date: Jan 2003
Location: California
Posts: 0
Tseng is on a distinguished road
Security, security, security.

Your server was not "attacked."

Your server was "improperly set up to allow a staff member to abuse his/her power and delete the server."

-> Take action to ensure this does not happen in the future.

*set IP ranges
*do not give people rights they should not have (e.g. rw to logs/* outside of the managers/high admins)
*keep few managers/high admins
*ensure someone is trustworthy before giving them excessive rights
__________________
Funny Things:
Quote:
Originally posted by Stefan
I didn't ban you, I only played a little bit with my RC.
-----
Reply With Quote
  #16  
Old 05-09-2003, 03:32 AM
MadWolf MadWolf is offline
Beam me up, Scotty.
Join Date: Feb 2003
Location: Canada
Posts: 0
MadWolf is on a distinguished road
#1. Why would you give RW rights to the log folder out? Why would someone need to edit logs? Hmm?

#2. IP Ranges have been mandatory for some time now, everyone is aware of this. How come you did not have it set?

#3. This was not an attack of a hacker or anything else. Your fault, no need to place blame on anyone but management.

I do hope you get your scripts back, and rebuild your NPC DB successfully. Good luck.

Side note: Who was the person who did this?
__________________
Part of the Graal2001 Graphics Team
New account is 'Scott'
Reply With Quote
  #17  
Old 05-09-2003, 10:10 AM
GrowlZ1010 GrowlZ1010 is offline
defunct
Join Date: May 2002
Posts: 187
GrowlZ1010 is on a distinguished road
Quote:
Originally posted by MadWolf
#1. Why would you give RW rights to the log folder out? Why would someone need to edit logs? Hmm?

#2. IP Ranges have been mandatory for some time now, everyone is aware of this. How come you did not have it set?

#3. This was not an attack of a hacker or anything else. Your fault, no need to place blame on anyone but management.

I do hope you get your scripts back, and rebuild your NPC DB successfully. Good luck.

Side note: Who was the person who did this?
First point. A few NATs had such access so that they could delete files created with savelog2, but this seems like a Bad Plan now. But anyone with setrights and setfolderrights can give themselves that.

Secondly. We have IP ranges. Again, though, anyone with setrights can just ignore that when makin' a new RC.

Third, it looks like someone on the inside may have been responsible for giving out RC. And when one of your own trusted staff goes bad the only thing you can do is do more checks in future.

I acknowledge that too many people had too many rights on Rudora, but we're going to start regulating these more. A lot more.

Oh, and I can't currently disclose the name of the person who we believe is responsible. Apparently investigations are being done and so I can't comment on their identity.
Reply With Quote
  #18  
Old 05-09-2003, 01:28 PM
zell12 zell12 is offline
Gone
Join Date: Jun 2001
Location: Alberta, Canada
Posts: 8,541
zell12 has a spectacular aura about
Quote:
Originally posted by MadWolf
...
You just said what Tseng said. -_-
__________________
Reply With Quote
  #19  
Old 05-09-2003, 04:04 PM
Tseng Tseng is offline
Sublime
Join Date: Jan 2003
Location: California
Posts: 0
Tseng is on a distinguished road
1) Give them rw access to logs/theirname*.txt

2) Set Rights does _NOT_ allow you to give rights you do not have; set folder rights allows you to set any folder rights.

And OBVIOUSLY you should ABSOLUTELY NOT have someone with set rights/folder rights who you want to restrict write access to logs to.

OBVIOUSLY.
__________________
Funny Things:
Quote:
Originally posted by Stefan
I didn't ban you, I only played a little bit with my RC.
-----
Reply With Quote
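
The rules repeated across the posts above (IP range patterns, manager-only rights, log access limited to a member's own files, level-file-only access to the levels folder) can be checked mechanically. The following is an added example, not code from the thread or from Graal; the account record layout, the rights labels and the "mode path" folder notation are assumptions, and the accounts are constructed.

```python
# Added example: audit of staff accounts against the rules discussed in the thread.
# The record layout, rights labels and "mode path" folder notation are assumptions.
MANAGER_ONLY = {"set rights", "set folder rights", "server options",
                "edit folder configuration"}

# Constructed sample accounts (not real Rudora staff).
ACCOUNTS = [
    {"name": "manager1", "manager": True, "ip_range": "12.66.144.*",
     "rights": {"set rights", "set folder rights", "server options"},
     "folders": ["rw logs/*", "rw levels/*"]},
    {"name": "scripter1", "manager": False, "ip_range": "12.*.*.55,12.*.*.145",
     "rights": {"NC"}, "folders": ["rw logs/scripter1*.txt"]},
    {"name": "nat1", "manager": False, "ip_range": "",
     "rights": {"NC", "set folder rights"}, "folders": ["rw logs/*"]},
    {"name": "levels1", "manager": False, "ip_range": "*.*.*.*",
     "rights": set(), "folders": ["rw levels/*.nw", "rw levels/*.graal"]},
]

def split_patterns(ip_range):
    """Split a comma-linked IP range into its individual patterns."""
    return [p.strip() for p in ip_range.split(",") if p.strip()]

def ip_allowed(ip, ip_range):
    """Octet-wise match of ip against comma-separated patterns like 12.*.*.55."""
    octets = ip.split(".")
    for pattern in split_patterns(ip_range):
        parts = pattern.split(".")
        if len(parts) == len(octets) == 4 and all(
                p == "*" or p == o for p, o in zip(parts, octets)):
            return True
    return False

def audit(account):
    """Return a list of policy findings for one account (empty list = clean)."""
    findings = []
    patterns = split_patterns(account["ip_range"])
    if not patterns:
        findings.append("no IP range set")
    elif "*.*.*.*" in patterns:
        findings.append("IP range matches every address")
    if account["manager"]:
        return findings  # managers may hold the rights checked below
    extra = sorted(account["rights"] & MANAGER_ONLY)
    if extra:
        findings.append("manager-only rights: " + ", ".join(extra))
    own_logs = "logs/" + account["name"]
    for entry in account["folders"]:
        mode, path = entry.split(" ", 1)
        if "w" not in mode:
            continue
        if path.startswith("logs/") and not path.startswith(own_logs):
            findings.append("can write other logs: " + path)
        if path.startswith("levels/") and not path.endswith((".nw", ".graal")):
            findings.append("can write non-level files: " + path)
    return findings

def audit_all(accounts=ACCOUNTS):
    return {a["name"]: audit(a) for a in accounts}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, findings or "ok")
```
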
  #20  
Old 05-09-2003, 05:46 PM
Kaimetsu Kaimetsu is offline
Script Monkey
Join Date: May 2001
Posts: 18,222
Kaimetsu will become famous soon enough
Well, at least this is an opportunity to be rid of all those actionserverwarps
__________________
Reply With Quote
  #21  
Old 05-09-2003, 05:52 PM
Spark910 Spark910 is offline
Ex-Graal Global
Join Date: Oct 2001
Location: England
Posts: 10,892
Spark910 has a spectacular aura about
Quote:
Originally posted by Kaimetsu
Well, at least this is an opportunity to be rid of all those actionserverwarps
Maybe, but as well as every NPC too which is a shame =[
__________________
--Spark911
Reply With Quote
  #22  
Old 05-09-2003, 09:21 PM
zell12 zell12 is offline
Gone
Join Date: Jun 2001
Location: Alberta, Canada
Posts: 8,541
zell12 has a spectacular aura about
Well, the only person with server options, folder config, set rights, and set folder rights should be the Manager. If the Manager is doing his job by monitoring the staff's actions and such then these events would never have taken place.

Be cautious of whom you give these rights to. I would love to see these rights be restricted to Managers only -- made an official rule. Would stop most of these problems from occurring.
__________________
Reply With Quote
  #23  
Old 05-10-2003, 05:59 AM
DarkShadows_Legend DarkShadows_Legend is offline
Cult of the Winky
Join Date: Apr 2003
Location: Florida
Posts: 614
DarkShadows_Legend is on a distinguished road
Sounds like a big hoax to cover their lack of development, but I'm probably wrong.
__________________
- Criminal X

"I rather be hated for being myself, than be liked for being what you like best. I go above the influence, not under." - Me
Reply With Quote
  #24  
Old 05-10-2003, 07:26 AM
Chicken_l33t Chicken_l33t is offline
Banned
Join Date: Sep 2002
Location: NewZealand
Posts: 467
Chicken_l33t is on a distinguished road
Congrats to the new owners of Rudora.
It has changed quite a lot since it first came out and it looks good level wise and all and Good luck to all the new managers especially Wan. I reckon you will all do a good job, and I don't believe it'd be a hoax >.>.
Reply With Quote
  #25  
Old 05-10-2003, 07:29 AM
zell12 zell12 is offline
Gone
Join Date: Jun 2001
Location: Alberta, Canada
Posts: 8,541
zell12 has a spectacular aura about
I can't believe Wan still works on levels, after catching him stealing levels and putting them on Mithica, I fired and banned him.
Oh well, people change, I hope he did.
__________________
Reply With Quote
All times are GMT +2.