Two Plus Two Newer Archives  

  #41  
Old 09-14-2007, 12:12 PM
HermannTL HermannTL is offline
Member
 
Join Date: Sep 2007
Posts: 91
Default Re: Poker Tracker Site Problems?

I picked up JS/Psyme when someone hacked the Low Limit Poker site, getting the same results from AVG. What I found was that deleting the temporary files got rid of the compromised files. Further scanning shows no infection.
Reply With Quote
  #42  
Old 09-14-2007, 12:17 PM
tehDiceman tehDiceman is offline
Senior Member
 
Join Date: Oct 2006
Location: Indiana
Posts: 1,290
Default Re: Poker Tracker Site Problems?

[ QUOTE ]
[ QUOTE ]
errr...

What do I do? AVG doesn't want to heal it.

[/ QUOTE ]

Move to virus vault then remove it then run another scan to make sure it has not come back

[/ QUOTE ]

that is just a temporary internet file, you could clear the cache or just flat delete it. as long as it goes away, i'd call it nothing to worry about.
Reply With Quote
  #43  
Old 09-14-2007, 12:19 PM
ptrack pat ptrack pat is offline
Senior Member
 
Join Date: Jan 2003
Posts: 220
Default Re: Poker Tracker Site Problems?

[ QUOTE ]
[ QUOTE ]
[ QUOTE ]
Another question. Could whoever has hacked the site be harvesting IP addresses from those of us whose PT checks for updates to try to hack our machines at a later date?

[/ QUOTE ]

im pretty clueless about this stuff. Is that possible?

[/ QUOTE ]
That depends on a lot of things like whether or not this information was actually stored in a database (which is probably the case) and whether or not the hacker was able to obtain access to said database.

PT Pat would probably be able to answer this, though.

[/ QUOTE ]

No user IPs are stored by PT anywhere. When PT checks for updates, all it does is check the version number in PT with a version number that is just stored on an HTML page on my site. If the version numbers are different it just tells you there is an update available, that's it. It doesn't check IPs to make sure that people are valid users or anything like that.

Again, the site is down now because I have asked my hosting company to take it off line until the problem can be resolved.
Reply With Quote
  #44  
Old 09-14-2007, 12:26 PM
SplicesX SplicesX is offline
Junior Member
 
Join Date: Sep 2007
Posts: 2
Default Re: Poker Tracker Site Problems?

pocker tracker owned 80/20
Reply With Quote
  #45  
Old 09-14-2007, 12:36 PM
fozzy71 fozzy71 is offline
Senior Member
 
Join Date: Mar 2007
Location: Got Themes?
Posts: 2,013
Default Re: Poker Tracker Site Problems?

[ QUOTE ]
pocker tracker owned 80/20

[/ QUOTE ]

SplicesX
stranger


Reged: 09/14/07
Posts: 1

U registered just to say that?

Worst Lurker post ever?
Reply With Quote
  #46  
Old 09-14-2007, 12:49 PM
SplicesX SplicesX is offline
Junior Member
 
Join Date: Sep 2007
Posts: 2
Default Re: Poker Tracker Site Problems?

[ QUOTE ]
[ QUOTE ]
pocker tracker owned 80/20

[/ QUOTE ]

SplicesX
stranger


Reged: 09/14/07
Posts: 1

U registered just to say that?

Worst Lurker post ever?

[/ QUOTE ]

im not a lurker! i'm Splices!

[ QUOTE ]
Pokerroom's chat was hacked twice this weekend. It was only viewable to those with the download client, but a player clearly not seated on the tables was spamming the chatbox. PR has no observer chat. As the de facto head of the Kick PR's Ass Movement over there, the Saturday chat hacker contacted me via PM. I had no idea who this guy was or what he could do when he requested my email addy to send me 'screenshots of collusion.' I never received them. He calls himself proX(tm), and claimed to be a friend of the so-called 'splices,' the hacker behind the securident site. He also showed me the lobby he created, and it was the real deal. Most insidious thing about the lobby he showed me was that it logged you into an account supposedly banned for life. He clearly demonstrated the vulnerability of PR's source code. While his effect on the games was purely psychological, I for one am of the opinion that it's only a matter of time before the two of them or someone else takes it to the next level.

The posting of personal information was the result of 'social engineering' pulled off by these same two people if their claim of "ownership" of the TotalBluff site on its emptied homepage was any indication of who did it. Reportedly, one or both of them swindled the provider into believing they were OwlLawyer, or some other TB admin and persuaded them to give them the Admin Passwords through the provision of some kind of information they should not have had. According to the grapevine, the pair wiped their server and then posted the content of TB Private Messages in Pokah containing phone numbers, passwords, flimsy accusations of collusion (one email was an offer of staking), and otherwise private personal conversations released for no other reason than individual humiliation. This was a Federal offense whoever did this, involving wire fraud and credit card fraud, and the FBI, reportedly, is investigating ProX(tm) and splices.

What I found most disgusting, excluding the pure maliciousness of the TB attack, was PR's complete inability to delete those posts on the spot. How the most BASIC of security measures, the removal of publicly posted private information, could not be effected by SOMEONE in their organization is unforgivable. Getting hacked is one thing. Getting used is another.

TOD THE MOD

Someone took the Java client and ran it through a decompiler. Now, this is not something that is difficult to do, and what you get out is a source code that will create the bytecode of the Java client, but in a pretty garbled state (depending on how intelligent the decompiler is). Doing this is against our Terms of Service, but it isn't something that we in any way can do anything about - you can run any program, Java or Windows binary through a decompiler and get something out from it.

The person then managed (which is quite impressive, I must admit) to figure out what certain parts of the source code would do - basically he figured out the structure of the program, to some extent.

The third stage of what he did was to alter the code in some ways (specifically regarding the chat functionality). Now, the chat functions are in no way connected to the actual game play. The game play is controlled by the game servers - they deal the cards, enforce the rules, award the pots etc. There is a big transaction system in the back end that makes sure that all bets are accounted for, all game actions valid and so on. The chat is different - it doesn't run through all the checks and balances that the actual playing of the game does. Because of this, the "hacker" managed to send incorrect chat information. Now, this is of course not good, and it has forced us to take a new look on how we handle chat on the server level. But also, there has been no breach of security when it comes to the game play.

The changes made to the client included a few other things - it was based on the Java client for one of the other operators in the Network, but identified itself as a PokerRoom.com client. The clients for different operators are almost identical - only graphical elements are changed, so what was done was something roughly equal to a "modding" of the client, in that it became a PokerRoom.com client with a different set of graphics.

The fact that he used the "hacked" client to log in with a blocked account is also something that we're now looking into. Normally when you log in with a blocked account an error code is sent back to the client and that is then handled by the client. He by-passed this error code handling routine, and because of this was able to log in anyway. This is probably the most serious part of the "hack", but still, it doesn't put anyone else's account at risk.

The second issue that has been brought up here was very nicely explained by djdaddio, and we, together with TotalBluff, are looking into that incident as well. I fully understand his frustration with the fact that personal information was posted in Pokah and not deleted for several hours - it was poor performance on our part, no doubt about that. The reason for it is quite simple though, and probably something the "hacker" counted on - the posts were made on Good Friday, at a time where the Support and Pokah staffing is on a natural low. Because of this it took too long for us to become aware of the posts, and hence remove them. For that we're very sorry.

Todd


[/ QUOTE ]
Reply With Quote
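Added example, not part of the thread and not PokerRoom's code: the statement quoted in post #46 describes a block that was only reported to the client as an error code, and chat that skipped the server's checks. The sketch below puts that pattern next to a server-enforced version; every name, code and account in it is hypothetical.

```python
# Added illustration. All names, codes and accounts are constructed.
import secrets

ERR_BAD_LOGIN = 401   # hypothetical codes, not the real protocol's values
ERR_BLOCKED = 403

ACCOUNTS = {
    "alice": {"password": "pw-a", "blocked": False},
    "mallory": {"password": "pw-m", "blocked": True},
}
SEATED = {"table-1": {"alice"}}   # who is seated, according to the server
sessions = {}                      # session token -> username


def _check_password(user, password):
    acct = ACCOUNTS.get(user)
    if acct is None or not secrets.compare_digest(acct["password"], password):
        return None
    return acct


def login_client_enforced(user, password):
    """Flawed: the session exists before the block is merely reported."""
    acct = _check_password(user, password)
    if acct is None:
        return {"token": None, "error": ERR_BAD_LOGIN}
    token = secrets.token_hex(16)
    sessions[token] = user
    # A stock client shows a "blocked" dialog on this error code;
    # a client that skips that handler still holds a live token.
    return {"token": token, "error": ERR_BLOCKED if acct["blocked"] else None}


def login_server_enforced(user, password):
    """Hardened: a blocked account never receives a session."""
    acct = _check_password(user, password)
    if acct is None:
        return {"token": None, "error": ERR_BAD_LOGIN}
    if acct["blocked"]:
        return {"token": None, "error": ERR_BLOCKED}
    token = secrets.token_hex(16)
    sessions[token] = user
    return {"token": token, "error": None}


def post_chat(token, table, text):
    """Chat gets the same server-side checks as any other action."""
    user = sessions.get(token)
    if user is None:
        return "rejected: no session"
    if user not in SEATED.get(table, set()):
        return "rejected: not seated"
    return f"{user}: {text[:200]}"
```
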
  #47  
Old 09-14-2007, 12:50 PM
Unknown Soldier Unknown Soldier is offline
Senior Member
 
Join Date: Sep 2006
Posts: 8,587
Default Re: Poker Tracker Site Problems?

pt_pat:

thanks for the info, hope you can get all this sorted soon. Good luck!
Reply With Quote
  #48  
Old 09-14-2007, 01:03 PM
blackize blackize is offline
Senior Member
 
Join Date: Mar 2005
Location: Maryland
Posts: 5,037
Default Re: Poker Tracker Site Problems?

[ QUOTE ]


No user IPs are stored by PT anywhere. When PT checks for updates, all it does is check the version number in PT with a version number that is just stored on an HTML page on my site. If the version numbers are different it just tells you there is an update available, that's it. It doesn't check IPs to make sure that people are valid users or anything like that.

[/ QUOTE ]

Ok I realize this much, but I guess what I should ask is this.

I assume your server or host maintains a record of the IP addresses that connect to your site. Is it possible that the hacker gained access to server side records of these connections?
Reply With Quote
  #49  
Old 09-14-2007, 01:22 PM
davidlong14 davidlong14 is offline
Senior Member
 
Join Date: May 2007
Location: Las Vegas, Nevada
Posts: 578
Default Re: Poker Tracker Site Problems?

good luck
Reply With Quote
  #50  
Old 09-14-2007, 01:39 PM
Ehrie Ehrie is offline
Junior Member
 
Join Date: Mar 2007
Posts: 3
Default Re: Poker Tracker Site Problems?

I'm not sure if I downloaded an update the last two days.
Can you tell me if this update changes the pt version number?
And if it does can you please tell me if the version 2.16.03d is clean?
Reply With Quote
All times are GMT -4.