Project was just hacked

Glitch Help
1

My project was hacked.
When I closed my computer this random anonymous guy detected i wasn’t active and edited the code.
Its called onlinux.glitch.me.

Clarification: Well i did cd /t/t/t;, && was disabled, ; was also disabled. That meant he would be stuck in the /t/t/t directory. And he acessed the project that’s different from someone abusing the terminal.

I just saw a anonymous person logging stuff in assets/some random file name which could contain private data. He also was able to see my previous terminal history :0 and recover the file while i was inactive after a rewind. gosh he even disabled my restrictions that restrict commands but I added them back and rebackupped it.

2

mate, you realise the project is a literal terminal? there aren’t some nice people on here, tbh, You should’ve expected someone to do somethin like that.

2 Likes
3

Well i did cd /t/t/t;, && was disabled, ; was also disabled. That meant he would be stuck in the /t/t/t directory.
And he acessed the project that’s different from someone abusing the terminal.

4

mate, just roll back the project, or get glitch support to roll it back to a set time you know it was last working…

5

It’s rewinded but that doesnt mean we should let the hackers hack us.

6

… mate, it’s a terminal, any person can just waltz on over to the project web page, and run rm -rf *

2 Likes
7

that would work only on /t/t/t not the /app directory and it wouldnt show up on the rewinds and ; and && were disabled.

8

unless you somehow manage to make the perfect anti-grief function in php, it will always be that way.

10

I’m gonna remix the project, gimme a min, i’ll try to provide ya with a solution to your predicament

1 Like
11

well 1: image

it needs to be ~/t/t/t/

Ya know what, instead of me just trouble shootin the whole thing, I’ll join de project to help ya

1 Like
12

@mayank1234cmd you don’t want to say who you think did it because that could come off as rude :confused:

1 Like
13

@mayank1234cmd, before your posts gets flagged for name-shaming (which is not allowed on this forum), I advise you to remove the part where you accuse other users.

5 Likes
14

The only way someone can “hack” you is if they got your git url. This was most likely a staff member. If your project is warned too many times, staff may take a look inside your project. But not to jump to conclusions. This could happen for a lot of things. The probability of you being hacked is not that big. It is really small.

15

Ok i get it but still they removed the “security feature” that disabled some commands, i don’t see why that would happen

16

The projects are hosted on AWS. It would be a lot easier to look at it from a project view than a terminal.

1 Like
17

Your project is at a big risk for bash injections, you should review user input before it is entered.

4 Likes
18

If this feature was seen as ‘social engineering’ it means that Glitch needs to remove under the rules set by their hosting provider, AWS. Could you tell us exactly how the feature worked? Did it contain anything that could be against Glitch or AWS ToS?

19

Here;s the code:

<?php
// Lemme think here for a bit, defending an online terminal from the directory commands is atrocious work
// idea: idea! convert command to array and check if array[1] is == cd, rm, or array contains > or >>
//hmm, could be doable, but at the same time, maybe not
s=_GET[‘command’];
$s=explode(" ", $s);
echo $s; 
if (array_values($s)[0] == "cd"){
  echo "restricted";
} elif (array_values($s)[0] == "rm"){
  echo "restricted";
} elif (array_values($s)[0] == "rmdir"){
  echo "restricted";
} elif (array_values($s)[0] == "cat"){
  echo "restricted";
} 
else {
  echo nl2br(htmlspecialchars(shell_exec("cd ~/t/t/t/ && echo " . $_GET['command'] . "")));;; 
}
?>

These were replaced with:
</p><?php echo nl2br(htmlspecialchars(shell_exec("cd /t/t/t; " . $_GET['command'] . "")));;; ?> </div>

20

You probably shouldn’t be accepting user input as users could obfuscate their input.

4 Likes
21

I don’t think you even need to obfuscate your input.

echo "deleteing your project now" | rm -rfv /app
3 Likes
22

Well once my code is debugged rm and rmdir would be restricted also I think that would show access denied

23

I wasn’t able to really get much from the current state of the project, but if the above mentions of accepting user input and running it as a terminal command is true, then that’s a serious security issue that you can’t really work around.

Escaping input or detecting certain malicious commands is not enough, as people have already mentioned. I’d advise against making any app that takes user input and runs it as a terminal command within your app’s container.

6 Likes
24

mate, I’d suggest make it clonable, and if the project url is not equal to “onlinux.glitch.me” actually show the terminal, that way the core project can’t be deletable

25

did it!‎‎‎‎‎

26

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.