Bots attack OpenSim grids

Two OpenSim grids have been attacked — Open Neuland and Wilder Westen — and the attackers may be going after others, said Kai Ludwig, director of Germany’s TalentRaspel virtual worlds Ltd. and owner of the two grids.

The attack hit Open Neuland yesterday and Wilder Westen today, he told Hypergrid Business.

Red Mountains region on TalentRaspel's Wilder Westen grid. (Image courtesy TalentRaspel.)

“It’s probably bot-based, due to the attack timestamp pattern,” he added. “It looks like a possible threat to other grids, so we inform you herewith.”


According to Ludwig, the attacker attempted to place objects on land that was set to “build enabled for everyone.” The attacker also randomly moved objects that were movable.

“Due to our region monitoring and backup strategy, we have been able to immediately restore the attacked regions to their original pre-attack state,” Ludwig said.

As a result, the attack was rendered useless, he said, with no permanent damage. Ludwig also took a proactive measure, turning off building and moving options for visitors.

“Users may re-enable them at their own risk when needed,” Ludwig said. “This will protect our users against the bot’s actions.”

According to Ludwig, the attacker registered as “Jack Marioline” from [email protected], and the attacks came from the following IP addresses, owned by Vodafone Italy:


“We already asked the provider for the attacker’s details and issued a cease and desist against Vodafone Italy,” Ludwig said.


Maria Korolov

Maria Korolov is editor and publisher of Hypergrid Business. She has been a journalist for more than twenty years and has worked for the Chicago Tribune, Reuters, and Computerworld and has reported from over a dozen countries, including Russia and China.

  • Any more information available as to the nature of the attacks? What they build, duration of the attack, etc…

    • Douglas —

      From Kai:

      Open Neuland: 2011-08-25 14:27:42 – 2011-08-25 20:21:25 (GMT+1), several separate single sessions by "Jack Marioline".

      Wilder Westen: 2011-08-26 13:12:34 – 2011-08-26 15:17:57 (GMT+1), several separate single sessions by "Jack Marioline".

      The attack on Open Neuland stopped after either a) all interesting regions had been targeted or b) all hit region servers temporarily stopped reacting due to heavy physical prim load. The attack on Wilder Westen stopped after we cut off the attacker.

      The attacker built lots of linked primsets (approx. 180 prims each) of type "sphere, default" and in addition rezzed many single physical prims of type "sphere, default". The hit sims got filled until heavy server load made them stop reacting so I suspect the pattern "attack until disconnect, move on".

      Detailed IP list:


  • Torrid Luna

    We had an attack of an Avatar named "John S*ckerbanner" from Vodafone Italy on 2011-07-21. The guy didn't seem to be a bot though. I banned him and blocked the IP space for Vodafone/IT (109.112.0.0/15).

  • Yes, same guy. He used the same Email address at our site, and the realname "John Marioline" (not Jack) on the virtyou MainGrid. He seemed to use a client that was able to circumvent Copy/Mod permissions, since he copied some of our builds until the Sim was quite full (I counted 85.000 prims in one instance). 😉

    He used a client with a normal Hippo signature in our instance.

  • coyled

    Vodafone Italy? It’s Salad Boy! (We called him “Salad Boy” on OSGrid because he’d often attach trees to his av before running around and shouting at people. He looked like a giant salad.) He was running around OSGrid for several months, but his troublemaking was minor and pretty basic, and it wasn’t too difficult to block him for weeks at a time.

    If any grid operators need a hand figuring out how to deal with troublemakers feel free to drop me a note. You can find my contact info at http://coyled.com

    • Deviant Reader

      You all called him salad boy for other reasons that are rude and disgusting

  • Friti

    I'm an avid OpenSim user, and I do not condone the actions of this person.
    However, if you leave the house, and leave your front door open, don't be surprised to find your house full of dogs when you return.
    As annoying as this event may have been, I feel that this person (guy?) is trying to send the same kind of message. If anyone can build on a land, then that will be the first vulnerability. In fact, it's an invitation to build there, like a bowl of bonbons. Granted, this person gorged himself on the bonbons, and showed gross disrespect to the landowners, which is why I do not condone these actions of Jack/John, or whatever other name the person goes by. However, at the same time, I feel that the landowners are debit to the situation themselves. If building had been disabled, or group-only, this would not have been possible at all. Just blaming Jack/John would not be fair, no matter how wrong he was for abusing build rights.

    One other complaint was that Jack/John moved some stuff around that was supposed to be movable by anyone in the first place. I'm sorry, but complaining about that is too ridiculous for words, and that's the only part of the story that I can not take seriously. If you don't want your items moved around by anyone who feels like it, don't make it movable, period.

    Thing is, landowners need to think. Think like a griefer, but never be one. Take reasonable measures to prevent problems like these from arising. Unless you own a sandbox, NEVER set build enabled for everyone. Check permissions on your items and make sure that people can not move them if you don't want them moved, or copied by people if you don't want them copied. If you don't want copies of your items to pop up on other grids, enable the gatekeeper in your GridCommon.ini (only works if the Grid's management enabled the gatekeeper on their ROBUST servers as well, though)

    If then, in spite of these relatively simple measures, you STILL get people who circumvent these measures, THEN you will have reason for calling Jack/John an attacker. Even though I do condemn his method, I do support his message, which is a loud and clear "close your front door!".

    • Friti —

      Just because something is allowed doesn't mean that people have to do it. For example, anyone can visit this website. But if they visit it a million times all at once, they will shut the site down. The only way to 100 percent protect a site from a DDOS is to run the site on your local computer without any Internet access at all.

      Similarly, it's legal to walk into a store. But if you take a thousand people in with you at the same time, you will shut down the store's operations. Yes, the store could station a guard at the door and only allow in those who are members of the store's shopping club — but this would severely hurt business.

      I personally think TalentRaspel did exactly the right thing here. Spotted the attack, shut it down, and restored all the builds. If you have a good hosting provider that takes regular backups and monitors the grid for suspicious activity, then you can afford to do that, especially if the attacks are very infrequent.

      After all, security overkill can do just as much damage as a hacking attack, by making it difficult for folks to try on new clothes, for amateur builders to use sandboxes, and for region owners to bring in outside help to help them get their builds started.

      And we all forget to lock up after ourselves once in a while. You're in the middle of building, and you're called away. Your computer crashes and you give up for the night. Any grid that operates under the assumption that the victim is at fault for not being 100% secure 100% of the time isn't being very realistic — or particularly customer-friendly.

  • Friti

    I'm afraid you didn't completely understand what I meant to say. I am not putting all the blame with the land owner, nor with the grid owner. Jack/John is wrong for abusing build rights. Plain and simple. But at the same time, landowners do have the responsibility to make a reasonable effort to prevent abuse.
    The comparison to a RL store is a valid one, but all stores have security measures in place in an effort to try and withhold less honest people from running off with the merchandise. If a store chooses to forego on these measures, then what will their insurance company say when after closing time, someone tries the door, finds it unlocked, then proceeds to plunder the store? How will the judge rule, if it ever came to a court case? I am sure that the verdict will be rather disappointing to the plaintiffs.

    As for the security overkill, the tools are already in place, and if it is not absolutely necessary to have building enabled for everyone (one such case would be a sandbox) then simply do not allow all visitors to build.
    This is not an extreme security measure, it's common sense on every grid out there.
    You can do a lot without immediately going to extremes.

    • Friti — Sounds like we're in agreement then and civility triumphs. I feel… a little disappointed. All jazzed up for a big fight, and nowhere to go. Maybe I can head over to the SpotON3D discussions… or just lay off the caffeine! 🙂

  • Friti

    I'm afraid I sent off my last comment incomplete, because I have neglected to say that I feel that banning this Jack/John was the right thing to do. It's a griefer, and had he not been banned, who knows how his actions and griefing would have escalated? A person like that should have no place on any grid, anywhere. Period. What he did was wrong, and banning him is what he deserved.

    Still, griefers will use whatever opening they will get, and landowners should at all times be aware of this, and anticipate this. No matter how nice and peaceful their favorite grid is. There is a bad apple in every basket.

  • This guy, that registered in Craft many times with several names (Pork One, Jack Marioline, Pieddiporc etc.) for many months has attacked Craft, he has a mobile connection with Vodafone Italy, but he is not a serious hacker, he just moves the objects that have permissions for that or fills sandboxes with physical balls. What we did has been to move sandboxes in isolated island and to close all sandboxes in mainland, and check all object permissions.
    They are not bots, we have met him several times, he is just a disturbed brain who has nothing better to do in his life, and says what he makes is art… well, there are also people like this.
    Licu Rau (Raffaele Macis) Craft-World

  • Jack Marioline has also attacked 3DMee (formerly Openlife Grid).

    He's found regions where even a small area has build turned on (for operational reasons) and has created non-phantom linked objects (you can link up to 256 on the grid) and therefore in at least 1 instance I encountered, almost entirely covered the region. This is regardless of the fact that the vast majority of the region was set to no build.

    He wouldn't be able to get a bot operating in 3DMee, so it's an avatar with an anti-social individual behind it. It's more annoying than anything else – no big deal to remedy. I suppose while these sad little people are doing harmless damage in virtual worlds, they're not out doing serious damage in the real one – something that may have far more than annoying consequences.

  • fabrice

    Just for your info: Jack Marioline has also attacked ( adrans-world ) by using hypergrid from francogrid. TAKE care this guy is named “pork marioline” now and the email extension is .it ( from Italy ) ip – IP 37.182.89.234

  • Just had him in Metropolis. Annoying little fart-)) Jack.Marioline @virtualrealmsgrid.com:8002

  • Aha. So that’s it. Aye, I get this ‘bot (or real user, whatever) every other month or so. He just does something actually funny: “blowing up” buildings, so that its parts are floating all over the place. Except for one region, now lost forever, I had backups of all others, so it’s just a question of patience to restore it as soon as I see the ‘bot entering the grid. I’m blocking the addresses though, even if I suspect that this guy will quickly subvert the protections by finding other addresses to log in through.

    • I can add two further IP addresses for “Jack.Marioline”: 71.183.218.108 (Verizon) and 139.153.253.214 (University of Stirling, UK).

      One of these days, we’ll need something like Spamhaus for OpenSimulator 🙁 You know what I mean: a central database, where griefers’ IP addresses/usernames are submitted, and then distributed to be part of the “AllowExcept” list under Robust.HG.ini (should be easy to tweak the module so that the list is fetched from a remote server).

      The problem, of course, is to set up a legitimate service… because that’s always the trouble, when such anti-spam/anti-griefing services are run by “black box” organisations, used by thousands, and accept all kinds of submissions without a way to easily revert “false positives”.

      Alas, we live in a sad world.

      • Hannah

        As you pointed out, any centralized service like that would end up being hijacked in pretty short order to serve someone’s commercial or political interests. That tends to be the problem with any sort of “filtering” service, whether you’re talking spam filters or “family filters” - they end up filtering things that are outside of their scope for the sake of fulfilling whatever their agenda is.

        It might be possible to set up either one in an open-source manner, using a subscription-based model where users could look over a list of blocked sites in order to ensure the integrity of the list themselves (no mean feat, of course!) before loading it into the filtering software. Since we’ve only had the one (admittedly persistent) griefer hit the metaverse I don’t believe that there’s a huge urgent need to set up a Spamhaus-style operation quite yet.

        In the end, I’d prefer to use my tools to filter out annoyances than to trust the benevolence of someone handing me a biased filter.

        • You’re right, @Hannah. It would only make sense if this grows out of proportion… but, fortunately for now, it simply isn’t the case: the OpenSimulator community is too small to attract many griefers, I guess. That’s good!

  • Joe Builder

    pork marioline is all over the place, he hit aviworlds on many occasions

  • Nick Zwart

    He still is active. Just visited my 3DLES grid and left some balls. And still uses his own name. Jack.Marioline @198.50.148.93