
MrData spamming the channels #6

Open
Nos78 opened this issue May 22, 2019 · 2 comments
Nos78 (Owner) commented May 22, 2019

Someone was able to misappropriate MrData, and use it to send spam.

Initial investigation reveals that it was probably via the discord API bot token, which is used to verify the bot's identity. With this token, any malicious piece of code can log in as the bot and run its own code.

So I have changed the token. The token should not be stored in version control (and indeed, it isn't...) but there was a version of config-secret.json and the initial version of config.json that had the bot's token in it.

It is no coincidence that the spam started occurring on the same day and not five minutes after I made the repository public!

Check the code base to ensure there is nothing compromised, and additionally, add some logging for every command being executed.

Nos78 added a commit that referenced this issue May 23, 2019
…t, allowing for every command executed to be logged in a file, with a timestamp. This will allow the sysadmin to view the log file and see what commands have been issued.
Nos78 (Owner, Author) commented Aug 24, 2020

The bot token was again published by mistake to github.

Discord has been improved since this issue last arose, and so, within the discord software, I was instantly notified that my bot token had been published to the Internet. What a cool feature! They automatically rotated my secret key, so I had to modify the config.

I need a way of stopping config-secret.json from accidentally being uploaded.

Nos78 added the "bug (Something isn't working)" label Aug 24, 2020
Nos78 self-assigned this Aug 24, 2020
Nos78 (Owner, Author) commented Aug 24, 2020

Okay, having done a few Google searches, it appears that whilst there are ways to lock a particular file from being changed, the most sensible method appears to use a template file (which is effectively what I am doing) with the extension .TMPL, and in the install instructions or script, you rename the file to its correct name.

So:

  1. Rename the blank config-secret.json to be config-secret.json.TMPL
  2. Remove config-secret.json from the repository so that it is untracked. That should prevent the file being accidentally committed, since I'm not going to manually add it back!
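A pre-commit guard for the layout described in the two steps above (blank `config-secret.json.TMPL` tracked in git, real `config-secret.json` untracked), as an added example that is not part of the MrData repository or this thread. It enforces two rules: the real secrets file must never be staged, and the tracked template must not contain filled-in values. The secret-bearing key names are assumed by substring (`token`, `password`, `secret`) because the config's actual keys are not shown here, and the sample files it writes are constructed. Alongside the hook, a `config-secret.json` line in `.gitignore` stops the file from being staged by a plain `git add .` in the first place.

```python
"""Added example: a pre-commit guard for the config-secret.json / .TMPL layout.

Rules enforced:
  1. config-secret.json (the real, untracked secrets file) must never be staged.
  2. config-secret.json.TMPL (the blank copy kept in git) must contain no
     filled-in secret-looking values, so a template edited in place cannot
     leak a bot token or database password.
"""
import json
import os
import subprocess
import sys
import tempfile

SECRET_FILE = "config-secret.json"
TEMPLATE_FILE = SECRET_FILE + ".TMPL"
# Substrings that mark a key as secret-bearing. Assumed; the real key names in
# the bot's config are not shown on the issue page.
SECRET_KEY_MARKERS = ("token", "password", "secret")


def filled_secret_keys(path):
    """Return dotted key paths in a JSON file whose name looks secret-bearing
    and whose value is non-empty. Unreadable or non-JSON input yields []."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return []
    found = []

    def walk(node, prefix):
        if isinstance(node, dict):
            for key, value in node.items():
                name = prefix + str(key)
                if isinstance(value, (dict, list)):
                    walk(value, name + ".")
                elif any(m in key.lower() for m in SECRET_KEY_MARKERS) and value not in ("", None):
                    found.append(name)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, prefix + str(i) + ".")

    walk(data, "")
    return found


def offending(staged_paths, root="."):
    """Return (path, reason) pairs for staged paths that must not be committed."""
    problems = []
    for rel in staged_paths:
        base = os.path.basename(rel)
        if base == SECRET_FILE:
            problems.append((rel, "real secrets file is staged; keep it untracked and in .gitignore"))
        elif base == TEMPLATE_FILE:
            filled = filled_secret_keys(os.path.join(root, rel))
            if filled:
                problems.append((rel, "template has filled-in secrets: " + ", ".join(filled)))
    return problems


def staged_files():
    """Paths added or modified in the index (needs git; used when run as a hook)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=AM"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [line for line in out.splitlines() if line]


def run_demo():
    """Exercise both rules on constructed files in a temp dir; no git required."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "leaked"))
    # Constructed sample: a correctly blank template at the repository root ...
    with open(os.path.join(root, TEMPLATE_FILE), "w", encoding="utf-8") as fh:
        json.dump({"token": "", "db": {"user": "constructed-user", "password": ""}}, fh)
    # ... and one where real-looking values were pasted into the template.
    with open(os.path.join(root, "leaked", TEMPLATE_FILE), "w", encoding="utf-8") as fh:
        json.dump({"token": "CONSTRUCTED-NOT-A-REAL-TOKEN",
                   "db": {"user": "constructed-user", "password": "constructed-db-password"}}, fh)
    staged = [TEMPLATE_FILE, "leaked/" + TEMPLATE_FILE, "lib/admin.js", SECRET_FILE]
    return offending(staged, root)


def main():
    problems = offending(staged_files())
    for path, reason in problems:
        print("refusing commit: %s: %s" % (path, reason), file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Saved as `.git/hooks/pre-commit` (executable) it runs on every commit and exits non-zero when a rule is broken; `run_demo()` shows the same checks against the constructed files, flagging the leaked template's `token` and `db.password` keys and the staged `config-secret.json`, while leaving ordinary source files alone.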

Nos78 added a commit that referenced this issue Aug 25, 2020
!removeuser allows the removal of redundant users - this requires further testing as it is a complicated query

Resolves issue #6
config-secret.json.TMPL is now separate from the actual json file, which can now be untracked. This will prevent further accidental commits of sensitive database passwords and bot tokens! The README.md should be updated to provide instructions on renaming this file during installation.

There are new library functions, including some admin functions (isPrivileged, hasPermission, getGuild, getMember) which replace duplicated code. These duplications will be refactored in later commits.