MrData spamming the channels #6
Comments
…t, allowing for every command executed to be logged in a file, with a timestamp. This will allow the sysadmin to view the log file and see what commands have been issued.
The bot token was again published by mistake to GitHub. Discord has been improved since this issue last arose, and so, within the Discord software, I was instantly notified that my bot token had been published to the Internet. What a cool feature! They automatically rotated my secret key, so I had to modify the config. I need a way of stopping config-secret.json from accidentally being uploaded.
Okay, having done a few Google searches, it appears that whilst there are ways to lock a particular file from being changed, the most sensible method appears to be to use a template file (which is effectively what I am doing) with the extension .TMPL, and in the install instructions or script, you rename the file to its correct name. So:
!removeuser allows the removal of redundant users - this requires further testing as it is a complicated query. Resolves issue #6: config-secret.json.TMPL is now separate from the actual json file, which can now be untracked. This will prevent further accidental commits of sensitive database passwords and bot tokens! The README.md should be updated to provide instructions on renaming this file during installation. There are new library functions, including some admin functions (isPrivileged, hasPermission, getGuild, getMember) which replace duplicated code. These duplications will be refactored in later commits.
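The template-and-rename scheme from the comment above and the commit message, written out as an added install-script example; this is not code from the MrData repository, and it assumes the file names config-secret.json.TMPL and config-secret.json from the thread plus a .gitignore entry for the real file.

```shell
#!/bin/sh
# Added example, not part of the MrData project: install-time handling of the
# config-secret.json.TMPL template so the real secret file is created locally
# and never ends up in version control.

# Copy the template to its real name only if the real file does not exist yet,
# so re-running the installer never clobbers a configured secret file.
# Returns 0 if created, 2 if the real file already existed, 1 on bad input.
install_secret_config() {
    tmpl="$1"
    target="${tmpl%.TMPL}"   # config-secret.json.TMPL -> config-secret.json
    [ "$target" != "$tmpl" ] || { echo "expected a .TMPL file: $tmpl" >&2; return 1; }
    [ -f "$tmpl" ] || { echo "missing template: $tmpl" >&2; return 1; }
    if [ -e "$target" ]; then
        echo "$target already exists, leaving it untouched" >&2
        return 2
    fi
    cp "$tmpl" "$target"
    chmod 600 "$target"      # the real file holds the bot token: owner-only
    echo "created $target from $tmpl; fill in the real token before starting the bot"
}

# Confirm the real file is ignored so it cannot be staged by accident.
# Uses git check-ignore when run inside a repository; otherwise falls back to
# a literal match against the .gitignore next to the file.
secret_is_ignored() {
    target="$1"
    dir=$(dirname "$target")
    name=$(basename "$target")
    if command -v git >/dev/null 2>&1 && git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        git -C "$dir" check-ignore -q "$name"
    else
        grep -qxF "$name" "$dir/.gitignore" 2>/dev/null
    fi
}

# Usage: sh install.sh path/to/config-secret.json.TMPL
if [ "$#" -gt 0 ]; then
    install_secret_config "$1" || exit $?
    secret_is_ignored "${1%.TMPL}" || echo "warning: ${1%.TMPL} is not git-ignored" >&2
fi
```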
Someone was able to misappropriate MrData, and use it to send spam.
Initial investigation reveals that it was probably via the Discord API bot token, which is used to verify the bot's identity. With this token, any malicious piece of code can log in as the bot and run its own code.
So I have changed the token. The token should not be stored in version control (and indeed, it isn't...) but there was a version of config-secret.json and the initial version of config.json that had the bot's token in it.
It is no coincidence that the spam started occurring on the same day and not five minutes after I made the repository public!
Check the code base to ensure there is nothing compromised, and additionally, add some logging for every command being executed.