Bmrf.us hijack?

Regarding bmrf.us, a website related to the arg.


Maybe they finally realized their ARG was poorly designed and let the domain expire

The bmrf.us domain was recently renewed. It’s still registered to Josh Hubi, Crowbar Collective, now with an expiration date of 2018-09-19.

At some point (I believe in 2015 in conjunction with the Steam Release) they started using Cloudflare for the bmrf.us site, which they were already using for “www.blackmesasource.com” and “forums.blackmesasource.com”. Cloudflare is a service that accelerates and protects websites by redirecting traffic bound for the original server hosting the site to its vast array of endpoint servers located in datacenters across the globe. This means that the original server is completely hidden and protected behind Cloudflare’s network. In order for this to work, the authoritative name server (DNS) records for the domain must be set up to point to the designated DNS servers assigned to your account by Cloudflare, as part of the initial process of setting up your website with Cloudflare.

Based on past “investigations”, I know the real IP address of the actual server hosting the bmrf.us site. I’ve checked it out, and it’s still serving the bmrf.us and terminal.bmrf.us pages from October, 2016. The same server also seems to be the one hosting the forum. So, obviously, it’s not the server that’s been hacked.

The problem lies in the Cloudflare side of things. Either the Cloudflare account for bmrf.us was compromised, or it expired (maybe due to a delinquent payment if they were using a paid plan). If it expired, then someone else could in theory have registered bmrf.us with Cloudflare and set it up to point to their server. However, this shouldn’t be possible since Cloudflare has a system of name servers encoded with names where you have to confirm ownership of the domain by changing your domain’s DNS records to point to the name servers assigned to your account by Cloudflare. But maybe there’s a grace period. The bmrf.us domain registration still points to the name servers tom.ns.cloudflare.com and erin.ns.cloudflare.com, and if you ask the nameservers responsible for the .us TLD, they correctly state that the ‘tom’ and ‘erin’ name servers are the authoritative name servers for bmrf.us.

A week ago, ‘tom’ and ‘erin’ stopped responding to requests about bmrf.us. That’s when the bmrf.us site became unreachable and seemed offline. That changed a few days later. If you now query ‘tom’ or ‘erin’ about bmrf.us, they say that nora.ns.cloudflare.com and trey.ns.cloudflare.com are the authoritative name servers for bmrf.us, and if you query those name servers for the IP address of “bmrf.us” or “www.bmrf.us”, they return two Cloudflare IP addresses which serve the hijacker’s site. I don’t know how this is possible since the hijackers clearly can’t prove ownership of bmrf.us. If there’s a grace period, I would expect Cloudflare to delete the bmrf.us records from their name servers when the grace period has expired. But what’s to stop the hijackers from exploiting the grace period by registering another fake account and doing it over and over again? In any case, it’s indicative of a serious security flaw in Cloudflare’s systems which allows anyone to hijack the websites of expired Cloudflare accounts, until the true owners of the domains re-activate their accounts or change the name server records in their domain registration to something other than Cloudflare’s name servers.
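The delegation walk described in the post above, turned into a check a domain owner could run against recorded answers. This is an added example, not code from the thread or from Cloudflare; the snapshot, the `Hop` structure and the IP addresses are constructed to mirror what the poster observed (registrar and .us TLD delegate to tom/erin, tom/erin hand off to nora/trey, and nora/trey return different A records).

```python
"""Audit a recorded DNS delegation chain for the kind of hand-off the
thread describes. Added example, not code from the thread or from
Cloudflare. The IP addresses below are constructed placeholders."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Hop:
    queried: str                 # who answered: registrar, TLD, or an NS host
    ns: frozenset                # NS RRset it returned for the zone
    a: frozenset = frozenset()   # A records it returned for the apex, if any

def provider(ns_host: str) -> str:
    """'tom.ns.cloudflare.com' -> 'ns.cloudflare.com' (same DNS operator)."""
    return ".".join(ns_host.rstrip(".").split(".")[1:])

def audit_delegation(chain, baseline_a=frozenset()):
    """Walk the chain top-down; each hop's NS set should match the set
    that pointed us to it. Returns a list of human-readable findings."""
    findings = []
    expected = chain[0].ns
    for hop in chain[1:]:
        if hop.ns != expected:
            same_operator = {provider(n) for n in hop.ns} == {provider(n) for n in expected}
            kind = ("re-delegated inside the same DNS operator (check the hosting account)"
                    if same_operator else "delegation mismatch")
            findings.append(f"{hop.queried}: {kind}: {sorted(expected)} -> {sorted(hop.ns)}")
        if hop.a and baseline_a and hop.a != baseline_a:
            findings.append(f"{hop.queried}: A records changed: {sorted(baseline_a)} -> {sorted(hop.a)}")
        expected = hop.ns
    return findings

# Constructed snapshot mirroring the thread's observations.
TOM_ERIN = frozenset({"tom.ns.cloudflare.com", "erin.ns.cloudflare.com"})
NORA_TREY = frozenset({"nora.ns.cloudflare.com", "trey.ns.cloudflare.com"})
OLD_A = frozenset({"203.0.113.10", "203.0.113.11"})    # placeholder: earlier answers
NEW_A = frozenset({"198.51.100.20", "198.51.100.21"})  # placeholder: answers after the hand-off

SNAPSHOT = [
    Hop("registrar (WHOIS)", TOM_ERIN),
    Hop("us. TLD servers", TOM_ERIN),
    Hop("tom.ns.cloudflare.com", NORA_TREY),
    Hop("nora.ns.cloudflare.com", NORA_TREY, NEW_A),
]

if __name__ == "__main__":
    for line in audit_delegation(SNAPSHOT, OLD_A):
        print(line)
```

A healthy chain produces no findings; the first finding is the signal the poster describes, a zone that stays on the same operator's name servers but is now answered by different hosts than the registrar delegates to.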

Have no devs responded on this?

I know the response, “Xen is the priority.”
Amirite :wink:

Yeah, you're right. Xen is a higher priority than the arg.

Especially when you consider that no one has been able to figure out the ARG.

Thank you so very much for reporting this issue. Without going into detail, there was an issue over at CloudFlare that resulted in the domain in question being attached to an unauthorized account. The issue has since been resolved.

Hubicorn to the rescue again!

Founded in 2004, Leakfree.org became one of the first online communities dedicated to Valve’s Source engine development. It is more famously known for the formation of Black Mesa: Source under the 'Leakfree Modification Team' handle in September 2004.