Project was just hacked

My project was hacked.
When I closed my computer this random anonymous guy detected I wasn't active and edited the code.
It's called onlinux.glitch.me.

Clarification: Well, I did cd /t/t/t; && was disabled, ; was also disabled. That meant he would be stuck in the /t/t/t directory. And he accessed the project, which is different from someone abusing the terminal.

I just saw an anonymous person logging stuff in assets/some random file name which could contain private data. He also was able to see my previous terminal history :0 and recover the file while I was inactive after a rewind. Gosh, he even disabled my restrictions that restrict commands, but I added them back and backed it up again.

mate, you realise the project is a literal terminal? there aren't some nice people on here, tbh. You should've expected someone to do somethin like that.

2 Likes

Well, I did cd /t/t/t; && was disabled, ; was also disabled. That meant he would be stuck in the /t/t/t directory.
And he accessed the project, which is different from someone abusing the terminal.

mate, just roll back the project, or get glitch support to roll it back to a set time you know it was last working…

It's rewound, but that doesn't mean we should let the hackers hack us.

… mate, it’s a terminal, any person can just waltz on over to the project web page, and run rm -rf *

2 Likes

that would work only on /t/t/t, not the /app directory, and it wouldn't show up on the rewinds, and ; and && were disabled.

unless you somehow manage to make the perfect anti-grief function in php, it will always be that way.

I'm gonna remix the project, gimme a min, I'll try to provide ya with a solution to your predicament

1 Like

well 1: [image]

it needs to be ~/t/t/t/

Ya know what, instead of me just trouble shootin the whole thing, I’ll join de project to help ya

1 Like

@mayank1234cmd you don’t want to say who you think did it because that could come off as rude :confused:

1 Like

@mayank1234cmd, before your post gets flagged for name-shaming (which is not allowed on this forum), I advise you to remove the part where you accuse other users.

5 Likes

The only way someone can “hack” you is if they got your git url. This was most likely a staff member. If your project is warned too many times, staff may take a look inside your project. But not to jump to conclusions. This could happen for a lot of things. The probability of you being hacked is not that big. It is really small.

OK, I get it, but still, they removed the "security feature" that disabled some commands. I don't see why that would happen.

The projects are hosted on AWS. It would be a lot easier to look at it from a project view than a terminal.

1 Like

Your project is at a big risk for bash injections, you should review user input before it is entered.

4 Likes

If this feature was seen as 'social engineering', it means that Glitch needs to remove it under the rules set by their hosting provider, AWS. Could you tell us exactly how the feature worked? Did it contain anything that could be against Glitch or AWS ToS?

Here's the code:

<?php
// Lemme think here for a bit, defending an online terminal from the directory commands is atrocious work
// idea: idea! convert command to array and check if array[1] is == cd, rm, or array contains > or >>
//hmm, could be doable, but at the same time, maybe not
$s = $_GET['command'];
$s = explode(" ", $s);
// NOTE: only the first word is checked; the raw $_GET['command'] still reaches shell_exec() below.
if ($s[0] == "cd") {
  echo "restricted";
} elseif ($s[0] == "rm") {
  echo "restricted";
} elseif ($s[0] == "rmdir") {
  echo "restricted";
} elseif ($s[0] == "cat") {
  echo "restricted";
} else {
  echo nl2br(htmlspecialchars(shell_exec("cd ~/t/t/t/ && echo " . $_GET['command'])));
}
?>

These were replaced with:
</p><?php echo nl2br(htmlspecialchars(shell_exec("cd /t/t/t; " . $_GET['command']))); ?> </div>
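Both versions above hand the raw request string to a shell, so the denylist on the first word decides nothing. As an added example (not the thread author's code), here is the same handler rewritten as an allowlist that never invokes a shell at all; the sandbox directory and the permitted command list are assumed placeholders, and it relies on PHP 7.4+ array-form proc_open().

```php
<?php
// Added example, not the original project's code. Assumed values: SANDBOX_DIR and ALLOWED_CMDS.
declare(strict_types=1);

const SANDBOX_DIR  = '/app/t/t/t';                       // assumed sandbox path
const ALLOWED_CMDS = ['ls', 'pwd', 'echo', 'date', 'whoami']; // assumed permitted programs

/** Returns HTML-escaped output, or a short refusal message. The input never reaches sh -c. */
function runRestrictedCommand(string $input): string
{
    $input = trim($input);
    // Conservative charset: letters, digits, space, dot, underscore, dash, slash.
    // Everything a shell would interpret (; && | > < ` $ ( ) newline) is refused outright.
    if ($input === '' || !preg_match('~^[A-Za-z0-9 ._/-]+$~', $input)) {
        return 'restricted: invalid characters';
    }
    $argv = preg_split('/\s+/', $input);
    // Allowlist the program itself: cd, rm, cat and anything unknown are refused by default,
    // instead of trying to enumerate every dangerous command in a denylist.
    if (!in_array($argv[0], ALLOWED_CMDS, true)) {
        return 'restricted: command not allowed';
    }
    // Arguments may not climb out of the sandbox: no absolute paths, no '..' segments.
    foreach (array_slice($argv, 1) as $arg) {
        if ($arg[0] === '/' || strpos($arg, '..') !== false) {
            return 'restricted: path outside sandbox';
        }
    }
    // Array form of proc_open() (PHP >= 7.4) executes the program directly, without a shell,
    // so even a metacharacter that slipped past the regex would be a literal argument.
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes, SANDBOX_DIR);
    if (!is_resource($proc)) {
        return 'error: could not start process';
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return nl2br(htmlspecialchars($out, ENT_QUOTES, 'UTF-8'));
}

echo runRestrictedCommand($_GET['command'] ?? '');
```

The allowlisted programs still run as the web app's own user, so the real boundary is the process and filesystem isolation the host gives the project, not this filter.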

You probably shouldn’t be accepting user input as users could obfuscate their input.

4 Likes

I don’t think you even need to obfuscate your input.

echo "deleteing your project now" | rm -rfv /app
3 Likes