This probably doesn't have anything to do with OOTP at all, and you likely should talk to your service providers or, if things get really bad, the proper authorities for assistance.
Starting at some point last year, people started heavily using invisible iframes to inject trojans into people's computers. The way it worked is they would use some exploit on the web server or an application on that server to break in enough to post an additional ****** on the site's main page that no one would notice because it is invisible (no picture or anything). Everything that ****** did was behind the scenes by instructing the user who browsed that webpage to go to some other compromised site and download an infected trojan.
I know a very common one was to utilize a RealPlayer exploit, where the ****** would have the user's browser download a file that would launch RealPlayer and make use of that exploit. There have been other recent ones that attack flaws in Adobe Acrobat Reader (.pdf files) and other applications.
Users who kept their RealPlayer, Adobe, OS, and other applications up to date usually were not infected by this, but most users are poor about keeping security patches for their OS or applications and they got infected from it.
I work for a company that develops anti-virus software, and there was a memo that went around in the spring that said there were over 200,000 infected sites using this type of attack and that number was growing extremely fast. phpBB was originally one of the targeted services that the attackers would use to put the initial ****** on the site. I am sure they have found other similar vulnerabilities in other scripts or programs.
As far as end users go, users that use Firefox with NoScript, for instance, are not fully protected, as by default NoScript allowed iframes. Those users should go into the NoScript settings and make sure to explicitly say not to allow iframes either (unless they override it). I am less familiar with Internet Explorer, but I understand there are ways to protect yourself there as well.
As for the server admins, that is tougher; you really need to look through the logs and find what they are actually exploiting to put the ****** up in the first place and shut that application down until you can upgrade to a fixed version.
Anyhows, I highly doubt this has anything to do with OOTP, and these attackers have just started getting to OOTP sites now. They used to hit MMOPG sites very heavily, especially the heavier played ones (I don't play MMOPGs so can't give which games as specifics I fear), but I know there were reports of this attack being used to steal MMOPG characters in Warcraft, which they would then sell, and other various things.
Sorry I don't have more help for you, but hoped by explaining the history of this type of attack, it might be able to provide you direction to fix it.
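Added example, not part of the original post: alongside the log review described above, a site admin can audit the served pages themselves for the invisible iframes the post describes. This Python sketch flags iframes that are zero-sized, hidden by inline style, or load from another host; the class and function names and the `league.example` / `unknown-host.example` hosts in the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style patterns that hide an element from the visitor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![-\w])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

class IframeAuditor(HTMLParser):
    """Collects iframes that are invisible or point off-site."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        reasons = []
        # A width or height attribute of 0 or 1 pixel renders nothing visible.
        if any(a.get(d) in ("0", "1", "0px", "1px") for d in ("width", "height")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        # Relative src values have no hostname and count as same-site.
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if host and host != self.site_host:
            reasons.append("off-site")
        if reasons:
            self.findings.append((self.getpos()[0], a.get("src", ""), reasons))

def audit_page(html, site_host):
    """Return (line, src, reasons) for each suspicious iframe in html."""
    auditor = IframeAuditor(site_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page: one legitimate same-site frame, one injected frame.
SAMPLE = """<html><body>
<h1>League home</h1>
<iframe src="https://league.example/standings" width="600" height="400"></iframe>
<iframe src="http://unknown-host.example/x" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, src, reasons in audit_page(SAMPLE, "league.example"):
        print(f"line {line}: {src} -> {', '.join(reasons)}")
```

A hit tells you which page was modified; the modification time of that file then narrows the window of server log entries to review.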