Old 12-12-2008, 10:46 AM   #121
Getch
All Star Reserve
 
Join Date: Jan 2006
Posts: 868
While in the end it was not the culprit, I finally got around to patching OOTPOU with the security hole I found. The patch link is in my sig.
__________________
Get the OOTP Online Utilities for online leagues!
Includes Gamecast, Development, Live Sims, Voting and more.
Check here for more details
Old 12-12-2008, 10:49 AM   #122
gollum65
All Star Reserve
 
Join Date: Feb 2007
Posts: 925
Thanks very much Getch! I'll be patching right away.
Old 12-12-2008, 05:04 PM   #123
Getch
All Star Reserve
 
Join Date: Jan 2006
Posts: 868
Quote (originally posted by gollum65):
> Thanks very much Getch! I'll be patching right away.

Eh... make sure it says patch 3.0.1. I screwed up the links and it was my old files. I just fixed it.
Old 12-12-2008, 11:59 PM   #124
f.montoya
Hall Of Famer
 
Join Date: Nov 2004
Posts: 6,069
Quote (originally posted by Getch):
> Eh... make sure it says patch 3.0.1. I screwed up the links and it was my old files. I just fixed it.

BIG thank you!!
__________________
Fidel Montoya

Asahi2 Baseball ex-Commissioner(Historical League Since 2004)
www.allsimbaseball.com (OOTP web hosting - Customized sites for online leagues - Sign up, Connect OOTP and Play!)
Share Your Mods - Free, unlimited and easy to upload to share your Mods instantly(free site registration required)
Old 12-13-2008, 06:45 AM   #125
gollum65
All Star Reserve
 
Join Date: Feb 2007
Posts: 925
Thanks Getch. I didn't even notice until someone had posted in the mods forum thread that it was the wrong version.
Old 12-16-2008, 06:38 PM   #126
molarmite
Hall Of Famer
 
Join Date: Jul 2005
Location: Minnesota
Posts: 4,893
Blog Entries: 1
Patch was not as successful as I would've liked. Less than a week after it's released, our site was hacked again. I'm not sure what to do anymore.
__________________
From the wise mind of Davey Eckstein

"Now all you need is a signature. A quote or initial, perhaps."


Old 12-16-2008, 06:57 PM   #127
Bluenoser
Hall Of Famer
 
Join Date: Mar 2002
Location: In The Moment
Posts: 13,682
Quote (originally posted by molarmite):
> Patch was not as successful as I would've liked. Less than a week after it's released, our site was hacked again. I'm not sure what to do anymore.

All the patch does is prevent hacking of the game. OOTP will never release a patch that prevents hacking of your website.

Your website has nothing to do with the game of OOTP, other than the fact you are hosting a league there. If your site is being hacked, you need to be talking to your site host.
Old 12-16-2008, 07:03 PM   #128
Alan T
All Star Starter
 
Join Date: Mar 2002
Location: Mass.
Posts: 1,963
Quote (originally posted by molarmite):
> Patch was not as successful as I would've liked. Less than a week after it's released, our site was hacked again. I'm not sure what to do anymore.

If the attempt just occurred, you should have log files available to you that are very recent. My suggestion is still the same as originally mentioned. Those log files will tell the site admin exactly what was hacked on the server and how the attempt occurred. If it was exploiting some other site script, it will say so. If it was by knowing the FTP account/password that gives full site access then I would still suggest what I said before about using an account solely for team exports on the site that has no HTML access.

No matter what, the logs will easily provide the site admin a set of footprints that can be followed to know exactly how they got in so you can fix it for next time.
Old 12-16-2008, 07:05 PM   #129
f.montoya
Hall Of Famer
 
Join Date: Nov 2004
Posts: 6,069
Guys, more on hacked websites. I've started another thread to get commissioners' attention here: http://www.ootpdevelopments.com/boar...ml#post2638254
Old 12-16-2008, 07:14 PM   #130
molarmite
Hall Of Famer
 
Join Date: Jul 2005
Location: Minnesota
Posts: 4,893
Blog Entries: 1
I have Firefox. Do all the owners need to be using a different browser or just certain people?
Old 12-16-2008, 07:36 PM   #131
Alan T
All Star Starter
 
Join Date: Mar 2002
Location: Mass.
Posts: 1,963
Quote (originally posted by f.montoya):
> Guys, more on hacked websites. I've started another thread to get commissioners' attention here: http://www.ootpdevelopments.com/boar...ml#post2638254

Fidel, not trying to be disrespectful here, but I think you are putting the cart before the horse here.

Generally what occurs is the following process:

1) Hacker exploits website code or application in a way to gain access to the webserver.
2) Hacker uploads specific infected code (such as invisible ****** exploits) to the webserver to target more users' computers to infect.
3) Users using insecure browsers, or systems not patched to protect against such infections, have their browser try to load the invisible ****** and thus instead load a trojan of some specific intent.
4) Once the trojan is loaded onto the user's system, it could do an endless number of things depending on what it is programmed to do. Some "call home" and go to a different web server where it downloads new code or "instructions". Those instructions often are then told to set up key loggers or password stealers or endless other things. Other times it will actually launch a worm to try to infect other systems on the same network, etc.

So the link you posted is good advice, but incomplete. Users do need to be smart about what browser they use and how they use it, but they also need to have proper antivirus protection as well as making sure their system regularly stays patched to protect against many of these types of attacks.

That doesn't address the original cause of the attack however, where people's websites are being hacked or attacked.
Old 12-16-2008, 08:08 PM   #132
f.montoya
Hall Of Famer
 
Join Date: Nov 2004
Posts: 6,069
Quote (originally posted by Alan T):
> Fidel, not trying to be disrespectful here, but I think you are putting the cart before the horse here.
>
> Generally what occurs is the following process:
>
> 1) Hacker exploits website code or application in a way to gain access to the webserver.
> 2) Hacker uploads specific infected code (such as invisible ****** exploits) to the webserver to target more users' computers to infect.
> 3) Users using insecure browsers, or systems not patched to protect against such infections, have their browser try to load the invisible ****** and thus instead load a trojan of some specific intent.
> 4) Once the trojan is loaded onto the user's system, it could do an endless number of things depending on what it is programmed to do. Some "call home" and go to a different web server where it downloads new code or "instructions". Those instructions often are then told to set up key loggers or password stealers or endless other things. Other times it will actually launch a worm to try to infect other systems on the same network, etc.
>
> So the link you posted is good advice, but incomplete. Users do need to be smart about what browser they use and how they use it, but they also need to have proper antivirus protection as well as making sure their system regularly stays patched to protect against many of these types of attacks.
>
> That doesn't address the original cause of the attack however, where people's websites are being hacked or attacked.

Thanks Alan T.

Not intending to 'put the cart before the horse'. Just intending to pass along information that may have something to do with the recent attacks. If IE is deemed less safe than other browsers and specific evidence, such as the existence of security holes as the article states prove it, then we should probably think about the advice given by the security experts, you being one of them. In fact, in light of the fantastic information you gave us previously in this very thread, I was hoping that you would weigh in as well. Picking your brain helps us all.
Old 12-17-2008, 04:50 AM   #133
Treches
Hall Of Famer
 
Join Date: Dec 2001
Location: Damned Hell
Posts: 2,147
Molarmite,

I posted step-by-step instructions on Andreas' thread to fix the issue.

Read what Alan T has written down because that's exactly what's happening to you. You (or whoever has access to your site) have a keylogger trojan on your machine that's sending the ftp pw to the hacker. Until the trojan is removed it's pointless to change the pw, 'cause the moment you change it he gets it. Then a piece of software called Mpack inserts the ****** that redirects your "index" or "main" pages to a malware site. Mpack cycles and runs non-stop as long as it has the pw. Thus, you can clean up the code today but will get the ****** again next week.
__________________
The Computer Baseball League
Old 12-17-2008, 07:28 AM   #134
f.montoya
Hall Of Famer
 
Join Date: Nov 2004
Posts: 6,069
Thanks Treches. Excellent and valuable information. You have shed better light on why the same 5 clients of mine keep getting hit while the rest have not.

Molarmite, see his post here: http://www.ootpdevelopments.com/boar...y-problem.html

For the most part I have you covered as far as the server side. You need to be absolutely sure to clear your machine of the trojan using his instructions. Then, contact me and we'll go forward with new FTP accounts and passwords. Also, if you have any co-commissioners or anyone else with FTP access, they need to scan their machines as well.
Old 12-17-2008, 08:18 AM   #135
Alan T
All Star Starter
 
Join Date: Mar 2002
Location: Mass.
Posts: 1,963
Quote (originally posted by f.montoya):
> Thanks Treches. Excellent and valuable information. You have shed better light on why the same 5 clients of mine keep getting hit while the rest have not.
>
> Molarmite, see his post here: http://www.ootpdevelopments.com/boar...y-problem.html
>
> For the most part I have you covered as far as the server side. You need to be absolutely sure to clear your machine of the trojan using his instructions. Then, contact me and we'll go forward with new FTP accounts and passwords. Also, if you have any co-commissioners or anyone else with FTP access, they need to scan their machines as well.

Molarmite, does the FTP account used in the league file have full website access, or only access to the export upload directory?

If you are 100% confident that whoever is hacking has the logon/password and not using any site scripts to hack the server, then you probably have an account that has too much access. Restrict the account in the league file to only having ftp rights to the export/import directory and that should also help keep people from hacking your webpage.
Old 12-17-2008, 08:28 AM   #136
f.montoya
Hall Of Famer
 
Join Date: Nov 2004
Posts: 6,069
Quote (originally posted by Alan T):
> Molarmite, does the FTP account used in the league file have full website access, or only access to the export upload directory?
>
> If you are 100% confident that whoever is hacking has the logon/password and not using any site scripts to hack the server, then you probably have an account that has too much access. Restrict the account in the league file to only having ftp rights to the export/import directory and that should also help keep people from hacking your webpage.

Alan T, Molarmite currently has an all access FTP account. However, his most recent infiltration was only to his forum. Being his webhost, I'd like him to follow your advice in getting his machine scanned for any malware/trojan before we go on to the next steps (such as limited FTP accounts for the game only, etc.). His main site has been untouched since the attacks from last month, but that is not to say it is safe.

That said, I continue to see that the hacker is also placing iframes directly into the league reports as well. So I'm afraid that even a restricted FTP account for the game will not stop this cycle.
Old 12-17-2008, 08:37 AM   #137
f.montoya
Hall Of Famer
 
Join Date: Nov 2004
Posts: 6,069
Quote (originally posted by Alan T):
> If you are 100% confident that whoever is hacking has the logon/password and not using any site scripts to hack the server, then you probably have an account that has too much access. Restrict the account in the league file to only having ftp rights to the export/import directory and that should also help keep people from hacking your webpage.

I am 100% sure that the servers are clean. I spent a month and a half making sure, but what I've seen is that the same clients of mine keep getting hit, even though we made FTP password changes and cleared out every single infected file more than once...in some cases replaced with clean installations and removed databases as well. Why almost all of my clients continue to escape infection seems to be due to the fact that their login info hasn't been obtained by "the bad guys".
Last edited by f.montoya; 12-17-2008 at 08:38 AM.
Old 12-17-2008, 08:55 AM   #138
Alan T
All Star Starter
 
Join Date: Mar 2002
Location: Mass.
Posts: 1,963
Quote (originally posted by f.montoya):
> Alan T, Molarmite currently has an all access FTP account. However, his most recent infiltration was only to his forum. Being his webhost, I'd like him to follow your advice in getting his machine scanned for any malware/trojan before we go on to the next steps (such as limited FTP accounts for the game only, etc.). His main site has been untouched since the attacks from last month, but that is not to say it is safe.
>
> That said, I continue to see that the hacker is also placing iframes directly into the league reports as well. So I'm afraid that even a restricted FTP account for the game will not stop this cycle.

My recommendation is the ftp account/password that is put in the league file does not have access to the folders where the html league reports go. It only has access to ftp to the exports upload directory where the league file also goes.

This means that extra work is required in uploading the league html reports, but in this case where a site is compromised several times, I don't think you really have an option here.
Alan T is offline   Reply With Quote
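
The log review suggested in post #128 and the export-only FTP account recommended in posts #135 and #138 can be checked together. The following is an added example, not code from any poster: it assumes the FTP server writes the common xferlog transfer-log format, and the account name, directory layout and log lines are constructed.

```python
"""Audit an FTP transfer log for writes outside the export directory."""
from collections import namedtuple
from datetime import datetime
from pathlib import PurePosixPath

# Assumptions, not from the thread: account name and directory layout.
EXPORT_ACCOUNT = "leagueexport"
EXPORT_DIR = PurePosixPath("/home/league/exports")

# Constructed sample lines in xferlog format (documentation-range addresses).
SAMPLE_LOG = """\
Tue Dec 16 17:58:10 2008 2 198.51.100.23 58211 /home/league/exports/team_12.ootp b _ i r leagueexport ftp 0 * c
Tue Dec 16 18:12:03 2008 1 203.0.113.7 4312 /home/league/public_html/index.html a _ i r leagueexport ftp 0 * c
Tue Dec 16 18:12:05 2008 1 203.0.113.7 9120 /home/league/public_html/forum/index.php a _ i r leagueexport ftp 0 * c
Tue Dec 16 18:30:41 2008 3 198.51.100.23 88123 /home/league/public_html/reports/standings.html a _ o r leagueexport ftp 0 * c
not a transfer record
"""

Transfer = namedtuple("Transfer", "when host path direction user completed")

def parse_xferlog(text):
    """Yield Transfer records, skipping lines that do not parse."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue
        try:
            when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue
        # The nine trailing fields are counted from the end so that a file
        # name containing spaces does not shift them.
        path = PurePosixPath(" ".join(f[8:-9]))
        yield Transfer(when, f[6], path, f[-7], f[-5], f[-1] == "c")

def writes_outside_export_dir(transfers):
    """Uploads ("i") or deletes ("d") by the export account outside EXPORT_DIR."""
    hits = []
    for t in transfers:
        if t.user != EXPORT_ACCOUNT or t.direction not in ("i", "d"):
            continue
        if EXPORT_DIR not in t.path.parents or ".." in t.path.parts:
            hits.append(t)
    return hits

def by_source_host(hits):
    """Group the offending paths by the client address that wrote them."""
    grouped = {}
    for t in hits:
        grouped.setdefault(t.host, []).append(str(t.path))
    return grouped

if __name__ == "__main__":
    found = writes_outside_export_dir(parse_xferlog(SAMPLE_LOG))
    for host, paths in by_source_host(found).items():
        print(f"{host} wrote outside {EXPORT_DIR}:")
        for p in paths:
            print("   ", p)
```

Any hit means the account stored in the league file can still write to web content, and the source address and timestamps give the starting point for the rest of the log review.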
Old 12-17-2008, 09:02 AM   #139
Treches
Hall Of Famer
 
Join Date: Dec 2001
Location: Damned Hell
Posts: 2,147
"That said, I continue to see that the hacker is also placing iframes directly into the league reports as well. So I'm afraid that even a restricted FTP account for the game will not stop this cycle."
--
Correct. Restricted FTP accounts (say the one you place on the downloadable league file) are just to avoid the casual cracker from fooling around, but restrictions don't block Mpack, as it will gain access to the root nevertheless, bypassing the permissions. The only way to block it is erasing the trojan on the user side and then, and only then, changing the pw.
Old 02-06-2010, 11:20 AM   #140
gollum65
All Star Reserve
 
Join Date: Feb 2007
Posts: 925
I hate to dig up a sore old subject, but it looks like my OOTP Online League website has been attacked again. Yesterday morning a large number of my php files were edited to include the following:

"eval(base64_decode(" with a bunch of gibberish after it.

It has caused our SMF forum to start complaining about things, our Wordpress Blog to have problems, and our ootpsqlou utility suite to break.

Might want to check your ftp folders for recently updated files. No idea how they gained access this time, although I suspect it was through the forum.
__________________
OOTP X Beta Team
gollum65 is offline   Reply With Quote
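
The two checks mentioned in post #140 (files containing `eval(base64_decode(` and recently updated files), together with the iframes reported in the league reports in post #136, can be run as one pass over the web root. This is an added example, not part of any post: the hidden-iframe pattern, the file names and the sample site it builds in a temporary directory are constructed assumptions.

```python
"""Scan a web root for injected code and recently modified files."""
import os
import re
import tempfile
import time
from pathlib import Path

SCAN_SUFFIXES = {".php", ".html", ".htm", ".js"}
SIGNATURES = {
    # The PHP wrapper quoted in the post above.
    "eval-base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I),
    # Assumed shape of the injected frame: 0/1-pixel size or hidden by CSS.
    "hidden-iframe": re.compile(
        rb"<iframe\b[^>]*(?:(?:width|height)\s*=\s*[\"']?[01]\b"
        rb"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
}

def scan(root, since_days=7, now=None):
    """Return {relative path: sorted findings} for web files under root."""
    cutoff = (time.time() if now is None else now) - since_days * 86400
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        data = path.read_bytes()
        findings = [name for name, rx in SIGNATURES.items() if rx.search(data)]
        if path.stat().st_mtime >= cutoff:
            findings.append("recently-modified")
        if findings:
            report[path.relative_to(root).as_posix()] = sorted(findings)
    return report

def build_sample_site(root):
    """Write constructed sample files; the two report pages are backdated 90 days."""
    files = {
        # Inert marker: the base64 text decodes to the word "constructed".
        "index.php": b"<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>",
        "forum/Settings.php": b"<?php $boardurl = 'http://example.invalid/forum'; ?>",
        "reports/box_1.html": b"<html><body>box score</body></html>",
        "reports/standings.html": b"<html><body><iframe src='http://example.invalid/'"
                                  b" width=1 height=1></iframe></body></html>",
    }
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    old = time.time() - 90 * 86400
    for rel in ("reports/box_1.html", "reports/standings.html"):
        os.utime(Path(root, rel), (old, old))

def demo():
    """Build the sample site in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan(root)

if __name__ == "__main__":
    for rel, findings in demo().items():
        print(f"{rel}: {', '.join(findings)}")
```

A file that is only "recently-modified" is not proof of tampering, but it is the list to compare against known uploads; modification times can also be reset by whoever changed the file, so the signature matches on old files matter just as much.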