12-12-2008, 10:46 AM | #121 |
All Star Reserve
Join Date: Jan 2006
Posts: 868
|
While in the end it was not the culprit, I finally got around to patching OOTPOU with the security hole I found. The patch link is in my sig.
__________________
Get the OOTP Online Utilities for online leagues! Includes Gamecast, Development, Live Sims, Voting and more. Check here for more details |
12-12-2008, 10:49 AM | #122 |
All Star Reserve
Join Date: Feb 2007
Posts: 925
|
Thanks very much Getch! I'll be patching right away.
|
12-12-2008, 05:04 PM | #123 |
All Star Reserve
Join Date: Jan 2006
Posts: 868
|
Eh... make sure it says patch 3.0.1. I screwed up the links and it was my old files. I just fixed it.
|
12-12-2008, 11:59 PM | #124 |
Hall Of Famer
Join Date: Nov 2004
Posts: 6,069
|
BIG thank you!!
__________________
Fidel Montoya Asahi2 Baseball ex-Commissioner(Historical League Since 2004) www.allsimbaseball.com (OOTP web hosting - Customized sites for online leagues - Sign up, Connect OOTP and Play!) Share Your Mods - Free, unlimited and easy to upload to share your Mods instantly(free site registration required) |
12-13-2008, 06:45 AM | #125 |
All Star Reserve
Join Date: Feb 2007
Posts: 925
|
Thanks Getch. I didn't even notice until someone had posted in the mods forum thread that it was the wrong version.
|
12-16-2008, 06:38 PM | #126 |
Hall Of Famer
|
Patch was not as successful as I would've liked. Less than a week after it's released, our site was hacked again. I'm not sure what to do anymore.
__________________
From the wise mind of Davey Eckstein "Now all you need is a signature. A quote or initial, perhaps." [ |
12-16-2008, 06:57 PM | #127 | |
Hall Of Famer
Join Date: Mar 2002
Location: In The Moment
Posts: 13,682
|
Quote:
Your website has nothing to do with the game of OOTP, other than the fact you are hosting a league there. If your site is being hacked, you need to be talking to your site host. |
|
12-16-2008, 07:03 PM | #128 | |
All Star Starter
Join Date: Mar 2002
Location: Mass.
Posts: 1,963
|
Quote:
No matter what, the logs will easily provide the site admin a set of footprints that can be followed to know exactly how they got in so you can fix it for next time. |
|
12-16-2008, 07:05 PM | #129 |
Hall Of Famer
Join Date: Nov 2004
Posts: 6,069
|
Guys, more on hacked websites. I've started another thread to get commissioners' attention here: http://www.ootpdevelopments.com/boar...ml#post2638254 |
12-16-2008, 07:14 PM | #130 |
Hall Of Famer
|
I have Firefox. Do all the owners need to be using a different browser or just certain people?
|
12-16-2008, 07:36 PM | #131 | |
All Star Starter
Join Date: Mar 2002
Location: Mass.
Posts: 1,963
|
Quote:
Generally what occurs is the following process:
1) Hacker exploits website code or application in a way to gain access to the webserver.
2) Hacker uploads specific infected code (such as invisible ****** exploits) to the webserver to target more users' computers to infect.
3) Users using insecure browsers, or systems not patched to protect against such infections, have their browser try to load the invisible ****** and thus instead load a trojan of some specific intent.
4) Once the trojan is loaded onto the user's system, it could do an endless number of things depending on what it is programmed to do. Some "call home" and go to a different web server where it downloads new code or "instructions". Those instructions often are then told to set up key loggers or password stealers or endless other things. Other times it will actually launch a worm to try to infect other systems on the same network, etc.
So the link you posted is good advice, but incomplete. Users do need to be smart about what browser they use and how they use it, but they also need to have proper antivirus protection as well as making sure their system regularly stays patched to protect against many of these types of attacks. That doesn't address the original cause of the attack however, where people's websites are being hacked or attacked. |
|
12-16-2008, 08:08 PM | #132 | |
Hall Of Famer
Join Date: Nov 2004
Posts: 6,069
|
Quote:
Not intending to 'put the cart before the horse'. Just intending to pass along information that may have something to do with the recent attacks. If IE is deemed less safe than other browsers and specific evidence, such as the existence of security holes as the article states prove it, then we should probably think about the advice given by the security experts, you being one of them. In fact, in light of the fantastic information you gave us previously in this very thread, I was hoping that you would weigh in as well. Picking your brain helps us all.
|
|
12-17-2008, 04:50 AM | #133 |
Hall Of Famer
Join Date: Dec 2001
Location: Damned Hell
Posts: 2,147
|
Molarmite,
I posted step-by-step instructions on Andreas' thread to fix the issue. Read what Alan T has written down because that's exactly what's happening to you. You (or whoever has access to your site) have a keylogger trojan on your machine that's sending the ftp pw to the hacker. Until the trojan is removed it's pointless to change the pw, 'cause the moment you change it he gets it. Then a piece of software called Mpack inserts the ****** that redirects your "index" or "main" pages to a malware site. Mpack cycles and runs non-stop as long as it has the pw. Thus, you can clean up the code today but will get the ****** again next week.
__________________
The Computer Baseball League |
12-17-2008, 07:28 AM | #134 |
Hall Of Famer
Join Date: Nov 2004
Posts: 6,069
|
Thanks Treches. Excellent and valuable information. You have shed better light on why the same 5 clients of mine keep getting hit while the rest have not.
Molarmite, see his post here: http://www.ootpdevelopments.com/boar...y-problem.html For the most part I have you covered as far as the server side. You need to be absolutely sure to clear your machine of the trojan using his instructions. Then, contact me and we'll go forward with new FTP accounts and passwords. Also, if you have any co-commissioners or anyone else with FTP access, they need to scan their machines as well.
|
12-17-2008, 08:18 AM | #135 | |
All Star Starter
Join Date: Mar 2002
Location: Mass.
Posts: 1,963
|
Quote:
If you are 100% confident that whoever is hacking has the logon/password and is not using any site scripts to hack the server, then you probably have an account that has too much access. Restrict the account in the league file to only having ftp rights to the export/import directory and that should also help keep people from hacking your webpage. |
|
12-17-2008, 08:28 AM | #136 | |
Hall Of Famer
Join Date: Nov 2004
Posts: 6,069
|
Quote:
That said, I continue to see that the hacker is also placing iframes directly into the league reports as well. So I'm afraid that even a restricted FTP account for the game will not stop this cycle.
|
|
12-17-2008, 08:37 AM | #137 | |
Hall Of Famer
Join Date: Nov 2004
Posts: 6,069
|
Quote:
Last edited by f.montoya; 12-17-2008 at 08:38 AM. |
|
12-17-2008, 08:55 AM | #138 | |
All Star Starter
Join Date: Mar 2002
Location: Mass.
Posts: 1,963
|
Quote:
My recommendation is the ftp account/password that is put in the league file does not have access to the folders where the html league reports go. It only has access to ftp to the exports upload directory where the league file also goes. This means that extra work is required in uploading the league html reports, but in this case where a site is compromised several times, I don't think you really have an option here. |
|
12-17-2008, 09:02 AM | #139 |
Hall Of Famer
Join Date: Dec 2001
Location: Damned Hell
Posts: 2,147
|
"That said, I continue to see that the hacker is also placing iframes directly into the league reports as well. So I'm afraid that even a restricted FTP account for the game will not stop this cycle."
-- Correct. Restricted FTP accounts (say the one you place on the downloadable league file) are just to avoid the casual cracker from fooling around, but restrictions don't block Mpack, as it will gain access to the root nevertheless, bypassing the permissions. The only way to block it is erasing the trojan on the user side and then, and only then, changing the pw. |
02-06-2010, 11:20 AM | #140 |
All Star Reserve
Join Date: Feb 2007
Posts: 925
|
I hate to dig up a sore old subject, but it looks like my OOTP Online League website has been attacked again. Yesterday morning a large number of my php files were edited to include the following:
"eval(base64_decode(" with a bunch of gibberish after it. It has caused our SMF forum to start complaining about things, our Wordpress Blog to have problems, and our ootpsqlou utility suite to break. Might want to check your ftp folders for recently updated files. No idea how they gained access this time, although I suspect it was through the forum.
__________________
OOTP X Beta Team |
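One way to run the check suggested in the last post, as an added example that is not part of the thread or of any poster's code: walk a web root and flag files carrying the two markers described above, the `eval(base64_decode(` string in PHP files and iframes inserted into index pages and league reports, noting which flagged files also changed recently. The function name, the file extensions scanned, the seven-day window, and the heuristics for what counts as a hidden iframe are assumptions.

```python
import os
import re
import time

# Markers taken from the thread: PHP files edited to include eval(base64_decode(...)
# and iframes inserted into index pages and league reports.
PATTERNS = {
    "php-eval-base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I),
    # Assumption: an injected iframe is hidden (0/1-pixel size or hidden via style).
    "hidden-iframe": re.compile(
        rb"<iframe\b[^>]*(?:(?:width|height)\s*=\s*[\"']?[01]\b"
        rb"|visibility\s*:\s*hidden|display\s*:\s*none)", re.I),
}
SCAN_EXT = (".php", ".html", ".htm", ".js")  # assumed set of served file types


def scan_webroot(root, recent_days=7, now=None):
    """Return a sorted list of (relative_path, [reasons]) for suspicious files."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
                mtime = os.path.getmtime(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            reasons = [tag for tag, rx in PATTERNS.items() if rx.search(data)]
            # Recency is only an annotation: league reports are re-uploaded
            # often, so a fresh timestamp alone is not flagged.
            if reasons and mtime >= cutoff:
                reasons.append("recently-modified")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for rel, reasons in scan_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {', '.join(reasons)}")
```

A clean result only means these two markers are absent; it says nothing about how the files were changed, which is what the FTP and web server logs mentioned earlier in the thread are for.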