Earlier versions of OOTP: Commissioner's Corner Want to run an online league? Want to learn about the 'ins' and 'outs' of being a commish? This is the place! |
12-23-2008, 10:04 PM | #21 |
Hall Of Famer
Join Date: Dec 2001
Posts: 3,326
|
Sorry if I missed it on all the forum pages dedicated to this issue but can anyone here mention what happens when users click on the hacked OOTP web site pages with the embedded ****** link? I know it's been described as "a malware site" and it "usually" results in a local box scan and a possible key logger, but do we know exactly what this one does?
Also, I guess there is no action we can take using our ftp logs:/. |
12-24-2008, 07:05 AM | #22 | |
Hall Of Famer
Join Date: Dec 2001
Location: Damned Hell
Posts: 2,147
|
Quote:
If you have good and updated security, the redirection to the malware site would be simply blocked (unless, of course, you authorize it), so that's about it. Now, if the redirection is successful you enter the universe of the server that hosts MPack (or similar), which performs in cascade. To do so first it would try to install a downloader trojan to check the system, web browser and firewall for vulnerabilities. Then, depending on the outcome, goes another trojan, and then another, and another. Pretty much all the family, from keyloggers to spammers to backdoors to downloaders. The more outdated the security and unpatched the operational system and browser, the more chances has MPack to be successful. That's all in short.
__________________
The Computer Baseball League |
|
12-25-2008, 02:41 AM | #23 |
Hall Of Famer
Join Date: Dec 2001
Posts: 3,326
|
Thanks Treches - that was pretty helpful. I understand that means there is an additional step after clicking the bad link. My browser blocked the ****** but because these links are on our own sites, I suspect many will not have pop ups etc blocked.
Regarding the hacker... the ****** link insert is being done by a script based on the time of the file updates and the specific target files, but it does not seem likely that a script is looking for encrypted OOTP online league files. That seems like a manual job by someone who is at least aware of this game (enough to know it has an online league mode to it). |
05-19-2009, 11:43 AM | #24 |
Major Leagues
Join Date: Sep 2005
Location: Chicago, IL
Posts: 361
|
apparently this issue is back, at least for me. my sites that use the FTP info from OOTP are getting hacked on a daily basis, and it's getting ridiculous.
__________________
Phil Zuber Beyond the Ivy - Commish, Twins GM Stars and Stripes Baseball League - Cubs GM Bricks and Ivy - Orioles GM Sim Coalition - co-founder |
05-19-2009, 12:05 PM | #25 |
Hall Of Famer
Join Date: Apr 2002
Location: Ft Smith AR
Posts: 2,681
|
|
05-19-2009, 12:07 PM | #26 |
Major Leagues
Join Date: Sep 2005
Location: Chicago, IL
Posts: 361
|
this has definitely been going on longer than a week for me...but i thought it was a server problem and not with me. but it turns out it's OOTP again, as the only sites that get affected on my server (and i have multiple sites) are the ones that share the ootp ftp info.
what can we do about this?????
__________________
Phil Zuber Beyond the Ivy - Commish, Twins GM Stars and Stripes Baseball League - Cubs GM Bricks and Ivy - Orioles GM Sim Coalition - co-founder |
05-19-2009, 12:21 PM | #27 | |
Administrator
Join Date: Jun 2002
Location: Hollern/Stade/Germany
Posts: 8,992
|
Quote:
On our server we got 3 sites hacked last week and it had nothing to do with OOTP online leagues at all. It's either security issues with forum software or a Trojan/Virus/Worm on your computer (or on a GM's computer) which "reads" your FTP login info from the network connection while you (or a GM) uploads or downloads the league file using OOTP. Last edited by Andreas Raht; 05-19-2009 at 12:27 PM. |
|
05-19-2009, 12:26 PM | #28 |
Major Leagues
Join Date: Sep 2005
Location: Chicago, IL
Posts: 361
|
we are not using any CMS software. it's all hand coded html and php pages.
we are using vbulletin, and it is using the latest version. as i mentioned earlier, i host several websites on my server. all of the ootp leagues are housed under 1 domain using subdomains. they all share the same ftp info, and the ftp info gets them into the main domain and then branches from there. the only sites i am having a problem with are those under the main ootp domain. and the only place that ftp info is stored is in the game.
__________________
Phil Zuber Beyond the Ivy - Commish, Twins GM Stars and Stripes Baseball League - Cubs GM Bricks and Ivy - Orioles GM Sim Coalition - co-founder |
05-19-2009, 12:46 PM | #29 |
Hall Of Famer
Join Date: Apr 2002
Location: Ft Smith AR
Posts: 2,681
|
A trojan can read my FTP login info from the OOTP connection to my server, on a GM's computer? Maybe that's what's happened. It's going to be tough to keep everyone in my league trojan-free, I don't know if I can manage that.
|
05-19-2009, 01:14 PM | #30 |
Major Leagues
Join Date: Sep 2005
Location: Chicago, IL
Posts: 361
|
to go another step further with this...a league i used to commish that i am still an active member of that is on a different server, thus obviously not sharing the same ftp info or anything like that for that matter...
has also been hacked. site also uses php and html coding.
__________________
Phil Zuber Beyond the Ivy - Commish, Twins GM Stars and Stripes Baseball League - Cubs GM Bricks and Ivy - Orioles GM Sim Coalition - co-founder |
05-19-2009, 01:44 PM | #31 | |
Global Moderator
Join Date: Nov 2002
Location: Vancouver, Canada
Posts: 10,703
|
Quote:
I think the best a commish can do in such a situation is ask everyone to scan their computers for virii and other malware asap, even suggesting say some scanning programs (I use avast and superantispyware), and telling everyone that in a few days they'll be changing all the ftp info which will mean everyone will have to install a full file. Or is there a better way? |
|
05-22-2009, 10:19 AM | #32 |
All Star Reserve
Join Date: Mar 2002
Location: Buffalo, NY
Posts: 635
|
My league was hacked over night and a good majority of the files in my league domain's folder were deleted. I run a similar hosting setup as Zubes described and none of my other domains were touched.
This is the second hack job (the first being very minor - one page that had a malware ****** inserted), but given the constant attacks other folks are seeing, I'm not even sure it's worth doing a league any longer. Prior to the FBL, I ran an OOTP league for 5 years (using versions 3 thru 6) and never got hacked. I started the FBL back up a few months ago and have been hacked twice that I know of... very frustrating.
__________________
NPBL Idaho Spuds GM Former Federal Baseball League and JOBL Commish (2002 - 2011) |
05-22-2009, 06:59 PM | #33 |
Hall Of Famer
Join Date: Jan 2003
Location: Frankfort, Kentucky
Posts: 3,739
|
I have now been hacked twice each in the past three weeks on two different sites. If it happens a third time, I probably will end what has been a fun online experience as commissioner with some great GMs. Very unfortunate.
__________________
Charlie Root won more games for the Cubs than any pitcher (201), yet was remembered for one pitch to Babe Ruth. Find out more about the 1929 World Series in my book, "Root for the Cubs: Charlie Root and the 1929 Chicago Cubs." See the web site at www.rootforthecubs.com. The book is at http://www.amazon.com/Root-Cubs-Char...t+for+the+cubs. Beta tester, OOTP 2007-2023 and iOOTP 2011-2014. |
05-24-2009, 07:16 PM | #34 |
Hall Of Famer
Join Date: Apr 2002
Location: Ft Smith AR
Posts: 2,681
|
Anyone have any ideas on how to stop this?
Is the problem that a trojan can pick up the FTP login info, off of any owner's machine, when he exports? |
05-24-2009, 07:40 PM | #35 | |
All Star Starter
Join Date: Mar 2002
Location: Mass.
Posts: 1,963
|
Quote:
The way I get around this is a pain in the butt, however since OOTP doesn't do anything to protect against this (my suggestion to the developers was to allow a separate ftp account in the ootp configuration for webpage uploads and a different account for owner exports), you have to do it manually. This is what I do: I have two ftp logon accounts on my server.
1) account is for owner exports. This is input into your OOTP online configuration in the file that you upload. It ONLY has rights to read and write to the exports folder on your ftp server.
2) account for web reports. You do not put this into OOTP anywhere. It has the rights to the rest of the webserver file structure.
When you upload files for other owners in the league, you have account #1 configured in OOTP. When you upload webpages to your server, you do it outside of OOTP and don't use OOTP for that. An alternate is that you can still use OOTP to do so, but you have to manually change the account settings back and forth in OOTP which is a pain.
If this is confusing, I would be happy to help explain it further, just drop me a PM. Ideally I think this is something that should be fixed in OOTP, but was told that was not going to be done, so a manual work around from commishes is the only other solution. Let me know if you have questions, I am happy to help.
__________________
- Front Office Offseason League. (Fast Paced OOTP-X and OOTP11 leagues, sims one season every week) |
|
05-24-2009, 08:43 PM | #36 |
Hall Of Famer
Join Date: Nov 2004
Posts: 6,069
|
I agree with both Andreas and Alan T. Update your scripts and separate your game FTP accounts. I had some hacked websites myself; two were running Mambo, from which we migrated to Joomla 1.5 as a result. But that alone will not assure security.
To go a step further, I will map out what I recommend (some of it reflects what Alan T. and Andreas have already stated above)...
1. Delete ALL infected files from the server
2. Restore a backup (ALWAYS make periodic backups of your site files and databases!!)
3. Change all of your passwords, FTP, forum and CMS logins, etc.
4. Update your scripts to the latest versions (ASB now uses Joomla 1.5.10 and phpbb 3.0.4 on all sites)
5. Create a sub-sub-directory for your reports and league file (for example yoursite.com/game/exports). You can add more security by making the name of the directory more cryptic as well. DO NOT publish a "public" link to download your league file on your website.
6. Create an FTP account that has access to /game ONLY, and use this for your in-game FTP settings. You can go a step further as Alan T. suggests if you want to separate the league file from the reports but, in my opinion, if someone hacks my /game folder, FTP info and directories need to be changed again anyway and reports and league files are easily restored.
7. Remove any 3rd party Online forms components from your website, or use forms that are being supported and updated regularly.
8. Disable site registration and manually create accounts for new league members.
9. Use a no-proxy code in any online forms you have published. At least a good % of hackers will be discouraged.
10. Use an .htaccess file for your site that keeps a large portion of the bad-guy population from even seeing your website.
For number 9 and 10, I have info in another thread. I'll see if I can find it and post it here. Still, even with the above precautions, nothing is 100% safe. Backup your site and databases regularly to save yourself some headaches.
__________________
Fidel Montoya Asahi2 Baseball ex-Commissioner(Historical League Since 2004) www.allsimbaseball.com (OOTP web hosting - Customized sites for online leagues - Sign up, Connect OOTP and Play!) Share Your Mods - Free, unlimited and easy to upload to share your Mods instantly(free site registration required) Last edited by f.montoya; 05-24-2009 at 08:45 PM. |
05-24-2009, 09:10 PM | #37 |
Hall Of Famer
Join Date: Apr 2002
Location: Ft Smith AR
Posts: 2,681
|
Thanks guys. In the past, I've experimented with a special limited-access ftp account for my owners' exports. I'll give it another shot.
|
05-25-2009, 04:06 AM | #38 |
Administrator
Join Date: Jun 2002
Location: Hollern/Stade/Germany
Posts: 8,992
|
Thanks guys for your help! Let me just add one thing: Each day thousands of servers and sites get hacked without any OOTP involved at all. Just because they used old versions of message board, guest book scripts or content management systems, which had security issues. Always update this software when there's an update available!!!
I'm sure and it's obvious that a big part of the hacked OOTP sites have been hacked just because of those outdated versions. Anyway, a Trojan could get your FTP login info when you (or a GM!) uploads/downloads league or team files, so there's a security issue there as well, just don't forget to keep your software up-to-date and also follow the great instructions above. |
05-25-2009, 12:16 PM | #39 |
Hall Of Famer
Join Date: Jan 2003
Location: Frankfort, Kentucky
Posts: 3,739
|
What is the easiest way to continue a league without using a web site? How do you export the league file to all owners and then have them update?
Is there a way to send a file and the game updates or do you have to go through all the manual steps of zipping the league file, sending it via email to all gms and then they would have to unzip and manually overwrite in saved_games folder? It is easy to understand how to include their team exports from the manual, but I'm not sure about the league file workaround. Any help?
__________________
Charlie Root won more games for the Cubs than any pitcher (201), yet was remembered for one pitch to Babe Ruth. Find out more about the 1929 World Series in my book, "Root for the Cubs: Charlie Root and the 1929 Chicago Cubs." See the web site at www.rootforthecubs.com. The book is at http://www.amazon.com/Root-Cubs-Char...t+for+the+cubs. Beta tester, OOTP 2007-2023 and iOOTP 2011-2014. |
05-26-2009, 12:39 AM | #40 |
Hall Of Famer
Join Date: Nov 2004
Posts: 6,069
|
Just an update...
Andreas has been actively discussing with beta testers security measures that can be put in place in the game. Some good ideas are being brought up and I am very encouraged by what I've been reading so far. For those of you that I don't host at AllSimBaseball, here is pretty much what has been my website security bible: How to prevent your website from getting hacked. Repair damaged site. I know it's a lot of reading and most may not want to be bothered, but on the odd chance that some commissioners have some interest in knowing a little more about website security, there it is. Roger, I've sent you and your league members an email. Thanks to Randy, I found what had been eluding us all this time.
__________________
Fidel Montoya Asahi2 Baseball ex-Commissioner(Historical League Since 2004) www.allsimbaseball.com (OOTP web hosting - Customized sites for online leagues - Sign up, Connect OOTP and Play!) Share Your Mods - Free, unlimited and easy to upload to share your Mods instantly(free site registration required) |