11-15-2008, 06:17 PM | #1
All Star Reserve
Join Date: Feb 2007
Posts: 925
Hacker possibly targeting OOTP online leagues
This is a notice for all commissioners of OOTP online leagues to keep their ears and eyes open and make sure they have strict control over their websites.
Twice in this past week the website of the league that I commish has been attacked by the same hacker. It's quite a simple attack, and one that I've had no trouble undoing, but now I'm hearing that other leagues have suffered similar recent attacks. The "hacker" simply adds invisible links to your web pages that, if browsed to, direct the browser to a 2nd website that presumably attempts to load some sort of malware or trojan onto unsuspecting computers. Plain and simple, this is bush league (to use a baseball metaphor). We're all supposedly just trying to enjoy a hobby, right? What purpose does it serve to cause mischief for our websites and GMs, other than to entertain the feeble mind of the attacker, and annoy the hell out of everyone else. Do us all a favor. Go practice your "hacking" somewhere else.
11-15-2008, 06:30 PM | #2
Global Moderator
Join Date: Nov 2002
Location: Vancouver, Canada
Posts: 10,703
If it's the same thing as what the CBL went through a while ago, I don't think it's some fellow OOTPer. I think it's something any website with similar security holes might suffer. I never did figure out exactly how they were doing it (we ended up just going to a bare bones site for a little while), but I did find out that it wasn't limited to OOTP online leagues. Mind giving us more info, maybe a link to a thread on your board talking about it, so I can look into it further?
11-15-2008, 06:33 PM | #3
Hall Of Famer
Join Date: Jul 2006
Location: Watertown, New York
Posts: 4,567
I'm not trying to downplay your completely justified anger, but isn't that the motive behind most vandals? As such, it's very easily understandable — which is not to say forgivable.
11-15-2008, 06:40 PM | #4
All Star Reserve
Join Date: Feb 2007
Posts: 925
Feel free to contact me if you want a couple of sample files I kept that have the edited code. commish(at)ashmaplebaseball.info And yes Curtis, I realize that's why they do it. Just have to vent my frustration and annoyance somehow.
11-15-2008, 07:18 PM | #5
Global Moderator
Join Date: Nov 2002
Location: Vancouver, Canada
Posts: 10,703
May I ask what host you're using? We were using hostmonster. I see that you're using SMF forums while we were using phpbb2.x forums. I thought that might have been where the hole was, but there have been cases of sites not using the same boards in the past so I doubt it. It looks like you're just using simple html, not php like we and others were, so that's probably not the problem. I'm now thinking it might be folder permissions, but I'll have to look into that topic a bit more. I may end up asking you to tell me yours. You can easily check it if you have ftp access. I'll email you for those files, but if anybody else experiences the same problem feel free to email me some sample files at kq76 at hotmail.com. Please point out the offending code for me or at least detail what you see in your browser. I'm no website security expert, but I like to think I know at least a tiny bit about the topic. Regardless, I'll ask in OT if there's anybody that can help us. When I thought it was just one or two leagues I didn't think it was that big of a deal, but if it's more then I'd like to put this down immediately. I would have recommended going to a single page site for a while, but yours looks so simple (no disrespect, I'm just saying it's likely not the problem) that there's no point. If it does happen again, just re-up your files and sooner or later they'll probably just move on to another site. I know, it's not the best of solutions, but unless we find better that's the only one I know of.
11-15-2008, 07:40 PM | #6
Hall Of Famer
Join Date: Jul 2003
Location: College Park, Md.
Posts: 5,024
vMLB (in my sig) has been attacked twice this week.
Here's what the commish has to say:
11-15-2008, 07:48 PM | #7
Global Moderator
Join Date: Nov 2002
Location: Vancouver, Canada
Posts: 10,703
If the vMLB's problem was the exact same one that we had then I'm 100% positive it's not to do with Getch's utilities. How am I so sure? Because we didn't have Getch's utilities installed at the time. I didn't install it until well after and we haven't had the problem since.
EDIT: I should say, though, that Getch's and whatever the specific cause of ours was could possibly share the same vulnerability. I just don't want everyone going around saying, "oh, it's Getch's" if they don't really know for sure. Could be, but I'd hate for it to get that reputation if it's really not the cause. I'll ask fhomess and Solonor for their input as they seem to know it fairly well.
11-15-2008, 08:19 PM | #8
Hall Of Famer
Join Date: Oct 2003
Location: San Diego, California
Posts: 2,737
The name rings a bell for me.
11-15-2008, 08:53 PM | #9
Hall Of Famer
Join Date: Nov 2004
Posts: 6,069
Four sites that I host were hit this past week, including vMLB. We use the CMS Mambo along with phpbb2 or phpbb3, depending on how long the league has been around. Actually, on a few of the upgraded sites, the malicious code actually failed in its purpose. That is to say, instead of the cross site scripting sending you to a different site to download a file, Mambo and phpbb actually quit and displayed an error. But a few other sites were running older versions of Mambo and phpbb. These sites would actually do what the script wanted and a pdf file would open after a few seconds and a browser redirect.
The location of the pdf file was at fany008.net (this is the domain and I don't want to post the whole url to the pdf file here), which I later tracked to a Mr. John Mohov. While I don't think this guy would actually be attacking sites himself, he is listed as the owner of fany008.net and has a responsibility to remove the infected pdf file from his server and take appropriate preventative security action. I am listing what is already publicly available on Mr. Mohov here:
john mohov
Email: bryanlink AT live.com (I will do him the courtesy of protecting his email address from bots)
Organization: mohov ltd
Address: 2198 Bernard rd
City: New Vienna
State: oh
ZIP: 45159
Country: US
Phone: +7.4955123458
Fax:
Usually, these attacks are done via an html web form by wrapping malicious code in php tags in the text fields. Quite simple really. And php code can be used to overwrite, append and create files, which is what happened in this case. The script was used to create and overwrite the index.html files in about 50+ locations within Mambo and phpbb and it appended the index.php file to include the redirect command. Easy to find but a major pain to clean out.
Fidel Montoya, Asahi2 Baseball ex-Commissioner (Historical League Since 2004), www.allsimbaseball.com (OOTP web hosting - Customized sites for online leagues - Sign up, Connect OOTP and Play!) Share Your Mods - Free, unlimited and easy to upload to share your Mods instantly (free site registration required)
11-15-2008, 09:20 PM | #10
Hall Of Famer
Fidel has basically explained everything I know so far. All I know is I can't keep my forum up for more than 10 minutes without this guy taking it down. I've had some other commissioners contact me as well with this same problem, AMBL commish was one of them. Is this something we should contact Markus, Steve, or Andreas about or can we take care of this ourselves?
From the wise mind of Davey Eckstein: "Now all you need is a signature. A quote or initial, perhaps."
11-15-2008, 09:24 PM | #11
Global Moderator
Join Date: Nov 2002
Location: Vancouver, Canada
Posts: 10,703
Anyway, to anybody out there who is running outdated forum or CMS or any other kind of website software, I highly recommend doing what Fidel did and upgrading it, even if you don't think that's the cause. It very well could prevent the problem. You should probably also notify your webhost as they should take a look at whether their stuff is up-to-date as well, but at the very least update whatever you can.
11-15-2008, 09:27 PM | #12
Global Moderator
Join Date: Nov 2002
Location: Vancouver, Canada
Posts: 10,703
11-15-2008, 09:47 PM | #13
All Star Starter
Join Date: Mar 2002
Location: Mass.
Posts: 1,963
This probably doesn't have anything to do with OOTP at all, and you likely should talk to your service providers or, if things get really bad, the proper authorities for assistance.
Starting at some point last year, people started heavily using invisible iframes to inject trojans into people's computers. The way it worked is they would use some exploit on the web server or an application on that server to break in enough to post an additional iframe on the site's main page that no one would notice because it is invisible (no picture or anything). Everything that iframe did was behind the scenes, by instructing the user who browsed that webpage to go to some other compromised site and download an infected trojan. I know a very common one was to utilize a RealPlayer exploit, where the iframe would have the user's browser download a file that would launch RealPlayer and make use of that exploit. There have been other recent ones that attack flaws in Adobe Acrobat Reader (.pdf files) and other applications. Users who kept their RealPlayer, Adobe, OS, and other applications up to date usually were not infected by this, but most users are poor about keeping security patches for their OS or applications and they got infected from it.
I work for a company that develops anti-virus software, and there was a memo that went around in the spring that said there were over 200,000 infected sites using this type of attack and that number was growing extremely fast. phpbb was originally one of the targeted services that the attackers would use to put the initial iframe on the site. I am sure they have found other similar vulnerabilities in other scripts or programs.
As far as end users go, users that use Firefox with NoScript for instance are not fully protected, as by default NoScript allowed iframes. Those users should go into the NoScript settings and make sure to explicitly say not to allow iframes either (unless they override it). I am less familiar with Internet Explorer, but I understand there are ways to protect yourself there as well.
As for the server admins, that is tougher: you really need to look through the logs and find what they are actually exploiting to put the iframe up in the first place and shut that application down until you can upgrade to a fixed version. Anyhows, I highly doubt this has anything to do with OOTP, and these attackers have just started getting to OOTP sites now. They used to hit MMORPG sites very heavily, especially the heavier played ones (I don't play MMORPGs so can't give which games as specifics I fear), but I know there were reports of this attack being used to steal MMORPG characters in Warcraft which they would then sell, and other various things. Sorry I don't have more help for you, but I hoped that by explaining the history of this type of attack, it might be able to provide you direction to fix it.
11-15-2008, 09:49 PM | #14
All Star Starter
Join Date: Mar 2002
Location: Mass.
Posts: 1,963
I am not a software engineer, I am a network security engineer, so I don't really know the specifics on how these attacks are done code-wise, but I would say if you have an old version of phpbb that is not patched to fix this exploit, it is very likely they used this to insert the iframe into your main page. Even if they did not touch the forums at all, that is their normal behavior. They just want the malicious code in the very top level root directory for the webservices on the main index page so it gets hit the most.
11-16-2008, 12:28 AM | #15
All Star Reserve
Join Date: Feb 2007
Posts: 925
John Mohov indeed appears to be the culprit in my case. The fany008 domain is apparently registered to him, and that's what's embedded into my files.
To MY knowledge, this started a few weeks ago when the Suicide Squeeze league was attacked using a similar method, although you'd have to contact Lonnie Moody to find out for sure. He had to move his whole site to a new host. My webhost is totalchoicehosting dot com and when I contacted them this morning, they advised me it was that my global permissions were set to allow files to be written, and they fixed the permissions for me. Time will tell if they were right. I've also changed all the website passwords as they directed. Regarding my forum version, I was on SMF 1.16 till this morning. I updated to 1.17 today.
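A defender-side check for what posts #9, #13 and #15 describe, added here as an example (it is not code from any poster): it walks a web root, flags iframes in .html/.php pages that are hidden by a zero frame size or by CSS, and lists every world-writable path. The web-root layout, the malware.example host and the fixture the last function builds are constructed for the demonstration.

```python
"""Scan a web root for hidden injected iframes and world-writable paths."""
import re
import tempfile
from pathlib import Path

WEB_EXTENSIONS = {".html", ".htm", ".php"}
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Injected iframes are hidden by a zero frame size or by CSS; either marker flags the tag.
HIDDEN_MARKERS = (
    re.compile(r"""\b(?:width|height)\s*=\s*["']?0(?!\d)""", re.IGNORECASE),
    re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE),
)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def hidden_iframes(html):
    """Return the src of every iframe in `html` that carries a hiding marker."""
    hidden = (t for t in IFRAME_RE.findall(html) if any(m.search(t) for m in HIDDEN_MARKERS))
    return [s.group(1) if (s := SRC_RE.search(t)) else "(no src)" for t in hidden]


def world_writable(path):
    """True if 'others' may write (mode bit 0o002): the permission problem post #15 describes."""
    return bool(path.stat().st_mode & 0o002)


def scan_webroot(root):
    """Walk `root`; report hidden iframes per page and every world-writable path."""
    root = Path(root)
    report = {"hidden_iframes": {}, "world_writable": []}
    for path in sorted(root.rglob("*")):
        rel = str(path.relative_to(root))
        if world_writable(path):
            report["world_writable"].append(rel)
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            srcs = hidden_iframes(path.read_text(errors="replace"))
            if srcs:
                report["hidden_iframes"][rel] = srcs
    return report


def build_sample_webroot():
    """Constructed fixture, not real league files: two injected index pages,
    one legitimate iframe, and one world-writable directory."""
    base = Path(tempfile.mkdtemp()) / "www"
    (base / "forum").mkdir(parents=True)
    (base / "index.html").write_text('<html><body>League home<iframe src='
        '"http://malware.example/x.pdf" width=0 height=0></iframe></body></html>')
    (base / "forum" / "index.php").write_text("<?php echo 'forum'; ?><iframe "
        'style="display:none" src="http://malware.example/y"></iframe>')
    (base / "about.html").write_text('<iframe src="/schedule.html" width="600"></iframe>')
    (base / "forum").chmod(0o777)  # the misconfiguration described in post #15
    return base
```

Run `scan_webroot("/path/to/htdocs")` against a real document root; pages listed under `hidden_iframes` are the ones to restore from a clean copy, and paths under `world_writable` are the ones to tighten before restoring.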
11-16-2008, 05:26 AM | #16
Hall Of Famer
Join Date: Nov 2004
Posts: 6,069
In addition, via the process of elimination, it appears that there was some sql injection and such code included a self timer which made the forums self destruct and recreated the iframes, even after cleaning out infected indexes from the directories. I was doing so nonstop for hours at one point. Now that I've removed the forum database, it appears all is calm.
11-16-2008, 07:01 AM | #17
Hall Of Famer
Join Date: Mar 2003
Posts: 9,004
New Vienna is about 50 minutes from here. I have a consulting visit to make in Harveysburg, just North of New Vienna, this week. I could make a criminal complaint.
Clinton County Sheriff Home
Nothing quite like having the local sheriff show up and ask a few questions. If someone would like me to drive to the office and make the complaint, I could.
11-16-2008, 08:18 AM | #18
Hall Of Famer
Join Date: Mar 2003
Posts: 9,004
The street address is to a farm. Here's a picture.
2198 Bernard rd New vienna OH - Google Maps
The country code on the phone number listed is 7, which is Russia, and area code is 495, which is Moscow, Russia. Mohov is a Russian name. A person in the state of Ohio would probably use an LLC to protect assets, not a limited partnership.
Last edited by Raidergoo; 11-16-2008 at 08:19 AM.
11-16-2008, 08:33 AM | #19
All Star Reserve
Join Date: Feb 2007
Posts: 925
Fidel: Can you explain more about the sql injection? How do I find it? If it exists, what do I remove? I have no idea if I have anything like this or not. And I haven't run across any erroneous .pdf files on my site, so apparently I didn't get that part of the attack.
Raidergoo: While the attack on my site so far has been pretty minor and easy to fix, it certainly wouldn't upset me if a cop knocked on this guy's door. And judging by what Fidel describes has happened to his sites, he'd probably drive the cop himself.
11-16-2008, 08:38 AM | #20
Hall Of Famer
Join Date: Mar 2003
Posts: 9,004
Sadly, this does not seem to be a Clinton County script kiddie anymore.
I just contacted sysadmin AT cari.net, who hosts fany008. One of the points behind using an email address like bryanlink AT live.com is that they are disposable.
Last edited by Raidergoo; 11-16-2008 at 08:43 AM.