OOTP Online League Security Problem

[Killebrew]

Sorry if I missed in on all the forum pages dedicated to this issue but can anyone here mention what happens when users click on the hacked OOTP web site pages with the embedded ****** link? I know it's been described as "a malware site" and it "usually" results in a local box scan and a possible key logger, but do we know exactly what this one does?

Also, I guess there is no action we can take using our ftp logs:/.

[Treches]

Quote:

Originally Posted by Killebrew

Sorry if I missed in on all the forum pages dedicated to this issue but can anyone here mention what happens when users click on the hacked OOTP web site pages with the embedded ****** link? I know it's been described as "a malware site" and it "usually" results in a local box scan and a possible key logger, but do we know exactly what this one does?

Also, I guess there is no action we can take using our ftp logs:/.

It's a bit complex to explain the process in detail, but I'll try to simplify it somehow. The moment you get redirected to the malware site a rogue is installed automatically in a hidden mode. Your firewall, anti-virus or anti-malware shields may not be able to block the download and installation, but some of them are capable to detect and remove the rogue afterwards. This rogue is the one you described: the one that goes scanning your PC, claiming it to be highly compromised and telling you about this great piece of software that can put you out of your misery for a few bucks. Those who bite and buy it are awarded with a free highway for trojans.

If you have good and updated security, the redirection to the malware site would be simply blocked (unless, of course, you authorize it), so that's about it. Now, if the redirection is successful you enter the universe of the server that hosts MPack (or similar), which performs in cascade. To do so first it would try to install a downloader trojan to check the system, web brownser and firewall for vulnerabilities. Then, depending on the outcome, goes another trojan, and then another, and another. Pretty much all the family, from keyloggers to spammers to backdoors to downloaders. The more outdated the security and unpatched the operational system and brownser, the more chances has MPack to be successful.

That's all in short.

[Killebrew]

Thanks Treches - that was pretty helpful. I understand that means there is an additional step after clicking the bad link. My browser blocked the ****** but because these links are on our own sites, I suspect many will not have pop ups etc blocked.

Regarding the hacker... the ****** link insert is being done by a script based on the time of the file updates and the specific target files, but it does not seem likely that a script is look for encrypted OOTP online league files. That seems like a manual job by someone who is at least aware of this game (enough to know it has an online league mode to it).

[Zubes]

apparently this issue is back, at least for me. my sites that use the FTP info from OOTP are getting hacked on a daily basis, and its getting ridiculous.

[satchel]

Quote:

Originally Posted by Zubes

apparently this issue is back, at least for me. my sites that use the FTP info from OOTP are getting hacked on a daily basis, and its getting ridiculous.

I started having problems a week ago.

[Zubes]

Quote:

Originally Posted by satchel

I started having problems a week ago.

this has definitely been going on longer than a week for me...but i thought it was a server problem and not with me. but it turns out its OOTP again, as the only sites that get affected on my server (and i have multiple sites) are the ones that share the ootp ftp info.

what can we do about this?????

[Andreas Raht]

Quote:

Originally Posted by Zubes

this has definitely been going on longer than a week for me...but i thought it was a server problem and not with me. but it turns out its OOTP again, as the only sites that get affected on my server (and i have multiple sites) are the ones that share the ootp ftp info.

what can we do about this?????

Update all the software which you run on that site, especially Joomla, SMF forum and other CMS or forum software. It's essential that you use the latest version.
On our server we got 3 sites hacked last week and it had nothing to do with OOTP online leagues at all. It's either security issues with forum software or a Trojan/Virus/Worm on your computer (or on a GM's computer) which "reads" your FTP login info from the network connection while you (or a GM) uploads or downloads the league file using OOTP.

[Zubes]

we are not using any CMS software. its all hand coded html and php pages.

we are using vbulletin, and it is using the latest version.

as i mentioned earlier, i host several websites on my server. all of the ootp leagues are housed under 1 domain using subdomains. they all share the same ftp info, and the ftp info gets them into the main domain and then branches from there.

the only sites i am having a problem with are those under the main ootp domain. and the only place that ftp info is stored is in the game.

[satchel]

Quote:

Originally Posted by Andreas Raht

...a Trojan/Virus/Worm on your computer (or on a GM's computer) which "reads" your FTP login info from the network connection while you (or a GM) uploads or downloads the league file using OOTP.

A trojan can read my FTP login info from the OOTP connection to my server, on a GM's computer? Maybe that's what's happened. It's going to be tough to keep everyone in my league trojan-free, I don't know if I can manage that.

[Zubes]

to go another step further with this...a league i used to commish that i am still an active member of that is on a different server, thus obviously not sharing the same ftp info or anything like that for that matter...

has also been hacked. site also uses php and html coding.

[kq76]

Quote:

Originally Posted by satchel

A trojan can read my FTP login info from the OOTP connection to my server, on a GM's computer? Maybe that's what's happened. It's going to be tough to keep everyone in my league trojan-free, I don't know if I can manage that.

I hadn't thought of it before, but now that I do it probably is possible. They can apparently transmit website login info so why not ftp connection info.

I think the best a commish can do in such a situation is ask everyone to scan their computers for virii and other malware asap, even suggesting say some scanning programs (I use avast and superantispyware), and telling everyone that in a few days they'll be changing all the ftp info which will mean everyone will have to install a full file.

Or is there a better way?

[jdettbarn]

My league was hacked over night and a good majority of the files in my league domain's folder were deleted. I run a similar hosting setup as Zubes described and none of my other domains were touched.

This is the second hack job (the first being very minor - one page that had a malware ****** inserted), but given the constant attacks other folks are seeing, I'm not even sure it's worth doing a league any longer.

Prior to the FBL, I ran an OOTP league for 5 years (using versions 3 thru 6) and never got hacked. I started the FBL back up a few months ago and have been hacked twice that I know of... very frustrating.

[rasnell]

I have now been hacked twice each in the past three weeks on two different sites. If it happens a third time, I probably will end what has been a fun online experience as commissioner with some great GMs. Very unfortunate.

[satchel]

Anyone have any ideas on how to stop this?

Is the problem that a trojan can pick up the FTP login info, off of any owner's machine, when he exports?

[Alan T]

Quote:

Originally Posted by satchel

Anyone have any ideas on how to stop this?

Is the problem that a trojan can pick up the FTP login info, off of any owner's machine, when he exports?

I mentioned this previously, but Since OOTP shares the ftp login for both web exports and owner exports, this puts your websites at risk. This means that all it takes is for someone to have OOTP and your league file and they can find your ftp password to upload pages to your website (and thus hack your site).


The way I get around this is a pain in the butt, however since OOTP doesn't do anything to protect against this (my suggestion to the developers was to allow a seperate ftp account in the ootp configuration for webpage uploads and a different account for owner exports), you have to do it manually.

This is what I do:

I have two ftp logon accounts on my server.

1) account is for owner exports. This is input into your OOTP online configuration in the file that you upload. It ONLY has rights to read and write to the exports folder on your ftp sever.

2) account for web reports. You do not put this into OOTP anywhere. It has the rights to the rest of the webserver file structure.

When you upload files for other owners in the league , you have account #1 configured in OOTP. When you upload webpages to your server, you do it outside of OOTP and don't use OOTP for that. An alternate is that you can still use OOTP to do so, but you have to manually change the account settings back and forth in OOTP which is a pain.

If this is confusing, I would be happy to help explain it further, just drop me a pM. Ideally I think this is something that should be fixed in OOTP, but was told that was not going to be done, so a manual work around from commishes is the only other solution.

Let me know if you have questions, I am happy to help.

[f.montoya]

I agree with both Andreas and Alan T. Update your scripts and separate your game FTP accounts. I had some hacked websites myself two were running Mambo, from which we migrated to Joomla 1.5 as a result. But that alone will not assure security.

To go a step further, I will map out what I recommend(some of it reflects what Alan T. and Andreas have already stated above)...

1. Delete ALL infected files from the server
2. Restore a backup(ALWAYS make periodic backups of your site files and databases!!)
3. Change all of your passwords, FTP, forum and CMS logins, etc.
4. Update your scripts to the latest versions(ASB now uses Joomla 1.5.10 and phpbb 3.0.4 on all sites)
5. Create a sub-sub-directory for your reports and league file(for example yoursite.com/game/exports). You can add more security by making the name of the directory more cryptic as well. DO NOT publish a "public" link to download your league file on your website.
6. Create an FTP account that has access to /game ONLY, and use this for your in-game FTP settings. You can go a step further as Alan T. suggests if you want to separate the league file from the reports but, in my opinion, if someone hacks my /game folder, FTP info and directories need to be changed again anyway and reports and league files are easily restored.
7. Remove any 3rd party Online forms components from your website, or use forms that are being supported and updated regularly.
8. Disable site registration and manually create accounts for new league members.
9. Use a no-proxy code in any online forms you have published. At least a good % of hackers will be discouraged.
10. Use an .htaccess file for your site that keeps a large portion of the bad-guy population from even seeing your website.

For number 9 and 10, I have info in another thread. I'll see if I can find it and post it here.

Still, even with the above precautions, nothing is 100% safe. Backup your site and databases regularly to save yourself some headaches.

[satchel]

Thanks guys. In the past, I've experimented with a special limited-access ftp account for my owners' exports. I'll give it another shot.

[Andreas Raht]

Thanks guys for your help! Let me just add one thing: Each day thousands of servers and sites get hacked without any OOTP involved at all. Just because they used old versions of message board, gguest book scripts or content management systems, which had security issues. Always update this software when there's an update available!!!
I'm sure and it's obvious that a big part of the hacked OOTP sites have been hacked just because of those outdated versions.
Anyway, a Trojan could get your FTP login info when you (or a GM!) uploads/downloads league or team files, so there's a security issue there as well, just don't forget to keep your software up-to-date and also follow the great instructions above.

[rasnell]

What is the easiest way to continue a league without using a web site? How do you export the league file to all owners and then have them update?

Is there a way to send a file and the game updates or do you have to go through all the manual steps of zipping the league file, sending it via email to all gms and then they would have to unzip and manually overwrite in saved_games folder?

It is easy to understand how to include their team exports from the manual, but I'm not sure about the league file workaround.

Any help?

[f.montoya]

Just an update...

Andreas has been actively discussing with beta testers security measures that can be put in place in the game. Some good ideas are being brought up and I am very encouraged by what I've been reading so far. For those of you that I don't host at AllSimBaseball, here is pretty much what has been my website security bible: How to prevent your website from getting hacked. Repair damaged site.

I know it's a lot of reading and most may not want to be bothered, but on the odd chance that some commissioners have some interest in knowing a little more about website security, there it is.

Roger, I've sent you and your league members an email. Thanks to Randy, I found what had been eluding us all this time.