
Thread: AOTS Hacked/Infected?!

  1. #41
    Quote Originally Posted by cybershead View Post
    As far as we know it is index page aotradeskills.com that has the problem not aotradeskills.com/dnn. I am sorry if anyone had problems from my site but it must be something really nasty if your virus programs did not pick this up, and this does concern me on how this got on the server in the first place.
    Not long ago I had a similar problem on my server.

    Although the site didn't actually have anything on it, it did have some index.html pages, and it was those that got modified.

    The problem stems from the fact that it's just script, nothing malicious, but it's what the script does, and that is download from an external site and try and install the malware.

    Now, when I discovered the problem, I removed the offending code from the page, it was near the top and should be fairly obvious, but in less than 24 hours the files had been modified again.

    I contacted my host who told me the files were changed by someone with FTP access to the server, this surprised me since only I know the password and the machine I accessed it from was clean after several scans.

    Reading the access logs, it seems that someone from an IP in Singapore was accessing the server to explicitly change any index.html files, but nothing else, leading me to believe it was something automated.

    The host changed my account passwords and the file changes stopped.

    After doing a bit of searching, it seemed that the version of cPanel, the hosting configuration software the host uses for clients, has bugs in it and people are able to obtain passwords from the domain if they know how to exploit it.

    So, assuming it's the same problem, it's more than likely it's just a random hack and modification of the server you are hosting on, rather than someone deliberately out to get you.

    Make sure you check all the index.htm, index.html and maybe index.php if you have them and look for some javascript code near the top, if it's the same as mine was there will be a long string of "gibberish" that it decodes to construct the malicious code, just remove it and replace the files.
    Omutb - President - Ring of Destruction

    If you only knew the power of the Frosted Strawberry Poptart....

    "Once more unto the breach, dear friends, once more; Or close the wall up with our English dead." - because Wales just isnt a country

    Chernobyl, providing the freshest bottled water since 1986, for that healthy green glow.
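
The check described in post #41, as an added example that is not part of the original thread: a Python sketch that walks a local copy of the web root, opens each index.htm, index.html and index.php, and flags inline scripts near the top that pair a long unbroken string literal with a decode or write call. The length threshold, the head cutoff, the decoder list and the sample pages are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

INDEX_NAMES = {"index.htm", "index.html", "index.php"}
HEAD_CHARS = 8192   # assumed cutoff for "near the top" of the page
MIN_BLOB = 150      # assumed length at which an unbroken literal counts as "gibberish"

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
BLOB_RE = re.compile(r"""["']([^"'\s]{%d,})["']""" % MIN_BLOB)
DECODER_RE = re.compile(r"\b(unescape|eval|fromCharCode|document\.write|atob)\b")

def suspicious_scripts(html):
    """Return (blob_length, decoder_names) per inline script that pairs a
    long unbroken string literal with a decode/write call."""
    hits = []
    for body in SCRIPT_RE.findall(html[:HEAD_CHARS]):
        blobs = BLOB_RE.findall(body)
        decoders = sorted(set(DECODER_RE.findall(body)))
        if blobs and decoders:
            hits.append((max(len(b) for b in blobs), decoders))
    return hits

def scan_webroot(root):
    """Walk a local copy of the web root and report flagged index pages."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.name.lower() in INDEX_NAMES:
            hits = suspicious_scripts(path.read_text(errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def build_sample_webroot(root):
    """Constructed sample: one clean page, one with an injected-style script."""
    root = Path(root)
    (root / "dnn").mkdir()
    (root / "index.html").write_text(
        "<html><head><script>var tab='menu';</script></head><body>ok</body></html>")
    blob = "%41%42" * 100   # harmless constructed filler, decodes to "ABAB..."
    (root / "dnn" / "index.php").write_text(
        "<html><script>var s='" + blob + "';document.write(unescape(s));</script>"
        "<body>ok</body></html>")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        for name, hits in scan_webroot(tmp).items():
            print(name, hits)
```

A flagged file is a prompt to diff it against a known-good copy, and since the pages in this thread were rewritten again within a day, the scan is worth repeating after the FTP and control panel passwords have been changed.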

  2. #42

    Thank you

    Well, I have contacted my server providers and asked them to look into it for me; in the meantime I took it down and replaced it with a simple holding index page for aotradeskills.com.
    I will now look at the php index file. It will probably be better if I replace the Dot-net-nuke information etc.
    I might even just upload a new version without Iframes etc., and without Dot-Net-Nuke, as the code for it confuses me and I would probably not recognise gibberish that was malware.
    Thank you for giving me a point in the right direction.

    Cybershead
    I live for the moments off Clarity

    Maker of AO Tradeskills

  3. #43
    Quote Originally Posted by cybershead View Post
    Well, I have contacted my server providers and asked them to look into it for me; in the meantime I took it down and replaced it with a simple holding index page for aotradeskills.com.
    I will now look at the php index file. It will probably be better if I replace the Dot-net-nuke information etc.
    I might even just upload a new version without Iframes etc., and without Dot-Net-Nuke, as the code for it confuses me and I would probably not recognise gibberish that was malware.
    Thank you for giving me a point in the right direction.

    Cybershead
    Well, I'm not blaming you directly, but in your case I think you have a major security breach on that site, seeing how you've removed both malicious scripts only to have one of them come back again.

    This could mean that you're infected also and your passwords are being used.

    Also, I'm far from being a professional site developer - while I can code one, my designs often suck badly.
    Last edited by Xyphos; Aug 11th, 2008 at 12:48:50.
    "When life knocks you on your butt, you have to get back up and punch it in the face." --DJ Ashval of GSP

    Nullified "Bitbucket" Deadcode - 220/25 Neut NanoMage Engi
    Bits10 - 150/14 Clan Opifex Trader

  4. #44

    well

    OK, I have replaced all index pages and DNN is no more and replaced with the same index page as aotradeskills. Well, I am a good designer but a poor programmer unless it's AS2 or AS3; maybe we can help each other. This is a crude and temp way for me to show my tradeskills but I will get V4 up as soon as possible with simple HTML. The only scripts that are on there at this time are for the tab menu, as you can see if you view the source. Once again I am sorry that this has affected you.
    Just to let you know I am Cybershead and still the original and you can mail me at aotradeskills or leave a PM here or catch me in game if you can find me on a toon.
    Also a huge thank you to Omutb for helping me get rid of this problem. If you are on Dim1 I will have to give you some Phats to say thank you. Send me an offline tell.


    Cybershead
    I live for the moments off Clarity

    Maker of AO Tradeskills

  5. #45

    Thank you for trying to fix the problem. As Xy said... no one blames you. It's awesome you took the time and effort to put up a site to help players, and it's ****ty as hell for these *******s to do this to it.

    Props n kudos.
    Quote Originally Posted by Venachar View Post
    Yes. I'm a total idiot. Please don't quote that last sentence out of context
    Well Duh lol.

    I have chronic dyslexia of the keyboard..

    Zen.

  6. #46
    Quote Originally Posted by cybershead View Post
    If you are on Dim1 I will have to give you some Phats to say thank you. Send me an offline tell.
    I'm on RK2, but the thought is appreciated, so don't worry about it, just happy that the info was of some use.

    Thing is, even if you use just plain HTML and no scripting yourself, these "page injection" attacks can still happen.
    It's just one very good reason why browsers should disallow scripts by default.
    Omutb - President - Ring of Destruction

    If you only knew the power of the Frosted Strawberry Poptart....

    "Once more unto the breach, dear friends, once more; Or close the wall up with our English dead." - because Wales just isnt a country

    Chernobyl, providing the freshest bottled water since 1986, for that healthy green glow.

  7. #47

    ok

    Well, I will keep that on board and try not to use any scripts etc. I will try and make it as safe as possible. I will let you Beta it hehe.


    Hugz

    Cybershead
    I live for the moments off Clarity

    Maker of AO Tradeskills

  8. #48
    Quote Originally Posted by cybershead View Post
    Well, I will keep that on board and try not to use any scripts etc. I will try and make it as safe as possible.
    Not relying on scripting has its advantages in that your site will work regardless of the user's browser settings, nothing more annoying than a site that doesn't work at all because javascript is disabled, or worse proudly announces that "this site needs javascript to work" and shows you a very empty page.
    Omutb - President - Ring of Destruction

    If you only knew the power of the Frosted Strawberry Poptart....

    "Once more unto the breach, dear friends, once more; Or close the wall up with our English dead." - because Wales just isnt a country

    Chernobyl, providing the freshest bottled water since 1986, for that healthy green glow.

  9. #49
    Jesus. That's where I got that freaking virus from.

    I even had to format and reinstall everything. Impossible to get rid of!

  10. #50

    Humms

    Well, it was not a virus but a malware script. All has been removed and if there was a virus then that has all gone as well. I have the all clear from the server company and I have scanned all files and re-uploaded and deleted all old files, so cross fingers no one leaves some nasty malware again, but once I have V4 running I will keep an eye out for this sort of thing. Most computer virus protection will see this anyway. I do hope it was not my site that gave you the virus. Please tell me the name of the virus you have got.

    Cybershead
    I live for the moments off Clarity

    Maker of AO Tradeskills

  11. #51
    Herpies.
    No longer plays. It ruins my life.

  12. #52
    If someone has a ZIP of that virus, like that guy from earlier who uses Linux I'd be happy to test it on a VM and see if I can find a way to fix it without this "reinstall the world" stuff...
    I consider this a worthy test for myself! (Too persistent/too stupid.)
    [All Towers] The omni organization loves Toxor .. awww.


    [Clockwork Inc.] Toxor: !blacklist Mostadio this ****tard wouldnt make my carb :@
    [Clockwork Inc.] Omgbot: Thank you Toxor. Reputation / Blacklist info about Mostadio has been stored in the Clockwork Inc.-archives
    [Clockwork Inc.] Toxor: thats cool
    [Clockwork Inc.] Mostadio: ROOOOOOOOOFL
    [Org. Msg.] Mostadio kicked Toxor from your organization.

  13. #53

    humms

    Well, I have found that if I use any script files such as a Tab menu it does get infected. Thus I have no script files on the temporary page or the linked pages. This is not good and I might even have to change servers if this problem is about. If anyone has a super-duper virus-protected PC then please go to my site and see if it flags anything because I have tried on 4 PCs with all virus protection and nothing flags up.



    Cybershead
    I live for the moments off Clarity

    Maker of AO Tradeskills

  14. #54
    Quote Originally Posted by ZenWon View Post
    Sorry to tell ya mate, but you're probably infected then. One of the main problems I had with these is that as soon as antivirus picked it up, the values would change and it could not be fixed, it would pop up again in another location soon after to change yet again once detected. Hence the wipe of partition and HD and reinstallation of my OS and everything else

    To xyphos, WTG in being more of a techie than me and pinpointing the nasty, damn j00 linux! (More like damn j00 BILL GATES for giving us such easily exploitable software ) heh

    Btw yes, the first one is easily looked up google/eldergeek/etc/etc.. it's not even a "virus" per se, it's listed as very bad malware and GFL getting rid of it (Antivirus XP 2008), but as I said that is the LEAST of the problem at the site, it's the worms it installs with that one that will absolutely slay your PC, I was so busy trying to repair/fix/restore/etc that I didn't write all their names down. Update your antivirus/anti-malware/Adaware/SpybotSD/etc and hope it'll pick em up.

    At the VERY LEAST I'd suggest changing every single password you've used since going there!!!
    Thx for the info... although I blame you for making me worry^^.

    Just all remember... if you encounter a schluups toon with a huge ego, that would be me... otherwise I've been hacked .
    There are no problem that an absence of solution could'nt solve

    Wielder of the "IWin" button.

  15. #55

    Offline

    Well, I have tried to get rid of this malware and virus but it would seem the server is getting attacked or something; I uploaded clean files to an empty server but they still got infected. So the best thing is for me to take AOTS off-line.
    I am not sure if it will ever be back online but I guess 6 years is not bad running. It is sad as it started as such a little site and grew and grew and helped thousands of people in Anarchy-online to make their stuff and stop engineers from making mistakes of expensive items.
    I may get another server and re-build the site from scratch but I do not get much time for that, so I doubt you will ever see it. I do apologise if any of you got a virus or something from my site but it's been clean for 6 years, only now it has been attacked, so I am sorry if you did. I did end up redoing it on my mac after it was scanned on an external drive. I just think that the server has hidden agenda; anyway, sorry if you had problems from this site but the server is cancelled and no more AOTS.
    I live for the moments off Clarity

    Maker of AO Tradeskills

  16. #56
    Quote Originally Posted by daman425 View Post
    Got information on the trojan

    http://www.paretologic.com/resources...ove=Win32.RBot

    Picked up with XoftSpy
    Well that tool didn't find anything serious here \o/... maybe the fixer/hacker ran away after seeing my cyberdeck and grumpy mood? .
    There are no problem that an absence of solution could'nt solve

    Wielder of the "IWin" button.

  17. #57
    Quote Originally Posted by cybershead View Post
    Well, I have tried to get rid of this malware and virus but it would seem the server is getting attacked or something; I uploaded clean files to an empty server but they still got infected. So the best thing is for me to take AOTS off-line.
    I am not sure if it will ever be back online but I guess 6 years is not bad running. It is sad as it started as such a little site and grew and grew and helped thousands of people in Anarchy-online to make their stuff and stop engineers from making mistakes of expensive items.
    I may get another server and re-build the site from scratch but I do not get much time for that, so I doubt you will ever see it. I do apologise if any of you got a virus or something from my site but it's been clean for 6 years, only now it has been attacked, so I am sorry if you did. I did end up redoing it on my mac after it was scanned on an external drive. I just think that the server has hidden agenda; anyway, sorry if you had problems from this site but the server is cancelled and no more AOTS.
    Bleh; that site has always been the only way for me to make towers XD... now I'll have to buy them again.

    Thx for the good work during those years^^.
    There are no problem that an absence of solution could'nt solve

    Wielder of the "IWin" button.

  18. #58

    Re-build

    If you do want this site up again then if there are enough posts of the site helping people then I will re-build and with a new server.


    http://forums.anarchy-online.com/sho...73#post5260073



    Cybershead
    I live for the moments off Clarity

    Maker of AO Tradeskills

  19. #59
    Quote Originally Posted by cybershead View Post
    I just think that the server has hidden agenda,
    1) you might be infected yourself
    2) what hosting provider(s), so we can know not to use
    "When life knocks you on your butt, you have to get back up and punch it in the face." --DJ Ashval of GSP

    Nullified "Bitbucket" Deadcode - 220/25 Neut NanoMage Engi
    Bits10 - 150/14 Clan Opifex Trader

  20. #60
    I just wanted to give a kudos shout to Xyphos. I wish I was a Military Commander or something so I can send an Arty battalion at your lat and longs to repay those guys for their efforts. Really good work man, I'm actually astonished you were even able to find out where they came from. I'm sorry about the website, I never used it but by just the sound of it it sounds really cool
    Bushido is the way of the warrior. Nirvana is the path of true enlightenment. NTs must struggle to confine themselves as Warriors in this world,while still maintaining the path of wisdom.
    Chrioset-195/7 Nanomage/NT
    Duesentas-199/8 Atrox/Enfo
    Iloveshiz-131/0 Solitus/Fixer (no GA twinkage)
    Chriosat-88/0 Nanomage/Trader (wannabe Tradeskiller)
    Gualo - 155/2 Nanomage/Engy (the Real TSer)
    FUN COM, Please Make NT's the top Damge Dealers Again!!!!!!
    AO Mainframe-Click here - Down indefinitly
    Auno-Click here
