Heroes of Might and Magic Community
visiting hero! Register | Today's Posts | Games | Search! | FAQ/Rules | AvatarList | MemberList | Profile


Age of Heroes Headlines:  
5 Oct 2016: Heroes VII development comes to an end.. - read more
6 Aug 2016: Troubled Heroes VII Expansion Release - read more
26 Apr 2016: Heroes VII XPack - Trial by Fire - Coming out in June! - read more
17 Apr 2016: Global Alternative Creatures MOD for H7 after 1.8 Patch! - read more
7 Mar 2016: Romero launches a Piano Sonata Album Kickstarter! - read more
19 Feb 2016: Heroes 5.5 RC6, Heroes VII patch 1.7 are out! - read more
13 Jan 2016: Horn of the Abyss 1.4 Available for Download! - read more
17 Dec 2015: Heroes 5.5 update, 1.6 out for H7 - read more
23 Nov 2015: H7 1.4 & 1.5 patches Released - read more
31 Oct 2015: First H7 patches are out, End of DoC development - read more
5 Oct 2016: Heroes VII development comes to an end.. - read more
[X] Remove Ads
LOGIN:     Username:     Password:         [ Register ]
HOMM1: info forum | HOMM2: info forum | HOMM3: info mods forum | HOMM4: info CTG forum | HOMM5: info mods forum | MMH6: wiki forum | MMH7: wiki forum
Heroes Community > Turban Tribunal > Thread: Warning
Thread: Warning This thread is 14 pages long: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 · «PREV / NEXT»
JapanGamer
JapanGamer


Known Hero
posted October 25, 2008 03:13 AM

Killa Bee is mad and blaming me for hacking him, and I tried to redirect him to this thread for awnsers.. Maybe he will redeem himself by killing the hacker.
____________
Pictures of god

 Send Instant Message | Send E-Mail | View Profile | Quote Reply | Link
Cepheus
Cepheus


Honorable
Legendary Hero
Far-flung Keeper
posted October 26, 2008 09:46 PM

Ngaaaagh, it's happening again.  I opened the front page about thirty seconds ago and immediately closed my browser when the dreaded Adobe Reader logo showed up.

 Send Instant Message | Send E-Mail | View Profile | Quote Reply | Link
Geny
Geny


Responsible
Undefeatable Hero
What if Elvin was female?
posted October 26, 2008 09:48 PM

The same happened to me just now.
____________
DON'T BE A NOOB, JOIN A.D.V.E.N.T.U.R.E.

 Send Instant Message | Send E-Mail | View Profile | Quote Reply | Link
JapanGamer
JapanGamer


Known Hero
posted October 26, 2008 09:51 PM

No new server alterations on this end, as far as noscript can see.. I got HC blocked anyways.

 Send Instant Message | Send E-Mail | View Profile | Quote Reply | Link
Asheera
Asheera


Honorable
Undefeatable Hero
Elite Assassin
posted October 26, 2008 09:54 PM

Poor Val, he'll have to fix these again

Blasted hackers
____________

 Send Instant Message | Send E-Mail | View Profile | PP | Quote Reply | Link
Adrius
Adrius


Honorable
Undefeatable Hero
Stand and fight!
posted October 26, 2008 09:55 PM

Guess I'll let HC stay blocked then...
____________

 Send Instant Message | Send E-Mail | View Profile | PP | Quote Reply | Link
OmegaDestroyer
OmegaDestroyer

Hero of Order
Fox or Chicken?
posted October 26, 2008 10:01 PM

Got it again.
____________
The giant has awakened
You drink my blood and drown
Wrath and raving I will not stop
You'll never take me down

 Send Instant Message | Send E-Mail | View Profile | Quote Reply | Link
Valeriy
Valeriy

Mage of the Land
Naughty, Naughty Valeriy
posted October 26, 2008 11:24 PM

Hacked again, cleaned again...
____________
You can wait for others to do it, but if they don't know how, you'll wait forever.
Be an example of what you want to see on HC and in the world.
http://www.heroesofmightandmagic.com

 Send Instant Message | Send E-Mail | View Profile | Quote Reply | Link
Asheera
Asheera


Honorable
Undefeatable Hero
Elite Assassin
posted October 27, 2008 10:43 PM

Hi Val, I don't know much about networking and servers, but I did follow a forum discussion about this hack which I found with Google. There is an interesting post by someone who seems rather knowledgeable about stuff like this. Maybe his post will help you out, so I'll post it here:
Quote:
We were also hit by this

We are also hosted by layered technologies.

What we can tell you from our experience from this:

We have multiple servers hosted by LT

Only 2 of our servers with LT were affected by this.

Server 1 - All accounts affected (register_globals enabled)
Server 2 - Only around 5 accounts affected (register_globals enabled)

NOTE: On both of these servers that were affected we have logged that new clients have signed up very recently and requested that php function: fopen be enabled on the server for a "Ebay listing" script to work. So we went ahead and enabled it

All other servers: fopen never requested to be enabled

Now on server1 we realized that all accounts were affected once we received emails from our customers. We then immediately turned of register_globals on all servers as we realized what was going on.

Now as you can see on "server 2" only around 5 accounts were affected. We believe this is because we turned off register_globals just in time.

This is what has happened on the servers that were affected:
1. All accounts in the /home directory were chowned to a different user. Now as we are running suphp this screws up all php applications as they have to be run under the actual account owner. (big headache)

2. many files in ALL user directories with extensions such as .php and .html were injected with the code many of you are talking about
(ALSO NOTE: that even files completely written in php code and even some zend/ioncube encrypted files had the code injected to them seamlessly. We have even seen the code injected into complex php code, not just at the last line of every file.

Then after a while the entire php/apache structure on "server 1" complete became corrupt.

Basically all php sites came up with 500 errors. We checked the error log and it displayed absolutely no error logs and reasons why.

So we went ahead and tried to recompile the entire apache system and php configuration.

What happened? After every recompile it would compile entirely back to the version that we were running before that was corrupt.

After checking the configuration files it showed that somehow it was edited to make it always go back to the version that was corrupted.

Once we got this fixed we recompiled and everything was back to normal. But then we still had the 500 errors. This is because of all of the files by the users had been chowned to a different user.

Now if you host many users on a server thats going to be a headache to chown every single file. So here is a script that you can use to have all ownerships set back to normal.

1. log in to ssh
2. touch perm
3. chmod 777 perm
4. pico perm
5. Insert this code

#!/bin/bash
cd /var/cpanel/users
for user in *
do
chown -R $user.$user /home/$user/public_html/*
done

6. Then save file
7. execute the file: ./perm

That should fix all permissions of your users.

We then also went ahead and re-hardened our php.
We are currently running with register_globals disabled and fopen disabled.
Heres a list of other php functions that we recommend disabling also:

exec, shell_exec, system, passthru, shell_exec, popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate

You are then going to want to install mod_security as this will really help against web based attacks if it is configured well.

Everything is now back to normal on the affected servers

Hope this helps other web hosts out there. Wish we could submit more information but as you can see we are bogged down with security issues.

____________

 Send Instant Message | Send E-Mail | View Profile | PP | Quote Reply | Link
sith_of_ziost
sith_of_ziost


Promising
Supreme Hero
Scouting the Multiverse
posted October 28, 2008 02:36 AM

I recall these blips, and I don't believe I did anything about them. How far back did they extend? I have about six AV programs working simultaneously though, so the virus has to go through a Phalanx to get to me.

 Send Instant Message | Send E-Mail | View Profile | PP | Quote Reply | Link
broadstrong
broadstrong


Promising
Known Hero
Level 20 Vassal of Light
posted October 29, 2008 12:23 PM

It seems like the three attacks were made on weekends (either saturday or sunday), I hope this is not indicative of a worm or something in the HC servers.
____________
The queer part of the Carcity/Broadstrong/Zamfir[
/b] threeway, equipped with sailing, summon allies, spatial travel and supermover.
Many current projects on hand.

 Send Instant Message | Send E-Mail | View Profile | Quote Reply | Link
TheDeath
TheDeath


Responsible
Undefeatable Hero
with serious business
posted October 29, 2008 12:41 PM

Quote:
I have about six AV programs working simultaneously though, so the virus has to go through a Phalanx to get to me.
LOL that's bad practice dude, they might conflict or not do they job well, because most of AV programs need almost full access to your comp, and you can't have that with more than one without conflict, so basically only one of them is the one "active".

If you really want to scan a file (not actively) with a lot of anti-viruses, try Virus Total.
____________
The above post is subject to SIRIOUSness.
No jokes were harmed during the making of this signature.

 Send Instant Message | Send E-Mail | View Profile | Quote Reply | Link
Fauch
Fauch


Responsible
Undefeatable Hero
posted November 05, 2008 02:10 PM

yesterday, when I tried refreshing a page, I got a page full of sql errors. then I couldn't access the site during a few minutes, because I got the errors page each time.

it's ok now, you only have to hope no hackers saw it

 Send Instant Message | Send E-Mail | View Profile | Quote Reply | Link
Asheera
Asheera


Honorable
Undefeatable Hero
Elite Assassin
posted November 05, 2008 02:10 PM

Yes it happened to me as well... I was afraid HC got hacked.
____________

 Send Instant Message | Send E-Mail | View Profile | PP | Quote Reply | Link
Mamgaeater
Mamgaeater


Legendary Hero
Shroud, Flying, Trample, Haste
posted November 05, 2008 08:42 PM

who would want to hack hC?
____________
Protection From Everything.
dota

 Send Instant Message | Send E-Mail | View Profile | Quote Reply | Link
RedSoxFan3
RedSoxFan3


Admirable
Legendary Hero
Fan of Red Sox
posted November 05, 2008 08:42 PM

Another really good thread by Asheera.

I haven't been coming here often enough to see this happen.
____________
Go Red Sox!

 Send Instant Message | Send E-Mail | View Profile | PP | Quote Reply | Link
OmegaDestroyer
OmegaDestroyer

Hero of Order
Fox or Chicken?
posted November 05, 2008 08:50 PM

Take that Radar!
____________
The giant has awakened
You drink my blood and drown
Wrath and raving I will not stop
You'll never take me down

 Send Instant Message | Send E-Mail | View Profile | Quote Reply | Link
Valeriy
Valeriy

Mage of the Land
Naughty, Naughty Valeriy
posted November 06, 2008 07:07 AM

SQL errors for a minute or so were my doing Attacks havent recurred since but I'm yet to look into prevention further.
____________
You can wait for others to do it, but if they don't know how, you'll wait forever.
Be an example of what you want to see on HC and in the world.
http://www.heroesofmightandmagic.com

 Send Instant Message | Send E-Mail | View Profile | Quote Reply | Link
Lexxan
Lexxan


Honorable
Undefeatable Hero
Unimpressed by your logic
posted November 06, 2008 09:09 AM

Quote:
who would want to hack hC?


Do I really have to make a list on people who would?
____________
Coincidence? I think not!!!!

 Send Instant Message | Send E-Mail | View Profile | PP | Quote Reply | Link
friendofgunnar
friendofgunnar


Honorable
Legendary Hero
able to speed up time
posted November 10, 2008 10:49 PM
Edited by friendofgunnar at 23:58, 10 Nov 2008.

This morning I noticed that my modem was processing some information even though I didn't have any browsers open.

I used the netstat program to find out what was going on.  (to use netstat, open up the run function on windows, and type in
netstat -a 5
It will show you a list of all the connections that your computer is running and it will update every few seconds)

I found a connection with a computer with an isp of 91.203.93.51, worse I found a syn_sent signal.  

Q: What does a SYN_SENT connection mean?  [Back to top]

A: It isn't technically a connection, but one waiting to be born. SYN_SENT means that a program on your PC has made a request for TCP communication to another computer, but has not yet received an acknowledgment (SYN_ACK).   It can be indicative (but not always) of a network problem somewhere between you and the remote computer.




If you do an isp lookup on this you'll find it belongs to the "RIPE Network Coordination Centre", which is I believe a masking service.  

If you lookup that isp on the RIPE network lookup, you will find it belongs to Mark Liberman.  Google that and you will find


I had (have) a keystroke logger on my computer.  

I'm almost certain this is from when HC was infected.  I used that Unhackme program that Shadow linked to but it didn't remove it.  Also, I have my firewall on, and a rounter so it's impervious to both of those.  Also, when I first logged onto HC that day, Internet Explorer gave me a pop-up that said "IE has blocked some active content blahblah", all of which led me to believe that I was safe.  I was not.

I encourage everybody to use netstat frequently and check if they're still infected. If you're computer is trying to open up a connection with anybody from RIPE (91.0.0.0 - 91.255.255.255) it means you probably have a keystroke logger.

Meanwhile, I'm going to have to reset all my passwords, call my credit card companies for some new numbers, bomb my hard drive and reinstall windows



 Send Instant Message | Send E-Mail | View Profile | PP | Quote Reply | Link
Jump To: « Prev Thread . . . Next Thread » This thread is 14 pages long: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 · «PREV / NEXT»
Post New Poll    Post New Topic    Post New Reply

Page compiled in 0.0494 seconds