Regular Forum / Site Users Beware

 Garuda.Wooooodum
Offline
Server: Garuda
Game: FFXI
user: Wooooodum
Posts: 6310
By Garuda.Wooooodum 2009-02-10 21:26:44
Hello Everyone.

This morning I woke up and tried to open up one of my websites to work on it a little, and I was prompted by the following warning message from Google:

Link to the Warning Message

I'm sure some people have encountered this problem before. I know I have, and I never thought this would happen to one of my own websites.

Essentially, through some unconventional means, hackers have placed a very discreet piece of code onto many of my websites. It seems that whoever has been spreading this about has done so by entering through some sort of previously unknown back door. Of all the sites I have so far found with this exact code on, every single one has been running some kind of dynamic PHP script (Wordpress, PHPBB3, VB, etc.)

It is alarming just how many pages have been affected by this. Wordpress have recently released a patched version to combat this, with over 20,000 reported cases coming in from users of their blogs and their software. PHPBB3 and VB have had similar reports, though in far fewer numbers.

I have not identified what the code actually does, other than attempting to ping a protocol on another address. The address is masked and I'm not ashamed to say I'm too much of a n00b with these kinds of things to unmask it. However, allow me to get onto the point of my post:

The vast majority of the sites affected were gaming related, with a good half of them being based on an MMORPG. This includes WoW, FFXI, EQ, etc. A similar problem happened with Somepage a while back, which subsequently led to it being blacklisted by the community.

If you are yourself a moderately low-key web designer and have a few websites hosted, go and check them now. You might have this code on your page and not realise. For obvious reasons I cannot cut and paste it here. Please private message me if you want to know what it looks like.

Since we are all gamers and may have unknowingly strayed onto one of these websites, I urge every single person who has recently browsed a community website, especially the lesser known, lesser updated pages, to perform a full security check on their computers and any websites they themselves may host. Whilst I have zero evidence to suggest this is a Final Fantasy XI "keylogger" based incident, you can never be too careful. Any virus on your system is unwanted, I hope that this warning is not too late for some.

Everyone should delete their recently browsed pages, saved offline pages, private data, saved passwords, cookies, and any other offline data that saves to your computer to be as safe as possible. Make sure that after doing this you run a full virus scan on your entire system with an updated antivirus scanner. It's an absolute pain in the arse, I know, but I'm sure all of us would prefer to keep our accounts intact.

I don't mean to panic anyone; I wouldn't say this is serious enough to warrant a panic. Just be precautious, I would hate to hear of anyone's account being compromised.

Any questions, please Private Message me.

PS. I have deleted the site in question (the one linked on the Google Warning page) from my server.
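The check the post urges (look through your own hosted pages for injected code, and work out where a masked address actually points) can be done with a small scanner. The script below is an added example, not code from the post or from Wordpress, PHPBB3 or VB, and the post never shows the injected snippet, so everything here is my own assumption: the heuristics (an eval() of a base64/gzinflate-decoded string, zero-size iframes, hidden blocks, remote includes), the file extensions scanned, and the constructed sample page whose hosts use the reserved example.invalid domain. It decodes any base64 literal handed to base64_decode() so that an address hidden inside it becomes readable, which is the "unmasking" the post mentions.

```python
import base64
import re
import tempfile
from pathlib import Path

# Heuristics for code commonly injected into PHP/HTML pages. These patterns are my
# own assumption of what to look for; the post does not show its snippet.
SUSPICIOUS = {
    "eval_of_decoded_string": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I),
    "hidden_iframe": re.compile(
        r"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?0\b[^>]*>", re.I),
    "hidden_block": re.compile(
        r"<(?:div|span)\b[^>]*style\s*=\s*[\"'][^\"']*(?:display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
    "remote_include": re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*[\"']https?://", re.I),
}

# A base64 literal handed to base64_decode(): the usual way an address is masked.
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=]{16,})[\"']")
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)


def unmask_blobs(text: str) -> list[str]:
    """Decode every base64 literal passed to base64_decode() so a masked address is readable."""
    decoded = []
    for m in B64_LITERAL.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:  # not valid base64 after all; binascii.Error is a ValueError
            continue
    return decoded


def scan_text(text: str) -> tuple[list[str], list[str]]:
    """Return (matched heuristic names, addresses seen in the raw text or inside decoded blobs)."""
    hits = [name for name, rx in SUSPICIOUS.items() if rx.search(text)]
    addresses = set(URL.findall(text))
    for blob in unmask_blobs(text):
        addresses.update(URL.findall(blob))
    return hits, sorted(addresses)


def scan_tree(root, exts=(".php", ".html", ".htm", ".js")) -> dict[str, tuple[list[str], list[str]]]:
    """Walk a web root and report every file that trips at least one heuristic."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            hits, addresses = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = (hits, addresses)
    return report


# Constructed sample page (not the post's code): an eval of a base64 blob that hides
# the remote address, plus a zero-size iframe pointing at a second host.
_MASKED = base64.b64encode(b"$u = 'http://masked.example.invalid/ping';").decode()
SAMPLE_INJECTED = (
    "<?php /* legitimate code above */ ?>\n"
    f"<?php eval(base64_decode('{_MASKED}')); ?>\n"
    '<iframe src="http://other.example.invalid/f.html" width="0" height="0"></iframe>\n'
)
SAMPLE_CLEAN = "<?php echo 'Welcome to the guild site'; ?>\n"


if __name__ == "__main__":
    # Build a throwaway web root with one infected and one clean page, then scan it.
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.php").write_text(SAMPLE_INJECTED)
        Path(root, "about.html").write_text(SAMPLE_CLEAN)
        for name, (hits, addresses) in scan_tree(root).items():
            print(f"{name}: {', '.join(hits)}")
            for address in addresses:
                print(f"  contacts {address}")
```

Run it against a real document root with `scan_tree("/path/to/htdocs")` and treat each reported file as something to diff against a known-good copy from your own backup or the software's release archive, not as proof on its own; themes and plugins sometimes legitimately use eval() or hidden blocks, so the addresses it unmasks are what tell you whether the file is yours.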
 Carbuncle.Sterling
Offline
Server: Carbuncle
Game: FFXI
user: Sterling
Posts: 1050
By Carbuncle.Sterling 2009-02-10 21:45:14
I know FFXIAtlas has had problems like this for ages.
 Pandemonium.Luignata
Offline
Server: Pandemonium
Game: FFXI
Posts: 505
By Pandemonium.Luignata 2009-02-10 21:55:23
Quote:
I have not identified what the code actually does, other than attempting to ping a protocol on another address. The address is masked and I'm not ashamed to say I'm too much of a n00b with these kinds of things to unmask it. However, allow me to get onto the point of my post:


Sounds like the hacker setting up for a DoS attack. My server crashed about a week ago after my hosting company had a DoS attack on their network.

While I don't use free forums on my website (I code it all from scratch by hand), I'll still keep an eye out for anything suspicious.