Quote:
Originally Posted by f.montoya
I just found this in the index.html from an OOTP 6 online league I host...
xxx
OOTP 6 & 6.5 must have the same hole. Don't have time to check right now, but we need an emergency patch for 6 and 6.5 too, Andreas.
First, remove the address of the ****** from your post. It's a malware site.
Second, while the ftp pw can certainly be obtained from the league file without much hassle, I doubt we are dealing with a cracker doing things manually here. Obviously, the ****** hack is appearing because the ftp pw is leaked, but it is a program that is inserting them (into all those files named "index" or "main") via a trojan on the user side. And nothing you do matters if the trojan isn't removed from the machine, because that software (MPack, most likely) cycles and runs non-stop. The trojan is sending the cracker the ftp pw; if you change it but don't erase the trojan, he gets the new pw and you get the ****** code again. He may have targeted OOTP leagues, but websites have been infected by the ****** in the thousands since 2007, from CBS to Aunt Mildred's cooking forums.
Usually, it goes like this: this bot signs up on the forums (maybe several times); uses a valid email account and writes down a website address in its profile. Joe Curious notices the new guy on board and clicks to check that website. This one, of course, is a malware site, and the moment Joe Curious gets there his firewall and web browser are checked for security loopholes, and if he has them, the trojan is d/l'ed and installed automatically. The trojan is a keylogger that sends the cracker all sorts of pw, mainly ftp's. Thus, the moment you change the pw, he gets it. The ****** gets inserted in the code and redirects your page to the malware site, thus infecting those who have security loopholes (mostly everyone whose firewall does not block the redirection).
Things to do here are:
1. Scan your machine for malware. Keep in mind that the trojan may block the anti-malware, so you might want to online scan (Trend Micro, for example) and/or install the anti-malware (a-squared, Malwarebytes, etc.) on a pen drive and scan the pc from there and remove the trojan.
2. Once you have your machine cleaned, take a close look at all the files you have on your site, erasing those you don't recognize.
3. Change your main ftp pw.
4. Create an ftp user and pw with permission to access just the folder where OOTP exports are located. That's the one you have to type down within the game, not the main ftp id and pw.
5. Rename your "index" pages (at least, your frontpage) to a different name (yourleague.html, for example).
6. Authorize every new registration on your forums.
7. Get yourself a malware shield.
8. Make sure that your web browser is not allowed to d/l anything automatically.
9. Pray that the trojan is not located on the server side, because then your best move is transferring your site to another one.
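A file-integrity sweep that covers step 2 and can be re-run after every OOTP export, as an added example (written for this thread, not code from the poster or from OOTP): it hashes every file under the web root, compares against a baseline taken right after the manual clean-up, and marks the index*/main* names the post says get rewritten. The script name, the web-root path and the baseline file location are assumptions.

```python
import hashlib
import json
import sys
from pathlib import Path

# File names the post says the injector rewrites (matched case-insensitively).
FLAGGED_STEMS = ("index", "main")

def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_trees(baseline, current):
    """Return (added, changed, removed) relative paths, each list sorted."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current if p in baseline and baseline[p] != current[p])
    return added, changed, removed

def is_flagged(rel_path):
    """True for index*/main* files, the names the post says get overwritten."""
    return Path(rel_path).stem.lower().startswith(FLAGGED_STEMS)

def report(baseline, current):
    """One line per difference; index/main files are marked so they get looked at first."""
    added, changed, removed = diff_trees(baseline, current)
    out = []
    for label, paths in (("ADDED", added), ("CHANGED", changed), ("REMOVED", removed)):
        out.extend(f"{label:8}{p}{'  <-- index/main' if is_flagged(p) else ''}" for p in paths)
    return out

if __name__ == "__main__":
    # Usage (assumed): python site_check.py /path/to/webroot baseline.json
    # First run writes the baseline (do this right after the manual clean-up in
    # step 2); later runs compare against it. Keep baseline.json outside the web
    # root and outside the folder the restricted FTP account can reach.
    web_root, baseline_file = sys.argv[1], sys.argv[2]
    if not Path(baseline_file).exists():
        Path(baseline_file).write_text(json.dumps(hash_tree(web_root), indent=1, sort_keys=True))
        print("baseline written")
    else:
        baseline = json.loads(Path(baseline_file).read_text())
        print("\n".join(report(baseline, hash_tree(web_root))) or "no changes since baseline")
```

Any CHANGED or ADDED line for a file you did not upload yourself is what step 2 tells you to look at; re-running this after cleaning the PC (step 1) and rotating the pw (step 3) also tells you whether the rewriting has actually stopped.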