GameAmp: Update your security


 
unkleanone
Posts: 15
Joined: 01/04/2006
Credibility: 0 pts
Update your security 

Hello everyone,

I hate to have to tell you this, but for the last few days we have been under attack from a very malicious person. He has been running around embedding code in posts. They appear in the form of lil squares. At first we didn't recognize it for what it was; it appeared to not be doing anything, so we went to deleting and banning... unfortunately this did not work.

Anyway, today we have awoken to a serious problem. There is a trojan on gameamp. It sounds really bad but know that there are steps you can take to protect yourself from being attacked.

Block the site:

Go to your control panel then do the following:

1. Click "Internet Options"

2. Select the "Security" tab

3. Select "Restricted Sites"

4. Click "Sites"

5. Add the site url (453787.com) into the field and click add

6. Click "OK"

*Image of steps 1-6

7. Switch to the "advanced" tab, scroll to the bottom and find "Security" settings.

8. Check/enable the following two protocols:

"Do not save encrypted pages to disk"
"Empty temporary internet files when browser is closed"

9. Click OK and we're done

*Image of steps 7-9

Also, if you're interested in more info on PC security you should read this guide, Securing your computer from attacks, and check out this guide, Keyloggers and you, for help seeing if you may have been infected and on ways to remove it if your virus program does not.

Another way to keep from being hit by keyloggers is to be sure to use the remember username checkbox. That way they will only get your password... which will do nothing for them without your username. If you have not been running WoW in this way I suggest doing it now and changing your password.

Furthermore please be sure to check your comments on your userpages as we do not have the power to delete those...only you do. If you see the lil square in one of your comments be sure to delete it. If you come across the lil square box in a comment somewhere be sure to let both me and thejeni know about it via pm.


Know that we are doing everything in our power to neutralize this threat. But this is something that is going to take your help to fix. Stay on the lookout for this lil bugger:


Thank you,
Unkleanone
WoW Site Manager



***THIS POST HAS BEEN EDITED***
11/13/06 13:16
blackphoenix
Posts: 123
Joined: 09/23/2005
Credibility: 0 pts
RE: Update your security 

Do you happen to have the name of the trojan? In case anyone would have to remove it, it is much easier when you know what one it is.



11/13/06 13:33
Xaviak
GameAmp Staff
Posts: 1088
Joined: 02/25/2006
Credibility: 4 pts
RE: Update your security 

oooh, thanks for that! O.o



AmpWoW<-- Check it out if you need to find something. ^^

WoW@GA is looking for new staffers! More info HERE!
11/13/06 13:35
Xaviak
GameAmp Staff
Posts: 1088
Joined: 02/25/2006
Credibility: 4 pts
RE: Update your security 

QUOTE
Do you happen to have the name of the trojan?  In case anyone would have to remove it, it is much easier when you know what one it is.


Some info here:

http://guildwars.gameamp.com/forum/showTopic/49574.php




11/13/06 13:36
thejeni
Posts: 26
Joined: 08/12/2004
Credibility: 0 pts
RE: Update your security 

And just an update. We have mass deleted the comments this code was placed in. They should all be gone now. If you do run across that code, please PM me with a link to where you found it.





Siggy created by DeathFetish.
11/13/06 13:46
Unbeatable
Posts: 18
Joined: 09/24/2005
Credibility: 0 pts
RE: Update your security 

Thanks for letting us know. I saw one of the threads with the little dot (it has been removed though), opened the thread and replied. Will the trojan be on my computer now?
Anyway gonna scan and such now.

Unb
11/13/06 16:47
MartinTheWarrior
Posts: 25
Joined: 12/10/2005
Credibility: 14 pts
RE: Update your security 

Crap. I replied to one of that guy's posts...
And a better question to you guys (or prolly the devs :p) is why do you allow HTML or even inline frames in a topic area? Kinda dangerous/stupid (no offense :P) because someone could basically do that or make a picture come up in the topic.
Just a thought.




11/13/06 16:51
thejeni
Posts: 26
Joined: 08/12/2004
Credibility: 0 pts
RE: Update your security 

QUOTE
Thanks for letting us know. I saw one of the threads with the little dot (it has been removed though), opened the thread and replied. Will the trojan be on my computer now?
Anyway gonna scan and such now.

Unb


I would strongly recommend running a virus scanner. I have not received any virus or keyloggers and I've been handling these things for about a week now. It seems it depends on what browser you are using (Opera seems to keep you safe).





11/13/06 16:52
MartinTheWarrior
Posts: 25
Joined: 12/10/2005
Credibility: 14 pts
RE: Update your security 

I use Firefox and nothing bad has happened yet...I don't think anyways.
I'm running a full virus & spyware scan tonight though, just in case.




11/13/06 17:16
thejeni
Posts: 26
Joined: 08/12/2004
Credibility: 0 pts
RE: Update your security 

QUOTE
I use Firefox and nothing bad has happened yet...I don't think anyways.
I'm running a full virus & spyware scan tonight though, just in case.


If you do find anything, I would strongly suggest following the Guide Cyrix posted.





11/13/06 17:24
Unbeatable
Posts: 18
Joined: 09/24/2005
Credibility: 0 pts
RE: Update your security 

I just finished a full virus and spyware scan and everything seems fine.
I also seem to recall that the thread I replied to had some broken HTML codes in it (Space between < and the actual code). That might have 'saved' me.

Btw, I'm running Firefox



***THIS POST HAS BEEN EDITED***
11/13/06 17:34
thejeni
Posts: 26
Joined: 08/12/2004
Credibility: 0 pts
RE: Update your security 

QUOTE
I just finished a full virus and spyware scan and everything seems fine.
I also seem to recall that the thread I replied to had some broken HTML codes in it (Space between < and the actual code). That might have 'saved' me.

Btw, I'm running Firefox


It seems that using IE is what has made people vulnerable. Check out that thread to the GW site, they got into some technical discussion (most of which I don't understand).
11/13/06 17:46
MartinTheWarrior
Posts: 25
Joined: 12/10/2005
Credibility: 14 pts
RE: Update your security 

Why did the devs even let people post html code, much less post inline frames, on the forums? Strange to let frames work on a forums.




11/13/06 20:15
unkleanone
Posts: 15
Joined: 01/04/2006
Credibility: 0 pts
RE: Update your security 

Not sure, I guess it just wasn't expected... Though it seems that thejeni is right: if you run Firefox or Opera you are "safe" from the keylogger. Though you never know, it may change, so if you haven't already done a scan be sure to do so... And to answer the above question about the name of the keylogger, cyrix reported that it was max.exe, though no idea if it will always be this; there are ways of making programs change their process name randomly.




Artistic Expressions, My new shop, purchase various items featuring original work and ideas from your's truly! Hell...It's about time.
The early bird may get the worm, but the second mouse gets the cheese.
11/14/06 03:07
blackphoenix
Posts: 123
Joined: 09/23/2005
Credibility: 0 pts
RE: Update your security 

The exploit was actually a vulnerability in Windows. The fix for it was actually released by Microsoft way back in April - see here. So it's possible it would work in firefox if the code was written to work properly there. It's just another reason to make sure you keep your computer up to date on the security patches.

http://windowsupdate.microsoft.com

You can check to see if you've already got that update installed by going to Add Remove Programs, make sure the Show Updates box is checked, then look through the list for an update that says Security Update for Windows XP (KB911562).



***THIS POST HAS BEEN EDITED***



11/14/06 07:53
thejeni
Posts: 26
Joined: 08/12/2004
Credibility: 0 pts
RE: Update your security 

QUOTE
Why did the devs even let people post html code, much less post inline frames, on the forums? Strange to let frames work on a forums.


I don't know what inline frames are, but I know that the devs allowed the HTML (that is past tense, as you can't do it any more) for those people who used HTML rather than BB Code.





11/14/06 10:50
blackphoenix
Posts: 123
Joined: 09/23/2005
Credibility: 0 pts
RE: Update your security 

They did disable it? I just used HTML in a post today.

see

<a href=http://wow.gameamp.com/forum/showTopic/49623.php>see</a>

^ that's what I put in the post content box
I don't know if it matters, but the bbcode tag for code doesn't work. It still parsed the HTML just like the tags weren't there. Had to use the xmp html tag to get the code to show.



***THIS POST HAS BEEN EDITED***



11/14/06 10:57
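
The posts above describe a forum renderer that passes poster-supplied HTML, inline frames included, through to the page even inside the BBCode code tag. As an added example (not GameAmp's code and not written by anyone in this thread), here is a minimal Python renderer that escapes all HTML before expanding a small BBCode allowlist, plus a check for frame and script tags in stored posts and comments. The function names, the tag allowlist and the example.invalid URLs are assumptions.

```python
import html
import re

ALLOWED_SCHEMES = ("http://", "https://")      # assumption: links only to web URLs
SIMPLE_TAGS = {"b": "strong", "i": "em"}       # assumption: tiny BBCode allowlist
ACTIVE = re.compile(r"<\s*(iframe|frame|script|object|embed)\b", re.I)

def render_post(raw: str) -> str:
    """Escape every character of poster HTML, then expand allowlisted BBCode."""
    text = html.escape(raw, quote=True)        # <iframe> becomes inert &lt;iframe&gt;

    # [code] first: neutralise "[" inside it so no later rule expands its contents.
    text = re.sub(r"\[code\](.*?)\[/code\]",
                  lambda m: "<pre><code>" + m.group(1).replace("[", "&#91;")
                            + "</code></pre>",
                  text, flags=re.S | re.I)

    def link(m):
        href, label = m.group(1), m.group(2)
        if not href.lower().startswith(ALLOWED_SCHEMES):
            return m.group(0)                  # leave javascript: etc. as plain text
        return f'<a href="{href}" rel="nofollow noopener">{label}</a>'
    text = re.sub(r"\[url=([^\]\s]+)\](.*?)\[/url\]", link, text, flags=re.S | re.I)

    return re.sub(r"\[(b|i)\](.*?)\[/\1\]",
                  lambda m: "<{0}>{1}</{0}>".format(SIMPLE_TAGS[m.group(1).lower()],
                                                    m.group(2)),
                  text, flags=re.S | re.I)

def find_active_markup(raw: str) -> list:
    """Tag names in a stored post or comment that a moderator should review."""
    return sorted({name.lower() for name in ACTIVE.findall(raw)})

if __name__ == "__main__":
    # Constructed sample posts; example.invalid is a placeholder host.
    samples = [
        '<iframe src="http://example.invalid/x" width=1 height=1></iframe>',
        "[code]<a href=http://example.invalid/>see</a>[/code]",
        "[url=https://example.invalid/a]go[/url] and [b]bold[/b]",
    ]
    for s in samples:
        print(find_active_markup(s), "->", render_post(s))
```
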
thejeni
Posts: 26
Joined: 08/12/2004
Credibility: 0 pts
RE: Update your security 

QUOTE
They did disable it?  I just used HTML in a post today.

see


Hum.... let me give them a poke.





11/14/06 11:52
MartinTheWarrior
Posts: 25
Joined: 12/10/2005
Credibility: 14 pts
RE: Update your security 

Inline frames are basically displaying a whole page inside of another page. It would be like placing, let's say, http://worldofwarcraft.com, and placing it on a webpage so you can see the whole worldofwarcraft.com page inside the page the tag was embedded inside of.
Here is what I mean in an example...
http://jeffriddle.info/inlineframe.html







11/14/06 16:27
thejeni
Posts: 26
Joined: 08/12/2004
Credibility: 0 pts
RE: Update your security 

QUOTE
Inline frames are basically displaying a whole page inside of another page. It would be like placing, let's say, http://worldofwarcraft.com, and placing it on a webpage so you can see the whole worldofwarcraft.com page inside the page the tag was embedded inside of.
Here is what I mean in an example...
http://jeffriddle.info/inlineframe.html


Ohhhhh so that's what an inline frame is. Thanks for the example.





11/14/06 17:07
unkleanone
Posts: 15
Joined: 01/04/2006
Credibility: 0 pts
RE: Update your security 

Yea jeni it's like the news links page...you know the one.




11/15/06 03:38
thejeni
Posts: 26
Joined: 08/12/2004
Credibility: 0 pts
RE: Update your security 

QUOTE
Yea jeni it's like the news links page...you know the one.


Ohhhhhh. I would assume pages like that one, and a few other admin pages, are why they had allowed them on the site. They have done some major tweaking so far this week. Here's hoping it takes care of the problem.





11/15/06 10:24
MartinTheWarrior
Posts: 25
Joined: 12/10/2005
Credibility: 14 pts
RE: Update your security 

Yeah, that news page is a nice example of inline frames, though it does kinda go really slow the time I looked at it... Oh well. It happens if it has to load all those pages every time, I'd guess.

Was the trojan actually a keylogger or was keylogger something assumed? Just wondering.




11/16/06 15:33
Drucila
Posts: 47
Joined: 08/23/2006
Credibility: 0 pts
RE: Update your security 

I think it was assumed, but I did coincidentally get hacked that same weekend. So update, run a virus scan, a malicious software scan (can be downloaded from Microsoft's website) and an Ad-Aware SE (can also be downloaded free) scan. If these do not pick anything up you're probably fine.

My hack might have been a genuine hack attempt because it seemed like the person had a clear agenda of what they wanted off our network, but it could have all started with this guy, who knows. I'd run scans and update to be safe though, it screwed with my router and firewalls. Resetting up an entire wireless/bluetooth network is NOT a fun time...FYI.

Laters
Druz



11/17/06 08:58
unkleanone
Posts: 15
Joined: 01/04/2006
Credibility: 0 pts
RE: Update your security 

It was in fact a keylogger, as that is how cyrix got hit... unfortunately it came from gameamp. That's how we became fully aware of the danger of the embedded code.




11/17/06 16:41
VinceVoltage
Posts: 1
Joined: 07/14/2005
Credibility: 0 pts
RE: Update your security 

It's a good thing we've got all these computer smarties like Unklean to help us out. Hip hip hooray for the Dirrrty 1! (get it?...Unklean?...lame, yeah I know)



Image Gallery (CoH, CoV, GW, PS, etc.)

11/30/06 13:38
unkleanone
Posts: 15
Joined: 01/04/2006
Credibility: 0 pts
RE: Update your security 

Yea, don't worry, you're not the first one to turn my name on me to mean dirty one lol... but damn, it's referring to a mental state... lol :)




11/30/06 14:28