|
|
JapanGamer
Known Hero
|
posted October 21, 2008 12:28 AM |
|
|
Changes do not occur with no change to begin with so I would say there is "perhaps" a bee on the loose. Maybe not though.
____________
Pictures of god
|
|
Shadowcaster
Honorable
Supreme Hero
Shaded Scribe
|
posted October 21, 2008 12:41 AM |
|
|
The script doesn't even show up on NoScript anymore, so I think we can say you fixed it. I turned off NS's restrictions and cleared my cookies and cache then reloaded the page. No pop-up.
____________
>_>
|
|
Valeriy
Mage of the Land
Naughty, Naughty Valeriy
|
posted October 21, 2008 12:44 AM |
|
|
Only sensible reports from now on in this thread please:
what occurred for you and on which page.
what exactly this trojan is and how to identify/remove it.
Someone or some bot managed to get root access to the AOH/HC server and executed a hack that added a script into some files of AOH and HC. When a page with this script is viewed, it opens the PDF file on the Chinese domain. The opening of this file (which happens in the background) may cause a trojan or virus to get into the user's computer.
From searching on the internet, it seems that other server admins who experience this problem also have their servers hosted by LayeredTech, as AOH/HC server is. I suspect that these server intrusions are somehow connected to security flaws in LayeredTech infrastructure. The root password was secure and not known to anyone other than myself, so I do not know how the attacker managed to get root access to the server.
I will be cleaning up the file edits done by the hack. But as it is currently unclear how the attack happened, it is similarly unclear whether it can happen again. Let's hope something comes from LayeredTech in this discussion.
____________
You can wait for others to do it, but if they don't know how, you'll wait forever.
Be an example of what you want to see on HC and in the world.
http://www.heroesofmightandmagic.com
|
|
mvassilev
Responsible
Undefeatable Hero
|
posted October 21, 2008 01:04 AM |
|
|
All right, sensible reports. Here is the summary of what happened to me.
Yesterday, as I was loading a page on HC, Norton Firewall told me that prevedvsem was trying to make or access a cookie. I blocked it. I then noticed that Firefox was taking a much longer time to load (but only on HC). I opened Task Manager, and noticed that Acrobat Reader was running in the background. I closed it, and went on with my business. It happened several times again, and I kept closing it.
Then, today, after reading this thread, I ran Kaspersky, and it didn't find anything. I also opened Acrobat Reader, and the file history doesn't have anything it shouldn't have.
My computer seems to be working as usual.
____________
Eccentric Opinion
|
|
Valeriy
Mage of the Land
Naughty, Naughty Valeriy
|
posted October 21, 2008 01:15 AM |
|
Edited by Valeriy at 01:16, 21 Oct 2008.
|
Another instance of the script was hiding in the AOH news ticker - removed. HC should be clean, at least for now.
"Prevedvsem" sounds similar to "hello all" in Russian, so it seems someone Russian is behind it rather than Chinese... I looked up the registrar (in China) and web host (in Ukraine) associated with prevedvsem123.cn and wrote to their abuse departments. Hopefully they will suspend the client who is behind this.
____________
You can wait for others to do it, but if they don't know how, you'll wait forever.
Be an example of what you want to see on HC and in the world.
http://www.heroesofmightandmagic.com
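
An added example, not part of the thread or the site's own tooling: one way to sweep a web root for the kind of injected include described in the posts above (a script added to site files that loads content from a foreign domain). The file names, the injected markup and the allowlist are constructed for the demonstration; the thread does not show the actual injected code.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# src= on <script>/<iframe> tags, the usual carriers of an injected loader.
TAG_SRC = re.compile(r'<(?:script|iframe)\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
WEB_EXT = (".php", ".html", ".htm", ".js", ".inc", ".tpl")

def find_foreign_includes(root, allowed_hosts):
    """Return sorted (relative_path, line_no, host) for every script/iframe
    whose src names a host outside allowed_hosts. Relative URLs are ignored."""
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    for src in TAG_SRC.findall(line):
                        host = (urlparse(src).hostname or "").lower()
                        if host and host not in allowed:
                            hits.append((os.path.relpath(path, root), line_no, host))
    return sorted(hits)

def demo():
    """Build a constructed web root (two tampered files, one clean) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "inc"))
        samples = {  # constructed sample content, not taken from the real site
            "index.php": '<?php echo "hi"; ?>\n<script src="/js/site.js"></script>\n',
            "news.html": '<div>news</div>\n<script src="http://prevedvsem123.cn/x.js"></script>\n',
            "inc/footer.php": '<p>bye</p>\n\n<iframe src="//prevedvsem123.cn/" width=0></iframe>\n',
        }
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return find_foreign_includes(root, {"www.heroesofmightandmagic.com"})

if __name__ == "__main__":
    for rel, line_no, host in demo():
        print(f"{rel}:{line_no}: loads from {host}")
```

Running the same sweep against a known-good backup of the web root and comparing the two result lists shows which includes were added by the intrusion rather than by the site itself.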
|
|
mvassilev
Responsible
Undefeatable Hero
|
posted October 21, 2008 01:16 AM |
|
|
Actually, "preved" is a purposeful misspelling of "privet" specific to the Russian version of "teh internets". So it's probably a haxxor.
____________
Eccentric Opinion
|
|
Nebdar
Promising
Supreme Hero
Generation N
|
posted October 21, 2008 01:23 AM |
|
Edited by Nebdar at 01:23, 21 Oct 2008.
|
I will repeat myself, but I found that
ModdersWorkshop => The Modding Wiki the link doesn't work (1st page, 1st post)
I know it was working a week ago or a few days ago or so. And I also experienced slowdowns on HC. They started 3-4 days ago.
Error Message:
Parse error: syntax error, unexpected '<' in /home/aoheroes/public_html/heroes5/modding_wiki/inc/html.php on line 1246
____________
|
|
JapanGamer
Known Hero
|
posted October 21, 2008 01:26 AM |
|
|
Just so everyone knows, since I took asheera's advice it hasn't happened to me. I don't think it's required to block HC, but it's not required to not block HC either.
____________
Pictures of god
|
|
william
Responsible
Undefeatable Hero
LummoxLewis
|
posted October 21, 2008 01:32 AM |
|
|
Nebdar, that error you showed doesn't have anything to do with this site being hacked since the thread works fine for me. I sometimes get that when I want to view certain threads. Try to open the thread a few times and it should work.
____________
~Ticking away the moments that
make up a dull day, Fritter and
waste the hours in an off-hand
way~
|
|
Valeriy
Mage of the Land
Naughty, Naughty Valeriy
|
posted October 21, 2008 02:02 AM |
|
|
Recovered the modding wiki. If there are any errors with it, report here.
____________
You can wait for others to do it, but if they don't know how, you'll wait forever.
Be an example of what you want to see on HC and in the world.
http://www.heroesofmightandmagic.com
|
|
Aculias
Responsible
Undefeatable Hero
Pretty Boy Angel Sacraficer
|
posted October 21, 2008 03:38 AM |
|
|
I am glad I came in just now after a big day at work.
I came in with no problems at all.
Seems normal until I read this.
I think it might be safe to say it might be ok.
I heard this was not the only place this hacking happened in.
|
|
emilsn
Legendary Hero
|
posted October 21, 2008 07:05 AM |
|
|
I got no error this time
____________
Don't walk behind me; I may not
lead. Don't walk in front of me;
I may not follow. Just walk
beside me and be my friend.
|
|
william
Responsible
Undefeatable Hero
LummoxLewis
|
posted October 21, 2008 10:34 AM |
|
|
Not sure if this is just me or if this has to do with this recent event, but when I view a thread and a person has a Personal Page, the link is not there. I have to click the profile link and then the Personal Page appears. It's not big or anything but I just thought I should mention it.
____________
~Ticking away the moments that
make up a dull day, Fritter and
waste the hours in an off-hand
way~
|
|
Geny
Responsible
Undefeatable Hero
What if Elvin was female?
|
posted October 21, 2008 10:47 AM |
|
|
I can view your Personal Page right from the thread.
____________
DON'T BE A NOOB, JOIN A.D.V.E.N.T.U.R.E.
|
|
Valeriy
Mage of the Land
Naughty, Naughty Valeriy
|
posted October 21, 2008 11:00 AM |
|
|
You can only see a "PP" if it's long enough
____________
You can wait for others to do it, but if they don't know how, you'll wait forever.
Be an example of what you want to see on HC and in the world.
http://www.heroesofmightandmagic.com
|
|
TitaniumAlloy
Honorable
Legendary Hero
Professional
|
posted October 21, 2008 11:28 AM |
|
|
My computer keeps trying to open a nonexistent PDF file whenever I click HC (sometimes)
Question mark?
____________
John says to live above hell.
|
|
Mytical
Responsible
Undefeatable Hero
Chaos seeking Harmony
|
posted October 21, 2008 11:31 AM |
|
|
It is a virus going by the name bloodhound (I think). Think if you are using Windows there is an update (you have to search for bloodhound on like Google or something) that supposedly blocks it. Most antivirus will cure it also.
____________
Message received.
|
|
TitaniumAlloy
Honorable
Legendary Hero
Professional
|
posted October 21, 2008 11:59 AM |
|
|
What does it do?
____________
John says to live above hell.
|
|
Mytical
Responsible
Undefeatable Hero
Chaos seeking Harmony
|
posted October 21, 2008 12:09 PM |
|
|
It tries to open a .pdf file. Don't know what else, because my computer always stopped it there. However, I heard it can lock up a lot of systems.
____________
Message received.
|
|
Lexxan
Honorable
Undefeatable Hero
Unimpressed by your logic
|
posted October 21, 2008 12:21 PM |
|
|
Is it fixed already? :S
____________
Coincidence? I think not!!!!