Hacker
Hi
Someone's hacked the forum and is using the IP addresses to send trojans. I suggest you all patch your version of windows or linux, and double your firewall strength. The trojan appears to be taking advantage of bugs in IE6, and AOL Browser, but as of yet I'm not totally sure. It should just look like a mish-mash of webpage graphics, covering up icons and buttons. (it reloads the program graphics and replaces them with webpage graphics) The only way to stop the attack once it starts, is to cut your internet connection. So back up all your writing. I'm still checking all open ports on OWF's server for anomalous use, but it looks like a hit-and-run. Stay safe everyone. |
Images appearing in the wrong places has been occurring for months. My computer is fine. Very slow, but fine. The mish-mash of webpages is a result of IE6 and Javascript being used in conjunction.
Abe Babe has found the reason, it was our SMTP Mail System being used from the outside for thousands of emails. Getting in contact with the Server Operator has been tough, and I haven't received a response as of yet from him :( Alcar... |
Save us, Alcar! :crying: Save us!
-oddguy:eek: |
Thank you Alcar.
I'm in the process of disconnecting them right now. If you get kicked offline it's because of me, so apologies for inconvenience in advance. They're onscreen now, I can see their IP, just haven't got their operating system... If anyone notices a sudden increase in speed let me know, I want to see if this works. |
Alcar... |
Here is the current list:
TraceRoute to host www.oddworldforums.net
Timeout 5 Start from hop 1 Maximum Hops 15
195.93.35.238 rt-lohtg19.proxy.aol.com
195.93.35.251 accessl1-loh-G6-0-1.proxy.aol.com
66.185.136.229 pop1-loh-P2-0.atdn.net
66.185.136.224 bb1-loh-P5-0.atdn.net
66.185.152.33 bb1-nyc-P0-0.atdn.net
66.185.152.83 bb1-nye-P6-0.atdn.net
66.185.151.65 pop2-nye-P0-0.atdn.net
66.185.141.42 SBC.atdn.net
151.164.189.61 bb1-p4-0.nycmny.sbcglobal.net
151.164.243.18 bb2-p15-0.nycmny.sbcglobal.net
151.164.188.94 core2-p6-0.crnyny.sbcglobal.net
151.164.188.198 core2-p3-0.crhnva.sbcglobal.net
I'm doing a 50 hop right now, I'll post that if you want it. |
Hmmm ... so it could be a combination of a hacker and also the open relay mail server problem that I found out about? Or maybe the hacker has allowed the mail ports to be publicly accessible. I'm no expert in this area, so simply speculating.
This really doesn't sound like good news for the server and forums at all. Thank you for the info Death. I just hope that Alcar can get in touch w/ our server operator soon. It's kind of tough, as Alcar's the only one who can contact him, and which sounds like it takes time. Abe Babe... |
Are those the offending IPs? Or a mixture of offending, and innocent browsers? I'm not good at this traceroute stuff, and to tell you the truth I only heard of a "hop" two days ago - but I still don't get it.
Alcar... |
What if I have got 'broadband', and I can't cut the internet connection?
:eek: |
I honestly wouldn't worry that much, everyone including me who has had this affect their browser hasn't suffered any computer problems :)
Alcar... |
A "hop" is the maximum number of IPs to be searched in a traceroute. A traceroute is a server query, asking for all the IPs of every user accessing that server.
It's mostly AOL pipelines, and SBC stuff on an AOL pipeline (ATDN). The AOL proxies were AOL users accessing the forum. EDIT: Close off all mail ports to any incoming traffic. Or restrict maintenance port access so that only certain IPs can access it. |
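The open SMTP relay that Abe Babe and Death describe, as an added example (not the forum server's own configuration): a small Python model of the weak "relay for anyone" rule beside a restricted rule that accepts inbound mail for its own domain but only relays outward for trusted networks or authenticated clients. The domain, the networks and the sample transactions are constructed placeholders.

```python
import ipaddress
from collections import Counter

# Constructed example, not the forum's real setup: the local domain and the
# trusted network are hypothetical placeholders (RFC 5737 documentation ranges).
LOCAL_DOMAINS = {"oddworldforums.net"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def open_relay(client_ip, authenticated, rcpt):
    """Weak setting: relay for anyone who connects. This is what lets an
    outsider push thousands of messages through someone else's mail server."""
    return "relay"


def restricted_relay(client_ip, authenticated, rcpt):
    """Hardened setting: mail addressed to our own domains is always accepted
    (that is ordinary inbound mail); relaying to any other domain requires the
    client to be on a trusted network or to have authenticated (SMTP AUTH)."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return "accept-local"
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in TRUSTED_NETS):
        return "relay"
    return "reject-relay-denied"


# Constructed SMTP transactions: (client address, authenticated?, recipient).
# 203.0.113.0/24 is the other documentation range, standing in for "outside".
TRANSACTIONS = [
    ("203.0.113.10", False, "admin@oddworldforums.net"),  # ordinary inbound mail
    ("203.0.113.44", False, "victim1@elsewhere.test"),    # outsider abusing the relay
    ("203.0.113.44", False, "victim2@elsewhere.test"),
    ("203.0.113.45", False, "victim3@elsewhere.test"),
    ("192.0.2.7", False, "friend@elsewhere.test"),        # our own network, allowed
    ("203.0.113.80", True, "friend@elsewhere.test"),      # authenticated roaming user
]


def decision_counts(policy, transactions=TRANSACTIONS):
    """Apply a relay policy to every transaction and tally the outcomes."""
    return dict(Counter(policy(ip, auth, rcpt) for ip, auth, rcpt in transactions))


if __name__ == "__main__":
    print("open relay:      ", decision_counts(open_relay))
    print("restricted relay:", decision_counts(restricted_relay))
```

With the open rule every transaction is relayed, including the three addressed to outside victims; with the restricted rule those three are refused while inbound mail, the trusted network and the authenticated user still get through.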
Death, I hope you know that us forumers really appreciate you helping out the OWF. I hope you and Alcar can figure out how to fix the problem. Again, thanks.:fuzgrin:
-oddguy:fuzcool: |
BTW Alcar I've just thought of something. Do you have any way of performing a port usage traceroute ping? Say 50 hops? That way we could figure out who has what IP, and which port they are using. |
Unfortunately no one except the Server Operator has access to the server control panel.
Alcar... |
I'll do everything I can to help - but any solutions would be out of my league. I can get you IP lists, scan ports, make suggestions but actually solving the problem will have to be down to Alcar, Abe Babe and Pilot. (I am right in thinking that Pilot is the guy that runs the server aren't I?) This is just one of those things, hopefully the weak points will be watched more closely in the future. Thanks again for the Kudos. |
Alcar... |
It's been a long time since I talked with Pilot. Well, it's very generous for him to still host the server. BTW, is he still paying to host the server, etc.?
|
Also, you might have read this, but the spam emails that were being sent through came from Hong Kong somewhere when I did a reverse DNS on the IP that they were originating from.
Again your assistance is much appreciated. Hopefully Peter can pass all of this info on accordingly. Abe Babe... |
Servers shouldn't have slow connections like ADSL, they need stuff like 2 - 8 megabit cable.
Interestingly, the attack doesn't seem to've worried Pilot at all. Usually servers have security programs and firewalls that watch over ports like that. I wonder if Pilot dropped dead... |
Pete, have you had any luck getting a hold of Justin yet? Well I guess if you want to and haven't tried it yet, I believe he left his cell phone number in one of the old threads over in the Employee Lounge. Plus, I recall him mentioning to call him on that number in case of an emergency. So that's just a thought if we would call this an "emergency" type situation.
|
He hasn't responded yet, so we have to wait. Also, he did mention that he'd moved out of his parent's house, and I believe that number is his parent's house number :p Alcar... |
You might notice that the forums have sped up a tiny little bit.
You (partially) have me to thank for that. I got in contact with Jelsoft about this issue, and they gave me the "your call means a lot to us" treatment, so I decided to try and break my way past the problem. I sat there all night doing traceroute pings, just to get IPs to kick off the server. In total I think I disconnected about 18 IP addresses, and only 2 or 3 came back on. So hopefully that showed them who's boss. But if they want to they can still come back again. Apologies if I accidentally kicked anyone off. |
I guess this means the main server moved with him as well? (I know it's a stupid question but as they say, "The only stupid question is the one that is not asked."):fuzwink: |
That would've caused downtime, and Pilot should've had the brains to tell Alcar about it in advance. So if there was no downtime, we can safely assume that the server is still at his parents' house. If there was a short (or long) downtime however, then we can safely assume that Pilot did move the server too. |
The Server was never at his parents' house. The server has always, and I still think it does, reside in his parents' workshop.
I know that he checks in on it every month or so :) Alcar... |
"bit odd" being an understatement I think. |
The server was originally designed to run the website of his parents' jewelry store. Because he had a lot of room on it, he offered me the space for Oddworld-Web and eventually Oddworld Forums (back then I was using some webspace on a NFL fan server, and the forums were on some web host Sydney had, but they told him he was exceeding either storage or data transfer, so we had to move).
That's probably also the reason it isn't on a standard server speed internet connection, as it was originally meant to be a server for small business use. Abe Babe... |
I still find it intriguing that Pilot's parents decided to go for their own server instead of a premium server. |