Old 12-03-2008, 11:52 AM   #61
f.montoya
Hall Of Famer
 
Join Date: Nov 2004
Posts: 6,077
Forgot to mention that 3 sites of mine got hit. Spent 3+ hours cleaning up the mess.
__________________
Fidel Montoya

Asahi2 Baseball League ex-Commissioner(Historical League Since 2004)
Ex-Web Host
Current Mod Maker??
f.montoya is offline   Reply With Quote
Old 12-03-2008, 11:55 AM   #62
canadiancreed
Hall Of Famer
 
Join Date: Aug 2004
Posts: 11,660
Sorry if I've missed this, but how are OOTP9 files linked to being able to upload and compromise sites? The only things that OOTP9 would have on a site are a zip or rar for the league file and basic HTML pages, correct?
canadiancreed is offline   Reply With Quote
Old 12-03-2008, 12:01 PM   #63
f.montoya
Hall Of Famer
 
Join Date: Nov 2004
Posts: 6,077
Quote:
Originally Posted by Tony M View Post
...

Until the emergency patch comes out there's nothing that can be done to prevent this potential way in, unless you are able to set up a separate FTP user that only has access to the OOTP directories and no access to forums...
Even that doesn't solve this issue. I've seen 2 of my sites with altered (OOTP generated) index.html pages with an ****** inserted. The hole you saw is EXACTLY how the bad guy is getting in. He either plays OOTP or spent enough time around here to get enough info on how to do this.

Even if you use a limited FTP account, the ****** can still get into the OOTP reports. If this happens, you run the risk of allowing a trojan type virus to get into several league members' computers.
__________________
Fidel Montoya

Asahi2 Baseball League ex-Commissioner(Historical League Since 2004)
Ex-Web Host
Current Mod Maker??
f.montoya is offline   Reply With Quote
Old 12-03-2008, 12:02 PM   #64
gollum65
All Star Reserve
 
Join Date: Feb 2007
Posts: 925
It's the actual OOTP league file that GMs download and install into OOTP.
gollum65 is offline   Reply With Quote
Old 12-03-2008, 12:04 PM   #65
Tony M
Global Moderator
 
Join Date: Feb 2006
Location: Here
Posts: 6,156
Quote:
Originally Posted by f.montoya View Post
Even that doesn't solve this issue. I've seen 2 of my sites with altered (OOTP generated) index.html pages with an ****** inserted. The hole you saw is EXACTLY how the bad guy is getting in. He either plays OOTP or spent enough time around here to get enough info on how to do this.

Even if you use a limited FTP account, the ****** can still get into the OOTP reports. If this happens, you run the risk of allowing a trojan type virus to get into several league members' computers.
OK. I didn't realise that. I got the impression that the forums were being compromised by the access. Certainly Gollum's attacker was going at the forums but had done it all by FTP.

I don't think I've ever used an ****** - is it something you can get browsers to not show as it seems quite a big security risk on any site?

I think point 2 is still valid though.
Tony M is offline   Reply With Quote
Old 12-03-2008, 12:50 PM   #66
f.montoya
Hall Of Famer
 
Join Date: Nov 2004
Posts: 6,077
If you just want to make sure your index files are clean, download them to your hard drive and open them with a text editor. If you see anything in any of your index files like...

Code:
< ****** ...BLAH, Blah, BLAH.../******>
Remove it. Scour your files for anything like this and remove it.
__________________
Fidel Montoya

Asahi2 Baseball League ex-Commissioner(Historical League Since 2004)
Ex-Web Host
Current Mod Maker??

Last edited by Tony M; 12-03-2008 at 01:03 PM. Reason: put some codes round it
f.montoya is offline   Reply With Quote
Old 12-03-2008, 01:03 PM   #67
Tony M
Global Moderator
 
Join Date: Feb 2006
Location: Here
Posts: 6,156
Quote:
Originally Posted by f.montoya View Post
If you just want to make sure your index files are clean, download them to your hard drive and open them with a text editor. If you see anything in any of your index files like...

Code:
< ****** ...BLAH, Blah, BLAH.../******>
Remove it. Scour your files for anything like this and remove it.
Obviously ignore the space between the < and ****** - for some reason the forum wants to do iframes!!! (security risk)
Tony M is offline   Reply With Quote
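
The check from posts #66 and #67 (look through the OOTP-generated pages for iframe tags), automated as an added example that is not part of the original thread. The allowed host, the sample page and the function names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Hosts whose iframes are expected, e.g. a standings widget (hypothetical value).
ALLOWED_HOSTS = {"standings.example.org"}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Constructed sample page: one expected iframe, one hidden injected one.
SAMPLE = """<html><body>
<h1>League Reports</h1>
<iframe src="http://standings.example.org/table.html" width="600" height="400"></iframe>
<iframe src="http://injected.example.net/x" width="0" height="0"></iframe>
</body></html>"""

class IframeFinder(HTMLParser):
    """Records every <iframe> tag with its line number and a verdict."""
    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname or ""  # "" means same-site path
        hidden = (a.get("width") in {"0", "1"} or a.get("height") in {"0", "1"}
                  or bool(HIDDEN_STYLE.search(a.get("style", ""))))
        foreign = bool(host) and host not in ALLOWED_HOSTS
        self.hits.append({"line": self.getpos()[0], "src": a.get("src", ""),
                          "suspicious": hidden or foreign})

def scan_html(text):
    """Return all iframe tags found in one HTML document."""
    finder = IframeFinder()
    finder.hits = []
    finder.feed(text)
    finder.close()
    return finder.hits

def scan_tree(root):
    """Map each .htm/.html file under root to its suspicious iframe tags."""
    findings = {}
    for path in sorted(Path(root).rglob("*.htm*")):
        bad = [h for h in scan_html(path.read_text(errors="replace")) if h["suspicious"]]
        if bad:
            findings[str(path)] = bad
    return findings

if __name__ == "__main__":
    for hit in scan_html(SAMPLE):
        print(hit)
```

Run `scan_tree` on a downloaded copy of the league's report directory; it only finds iframe tags written literally in the markup, so a hit list that comes back empty does not cover tags built by script.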
Old 12-03-2008, 01:09 PM   #68
f.montoya
Hall Of Famer
 
Join Date: Nov 2004
Posts: 6,077
Thanks Tony.

I thought I was going to get banned for knocking off the OOTP forums with an ****** sample.
__________________
Fidel Montoya

Asahi2 Baseball League ex-Commissioner(Historical League Since 2004)
Ex-Web Host
Current Mod Maker??
f.montoya is offline   Reply With Quote
Old 12-03-2008, 01:27 PM   #69
ericm26
Minors (Single A)
 
Join Date: Jun 2004
Posts: 68
Does anyone know if 2007/2008 have the same security issues as 2009? I run a league that is getting hacked also but we run 2007/2008 not 2009.
ericm26 is offline   Reply With Quote
Old 12-03-2008, 01:34 PM   #70
Tony M
Global Moderator
 
Join Date: Feb 2006
Location: Here
Posts: 6,156
Quote:
Originally Posted by ericm26 View Post
Does anyone know if 2007/2008 have the same security issues as 2009? I run a league that is getting hacked also but we run 2007/2008 not 2009.
Without access to a 2007/2008 game I couldn't say. I'll just go and have a look in the 2008 forum and find a random online league to see if it's still on the previous version.
Tony M is offline   Reply With Quote
Old 12-03-2008, 01:38 PM   #71
Mike44126
Minors (Single A)
 
Join Date: Apr 2006
Posts: 87
Is there a patch out? Someone emailed a league I'm in with a patch...please confirm this
Mike44126 is offline   Reply With Quote
Old 12-03-2008, 01:43 PM   #72
molarmite
Hall Of Famer
 
Join Date: Jul 2005
Location: Minnesota
Posts: 4,924
Well considering I was the one who emailed you, you probably won't believe that I confirm it but I'm sure someone else will soon.
__________________
From the wise mind of Davey Eckstein

"Now all you need is a signature. A quote or initial, perhaps."


molarmite is offline   Reply With Quote
Old 12-03-2008, 02:34 PM   #73
cnield
Major Leagues
 
Join Date: Nov 2006
Posts: 310
Quote:
Originally Posted by molarmite View Post
Well considering I was the one who emailed you, you probably won't believe that I confirm it but I'm sure someone else will soon.
The link that was sent to us was for the 9.2.7 patch (?). However, that patch was put up on November 17, which was before you guys figured out what the hole was. So I'm a bit dubious that the patch would solve anything.
cnield is offline   Reply With Quote
Old 12-03-2008, 02:39 PM   #74
Tony M
Global Moderator
 
Join Date: Feb 2006
Location: Here
Posts: 6,156
Quote:
Originally Posted by cnield View Post
The link that was sent to us was for the 9.2.7 patch (?). However, that patch was put up on November 17, which was before you guys figured out what the hole was. So I'm a bit dubious that the patch would solve anything.
I told Andreas about this hole a couple of days after this thread started so this patch does cover this hole.
Tony M is offline   Reply With Quote
Old 12-03-2008, 02:43 PM   #75
Corsairs
Hall Of Famer
 
Join Date: Aug 2007
Posts: 2,360
Is there a Mac version of the patch available? The mailing I received only pointed to a PC version. Several of my owners use Macs.
__________________
Founder of the Planetary Extreme Baseball Alliance (PEBA)
Premiere OOTP fictional league where creativity counts and imagination is your only limitation
Check for openings - contact us today!
Corsairs is offline   Reply With Quote
Old 12-03-2008, 06:14 PM   #76
kq76
Global Moderator
 
Join Date: Nov 2002
Posts: 11,868
Is this patch going to be publicly announced? It sounds like it is only being spread privately and I don't understand why that would be. If it fixes an exploit surely it should be announced like any other patch so as many people can know about it as possible rather than just talked about here and in private.

EDIT: I was just passed the link to the aforementioned patch. I don't know why it wasn't publicly posted, but unless someone can tell me why it shouldn't be I'll be linking to it here and in the online league board's stickied thread.
kq76 is offline   Reply With Quote
Old 12-03-2008, 07:15 PM   #77
kq76
Global Moderator
 
Join Date: Nov 2002
Posts: 11,868
Quote:
Originally Posted by Tony M View Post
I don't think I've ever used an ****** - is it something you can get browsers to not show as it seems quite a big security risk on any site?
See:

Quote:
Originally Posted by Alan T View Post
As far as end users go, users that use Firefox with NoScript, for instance, are not fully protected, as by default NoScript allowed iframes. Those users should go in to the NoScript settings and make sure to explicitly say not to allow iframes either (unless they override it). I am less familiar with Internet Explorer, but I understand there are ways to protect yourself there as well.
People should know, however, that there are legitimate uses for iframes. For example, a number of online leagues use them quite effectively to display league standings on their websites. However, iframes are usually not needed and if a web designer has them as necessary parts of their website then they should probably re-think that. I'd like to keep iframes enabled myself as they can add to a site, but I think for now I'm going to disable them as Alan T explained above. I imagine every web browser probably has a way to disable them, except maybe IE.
kq76 is offline   Reply With Quote
Old 12-03-2008, 07:27 PM   #78
mikev
Hall Of Famer
 
Join Date: Dec 2004
Location: Bay Area, CA
Posts: 4,014
Quote:
Originally Posted by kq76 View Post
Is this patch going to be publicly announced? It sounds like it is only being spread privately and I don't understand why that would be. If it fixes an exploit surely it should be announced like any other patch so as many people can know about it as possible rather than just talked about here and in private.

EDIT: I was just passed the link to the aforementioned patch. I don't know why it wasn't publicly posted, but unless someone can tell me why it shouldn't be I'll be linking to it here and in the online league board's stickied thread.
Why the hell would that not be publicly announced?
__________________
Global Unified Baseball Association - Vice Commish and Oakland Oaks GM
mikev is offline   Reply With Quote
Old 12-03-2008, 07:53 PM   #79
gollum65
All Star Reserve
 
Join Date: Feb 2007
Posts: 925
I've kept my tongue privately on this all morning. I cannot for the life of me understand why a patch was made to address a security hole in OOTP without being released to the public. I'm not stupid. I'm not going to say that I know 100% for sure that my site was hacked due to an exploit of this security hole, but I'd say it's a good bet that it was. And even if it wasn't, for the OOTP developers to sit there and watch as numerous sites were hacked over the past month and not do anything to circulate this patch file is inexcusable to me, and it's causing me serious doubts as to whether I want to buy OOTP 10 when it comes out.

It's one thing to fix an issue that isn't a major security hole and wait to release it in a cumulative patch. It's quite another to fix a major security hole and not release an "emergency patch" when you know your customers are being victimized, regardless if you think the security hole is the problem or not.
gollum65 is offline   Reply With Quote
Old 12-03-2008, 08:16 PM   #80
Cooleyvol
Hall Of Famer
 
Join Date: Dec 2001
Location: Union City, TN
Posts: 6,383
So, can all commishes get this patch or is there a select few that are worthy of being protected against this?
Cooleyvol is offline   Reply With Quote