Site hacked

Announcements that go here will appear on the front page.

Moderators: Bob the Hamster, marionline, SDHawk

User avatar
Mogri
Super Slime
Posts: 4678
Joined: Mon Oct 15, 2007 6:38 pm
Location: Austin, TX
Contact:

Site hacked

Post by Mogri »

Slime Salad was hacked today. Malicious scripts were inserted throughout the site. I am in the process of correcting it, but until further notice, do not browse the site with JavaScript enabled. You should also run a malware scan to determine if you have been affected.
User avatar
Mogri
Super Slime
Posts: 4678
Joined: Mon Oct 15, 2007 6:38 pm
Location: Austin, TX
Contact:

Post by Mogri »

I've removed the malicious scripts across the entire site. It is now just as safe as it ever is to run with JavaScript enabled. Let this be a reminder of the dangers of incautious web browsing.

As far as I can tell, the included script had no effect, because it included HTML that would have prevented parsing of the JS code. Many browsers would have blocked the script due to cross-domain policy anyway. I have no way of knowing whether the contents of the malicious include have changed. Even so, it is not a bad idea to change your password, both here and on any other sites that share a password with your SS account.
User avatar
Meowskivich
Blubber Bloat
Posts: 2199
Joined: Tue Mar 06, 2012 12:38 am
Location: Earth
Contact:

Post by Meowskivich »

joy...
dOn'T MiNd mE! i'M jUsT CoNtAgIoUs!!!
Play Orbs CCG: http://orbsccg.com/r/4r6x :V
User avatar
Bob the Hamster
Lord of the Slimes
Posts: 7684
Joined: Tue Oct 16, 2007 2:34 pm
Location: Hamster Republic (Ontario Enclave)
Contact:

Post by Bob the Hamster »

Ouch! Well I am glad you were able to solve it quickly.

I remember a few years back when something like that happened to all the php files on hamsterrepublic.com.

After that I wrote a script that checks daily to see which files have changed since yesterday and mails me the results. Far from a perfect defence, but it would be good early-detection for a thing like this.
User avatar
Mogri
Super Slime
Posts: 4678
Joined: Mon Oct 15, 2007 6:38 pm
Location: Austin, TX
Contact:

Post by Mogri »

Bob the Hamster wrote:After that I wrote a script that checks daily to see which files have changed since yesterday and mails me the results. Far from a perfect defence, but it would be good early-detection for a thing like this.
This is more or less how I ended up checking what had changed. It was a really unsophisticated script someone had run; every file with ".js" in the name had been appended with a few lines. This included ".json" files, for example.

I'm not sure how soon I would've noticed it, except I was getting malware alerts. In the end, I don't think the hacking actually accomplished anything. Seems like a lot of effort for the payoff (well, except that I'm sure it was all automated somewhere).
Last edited by Mogri on Tue Mar 04, 2014 4:11 pm, edited 1 time in total.
User avatar
Meowskivich
Blubber Bloat
Posts: 2199
Joined: Tue Mar 06, 2012 12:38 am
Location: Earth
Contact:

Post by Meowskivich »

Why in the world, and how in the world, is slime salad such a prime target for hackers and spambots? It's not like this place is ultra famous or anything.
dOn'T MiNd mE! i'M jUsT CoNtAgIoUs!!!
Play Orbs CCG: http://orbsccg.com/r/4r6x :V
User avatar
Sparoku
Metal Slime
Posts: 309
Joined: Tue Jun 18, 2013 3:19 pm
Location: Dairy Queen
Contact:

Post by Sparoku »

Mogri wrote:Even so, it is not a bad idea to change your password, both here and on any other sites that share a password with your SS account.
Done.
Meowskivich wrote:Why in the world, and how in the world, is slime salad such a prime target for hackers and spambots? It's not like this place is ultra famous or anything.
Maybe someone gave their game a bad review? XD
"One can never improve enough nor should one stop trying to improve."
User avatar
Mogri
Super Slime
Posts: 4678
Joined: Mon Oct 15, 2007 6:38 pm
Location: Austin, TX
Contact:

Post by Mogri »

Meowskivich wrote:Why in the world, and how in the world, is slime salad such a prime target for hackers and spambots? It's not like this place is ultra famous or anything.
It's no more a target than anywhere else. This is the first time that the site was actually hacked, and spambots are ubiquitous, especially on phpBB.
User avatar
Gizmog
Metal King Slime
Posts: 2622
Joined: Tue Feb 19, 2008 5:41 am

Post by Gizmog »

I don't handle anonymous, outside threats very well... can we all agree to blame Spoonweaver for this?
User avatar
Spoonweaver
Liquid Metal King Slime
Posts: 6516
Joined: Mon Dec 08, 2008 7:07 am
Contact:

Post by Spoonweaver »

:v:
User avatar
Meowskivich
Blubber Bloat
Posts: 2199
Joined: Tue Mar 06, 2012 12:38 am
Location: Earth
Contact:

Post by Meowskivich »

He admits it! Let's go down to Floride and string him up at town rectangle for all to ignore!
dOn'T MiNd mE! i'M jUsT CoNtAgIoUs!!!
Play Orbs CCG: http://orbsccg.com/r/4r6x :V
User avatar
FyreWulff
Slime Knight
Posts: 107
Joined: Wed Mar 13, 2013 9:16 pm
Location: The Internet
Contact:

Post by FyreWulff »

Meowskivich wrote:Why in the world, and how in the world, is slime salad such a prime target for hackers and spambots? It's not like this place is ultra famous or anything.
I can almost 90% guarantee it was an automated attack. Just a bot searching for phpbb installs and then using a suite of attacks against it until something works.

phpBB has gotten so bad with this lately, we don't allow phpBB anywhere in deployments or on any servers. Not worth the headache anymore.
User avatar
jcenterprises
Slime Knight
Posts: 132
Joined: Sun Aug 21, 2011 7:30 pm
Contact:

Post by jcenterprises »

Hate to update this topic, but it appears superwalrusland has been compromised in a similar manner. More specifically, the C. Kane wiki page had the same redirector virus that hit Slime Salad, although the page with the C. Kane pdf manual did not trigger the virus alert and I downloaded the manual safely.(I probably should delete it anyway just to be safe.) I have no idea if parts of this virus still linger within Slime Salad's hyperlinks or is on Superwalrusland itself. (I clicked on the links on Slime Salad's C. Kane page and got the virus.)
User avatar
Mogri
Super Slime
Posts: 4678
Joined: Mon Oct 15, 2007 6:38 pm
Location: Austin, TX
Contact:

Post by Mogri »

That doesn't sound like the same thing. There was probably no virus involved with the earlier attack.
TMC
Metal King Slime
Posts: 4310
Joined: Sun Apr 10, 2011 9:19 am

Post by TMC »

Did you contact Surlaw?

It looks like a link to a nonexistent page on a Spanish travel site is getting inserted on every page. That site itself isn't suspicious but the link obviously is. I am almost certain that that site (viajespirineoainsa.com) was also broken into and used to host a malicious script, which has now been removed (hence the almost-clean rating). I also ran the C.Kane .zip and Windows installer .exe files through Virus Total, and they are clean, and haven't been modified. (Interestingly someone else ran them through VT in the past).

These kinds of attacks usually exploit some flaw in popular software like Mediawiki in order to modify the webpages, but don't actually allow directly modifying files on the compromised site. Sadly, hosting a blog, site, or forum can be a big hassle...
Last edited by TMC on Tue Sep 16, 2014 12:27 pm, edited 1 time in total.
Post Reply