Site hacked
Slime Salad was hacked today. Malicious scripts were inserted throughout the site. I am in the process of correcting it, but until further notice, do not browse the site with JavaScript enabled. You should also run a malware scan to determine if you have been affected.
I've removed the malicious scripts across the entire site. It is now just as safe as it ever is to run with JavaScript enabled. Let this be a reminder of the dangers of incautious web browsing.
As far as I can tell, the included script had no effect, because it included HTML that would have prevented parsing of the JS code. Many browsers would have blocked the script due to cross-domain policy anyway. I have no way of knowing whether the contents of the malicious include have changed. Even so, it is not a bad idea to change your password, both here and on any other sites that share a password with your SS account.
- Meowskivich
- Bob the Hamster
Ouch! Well I am glad you were able to solve it quickly.
I remember a few years back when something like that happened to all the php files on hamsterrepublic.com.
After that I wrote a script that checks daily to see which files have changed since yesterday and mails me the results. Far from a perfect defence, but it would be good early-detection for a thing like this.
Bob the Hamster wrote: After that I wrote a script that checks daily to see which files have changed since yesterday and mails me the results. Far from a perfect defence, but it would be good early-detection for a thing like this.
This is more or less how I ended up checking what had changed. It was a really unsophisticated script someone had run; every file with ".js" in the name had been appended with a few lines. This included ".json" files, for example.
I'm not sure how soon I would've noticed it, except I was getting malware alerts. In the end, I don't think the hacking actually accomplished anything. Seems like a lot of effort for the payoff (well, except that I'm sure it was all automated somewhere).
Last edited by Mogri on Tue Mar 04, 2014 4:11 pm, edited 1 time in total.
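A sketch of the daily changed-files check discussed above, as an added example that is not Bob the Hamster's or Mogri's actual script: it keeps a size-and-SHA-256 manifest per file and separately flags files whose previous content is intact but has extra bytes on the end, the pattern described in this thread. The function names, sample files and temporary directory are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each relative path under root to (size, sha256 hex digest)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            manifest[os.path.relpath(path, root)] = (len(data), hashlib.sha256(data).hexdigest())
    return manifest

def compare(root, old, new):
    """Classify what changed between yesterday's manifest and today's."""
    report = {"added": [], "removed": [], "appended": [], "modified": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        elif old[rel] != new[rel]:
            old_size, old_hash = old[rel]
            # Yesterday's bytes still intact at the start means lines were tacked on the end.
            with open(os.path.join(root, rel), "rb") as fh:
                prefix_hash = hashlib.sha256(fh.read(old_size)).hexdigest()
            appended = new[rel][0] > old_size and prefix_hash == old_hash
            report["appended" if appended else "modified"].append(rel)
    return report

def demo():
    """Constructed sample tree: take a baseline, change files, compare."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"app.js": "var a = 1;\n", "data.json": "{}\n", "index.php": "<?php ?>\n"}
        def write(name, text, mode="w"):
            with open(os.path.join(root, name), mode) as fh:
                fh.write(text)
        for name, text in samples.items():
            write(name, text)
        baseline = snapshot(root)
        for name in samples:
            if ".js" in name:  # the over-broad filename match seen in the thread
                write(name, "/* constructed appended line */\n", "a")
        write("index.php", "<?php echo 1; ?>\n")
        return compare(root, baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline manifest would be stored somewhere the web server account cannot write, since a manifest kept beside the site files can be rewritten by whoever changed them.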
- Meowskivich
Why in the world, and how in the world, is slime salad such a prime target for hackers and spambots? It's not like this place is ultra famous or anything.
dOn'T MiNd mE! i'M jUsT CoNtAgIoUs!!!
Play Orbs CCG: http://orbsccg.com/r/4r6x
Mogri wrote: Even so, it is not a bad idea to change your password, both here and on any other sites that share a password with your SS account.
Done.
Meowskivich wrote: Why in the world, and how in the world, is slime salad such a prime target for hackers and spambots? It's not like this place is ultra famous or anything.
Maybe someone gave their game a bad review? XD
"One can never improve enough nor should one stop trying to improve."
Meowskivich wrote: Why in the world, and how in the world, is slime salad such a prime target for hackers and spambots? It's not like this place is ultra famous or anything.
It's no more a target than anywhere else. This is the first time that the site was actually hacked, and spambots are ubiquitous, especially on phpBB.
- Spoonweaver
- Meowskivich
He admits it! Let's go down to Floride and string him up at town rectangle for all to ignore!
dOn'T MiNd mE! i'M jUsT CoNtAgIoUs!!!
Play Orbs CCG: http://orbsccg.com/r/4r6x
Meowskivich wrote: Why in the world, and how in the world, is slime salad such a prime target for hackers and spambots? It's not like this place is ultra famous or anything.
I can almost 90% guarantee it was an automated attack. Just a bot searching for phpbb installs and then using a suite of attacks against it until something works.
phpBB has gotten so bad with this lately, we don't allow phpBB anywhere in deployments or on any servers. Not worth the headache anymore.
- jcenterprises
Hate to update this topic, but it appears superwalrusland has been compromised in a similar manner. More specifically, the C. Kane wiki page had the same redirector virus that hit Slime Salad, although the page with the C. Kane pdf manual did not trigger the virus alert and I downloaded the manual safely. (I probably should delete it anyway just to be safe.) I have no idea if parts of this virus still linger within Slime Salad's hyperlinks or is on Superwalrusland itself. (I clicked on the links on Slime Salad's C. Kane page and got the virus.)
Did you contact Surlaw?
It looks like a link to a nonexistent page on a Spanish travel site is getting inserted on every page. That site itself isn't suspicious but the link obviously is. I am almost certain that that site (viajespirineoainsa.com) was also broken into and used to host a malicious script, which has now been removed (hence the almost-clean rating). I also ran the C.Kane .zip and Windows installer .exe files through Virus Total, and they are clean, and haven't been modified. (Interestingly someone else ran them through VT in the past).
These kinds of attacks usually exploit some flaw in popular software like Mediawiki in order to modify the webpages, but don't actually allow directly modifying files on the compromised site. Sadly, hosting a blog, site, or forum can be a big hassle...
Last edited by TMC on Tue Sep 16, 2014 12:27 pm, edited 1 time in total.