
View Full Version : Wtf!!


razer0000
12-02-2007, 05:43 AM
I have tried to download a few newly updated UIs and they are all infected with the same viruses. It seems someone has just packaged the original .zips and turned them into infected .exe's. This needs to be addressed ASAP and everyone that has downloaded them needs to know! This is horrible!

Brygard2007
12-02-2007, 06:46 AM
The UIs that are infected are in the complete sets UI section, from Jappme to K'ramel. So far 12 UIs are infected with Winrar.exe; it has a hidden program, ie.exe, 13kb.
Scan the files before you unrar the file at:

http://www.virustotal.com/

Whoever is doing this is a POS infecting the UI. So far the Compilations sections are not infected.

razer0000
12-02-2007, 06:59 AM
http://virusscan.jotti.org/

Is another good site to use. This really needs to be addressed, and I wonder how many people are infected and don't even know.

Aalwein
12-02-2007, 07:51 AM
I just downloaded K'Ramel Metal 2.00 and there were no infected files, nor any sort of .exe files at all.

You guys might be infected from another source. Have you downloaded anything from any other sites that are giving you virus alerts?

razer0000
12-02-2007, 07:57 AM
A lot of them have been fixed, thanks. However I would like to know what happened and how long these infected .exe's were on here. Kind of discouraging knowing this kind of thing can happen so easily, and I am afraid for the computer illiterate that don't know any better that use this site.

Aalwein, the infected files were/are repacked zipped files with only the one file name as an .exe, no other files.

Cairenn
12-02-2007, 01:35 PM
We're looking into it guys. As soon as we have something definitive to give you, we'll let you know.

In future, though, please don't just post a thread. Send us an email via the contact us or report options. That'll help make sure we are aware of a problem as quickly as possible, so we can get it dealt with.

Brygard2007
12-02-2007, 02:11 PM
This thread had vanished for a while and now it's back along with all the posts of Razer0000. I'm a noob about how to contact the admins. I was looking for a link, couldn't find it, so I just replied to Razer0000's posts. The files were infected when I checked around 4am CT, and were cleaned around 7am CT or so.

Cairenn
12-02-2007, 02:28 PM
Aye, we know, that's part of what we're looking into (how the thread disappeared). I wasn't faulting you for posting the thread, don't get me wrong at all. It helped alert us to the fact that there was a problem. Just saying that an email or PM helps make sure we're aware of any problems as quickly as possible. There's a little "contact us" link at the bottom of every page, for future reference. :)

razer0001
12-02-2007, 03:04 PM
Well I have been watching football all day after this happened so I am unsure as to what happened this afternoon with my account and my posts. As you can see I had to make a new account to respond.

Cairenn, I was unaware of the best possible route to take to notify the website as I am just one of many troll/leechers that don't bother to post but like to play with the different UI skins :)
At the time I was just very very upset (to say the least) that this was able to happen. I really hope no one was infected and these files were not up long enough to do much harm.

Though I am curious as to why my account was deleted and all my subsequent posts. This makes me think these forums aren't safe either, or you possibly didn't want the public to know what had happened. I hope there is a better answer, but I guess we will never know.

Cairenn
12-02-2007, 03:11 PM
Of course you were upset and rightfully so. We're upset about it too.

However, that's completely unfair of you to suggest that we deleted the posts or your account. The post was restored (obviously, since we're posting in it right now) as soon as we found out that there was a problem and I just looked and your account is still there and active, as well. If we "didn't want the public to know what had happened", would this thread be here right now? That was unfair and undeserved. We don't play that way. I was asleep when all of this went down. I woke up, saw the other thread by Brygard2007, went "huh?" (as you can see in that thread itself) and we moved on from there.

As I said above, we're looking into it and as soon as we know what happened and how, you guys will know.

razer0001
12-02-2007, 03:22 PM
I am sorry if I offended you with that statement, and I was not claiming that you personally "moderated" my account/posts.
It's just one of two possibilities that I could think of, and that is why it was suggested.
I can not log into my razer0000 account and my password retrieval to the email address linked to that account did not work. I had to recreate a new account with the same email address I used for my first account, which probably shouldn't be able to be done if I have an account tied to the email address already. Anyway, I hope you all get things figured out and let us know what happened soon.

Cairenn
12-02-2007, 03:42 PM
Anyway, I hope you all get things figured out and let us know what happened soon.

Count on it.

If you want, I can manually reset your password on your original account. Send me an email: [email protected] if you want it reset and I'll fix you up.

Aalwein
12-02-2007, 06:16 PM
Sounds like someone either hacked an admin account or went straight for the files via ftp/ssh.

Or maybe Kuvasie was just mad USC beat UCLA so he went rogue on the site, lol!

Cairenn
12-02-2007, 06:27 PM
Or maybe Kuvasie was just mad USC beat UCLA so She went rogue on the site, lol!

Fixed it for you.

And ... rofl!

Brygard2007
12-03-2007, 01:06 AM
There was a moderator on that night around 3am last time I checked. I know this because I was looking at who was online but didn't bother with who the name was, just saw a red name. After an hour or so I saw Razer0000's name come up as new member. Anyways, just saw your post Cairenn at wowinterface, the only files I can see that virus are printfpool.exe hidden. I have blocked it on my firewall. I'm gonna restore from my backup. AVG antivirus doesn't detect any viruses, neither from the ie.exe that was on the mods. Later..

P.S. OK, I see the contact button on the very bottom of the post, thanks.

razer0001
12-03-2007, 04:08 AM
http://www.wowinterface.com/

Wowinterface got attacked the same way it looks like. Hopefully you are taking the same precautions as they are, and everyone knows better than to ever click an .exe that they do not trust.

daimon
12-03-2007, 11:07 AM
Any news from the staff?

I assume this is affecting our uploads at the time .. at least I can't update even the pictures on my UI page.

I am not trying to be a smartass but shouldn't you take down the downloads etc. till you have confirmed that all the files are uninfected so the possible trojans/keyloggers won't spread any further? And at least warn your users at the main page about this (I don't think they All read these forums) so they realize to run their anti trojan softwares and change their passwords before someone sherdz r pruplez?

Dolby
12-03-2007, 12:55 PM
Hello all,

Sorry I've been working 24/7 to try and undo everything the attackers did. The downloads are safe, if that were in question we would close the site. We have found how they entered our server and wowinterface's server and are working to make sure all the holes are plugged.

If you think you have been infected you can visit wowinterface.com and read the front page news. The same steps can be used to clean off the trojan that was uploaded here. To be infected you had to have run the exe file contained in the hacked files.

I or Cairenn will post more news soon. Sorry for not keeping you guys up to date.

Cleitanious
12-03-2007, 01:13 PM
Any news on this situation?

daimon
12-03-2007, 01:16 PM
Thanks Dolby for the update.

I know that your hands are full and you're doing everything you know but mind that information is essential for us users too so we know where we stand. Without the facts there will be rumors.

To live in doubt is to live in fear.

Cairenn
12-03-2007, 01:56 PM
You're right. We should have copied the post over from WoWInterface. That's my fault, Dolby has been busy trying to make sure everything is locked down and I'm the one that has been keeping everyone posted. I didn't keep you guys apprised of where we were with it all. I'm sorry.

Dolby
12-03-2007, 02:15 PM
I assume this is affecting our uploads at the time .. at least I can't update even the pictures on my UI page.

Should be working now.

Kuvasie
12-03-2007, 02:55 PM
.....Or maybe Kuvasie was just mad USC beat UCLA so he went rogue on the site, lol!

ROFLMAO - nope not me.

Kuv

Aalwein
12-03-2007, 04:55 PM
I had to get my USC vs UCLA reference involved <-- huge USC fan.

Well anyway, good job cracking down fast on the attacks guys. Hackers are always bad news, but the bright side of this is that it confirms the mainstream status of the sites. The interface.coms are no longer just a "little site for ui mods" like it was back in the first eqinterface days. And it has been a long run without so much as a broken gear in the cogs of maintenance - that's a lot to be said about Dolby's work.

Not to be a fanboi, but keep up the damn fine work.




And Frosty ... GIMMIE MA XML DANGIT!

Brygard2007
12-04-2007, 12:20 AM
Thanks for the update on the main page. I see.. So they are the ones who deleted Razer0000's posts.
P.S. It most likely happened at night Nov 30, because before the files were infected I had downloaded Jappme UI at 1:26 PM CT and it wasn't infected.

Cairenn
12-04-2007, 12:27 AM
Yeah, it was an attempt by them to help cover their tracks so that we wouldn't be aware of it and thus potentially more people would get infected. No way we'd delete something like this, we don't play that way.

Thank you for the additional time stamp, that helps us in being able to confirm when it happened.

Frosty
12-04-2007, 05:14 PM
And Frosty ... GIMMIE MA XML DANGIT!

No thread hijacking!

Good work guys, we all know how frustrating it can be with "service outages".

-P

Aalwein
12-05-2007, 08:12 AM
You know Frosty, it is probably the fact that we don't have XML control over our UI that is causing the Turbine SAN to be spitting out hardware! You should tell the team that the only logical fix for the recent outages is to give us XML!

*rubs his hands together and smiles as diabolically as the Cheshire Cat*