What plugin are you using to prevent Iframe?
What plugin are you using to prevent Iframe?
That's NoScript.
As for Alla, you're much more likely to get infected there than from other places.
Yeah, what makes you think Alla is safer than FFXIClopedia or FFXIAH? You should have AdBlock, and maybe NoScript installed anyway, so you shouldn't be at that much of a risk in the first place.Originally Posted by Therin
alla hasn't been owned by them in over a year atleast, pikko can probably attest to that. as for alla getting hit, they have been known to be attacked by scripters who spam forum posts with illegitimate links, thats about it.Originally Posted by terranova
Please also keep this in mind when installing noscript :
Noscript by default has Iframes UNBLOCKED. Go to the options and turn it on, someone I know got hacked because he thought that just installing noscript would help, unfortunately something he looked over took over him.
Thanks for that, I had no idea it wouldn't block that, what with everything else it blocks >.>Originally Posted by Lordwafik
Yup same here. I'm pretty grateful atm that I haven't been hijacked yet, being that's the case.Originally Posted by Darkhavans
Did a bit of a google fu to see if maybe there were any known winlogon.exe hacks since Prosek mentioned that to be the only oddity, and this thread came up. A post or two down should have someone talking shop about various things related to winlogon and later posts suggest means or removal and reinstallation.
Since I can only assume I'm clean at the moment, perhaps Prosek could look at that and see if winlogon had been recently modified like the infected person mentioned. I just checked the one on this system and it was last modified in 2004, so I think I'm good. If his winds up looking recently tainted, it might help us discern more precise means of identifying and protecting people in the future. Not to mention maybe informing Windows of a security breach that that they could later, hopefully patch.
Edit: Also, since this playon1ine.com thing seems to be consistent, would it be safe to assume we could tweak our HOSTs file to redirect to a null address in the event of being compromised? Hell, I'd go as far as to create null strings for all possible obvious, but easily overlooked to the eye variations of playonline like pIayonline, p1ayonline, etc.
How can I tell what scripts are being blocked? As I'm writing this post, i see 8 scripts have been blocked at the bottom of my screen, but I don't know what they are.
You should be able to click on a tab or icon of the noscript at the bottom in the right corner of the window, it will pop up telling you which scripts it is blocking. Generally unblocking the website you're browsing while blocking the "things you don't know" and/or advertisements on the page will be safe.Originally Posted by Izzy
Unfortunately I have already wiped my gaming boxes, formated, and reinstalled. Though I suppose I could try to get reinfected on a quarantine system.Originally Posted by arus2001
![]()
I know it's a hassle of your time, but it should help us collectively discern a solution with you (unfortunately) having the least to lose at this point unless someone else has some spare machines they could do a base POL install on without any kind of account information entered/stored. Guess someone could volunteer one of those $2 trial accounts for testing purposes, too.
It's telling me this:Originally Posted by Lordwafik
Scripts Currently Forbidden | <SCRIPT>:8 | <OBJECT>:0
Is there anything more detailed? lol
when I go home i'll give you more info, like 1hour or so.
Thanks <3. After I added BG to my Whitelist, the <SCRIPT>: 3 changed to <SCRIPT>: 4 lol.Originally Posted by Lordwafik
its some ADODB internet explorer injection. theoretically you should be safe using firefox...in reality you should probably just avoid the site
Possibly risking my ass having done this, but I decided to try and follow through the directories on that dummy site a bit. Just going straight playon1ine.com only has a forbidden blurb in the page source, and jumping to /pcd does the same. Things get more lively when you jump to where the iframe directly links.
I don't know jack about Java, but that's basically what looks to be fueling the event. It looks like a few variables are set based on your browser settings, and then it looks to be referencing some realplayer stuff like last time. The source looks to reference a couple secondary pages, which I'll just call 10 and 11. 10 had 2 sound files I didn't risk downloading, but I imagine those paired with whatever exploit it's using is the meat of the attack.
I can go back and yoink the code to post if the admins think it'd do any good in the hands of coder types, but I'd rather not for now under the impression some would see it as me trying to jack people.
Edit: And as I typed this, Aurik made his post on his thoughts. I saw the ADODB stuff, and almost wanted to think "adobe exploit" but the real stuff later on kinda deviated that thought.
adodb isn't adobe, it's just a generic exploit
yes there's references to realplayer exploits as well. if the initial vector fails, it falls back on those
how lovely that chinese rmt can find the time to put more malicious I.frames on fansites instead of ohhhhh i don't know maybe helping out with the earthquake aftermath.
Originally Posted by Izzy
Here you go