Item Search
     
BG-Wiki Search
Page 23 of 47 FirstFirst ... 13 21 22 23 24 25 33 ... LastLast
Results 441 to 460 of 931
  1. #441
    Hydra
    Join Date
    Jul 2008
    Posts
    103
    BG Level
    3
    FFXI Server
    Unicorn

    Also, there's been a rash of hackings just like this in World of Warcraft, so I wouldn't necessarily ignore those ads just because they're unrelated to FFXI or gil selling sites. One of them could easily be hiding the malicious code, and it's possible the rmt could be trained to log in to any game that uses the tokens, not just WoW.

    About to reformat though and probably upgrade to 7

  2. #442
    Cerberus
    Join Date
    Dec 2004
    Posts
    469
    BG Level
    4
    FFXI Server
    Quetzalcoatl

    Could one of the hacking victims upload their pol.exe and polboot.exe files to an online AV scanner such as VirSCAN.org - Free Multi-Engine Online Virus Scanner v1.02, Supports 37 AntiVirus Engines! or Jotti's malware scan

  3. #443
    Hydra
    Join Date
    Jul 2008
    Posts
    103
    BG Level
    3
    FFXI Server
    Unicorn

    Also, a friend of mine wanted me to post this in case anyone wants extra protection against google ads. Might turn out to be a good resource for keeping yourself safe.

    http://www.keyvan.net/2006/11/remove-ads/ google ad remover

  4. #444
    E. Body
    Join Date
    Mar 2006
    Posts
    2,333
    BG Level
    7

    can we even rule out the possibility that it won't affect anything on the disk? if it's memory resident only (it would be destroyed on reboot tho, idk if that's in the behavior or not) it would be even nastier to find.

  5. #445
    Cerberus
    Join Date
    Jun 2007
    Posts
    409
    BG Level
    4

    Quote Originally Posted by Spekkio View Post
    can we even rule out the possibility that it won't affect anything on the disk? if it's memory resident only (it would be destroyed on reboot tho, idk if that's in the behavior or not) it would be even nastier to find.
    Been on FFXIAH, ALLAH, BG, and WIKI for the past couple hours just refreshing and checking for file/registry changes and the ever elusive proxy setting. Thinking the proxy setting might be something added during/after the hacking attempt has taken place.

    This is without POL installed, so going to give it a shot in a bit.

  6. #446
    E. Body
    Join Date
    Mar 2006
    Posts
    2,333
    BG Level
    7

    might be worth running ethereal too filtering on anything that routes to a chinese IP block. dollars to donuts, that's where the attacks are happening. or even log anything that's not going to an ip block owned by ffxiah/allah/bg/wiki.

  7. #447
    Melee Summoner
    Join Date
    Jun 2009
    Posts
    29
    BG Level
    1
    FFXI Server
    Quetzalcoatl

    pol crash with microsoft error

    Just had a POL crash with microsoft error, send to microsoft thingy.
    ==============
    AppName: pol.exe AppVer: 1.18.12.0 ModName: flasha32.dll
    ModVer: 0.0.0.0 Offset: 0000476d
    ==============

    funny part was, i was still able to run around in the game with that error up. When I close that error and my windower disappear. I ran HJT and attached it, if someone can look at it please do.

    I log backin using bad password first, then i use a good password, ran about for a little while, a few minutes later my POL mysteriously disappeared.

    I logged in with bad password, got password error from SE, POL didn't hang or crash. Then I logged in with correct password, my POL disappeared again.

    I move to my laptop and logged in from there right away! but now it's doing version updates after i logged in... (forgot it's been awhile since i play on my laptop) however, that should have knocked them off, if i was being hacked.

    =================

    finally go into the char with my laptop, not hack, everything is normal. /pheew

  8. #448
    Cerberus
    Join Date
    Dec 2004
    Posts
    469
    BG Level
    4
    FFXI Server
    Quetzalcoatl

    Quote Originally Posted by sixstitches View Post
    Just had a POL crash with microsoft error, send to microsoft thingy.
    ==============
    AppName: pol.exe AppVer: 1.18.12.0 ModName: flasha32.dll
    ModVer: 0.0.0.0 Offset: 0000476d
    ==============
    flasha32.dll is listed as a Vundo trojan variant. It's also mentioned on this jp website about the new RMT phishing tells. I bet the RMT tells were what nailed a good portion of the people who got hacked.

  9. #449
    Cerberus
    Join Date
    Jun 2007
    Posts
    409
    BG Level
    4

    Quote Originally Posted by Solefald View Post
    flasha32.dll is listed as a Vundo trojan variant. It's also mentioned on this jp website about the new RMT phishing tells. I bet the RMT tells were what nailed a good portion of the people who got hacked.
    Mafai's friend had the disappearing act occur as well, maybe we're onto something -- but it doesn't explain the other hackings. I still haven't found anything on the sites via changes in file/registry on my VMs... So, can all of this be explained by retards not giving us the full story and visiting sites in RMT tells? ~______~

    Anyway, done with tests today -- will be back tomorrow to try out the Ethereal filtering.

  10. #450
    Who's driving? Oh my God Bear is driving! How can that be??
    Join Date
    Sep 2008
    Posts
    5,882
    BG Level
    8
    FFXI Server
    Lakshmi

    So it looks like when the program is run, it removes hosts and flasha32.dll shell hooks to pol? Should have people scan for complaint.exe just for the hell of it.

  11. #451
    Cerberus
    Join Date
    Dec 2004
    Posts
    469
    BG Level
    4
    FFXI Server
    Quetzalcoatl

    hosts is probably referring to C:\Windows\System32\drivers\etc\hosts which is a local DNS override of sorts. So if you typed in PlayOnline.com in your browser (any one, not just IE) it would send you to the phishing website instead of the real one.

  12. #452
    WASTE OF CURRENCY
    I CAN'T I CAN'T I CAN'T

    Join Date
    Feb 2006
    Posts
    9,065
    BG Level
    8
    FFXIV Character
    Izzy Izumi
    FFXIV Server
    Sargatanas
    FFXI Server
    Phoenix
    WoW Realm
    Arthas

    Can't you just make your hosts file read only?

  13. #453
    Puppetmaster
    Join Date
    Jul 2008
    Posts
    50
    BG Level
    2
    FFXI Server
    Phoenix

    Quote Originally Posted by sixstitches View Post
    Just had a POL crash with microsoft error, send to microsoft thingy.
    ==============
    AppName: pol.exe AppVer: 1.18.12.0 ModName: flasha32.dll
    ModVer: 0.0.0.0 Offset: 0000476d
    ==============

    funny part was, i was still able to run around in the game with that error up. When I close that error and my windower disappear. I ran HJT and attached it, if someone can look at it please do.

    I log backin using bad password first, then i use a good password, ran about for a little while, a few minutes later my POL mysteriously disappeared.

    I logged in with bad password, got password error from SE, POL didn't hang or crash. Then I logged in with correct password, my POL disappeared again.

    I move to my laptop and logged in from there right away! but now it's doing version updates after i logged in... (forgot it's been awhile since i play on my laptop) however, that should have knocked them off, if i was being hacked.

    =================

    finally go into the char with my laptop, not hack, everything is normal. /pheew
    I think this is accurate, been busy all day, sorry for the lack of posting, it also seems to be injected through flash based ads from google, I did some searching around, google ads has several trouble tickets in from many different websites about infected ads for the "gamepad" ad catagory, as well as some other catagories, weather it's the same thing or not, I'm not sure as of yet. It seems that google ads are rather vulnerable to this sort of thing, perhaps the suspects who are trying to steal account are using this as a means of delivering a trojan payload to users now?

    Edit: Also, I haven't been able to re-infect my laptop after I formated it again, however I'm still getting the errors generated off of ffxiclopedia citing random .js files.

  14. #454
    Who's driving? Oh my God Bear is driving! How can that be??
    Join Date
    Sep 2008
    Posts
    5,882
    BG Level
    8
    FFXI Server
    Lakshmi

    Quote Originally Posted by Solefald View Post
    hosts is probably referring to C:\Windows\System32\drivers\etc\hosts which is a local DNS override of sorts. So if you typed in PlayOnline.com in your browser (any one, not just IE) it would send you to the phishing website instead of the real one.
    Yeah, question is how is it getting modified before even visiting the website.

    Quote Originally Posted by Izzy View Post
    Can't you just make your hosts file read only?
    No because there are some hack/hijackers that can add hosts to the file even though it's set to read only.

  15. #455
    Puppetmaster
    Join Date
    Jul 2008
    Posts
    50
    BG Level
    2
    FFXI Server
    Phoenix

    Quote Originally Posted by TummieGaruda View Post
    Yeah, question is how is it getting modified before even visiting the website.
    If it's any sort of malicous code or trojan package, you can execute commands on a system through exploits... for example the exploit in flash that they patched Aug.19th. The exploit allowed for a "glitch" in the code at the correct location which would allow the hacker to run commands, edit files, run scripts, etc on the user.

    So, perhaps the user was exposed to the malicious code before they visited that specific website. lol.

    I also checked my hosts file earlier- it wasn't modified (pre-format, when my laptop was infected.)

  16. #456
    Who's driving? Oh my God Bear is driving! How can that be??
    Join Date
    Sep 2008
    Posts
    5,882
    BG Level
    8
    FFXI Server
    Lakshmi

    Quote Originally Posted by Akisu View Post
    If it's any sort of malicous code or trojan package, you can execute commands on a system through exploits... for example the exploit in flash that they patched Aug.19th. The exploit allowed for a "glitch" in the code at the correct location which would allow the hacker to run commands, edit files, run scripts, etc on the user.

    So, perhaps the user was exposed to the malicious code before they visited that specific website. lol.

    I also checked my hosts file earlier- it wasn't modified (pre-format, when my laptop was infected.)
    Sorry I should have been more specific as I meant what possible actions were taken by the user or what site was visited. I guess it will be hard to track down as of right now until we get more information as there were those who were using Firefox with No-Script and what not... that is if NS was configured correctly.

  17. #457
    Relic Shield
    Join Date
    Apr 2009
    Posts
    1,514
    BG Level
    6

    Noscript just updated minutes ago with some new features that might help. Reading the info now.

  18. #458
    Melee Summoner
    Join Date
    Feb 2008
    Posts
    29
    BG Level
    1
    FFXI Server
    Bismarck

    Preliminary post here while catching up from where I left off this morning, but...
    I was just on FF, logged in to do salvage, was bringing up wiki to check some things on another PC on my network, when....
    Bang.
    Connection lost, not only in FF, but my entire internet connection went down. Of course, I shut out FF and killed off the PC it was running on. I immediately txt'd a friend and he's been kindly watching for me and asking a GM as we speak to lock my account.

    After the text was sent out... I pulled my network plugs, rewired some things, and connected back to the web. The suspicious line from previous pages was in my latest scan from HJT. I've had HJT scanning periodically and saving throughout the day, and when this all happened was the first time it returned that line. After changing around my network to exclude the supposed infected machine, I attempted to log back in to POL and it crashed, on a different machine..

    Whatever this is, it went through my network, hit every machine, and is crashing POL now.

    As I said, I was on wiki looking some things up about salvage when this happened. I wouldn't advise playing around with wiki or ffxiah.com until this is resolved, since I see some of the same ads on both sites. Personally, I don't visit many other sites (aside from BG) relating to FF, so if anyone see's related ads elsewhere, please alert the rest of the community.

    In the meantime, my account is locked via friend talking to GM, and I'll be keeping an eye on this.

  19. #459
    Puppetmaster
    Join Date
    Jul 2008
    Posts
    50
    BG Level
    2
    FFXI Server
    Phoenix

    Quote Originally Posted by Sabertiger View Post
    Preliminary post here while catching up from where I left off this morning, but...
    I was just on FF, logged in to do salvage, was bringing up wiki to check some things on another PC on my network, when....
    Bang.
    Connection lost, not only in FF, but my entire internet connection went down. Of course, I shut out FF and killed off the PC it was running on. I immediately txt'd a friend and he's been kindly watching for me and asking a GM as we speak to lock my account.

    After the text was sent out... I pulled my network plugs, rewired some things, and connected back to the web. The suspicious line from previous pages was in my latest scan from HJT. I've had HJT scanning periodically and saving throughout the day, and when this all happened was the first time it returned that line. After changing around my network to exclude the supposed infected machine, I attempted to log back in to POL and it crashed, on a different machine..

    Whatever this is, it went through my network, hit every machine, and is crashing POL now.

    As I said, I was on wiki looking some things up about salvage when this happened. I wouldn't advise playing around with wiki or ffxiah.com until this is resolved, since I see some of the same ads on both sites. Personally, I don't visit many other sites (aside from BG) relating to FF, so if anyone see's related ads elsewhere, please alert the rest of the community.

    In the meantime, my account is locked via friend talking to GM, and I'll be keeping an eye on this.
    So you're saying that you didn't use the machine for web browsing that was infected? And it spread over the network? Well then, that's a whole new ballgame if that's accurate.


    Side note: What's up with BG? After reformatting, I never reinstalled flashplayer, and it's asking me to install flash each page view, does a main component of BG use flashplayer? Nothing seems to have lost functionality without flash installed on my end. Just a question, not saying it's releated, just didn't notice it this morning, lol.

  20. #460
    Melee Summoner
    Join Date
    Feb 2008
    Posts
    29
    BG Level
    1
    FFXI Server
    Bismarck

    Not exactly.

    I was playing FF via PC x2, browsing wiki via PC x3, when the internet connection died (shared connection with the network), found the suspicious line on PC x3, but POL crashed on PC x2. So yes, it went across network boundaries, at least on my machines.

    EDIT: Oh, ran HJT on the PC x2 that was running FF, did not find the suspect line. That was interesting.

    XP Home SP3(lolIknow) and XP Pro SP3(again lolwindows I know eh).

    My next Computer Science project at school: Write a Linux emulator that runs FFXI (unless someone knows of one?)

Page 23 of 47 FirstFirst ... 13 21 22 23 24 25 33 ... LastLast

Similar Threads

  1. What in the fuck is going on with Ancient Currency prices?
    By Avarice in forum FFXI: Everything
    Replies: 22
    Last Post: 2009-01-12, 05:21
  2. Ok what the hell is up with Roc?
    By S N K in forum FFXI: Everything
    Replies: 49
    Last Post: 2008-06-28, 21:00
  3. Oldschool players with JP Accounts & The new Expansion
    By Lyramion in forum FFXI: Everything
    Replies: 39
    Last Post: 2007-11-24, 01:31