
Malicious Redirects - change your password

Discussion in 'Latest Updates and News' started by Ralle, Jul 28, 2016.

  1. Ralle (Owner)
    Hey guys

    Last night Archian called me. Apparently the site was redirecting to something malicious trying to get you to download crap. Instantly I assumed the site (the server) was hacked. I searched through everything and realised it was not the server. It was the DNS (which is managed by Namecheap). Every few DNS lookups returned an IP that I am not in charge of. This IP served redirects to horrible spammy content.

    I fixed it by moving away from Namecheap FreeDNS (which I can no longer recommend). However, it would take about 20000 seconds (~6 hours) to propagate the changes. I left the site down until I was the only one in charge of the domain again. Being in charge of someone's domain gives you pretty big super powers.

    Anyway, it's fixed. I think it's safe to say that changing your password is a good idea. Especially if you're on staff.
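    The symptom described above, a rogue address coming back from only some lookups, is easy to miss with a single manual query. The following is an added example and not code from Hive Workshop or Namecheap: it audits a log of repeated lookups from several resolvers against the operator's allowlist of addresses and reports which resolver paths handed out something else. Every address and resolver in it is a constructed placeholder from the RFC 5737 documentation ranges.

```python
from collections import Counter, defaultdict
import ipaddress

# Constructed allowlist: the addresses the operator actually controls for each name.
# 203.0.113.0/24 is an RFC 5737 documentation range, used here as a placeholder.
EXPECTED = {
    "hiveworkshop.com": {"203.0.113.10", "203.0.113.11"},
}

# Constructed lookup log as (resolver, qname, answer). Several lookups per resolver
# are needed because the hijack above only affected "every few" queries.
# 198.51.100.77 (also a documentation range) plays the rogue address.
LOOKUPS = [
    ("8.8.8.8",    "hiveworkshop.com", "203.0.113.10"),
    ("8.8.8.8",    "hiveworkshop.com", "203.0.113.11"),
    ("1.1.1.1",    "hiveworkshop.com", "203.0.113.10"),
    ("192.0.2.53", "hiveworkshop.com", "203.0.113.10"),
    ("192.0.2.53", "hiveworkshop.com", "198.51.100.77"),
    ("192.0.2.53", "hiveworkshop.com", "203.0.113.10"),
    ("192.0.2.53", "hiveworkshop.com", "198.51.100.77"),
    ("192.0.2.53", "hiveworkshop.com", "not-an-ip"),
]


def audit(lookups, expected):
    """Summarise answers per name: total, rogue answers, malformed answers, rogue by resolver."""
    report = {}
    for resolver, qname, answer in lookups:
        entry = report.setdefault(qname, {
            "total": 0, "rogue": Counter(), "malformed": 0,
            "by_resolver": defaultdict(Counter)})
        entry["total"] += 1
        try:
            ip = str(ipaddress.ip_address(answer))   # normalises spelling, e.g. IPv6 forms
        except ValueError:
            entry["malformed"] += 1                  # garbage answers are suspicious too
            continue
        if ip not in expected.get(qname, set()):
            entry["rogue"][ip] += 1
            entry["by_resolver"][resolver][ip] += 1
    return report


def hijack_suspected(report, qname):
    """True if any lookup for qname returned an address outside the allowlist."""
    entry = report.get(qname)
    return bool(entry and entry["rogue"])


def rogue_ratio(report, qname):
    """Fraction of lookups that returned a rogue address (0.0 if none or unknown name)."""
    entry = report.get(qname)
    if not entry or entry["total"] == 0:
        return 0.0
    return sum(entry["rogue"].values()) / entry["total"]


def tainted_resolvers(report, qname):
    """Resolvers that handed out at least one rogue answer, sorted."""
    entry = report.get(qname)
    return sorted(entry["by_resolver"]) if entry else []


if __name__ == "__main__":
    rep = audit(LOOKUPS, EXPECTED)
    for name in rep:
        print(name, "hijack suspected:", hijack_suspected(rep, name),
              "rogue ratio:", rogue_ratio(rep, name),
              "via resolvers:", tainted_resolvers(rep, name))
```

    Run it on a periodic sample of real lookups (one row per query, from more than one resolver and ideally more than one network, since Lordkoon later notes the site behaved differently from a French address) and alert on the first non-zero rogue ratio; the per-resolver breakdown tells you whether the problem sits in the authoritative zone or in one resolver's cache.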
     
  2. BlackRangerXIII
    *Paranoia Attacks*
    *Changes Password Immediately*
     
  3. GunSlinger
    Good to know that you got everything fixed. Hopefully nothing bad happened to users viewing the site then.
     
  4. Kyrbi0
    Aw man, I've *never* had to change passwords like this... It'll be so weird.

    Aren't I, like, enough of a nobody to not have to? : )
     
  5. Ralle (Owner)
    Sure, but the DNS hackers proxied the site which is why everyone appeared logged out and if you logged in again, they could snoop on your login credentials.
     
  6. Remixer
    You bastards! And by the way, change the password.

    EDIT:
    Ralle, what if I am always logged in and never write my password? :D
     


  7. Lordkoon
    I was getting an error trying to enter the website, so I used a French IP and the site loaded normally. I thought my country was specifically getting blocked, lol. Seems that wasn't the case.
     
  8. Quilnez
    I didn't visit the site last night and didn't get redirected at all. Is it safe not to change my password then?
     
  9. Roland
    I thought that this new upgrade would prevent us from more and more attacks... Ralle, you should strengthen your online security for the sake of the site. I'm really worried about this site getting attacked by assholes that hate this site :'<
     
  10. Ralle (Owner)
    We were not hacked Roland. The server was not touched at all. It was the DNS server from Namecheap that was hacked.

    I'd say so.
     
  11. MasterBlaster
    Well, good job with getting the site back up pretty fast.

    P.S. Also, reps are disabled or is it just me? //nevermind, found it :)
     
  12. deepstrasz (Map Reviewer)
    It's not the first time I've seen that message when the site doesn't work, although I don't know if the redirecting was also present before. Yesterday, I just let it be to see if the site would load, as I was in the middle of posting something.
     
  13. pyf
    Moving to XenForo makes it easier to manage security issues.
    Since I believe it was DNS poisoning here, the site's integrity was not affected.

    Interestingly, Dnssec-Trigger did not prevent the issue for me, even with an up-to-date Unbound.
    FYI, DNSSEC results are fetched from ISP Free's DHCP cache(s) for me. It might work differently for other users.

    I point out that at least one of us has already asked for HTTPS through Let's Encrypt.
    Is now the right time to do it or not?

    I myself point out again: it seems that even when you are not logged in, the whole Internet can access your profile pages. This means the whole Internet can see your full date of birth, if you have previously chosen to display it. With Hive 1, we could display our age only, which is not possible anymore with Hive 2. This is why I decided to completely prevent my own age from displaying, at least for now.

    About DNS spoofing / cache poisoning / hijacking / rebinding:
    DNS spoofing - Wikipedia, the free encyclopedia
    DNS hijacking - Wikipedia, the free encyclopedia
    DNS rebinding - Wikipedia, the free encyclopedia

    Now don't panic, guys and gals :wink:
     
  14. Heinvers (Arena Moderator)
    Good to know that that's nicely settled. Just changed it. I would like to know if the chat's unavailability is also linked to this.
     
  15. don_svetlio
    Does that also apply to people who had the "keep me logged in" box checked? Cause I haven't logged out or been logged out and haven't logged back in. Though I did change my PW and did add 2-step verification.

    PS: I don't see any downloaded files as reported by mozilla.
     
  16. pyf
    Extreme danger: attack still happening in France
    (local time 06:45 PM)

    One of the random redirects is a fake Hive Workshop site. Goal seems to be to make you log in.
    ** Do not do that. **

    Address of fake site is h**p://ww2.hiveworkshop.com/ (replace asterisks with proper letters)
    Tab allows you to differentiate the two very easily but for how long?

    Please be very cautious, and double-check your address bar.
     
  17. Ralle (Owner)
    The reason why it shows the login page is because it's a different subdomain, but you are right. People should not log in when that link is showing up. It's a proxy by the bad guys.

    I have now changed it so it will attempt to redirect you to the proper URL if you reach ww2. At worst people will end up in an infinite redirect loop.

    Looks like other people are starting to see the problem too. Glad we moved away from Namecheap.
    Ekrem Büyükkaya on Twitter
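    Ralle's redirect above comes with an admitted failure mode, the infinite loop, and his later notice in this thread ("The DNS server used to look up the site is serving the wrong address...") is the natural way out of it. The following is an added example, not Hive Workshop's code: a WSGI middleware that redirects an off-host request to the canonical host once, and if the same client comes back still on the wrong host, serves the notice instead of another redirect (and never the login form). The canonical host name `www.hiveworkshop.com` and the `dnsfix` query flag used as the loop guard are assumptions; the guard only helps where the rogue proxy passes the origin's responses through unchanged, as it evidently did here.

```python
from urllib.parse import parse_qs, urlencode

CANONICAL_HOST = "www.hiveworkshop.com"  # assumption: the site's real host name
LOOP_GUARD = "dnsfix"                    # hypothetical query flag meaning "already redirected once"

# Wording taken from the notice quoted later in this thread.
NOTICE = (
    b"The DNS server used to look up the site is serving the wrong address. "
    b"Please follow this link to switch to Google's DNS servers or wait a few "
    b"hours and see if this message disappears."
)


def canonical_host_guard(app):
    """WSGI middleware: redirect off-host requests once, then stop and explain."""

    def wrapped(environ, start_response):
        host = environ.get("HTTP_HOST", "").split(":", 1)[0].lower()
        if host == CANONICAL_HOST:
            return app(environ, start_response)

        query = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
        if LOOP_GUARD in query:
            # The client was already sent to the canonical host and still arrived
            # here: its resolver keeps returning the rogue address. Serve the
            # notice instead of bouncing it forever, and never show a login form.
            start_response("503 Service Unavailable",
                           [("Content-Type", "text/plain; charset=utf-8"),
                            ("Cache-Control", "no-store")])
            return [NOTICE]

        query[LOOP_GUARD] = ["1"]
        location = "https://%s%s?%s" % (
            CANONICAL_HOST, environ.get("PATH_INFO") or "/",
            urlencode(query, doseq=True))
        start_response("302 Found",
                       [("Location", location), ("Cache-Control", "no-store")])
        return [b""]

    return wrapped


def _site(environ, start_response):
    """Stand-in for the real application (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"login page"]


def simulate(host, path="/", query=""):
    """Drive the middleware with a constructed WSGI environ; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"HTTP_HOST": host, "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(canonical_host_guard(_site)(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(simulate("www.hiveworkshop.com", "/login"))
    print(simulate("ww2.hiveworkshop.com", "/login"))
    print(simulate("ww2.hiveworkshop.com", "/login", "dnsfix=1"))
```

    A client whose resolver is healthy follows the one redirect and lands on the real host with a harmless `dnsfix=1` left in the URL; a client whose resolver is still poisoned lands back on the proxy with the flag set and gets the plain-text notice. The `Cache-Control: no-store` header keeps intermediaries from caching either response, so the state of one visitor's resolver is not replayed to others.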
     
  18. Misha
    Well, I dunno what it was about this, but it totally did not even allow me to post a single post here today, it was that slowed down... or outright connectionless, letting me view a page and then cutting off.
     
  19. Ralle (Owner)
    Okay take a look at this now: HIVE
     
  20. pyf
    Yep, I have experienced it since my last post.
    Now, there is a message with a link pointing to how to switch to Google DNS. Link looks genuine to me. Text reads: "The DNS server used to look up the site is serving the wrong address. Please follow this link to switch to Google's DNS servers or wait a few hours and see if this message disappears."

    I am updating my protective hostlists very frequently atm. :grin:

    IMHO they want to block / disrupt access to THW until you stumble on their fake site(s) and log in there. Please be very cautious, double-check your address bar, and look at your tab.