
Malicious Redirects - change your password

Status
Not open for further replies.

Ralle

Owner
Level 77
Joined
Oct 6, 2004
Messages
10,101
Hey guys

Last night Archian called me. Apparently the site was redirecting to something malicious trying to get you to download crap. Instantly I assumed the site (the server) was hacked. I searched through everything and realised it was not the server. It was the DNS (which is managed by Namecheap). Every few DNS lookups returned an IP that I am not in charge of. This IP served redirects to horrible spammy content.

I fixed it by moving away from Namecheap FreeDNS (which I can no longer recommend). However, it would take about 20000 seconds (~6 hours) to propagate the changes. I left the site down until I was the only one in charge of the domain again. Being in charge of someone's domain gives you pretty big super powers.

Anyway, it's fixed. I think it's safe to say that changing your password is a good idea. Especially if you're on staff.
 

Remixer

Map Reviewer
Level 31
Joined
Feb 19, 2011
Messages
1,957


You bastards! And by the way, change the password.

EDIT:
Ralle, what if I am always logged in and never write my password? :D
 


Roland

R

Roland

I thought that this new upgrade would prevent us from more and more attacks... Ralle, you should strengthen your online security for the sake of the site. I'm really worried about this site getting attacked by assholes that hate this site :'<
 

deepstrasz

Map Reviewer
Level 69
Joined
Jun 4, 2009
Messages
18,856
It's not the first time I've seen that message when the site doesn't work, although I don't know if the redirecting was also present before. Yesterday, I just let it run to see if the site would load, as I was in the middle of posting something.
 

pyf

pyf

Level 32
Joined
Mar 21, 2016
Messages
2,985
I thought that this new upgrade would prevent us from more and more attacks... Ralle, you should strengthen your online security for the sake of the site. I'm really worried about this site getting attacked by assholes that hate this site :'<

Moving to XenForo allows security issues to be managed more easily.
Since I believe it was DNS poisoning here, the site's integrity was not affected.



Interestingly, Dnssec-Trigger did not prevent the issue for me, even with an up-to-date Unbound.
FYI, DNSSEC results are fetched from ISP Free's DHCP cache(s) for me. It might work differently for other users.

I point out at least one of us already asked for https through Let's Encrypt.
Is it now the right time to do it or not?

I myself point out again: it seems that even when you are not logged in, the whole Internet can have access to your profile pages. This means the whole Internet can see your full date of birth, if you have previously chosen to display it. With Hive 1, we could display our age only, which is not possible anymore with Hive 2. This is why I decided to completely prevent my own age from displaying, at least for now.

We were not hacked Roland. The server was not touched at all. It was the DNS server from Namecheap that was hacked. [...]

About DNS spoofing / cache poisoning / hijacking / rebinding
DNS spoofing - Wikipedia, the free encyclopedia
DNS hijacking - Wikipedia, the free encyclopedia
DNS rebinding - Wikipedia, the free encyclopedia

Now don't panic, guys and gals :wink:
 

Deleted member 212788

D

Deleted member 212788

Sure, but the DNS hackers proxied the site which is why everyone appeared logged out and if you logged in again, they could snoop on your login credentials.

Does that also apply to people who had the "keep me logged in" box checked? Cause I haven't logged out or been logged out and haven't logged back in. Though I did change my PW and did add 2-step verification.

PS: I don't see any downloaded files as reported by mozilla.
 

pyf

pyf

Level 32
Joined
Mar 21, 2016
Messages
2,985
Extreme danger
Extreme danger: attack still happening in France
(local time 06:45 PM)

One of the random redirects is a fake Hive Workshop site. Goal seems to be to make you log in.
** Do not do that. **

Address of fake site is h**p://ww2.hiveworkshop.com/ (replace asterisks with proper letters)
Tab allows you to differentiate the two very easily but for how long?

Please be very cautious, and doublecheck your address bar.
 

Ralle

Owner
Level 77
Joined
Oct 6, 2004
Messages
10,101
Extreme danger
Extreme danger: attack still happening in France
(local time 06:45 PM)

One of the random redirects is a fake Hive Workshop site. Goal seems to be to make you log in.
** Do not do that. **

Address of fake site is h**p://ww2.hiveworkshop.com/ (replace asterisks with proper letters)
Tab allows you to differentiate the two very easily but for how long?

Please be very cautious, and doublecheck your address bar.
The reason why it shows the login page is because it's a different sub domain, but you are right. People should not login when that link is showing up. It's a proxy by the bad guys.

I have now changed it so it will attempt to redirect you to the proper URL if you reach ww2. At worst people will end up in an infinite redirect loop.

Looks like other people are starting to see the problem too. Glad we moved away from Namecheap.
Ekrem Büyükkaya on Twitter
 

pyf

pyf

Level 32
Joined
Mar 21, 2016
Messages
2,985
I have now changed it so it will attempt to redirect you to the proper URL if you reach ww2. At worst people will end up in an infinite redirect loop.

Yep, I have experienced it since my last post.
Now, there is a message with a link pointing to how to switch to Google DNS. Link looks genuine to me. Text reads: "The DNS server used to look up the site is serving the wrong address. Please follow this link to switch to Google's DNS servers or wait a few hours and see if this message disappears."

I am updating my protective hostlists very frequently atm. :grin:

Well, I dunno what it was about this, but it totally did not even allow me to post a single post here today, it was that slowed down... or outright connection-less, letting me view a page and then cutting off.

imho they want to block / disrupt access to THW, until you stumble on their fake site(s) and login there. Please be very cautious, double check your address bar, and look at your Tab.
 

pyf

pyf

Level 32
Joined
Mar 21, 2016
Messages
2,985
People... stupidity. All seen before. You just gotta' be careful not to get hurt.

Stupidity? Clever engineering I would say, based on disruption and frustration.

With the disruption of THW, people will grow impatient. When one of the random redirects leads them to the fake ww2 site, they will not be cautious and fall into the trap.

At first sight, the main page of the fake (=ww2) site was an exact replica of the main THW page. The only differences I spotted:
- no Hive icon on the Tab, for the fake site.
- not logged in on the fake site (obviously). Of course, with a bit of luck, you could eventually succeed in loading the real THW site in another Tab, and see you are already logged in here.
 

Roland

R

Roland

What the fuck is going on with the WW2 Virus and the Hitler/Stalin/Trump Shit?
 

pyf

pyf

Level 32
Joined
Mar 21, 2016
Messages
2,985
Do not forget Benito. :wink:


Quoting one of my earlier posts in this thread:

"One of the random redirects is a fake Hive Workshop site. [...] Address of fake site is h**p://ww2.hiveworkshop.com/ (replace asterisks with proper letters) [...]"

Should help you get the joke.
As for Trump, honestly idk.
 

pyf

pyf

Level 32
Joined
Mar 21, 2016
Messages
2,985
France: I experienced first redirects to third-party junk sites around 08:00/09:00 PM (local time) on July 27

First Virustotal scan for the ww2 (=fake) THW site was done on July 27 23:56:19 UTC (not by me).

I guess the end of the issues would depend on one's PC configuration, as well as one's ISP/internet settings. See:
- locally poisoned DNS cache (solution: purge your local cache, or disable Windows' DNS Client service once and for all, if applicable)
- poisoned non-local DNS server's cache (solution: use another, untainted DNS server, if applicable).

I would suggest you check your browsing history. If you see the url h**p://ww2.hiveworkshop.com in it, then assume you might mistakenly have logged in on this malicious fake site. Redirects to it were random.



About WW2
http://www.hiveworkshop.com/posts/3081177/

Seriously guys, *read* this thread...
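As an added check for the pattern Ralle describes (most lookups returning the real server, every few lookups an IP he does not control) and for pyf's advice above to switch to an untainted DNS server: a small resolver audit that repeats a lookup and flags any answer outside the owner's known-good address list. This is example code added here, not code from the thread or from Hive Workshop; the known-good addresses and the replayed answer sequence are constructed placeholders, and `--live` switches to the system resolver.

```python
"""Detect intermittent DNS hijacking of a hostname (added example).

Repeat a lookup many times and flag every answer that is not in the
domain owner's known-good address list. The sample answers below are
constructed so the script runs offline; all IPs are documentation
placeholders, not the real Hive Workshop addresses.
"""
import ipaddress
import itertools
import socket
import sys
from collections import Counter
from typing import Callable, Iterable

# Placeholder: replace with the addresses you actually control.
KNOWN_GOOD = {"203.0.113.10", "203.0.113.11"}

def live_lookup(host: str) -> set:
    """Resolve `host` with the system resolver (needs network)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)}

def make_replayer(script: list) -> Callable[[str], set]:
    """Build a lookup function that replays a constructed answer sequence."""
    answers = itertools.cycle(script)
    return lambda host: next(answers)

def audit(host: str, lookup: Callable[[str], Iterable[str]],
          known_good: set, rounds: int) -> dict:
    """Run `rounds` lookups; report rogue addresses and how often they appeared."""
    seen: Counter = Counter()
    rogue: set = set()
    hijacked_rounds = 0
    for _ in range(rounds):
        # Normalise each answer so "203.0.113.010"-style spellings compare equal.
        answers = {str(ipaddress.ip_address(a)) for a in lookup(host)}
        seen.update(answers)
        bad = answers - known_good
        if bad:  # any unexpected address means this answer is not ours
            hijacked_rounds += 1
            rogue |= bad
    return {"rogue": rogue, "seen": seen, "hijacked_rounds": hijacked_rounds}

# Constructed sample: seven honest answers, then one poisoned answer.
SAMPLE = [{"203.0.113.10"}] * 7 + [{"198.51.100.77"}]

if __name__ == "__main__":
    lookup = live_lookup if "--live" in sys.argv else make_replayer(SAMPLE)
    print(audit("hiveworkshop.com", lookup, KNOWN_GOOD, rounds=24))
```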
 
I would suggest you check your browsing history. If you see the url h**p://ww2.hiveworkshop.com in it, then assume you might mistakenly have logged in on this malicious fake site. Redirects to it were random.
Oops, it seems that I have the "No History" extension on, so I can't really check. But I think I saw "h**p://ww2.hiveworkshop.com" quite a few times before...
 