Toon Hacking/Account Stealing/Keylogging Consolidated Thread

[axuis]

ok we are on guk too and the same thing happend to my guildies loged out at 1 and came back in next day naked in front of a mail box naked in big bend

so this a bit of a coincenence that we both on guk and this is happend ?

again as i said in earlier posts all virus scanners up to date etc and i have been told they ran that web rooter as well only cookies found so where does this leave us? our gb wasnt stolen thank god as they didnt have permision to loot but we are with out 3 players at least until soe gets back to them and if they done every thing they can or could to stop this and it didnt stop it its bound to happen again

something def wrong when so many people are saying same story

[Ily]

So Pet, what do you reccomend for 64 users?
And what, if anything, do you know about StopSign/eAcceleration products?
Thats what Ive been running for the last 2 years and have had 0 problems.

[feldon30]

According to Petgroup, the appropriate course of action for anyone who gets hacked is to box up your computer and ship it back to the manufacturer.

Why do I keep posting this? Cause you are being an asshole. 3 paragraphs about how you think everyone in this thread are idiot scum who are beneath you and should have been done the world a favor and been aborted and then 1 sentence about "btw run this and this tool" is really gonna get more people to post!

[Oswaldor]

Quote:

Originally Posted by Basta

Posted first in TEch Support as the thread was found vua Google. Reposted here after reading more of the site.

...snip...

I inform the Guild Leader of what has happened and log off. Check virus scans for any thing and run a new full scan.




So where does that leave me. Yes my account information has been shared with one person, my son, and his account looked just like mine. Empty and naked. He has accessed only his account from his computer, both accounts have been accessed from my computer, but not in the last six months.

Just out of curiosity I logged in one of the toons that ended up in Big Bend to sww aht might be going on there. Zogun, Zipheethick, Kikam, Zogigoog, and Ojikog are all going from a small room by the mailbox there, bank, vendor and come back and stand next to another of these toons and then log. At any given time how many level 1 toons would be in Big Bend? They were all Level 1/1.

So where does this put me.....in the stupid class because I shared the account infor with my son. Or just maybe, just maybe is there something to what some of are saying.

I am definitely open to suggestion cause losing everything you've acquired in 2 years of playing really sucks. Granted, SoE, after investigation may replace your gear and GB items but I still feel as if I've been raped.

That is interesting. Trend Micro would definitely pick up on the infection if it was from the recent injection attacks. The agent is dormant now and TM have already categorised it so it should be detected.
That and the rest of the reports are definitely more fuel to the fire that this is not just a user issue.

[axuis]

well i have been saying this in a few posts but every one assumes its user error off the bat

[Trepan]

Quote:

Originally Posted by Basta

So where does this put me.....in the stupid class because I shared the account infor with my son. Or just maybe, just maybe is there something to what some of are saying.

I'm curious if you've changed your password lately, like in the last 3 weeks or is it a password that could have been collected a while ago and only just recently been put to use.

Have you read the SoE forums on other machines (friends, neighbors, countrymen, coffee shops, comps on the network at Best Buy...?) and authenticated so as to have been able to post? Has your son logged on your toon at a friend's house to show him that shiny new item or loan a plat or help out?

There are plenty of opportunities to collect that information, your box need not have been the one compromised.

-----------

Oswaldor: Are you tracking all traffic from your honeypot over time? How does that altered DLL behave aside from having a different checksum?

-----------

I know some incarnations of botnets rely on sleeper processes that fire up for short periods to contact the master server and then go dormant again.

I know I'd like to be able to remove all traces of my hacks once I've gotten the goods. If they log which information was collected from which IP they were from (there are lots of situations where a DHCP'd address can be fairly static and not re-assigned to a new MAC), then what, besides a certain level of sophistication, is to stop it from sending a "ok, rape accomplished (successful or not). Delete yourself" the next time that little guy fires up and pings the botnet master server?

-----------

As for why a company would not want to step forward and announce that they've been hacked... you'll find reticence from any publicly traded company to do that. Sprinkle that with the reminder that SoE was burned last year due to an employee at the company who did their billing selling subscriber contact information to marketing companies, and you can easily imagine a lot of people standing around in a board room wondering what course of action to take.

There are InfoSec companies out there who are focused on fighting fires in the background so that their clients don't have to announce breeches of security. Unless there was personal information leaked, there is no law in the US that requires acknowledgment of any such breech (if one did occur).

[Petgroup]

Quote:

Originally Posted by feldon30

According to Petgroup, the appropriate course of action for anyone who gets hacked is to box up your computer and ship it back to the manufacturer.

Actually, I've said it about 20 times. Run the free Webroot scan and see what it finds.

In my 1,000+ posts on this site find anything remotely close to me saying "Box up your computer and ship it back to the manufacturer" I probably haven't even used box & manufacturer in the same sentence till this post.

I enjoy being this so called asshole who offers a year free subscription to Webroot for the first hacked player who posts a screenshot showing Webroot free scan found the culprit.

Thats $40 out of my pocket or $69 if I sold it to you on a service call. I don't have to do shit, I'm offering a resolution to hacked players in a game I don't even play or will ever play again. It's for the flames community. Yet you call me an asshole and say I think everyone is scum and beneath me. Fuck off.

Quote:

Originally Posted by Ily

So Pet, what do you reccomend for 64 users?
And what, if anything, do you know about StopSign/eAcceleration products?
Thats what Ive been running for the last 2 years and have had 0 problems.

I use Trend on my 64bit Vista & I'm surprised it didn't find this magical hack going around. I've never used Stop Sign but there commercials are just as annoying as Head On.

[Ily]

Yeah, I actually started using them before I ever saw a commercial because I had another 64bit buddy reccomend them... But youre right, they are annoying ads.

[Oswaldor]

Quote:

Oswaldor: Are you tracking all traffic from your honeypot over time? How does that altered DLL behave aside from having a different checksum?

It is not an altered dll - it is the actual trojan that gets injected into most processes using the standard windows injection scheme.
I haven't monitored it over time, just observed that as soon as it got something it liked (ie. a password field in IE) it transmitted some encrypted data to 61.188.39.175:2034.

Unfortunately my honeypot lived only a short life - it was created using a standard XP installation disc with absolutely no updates. Needless to say it died pretty quick, when I turned off the firewall.

[Bitmap]

Quote:

Originally Posted by Petgroup

I use Trend on my 64bit Vista & I'm surprised it didn't find this magical hack going around. I've never used Stop Sign but there commercials are just as annoying as Head On.

I use trend as well and it didnt pick up on a trojan my system picked up, but doing a double check with kapersky did pick it up.