IFRAME On FFXIAH? :o

By Gilgamesh.Alyria 2009-12-21 10:33:36  
Anyways, Scragg is on vacation for about 2 weeks. He will barely be on and not working on the site much. At the moment there are lots of bugs on the site including for us mods. Until Scragg comes back he will check it out when he comes back. I already have a small list for myself too. So we all have to be patient for the next 2 weeks. :/
By Garuda.Wooooodum 2009-12-21 10:35:37  
Gilgamesh.Alyria said:
Anyways, Scragg is on vacation for about 2 weeks. He will barely be on and not working on the site much. At the moment there are lots of bugs on the site including for us mods. Until Scragg comes back he will check it out when he comes back. I already have a small list for myself too. So we all have to be patient for the next 2 weeks. :/

That's fair enough, we're not having a go at anyone. Any irritable tones are because this is a potential security leak. Nobody knows what that iframe is for, so everyone should be demonstrating extreme caution.

If Scragg is on holiday, even more reason to keep it blocked. I doubt he added it in himself for a benign purpose if he's on holiday. It's actually been embedded into the page source; it's not just coming from an advert or something.

I wouldn't want to see anyone's accounts compromised because they browse this site. Neither would you, I know that. We just need to make sure people keep NoScript blocking them.
 
By 2009-12-21 10:38:01
Post deleted by User.
By Gilgamesh.Alyria 2009-12-21 11:03:17  
Sent a text to Scragg. So hopefully you guys can chill a bit until he can be on.
By Garuda.Hypnotizd 2009-12-21 11:10:09  
Iframe appears to have been removed! :o
By Hades.Hiryo 2009-12-21 11:10:35  
It's gone now! :o
By Garuda.Wooooodum 2009-12-21 11:10:59  
It is indeed. Do we know the cause?
By Fairy.Spiriel 2009-12-21 11:13:46  
Silly question. Spyware and/or keyloggers. Anybody raise a stink on the JP side so that they're aware as well?

Anyone have an idea of when it was added?
By Garuda.Hypnotizd 2009-12-21 11:14:36  
Fairy.Spiriel said:
Silly question. Spyware and/or keyloggers. Anybody raise a stink on the JP side so that they're aware as well?

Anyone have an idea of when it was added?

It was added probably up to 30 minutes before my OP. I check the site very frequently and it was noticeable for me right away.
By Pandemonium.Eternaltriumph 2009-12-21 11:16:19  
Fairy.Spiriel said:
Silly question. Spyware and/or keyloggers. Anybody raise a stink on the JP side so that they're aware as well? Anyone have an idea of when it was added?

The JPs use this site to post on the forum so much less than we do it's silly. As far as I can see, even when changing the site to read JP, they post like one thread a month. >_> If that's what you were asking.
By Garuda.Wooooodum 2009-12-21 11:17:03  
Now we just have to hope whoever managed to get it there can't do it again.

And, not a silly question, obviously it's spyware/keyloggers; I meant do we know how it got there.
By Gilgamesh.Alyria 2009-12-21 11:20:39  
So far nothing has been compromised and was taken care of.
By Gilgamesh.Yukichibi 2009-12-21 11:21:01  
I don't see the iframe NoScript icon anymore; did an admin remove the code injection?
By Garuda.Wooooodum 2009-12-21 11:21:04  
Gilgamesh.Alyria said:
So far nothing has been compromised and was taken care of.

On FFXIAH's side. We don't know what it might've done to people's computers. Hopefully nothing.
By Pandemonium.Eternaltriumph 2009-12-21 11:24:48  
Garuda.Wooooodum said:
Gilgamesh.Alyria said:
So far nothing has been compromised and was taken care of.

On FFXIAH's side. We don't know what it might've done to people's computers. Hopefully nothing.

Ready the antivirus/antispyware scans. >.>
By Ramuh.Urial 2009-12-21 11:25:16  
Gilgamesh.Alyria said:
So far nothing has been compromised and was taken care of.

It's a trap!
By Ifrit.Phlow 2009-12-21 12:15:23  
There might be a bit of confusion around this whole thing.

Dynamic sites (such as ffxiah.com) are vulnerable to code injection. This is a form of attack in which a dynamic site calls on certain data, but the attacker spoofs that data to inject their own code. In this case, a flash/script to redirect the end user to a site that could have possible exploits that will automatically download to the end user's computer.

FFXIAH.com probably didn't have any of its sensitive data stolen or corrupted and the code itself was easy enough to erase. I'm sure Scragg is altering the PHP right now to prohibit that type of injection again. FFXIAH.com is safe, yes, but the people who were redirected unknowingly to the malicious site might be infected. They might have keyloggers or dataminers.

Alyria, I think there might have been a misunderstanding when the thread started - Although the box is "annoying" to look at, people were by no means upset that they had to look at it. They were upset because it implied that the server had been compromised. If you remember ffxi-somepage, that site hasn't been the same since its ad attacks.

Suggestion to anyone that visited ffxiah.com and might have been exposed: AV scan your computer a few times. Make sure virus definitions are up to date. Might want to consider not logging into FFXI for a day or two, so that you give the AV companies enough time to identify the virus (if it's new) and create something for it.
By Fenrir.Scragg 2009-12-21 13:58:46  
Hey guys,

Firstly the iframe was indeed on the site and was not authorized by FFXIAH.com. It has been removed. The user got control of my FFXIAH account for the website which exposed some admin controls. Admins have a page to manage strings throughout the site for localization and announcements. The user simply injected an iframe tag within one of the strings. I'm not sure what was contained on the remote page but it can be assumed to be nefarious.

I have researched the server's logs. They didn't gain access to our servers or database. The stored passwords on the site are safe and encrypted/salted. No website files were modified; every time a file is modified, I receive an email.

I have made the necessary patches and will continue to monitor.

I am on vacation and just got done with a 20 hour drive but I will continue to handle any incident with extreme urgency.

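An added example, not FFXIAH's code and not part of Scragg's post: one way to audit a table of admin-editable site strings for active markup such as the injected iframe described above, and to render stored strings escaped so a stray tag is displayed rather than loaded. The string keys, sample values, the allow-list policy and the example.invalid URL are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Tags that load or run remote content; none belong in a localization string.
ACTIVE_TAGS = {"iframe", "script", "object", "embed", "frame", "meta", "link", "base"}
# Inline formatting an announcement might legitimately use (assumed policy).
ALLOWED_TAGS = {"b", "i", "em", "strong", "br"}


class _MarkupAuditor(HTMLParser):
    """Collects reasons a stored string should not be emitted as raw HTML."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # The parser lowercases tag and attribute names before calling this.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active tag <{tag}>")
        elif tag not in ALLOWED_TAGS:
            self.findings.append(f"unexpected tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in ("src", "href") and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def audit_string(value):
    auditor = _MarkupAuditor()
    auditor.feed(value)
    auditor.close()
    return auditor.findings


def audit_table(strings):
    """Return {key: findings} for every stored string that needs review."""
    return {k: f for k, v in strings.items() if (f := audit_string(v))}


def render(value):
    """Output-encode a stored string so markup in it is shown as text."""
    return escape(value, quote=True)


# Constructed sample rows standing in for a site's string table.
SAMPLE_STRINGS = {
    "welcome": "Welcome to the <b>auction house</b>!",
    "announce": 'Maintenance tonight.<iframe src="http://example.invalid/x" width=1 height=1></iframe>',
    "footer": '<img src="logo.png" onerror="load()">',
}
```

An audit like this is worth running on a schedule as well as on save: the file-modification emails mentioned in the post would not cover a change made through the strings page, since no website files were modified.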
By Ifrit.Phlow 2009-12-21 14:24:06  
Thanks Scragg. It's frustrating to be on call 24-7 when these hiccups happen, and I want to let you know that the response was prompt and very much appreciated.

Just a side note, it's convenient it happened on your first day of vacation (I'm assuming this is the first, as you mentioned a long drive you just took) as well as your admin login on the web front side of ffxiah.com (rather than access to the root) was compromised. Do you think this could be someone with knowledge of your schedule and/or a list of potential passwords you would use rather than just a brute force?
By Midgardsormr.Sammitch 2009-12-21 15:05:30  
Username: Scragg
Password: admin123

Bad. :P
By Garuda.Hypnotizd 2009-12-21 15:30:23  
Midgardsormr.Sammitch said:
Username: Scragg
Password: admin123

Bad. :P

Obviously it was Love, Secret, Sex or God. Haven't you seen the movie Hackers? Sheesh.
By Odin.Ringthree 2009-12-21 15:38:47  
Gilgamesh.Alyria said:
So far nothing has been compromised and was taken care of.

So actually, something was compromised.

In general, when it comes to this kind of thing do not give advice if you don't know what you are talking about.

You actually could have been a LOT more harmful than helpful, and it is really worse when you get uppity about being wrong.

Take a lesson from Scragg on proper site maintenance. :)
By Phoenix.Baelorn 2009-12-21 15:44:12  
Fenrir.Scragg said:
I have made the necessary patches and will continue to monitor.

Thanks for all the hard work and here's hoping you can enjoy the rest of your vacation "incident" free :D
By Midgardsormr.Sammitch 2009-12-21 15:50:05  
Odin.Ringthree said:
Gilgamesh.Alyria said:
So far nothing has been compromised and was taken care of.

So actually, something was compromised.

In general, when it comes to this kind of thing do not give advice if you don't know what you are talking about.

You actually could have been a LOT more harmful than helpful, and it is really worse when you get uppity about being wrong.

Take a lesson from Scragg on proper site maintenance. :)

Give Aly a break, they pay her to keep you chumps in line, not to become an all-knowing tech guru. :P
By Gilgamesh.Alyria 2009-12-21 16:08:26  
Actually I do this free and I had misunderstood it anyways, I was thinking the add-on was broken. I may not be a full blown computer geek so no need to bash at me for any mistake.

It was a mistake and I admitted it.
By Gilgamesh.Ratatapa 2009-12-21 17:01:52  
Gilgamesh.Alyria said:
Don't be a douche to me, I only said until Scragg gets back. If it's really interfering with a lot and bugging, then you would have to uninstall until Scragg gets back. Or turn it off for this site.

Ok so people can't be douches against you but you can be douches on them? gg.

If you're trying to say you can't do anything until Scragg is back then it's fine but say something like.

"Scragg is the only one who can fix this and is not here atm, all I can tell you is keep your safety and do not click on that box"

Wow that was hard I'm exhausted (sp)
By Fenrir.Ellatrix 2009-12-21 17:51:59  
Gilgamesh.Alyria said:
Actually I do this free and I had misunderstood it anyways, I was thinking the add-on was broken. I may not be a full blown computer geek so no need to bash at me for any mistake.

It was a mistake and I admitted it.

There is plenty of cause to bash you for your mistake when your 'advice' makes you susceptible to the attack. You don't go telling people 'Oh I disabled your security system because it was beeping at me, sorry your house got robbed teehee^^!'

Since you're computer illiterate, the ONLY thing you should have said in this situation is 'Ok, I've contacted Scragg so he can take a look at it.'

Also, this
http://forums.windower.net/topic/11323-guide-protecting-your-web-browser/