Recent Malicious Activity

Jay Gatsby

Staff member
Jun 8, 2010
Hi,

It’s recently come to our attention that a handful of servers have unfortunately been targeted in a string of malicious attacks. As a result of this, user details have been compromised and users may still be infected.

The servers that we know have had user data compromised are:


  • OS-Scape
  • Luminite
  • Solak

If you have downloaded any files from the above three servers, we recommend doing a comprehensive malware scan to ensure you’re not infected. You should also change your passwords immediately.

In the case of OS-Scape, you should search for a file called ‘ScapeFiles.jar’, particularly in the following directories:
Code:
%appdata%/Roaming/os-scape
%appdata%/Local/os-scape

In the case of Luminite & Solak, you should search for a file called ‘XLSTART.jar’, particularly in the following directory:
Code:
%appdata%/Roaming/Microsoft/Excel

Please note that in the above examples, you should scan your entire PC for these files; they may be hidden elsewhere. You can use a tool such as https://www.voidtools.com/ to search your entire PC for a particular file.

As a reminder, you should, where possible, be taking full advantage of two-factor authentication as well as performing regular scans and sandboxing any files that come from providers you do not completely trust.

All of the servers above have informed their existing user bases about the breach and we believe that, whilst there was a level of negligence here, the management behind these servers weren’t acting maliciously. As such we won’t be taking action against these servers. We will be continuing to observe the response time of servers notifying users about breaches, and if we feel they’re intentionally misleading or delaying users of these breaches, we will likely take action.


If you’re a server owner, you have a responsibility to keep your systems secure. You’re operating in a scene where people will jump onto any exploit they can and the onus is absolutely on you to keep these exploits to a minimum. There are lots of documented ways to do this and below are some guides that may help with this:

Thanks,
Rune-Server Staff
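
The whole-disk search recommended in the announcement can also be scripted. The following is an added example, not part of the original post: it looks for the two file names given above (case-insensitively) under a chosen root and reports each match with its size and SHA-256. The function names and the constructed sample tree in `demo()` are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Names from the announcement, lower-cased (Windows paths are case-insensitive).
IOC_NAMES = {"scapefiles.jar", "xlstart.jar"}


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_ioc_files(root, names=IOC_NAMES):
    """Return (path, size, sha256) per match; os.walk skips unreadable dirs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in names:
                continue
            path = os.path.join(dirpath, name)
            try:
                hits.append((path, os.path.getsize(path), sha256_of(path)))
            except OSError:
                # Locked or unreadable: still report it, without a hash.
                hits.append((path, None, None))
    return sorted(hits)


def demo():
    """Constructed sample tree: two planted matches and one unrelated file."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("Roaming/os-scape/ScapeFiles.jar",
                    "Temp/cache/xlstart.JAR",
                    "Roaming/os-scape/settings.ini"):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"constructed sample, not a real jar")
        return [os.path.relpath(p, root).replace(os.sep, "/")
                for p, _size, _sha in find_ioc_files(root)]


if __name__ == "__main__":
    print("\n".join(demo()))
```

To scan a real machine, call `find_ioc_files` on each drive root; a name match only marks a file for inspection and a malware scan.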
 
Cheers Jay, I'll be making a post at some point on some tips for securing a web server. I know obviously there were some shortcomings in OS-Scape configurations, but this was because of the various flaws in the IPB forum software and the unfortunate event of our admin's password becoming compromised, so the hacker had an entry point to exploit IPB's security shortcomings.

For now, a few things that RSPS owners can do to their websites:

- Use CloudFlare Pro; it's $20 a month and gives you a WAF (web application firewall), which has a bunch of useful built-in rules to stop common exploits.
- Only allow addresses originating from CloudFlare IPs
- Disable all vulnerable PHP functions in your config
- Ideally avoid IPB, but if you can't, just make sure that ANY staff member can only log in by using 2FA, not just for protected areas (as the admin hacked on OSS was compromised before he set up 2FA and then the hacker set up 2FA)
- More IPB security tips: https://www.rootusers.com/how-to-secure-invision-power-board-ipb/
- Use separate Docker containers for your main site and forum and use a different network interface for each
- Ensure your folders use the following permission set: directories to 755 and your files to 644
- Host client links external to your site and code sign where possible
- Set your allowed file types to only accept images/videos for posts to avoid XSS attempts
- Ensure you are using up-to-date application versions
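
One way to check the 755/644 permission set from the list above against a web root, as an added example that is not part of the original post. It assumes a POSIX file system; the function names and the constructed sample tree in `demo()` are hypothetical.

```python
import os
import stat
import tempfile

DIR_MODE, FILE_MODE = 0o755, 0o644   # the permission set named in the post


def audit_permissions(root):
    """Return sorted (relative path, actual mode, expected mode) mismatches."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            info = os.lstat(path)          # lstat: do not follow symlinks
            if stat.S_ISLNK(info.st_mode):
                continue                   # a link's own mode is not meaningful
            expected = DIR_MODE if stat.S_ISDIR(info.st_mode) else FILE_MODE
            actual = stat.S_IMODE(info.st_mode)
            if actual != expected:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, oct(actual), oct(expected)))
    return sorted(findings)


def demo():
    """Constructed web root with one world-writable dir and one 0666 file."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("uploads", 0o777), ("themes", 0o755)):
            os.mkdir(os.path.join(root, name))
            os.chmod(os.path.join(root, name), mode)
        for rel, mode in (("index.php", 0o644), ("uploads/conf.php", 0o666)):
            full = os.path.join(root, rel)
            with open(full, "w") as fh:
                fh.write("<?php // constructed sample\n")
            os.chmod(full, mode)   # chmod after writing so umask is irrelevant
        return audit_permissions(root)


if __name__ == "__main__":
    for rel, actual, expected in demo():
        print(f"{rel}: mode {actual}, expected {expected}")
```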
 
Thanks, was wondering if a proper announcement was going to be made or not. :yes:
 
sad to think people still do this kind of thing to servers..
 
Great write-up Jay! :wub: I am almost done with my little Jar Scanner web app which may help players who don’t understand how to decompile and inspect suspicious code. :p
 
Thanks for the informative post Jay, I'm sure this will help clear some things in the air and help the infected victims and prevent this from happening in the future.
 
 


By the way, the way these attacks usually get in is through forum theme uploads. Don't give ANYONE the admin perm to upload themes.
Even your most trusted partners or whatever, if they are compromised, their accounts can be used to upload themes as well.

Another reason I keep pushing everyone to XenForo: it has its issues but not as dumb as shelling a box through a fucking theme. Also has an incredible API that you can use for auth.
 
sad to think people still do this kind of thing to servers..

sadly, in this private server community it will always be an issue. No matter the year.

O.T: Thank you for the announcement.
Stay safe everyone, if you ever want to release a server make sure to triple check everything security related.
 
Or ppl can just program rsps to emulate Runescape in a custom scenario so players can have fun, as it was intended, rather than trying to fucking mug everyone off
 
I am all for progression, but this put another stain on the RSPS community. Security>Marketing
 