Alright, I'm browsing through the forum, minding my own business when I get this message. I keep getting this message saying hackgaia.com is requesting my Minecraft Username and Password. Anyone else on the forum getting this issue?
It's an attempt to get your username and password. Any information you put there goes directly to them. Taleworlds.com had an attack exactly like this before (I'm not sure if it was the same site or not).
I'm worried that someone might be so naive as to put in their actual information (Last time I got the message I put in a message saying **** you hacker, so on and so forth) so could one of the administrators please put up an announcement about it so everyone sees it?
Kendra~♥ wrote :
> I'm worried that someone might be so naive as to put in their actual
> information (Last time I got the message I put in a message saying **** you
> hacker, so on and so forth) so could one of the administrators please put
> up an announcement about it so everyone sees it?
Well, with bbcode turned off I don't think it'll be popping up again n-n
Do not wallow do not stall
Time waits for none at all
Your allowance may crawl,
It may fly or even vanish
But none will seem more lavished
Than time lost to all.
I applaud the quick action by the mods as to this decision.
This user had a good idea:
Gikon wrote :
> Ok let me explain this to you guys.
> I am a white hat; I know what I speak, Aight? ok.
>
> This login is generated by a PHP script known as a FLW or Fake Login
> Window. Since PHP can also output images it can be masked as such, so when
> the user loads the image that is posted using the BBCode tags [img] then
> they can run the output script of that PHP along with the FLW. These FLW
> dump into text files or other related files on the server of origin. The
> script can easily be spotted as the header or title of the window will
> state (usually) where it comes from, and if it does not the text of the
> window will, and even if that does not you should have common sense to know
> that almost no website uses PHP prompted logins just because of this.
> Add-ons like AD-Blocker-Plus for Firefox will automatically block FLW.
>
> to solve this issue you can not just block .php images from going into the
> [img] tag, that is not only unfair, but very hard to do; So what do you do?
> Well the easiest way would be to block free-host websites from having
> images on here, using a reverse hot-linking blocker (.htaccess), that would
> pretty much solve the issue since you need to really have a
> website/ftp/server to host php image scripts; since websites like
> imageshack and photobucket do not accept/remove php code.
>
> NOW EVERYONE CALM DOWN.
>
> Ok, So questions, comments, etc can be PM'ed to me or posted.
The National Socialist of minecraftforums, since 2010!
Yeah, we know what the problem is; the issue is working out a solution that works for everyone. The options I know of are as follows:
1. Allow only whitelisted image hosts to be used, for example imgur.com and imageshack.us, this has the disadvantage of users being unable to use "dynamic" signatures that they host themselves, ones that report server status etc.
2. Pass all images through our own image outputter that makes sure it's safe to display. It would allow dynamic signatures to still work, but on the downside it would use bandwidth from us for every image and push us a lot higher, we already do 140mbps at peak times, impractical.
3. Verify that an image doesn't require authentication to be displayed whenever an image is posted, this is the "best" solution but it means someone could submit say "http://website.com/image.jpg" without authentication, but then when the forum allows it to be posted they switch the image on their server to require authentication.
None of these options are ideal, they all have large downsides, but it appears we'll have to select one, unless I've missed an obvious solution. The most likely result will be #1, which sucks, but... :sad.gif:
I'd say 3 or 2 is the least disrupting. Server status images are pretty large, along with the fact that there are image hosting sites being created every day, and it would be a pain to know which ones to use every time you post an image.
You can always ask Curse, since this is one of the reasons we signed with them in the first place.
But one of the main things that we're forgetting;
If someone knows the power to do this, they wouldn't do it on a random block-building indie game (unless it got shitloads of attention (CURSE!)) or unless they were on a chain spree.
Bold on chain spree.
Ask around a bit and see what towns the cyclone hit before us - they might know the answer.
Possibly alert the entire community, otherwise it's extremely likely that they don't know what the hell is going on, and think that BBCode was disabled because of some curse hosting accident, then flame, rage, start topics, etc. Also, the more people going around asking, the more likely we're going to get a solution.
It isn't a popup, it's an HTTP authentication request (401 response).
Which sucks royally because browsers don't provide any real way of intercepting that and preventing the authentication prompt from popping up. This means all the checks would have to be done server side, which basically leaves the options citricsquid listed with one possible addition.
If you want to check a file without actually downloading it, use a HEAD request (as opposed to POST or GET). This behaves just like a GET except it should only return the header information. Then you check for a 401 in the header and don't embed any images that return it. Still involves a little extra bandwidth but it's quite a bit less than requesting the entire document. Mind you, sending a HEAD request could be interesting as I don't think PHP supports that by default, so you might have to do a straight up TCP/IP connection via sockets and build the request yourself.
Tis far better to be a witty fool than a foolish wit.
Well, you could change it so that the [img] tag always points to a script that verifies the actual image doesn't generate a 401 and then does a redirect to the real image. Honestly though, while it is possible to code around this on the server side, I doubt it's worth the bother of doing so. Just flat out refusing to embed images that are not on trusted sites is probably the simplest solution that will work.
Not that I would particularly like that solution myself as I have my own site and host my own images, but hopefully getting my site added to the list would just be a matter of sending PMs to the right people.
Tis far better to be a witty fool than a foolish wit.
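The HEAD-then-check idea from the post above, together with the verify-then-redirect script and the trusted-host list suggested after it, can be implemented as follows. This is an added example, not code from the forum, its moderators or Curse; it is written in Python's standard library rather than PHP. It stands up a constructed local HTTP server that plays both a benign image host and the phishing host (the latter answers an image request with 401 plus a WWW-Authenticate header, which is exactly what makes the browser show the username/password box). The function name check_image_url, the allow-list contents and the demo paths are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def check_image_url(url, allowed_hosts=None, timeout=5):
    """Decide whether a user-submitted [img] URL is safe to embed.

    Returns (ok, detail). Refuses anything that is not plain http/https,
    any host outside allowed_hosts (when an allow-list is given), any
    server that answers with 401 or a WWW-Authenticate header, any
    redirect, and any response whose Content-Type is not image/*.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "unsupported scheme"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host %r not on allow-list" % host
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(host, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        # HEAD: headers only, so no image bytes are transferred.
        conn.request("HEAD", path)
        resp = conn.getresponse()
        # A 401 carrying WWW-Authenticate is what triggers the browser's
        # login dialog when it loads the "image"; refuse it outright.
        if resp.status == 401 or resp.getheader("WWW-Authenticate"):
            return False, "server demands HTTP authentication"
        # A redirect could lead anywhere (including to a 401), so it is not
        # followed here; a production check would follow it and re-apply
        # every check to the final URL.
        if 300 <= resp.status < 400:
            return False, "redirect (%d) not followed" % resp.status
        if resp.status != 200:
            return False, "unexpected status %d" % resp.status
        ctype = (resp.getheader("Content-Type") or "").split(";")[0].strip().lower()
        if not ctype.startswith("image/"):
            return False, "not an image: %r" % ctype
        return True, ctype
    except OSError as exc:
        return False, "connection failed: %s" % exc
    finally:
        conn.close()


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for an image host (/sig.png) and for the
    phishing script masquerading as an image (/login.png)."""

    def do_HEAD(self):
        if self.path == "/sig.png":
            self.send_response(200)
            self.send_header("Content-Type", "image/png")
        elif self.path == "/login.png":
            # What the fake-login script does: claim to be an image but
            # demand Basic auth, so the browser prompts for credentials.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Minecraft Login"')
            self.send_header("Content-Type", "image/png")
        else:
            self.send_response(404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_HEAD

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Run the checker against the constructed local server; returns a dict."""
    srv = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % srv.server_port
    local = {"127.0.0.1"}  # allow-list for the demo only
    results = {
        "benign": check_image_url(base + "/sig.png", allowed_hosts=local),
        "phish": check_image_url(base + "/login.png", allowed_hosts=local),
        # Off-list host: refused before any request is made.
        "offlist": check_image_url("http://hackgaia.com/x.png",
                                   allowed_hosts={"imgur.com", "imageshack.us"}),
    }
    srv.shutdown()
    srv.server_close()
    return results


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(name, "OK" if ok else "REFUSED", detail)
```

Two caveats worth keeping in mind. A server is free to answer HEAD and GET differently, so a hostile host can pass this HEAD check and still send 401 to the browser's GET; and even an honest-looking host can be switched after approval, which is the race described in option 3 above. Re-checking on every render (or caching a verdict for only a short time) narrows that window but cannot close it, which is why the allow-list of trusted hosts remains the only check that does not depend on the remote server's cooperation.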
What is the point of phishing Minecraft accounts?
Maybe a message warning everyone until the permanent fix would be good.
Please link me to the locations it's happening. I removed the offending user, but if there are more doing it, PM or post, whichever works.
I'll mention it over in the mod forum
for some reason I feel this has to do with curse.
EDIT:
http://www.hackgaia.com/
what the hell
(safe to click on)