Post by Tim on May 21, 2010 8:46:39 GMT -6
A couple users reported multiple issues last night, which I'm guessing are related. The first is the game hanging while loading pages, while trying to connect to googlesearch.com. The second issue is that users with AVG (anti-virus, spyware, malware, etc. program) have had warnings about the site. erom discovered that when he loads the page it's trying to connect to 4 outside sites that have nothing to do with GoS and seem to have questionable legitimacy.
I'm looking into both issues as fast as I can. Will be spending my lunch break and my evening trying to figure this out. Not sure if it's an issue with my hosting site or what.
Will keep you guys posted as I figure things out. Any info you might have on the issue might be helpful. Thanks for your patience.
-Tim
Post by redrum on May 21, 2010 8:49:28 GMT -6
cookies. that's what those sites are giving you.
Post by Tim on May 21, 2010 12:29:53 GMT -6
Update: Looked into things over lunch. I too am seeing calls to the 4 sites that redrum pointed out (and no, they aren't work friendly), and ran into the AVG warning about the page. Haven't found the root of the problem yet, but I did trace the calls back to one file on the site. Unfortunately, that file is the page that controls the header of the page with all the links to nearby, town, profile, etc. The login page and all popup windows (item and quest stats) don't appear to be causing any issues. All other pages may and likely are.
I can say with some reasonable assurance that after experimenting on the test site a bit, these new issues are not from some recent code change on the site or the server. I swapped out the header file with the ones from v3 and v4 and still saw the links when I loaded a page. This leads me to believe that something the header file has been linking to for some time is now causing issues.
My plan tonight after work (4-5 hours from now) is to dig through the header file, find the culprit, and remove it for now, regardless of what its effect on the game might be. If nothing else I'll come up with a workaround until the malware issue can be resolved.
Stay tuned for more updates.
Post by redrum on May 21, 2010 12:47:18 GMT -6
ok this is what i have worked out so far. any url from gos.talij.com/"insert random" will redirect you to nsfw site. so it seems more of a server issue. specifically 404 page. so it reasons you have a broken link somewhere which redirects you.. i think
Post by redrum on May 21, 2010 12:48:11 GMT -6
correction any url for a page that does not actually exist on the site
Post by Tim on May 21, 2010 13:07:44 GMT -6
interesting. Did you notice the redirects on the pages I mentioned above (index2.php, itemstat.php, queststat.php)? I checked and they didn't seem to be showing up on those to me. Could be that the header page links to a broken link, which would tie in with what you're seeing.
Definitely will look into that later. If you come up with any other thoughts, let me know.
(Stupid work. Part of me really wants to take the rest of the afternoon off so I can look into this. Mentally I'm only kinda here anyways... *sigh*)
Post by Tim on May 21, 2010 13:35:10 GMT -6
Ok. DEFINITELY related to missing pages. Tried to go to an address that doesn't exist like you suggested and it linked me to a phony virus scan page. That definitely narrows it down. Thanks redrum!!!
Now I just need to take care of the issue. Decided it's best not to do any further testing here at work though...
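The check the posts above arrive at (ask for a page that does not exist and see where the server sends you) can be automated. The following is an added example, not part of the original thread: it classifies the response to a request for a missing page, given the status code, headers and body captured with an HTTP client that has redirect-following turned off. The function names and the sample responses are constructed for illustration; `fake-scan.example` is a placeholder host.

```python
import re
import secrets
from urllib.parse import urlsplit

# Body-level redirects: <meta http-equiv="refresh"> and script-driven navigation.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
JS_REDIRECT = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)

def random_probe_path():
    """A path that should not exist on any site, so the 404 handler answers."""
    return "/" + secrets.token_hex(12) + ".htm"

def offsite(url, site_host):
    """True when url names a host other than the site's own (relative URLs do not)."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() != site_host.lower()

def check_missing_page(site_host, status, headers, body):
    """Return a list of findings for the response to a non-existent page."""
    findings = []
    headers = {k.lower(): v for k, v in headers.items()}
    location = headers.get("location")
    if 300 <= status < 400 and location and offsite(location, site_host):
        findings.append(f"HTTP {status} redirect to off-site {location}")
    for pattern, label in ((META_REFRESH, "meta refresh"),
                           (JS_REDIRECT, "script redirect")):
        for target in pattern.findall(body):
            if offsite(target, site_host):
                findings.append(f"{label} to off-site {target}")
    if status != 404 and not findings:
        findings.append(f"missing page answered with HTTP {status}, expected 404")
    return findings

# Constructed sample responses (not captured from the real site).
SITE = "gos.talij.com"
CLEAN = (404, {"Content-Type": "text/html"}, "<h1>Not Found</h1>")
HIJACKED_HEADER = (302, {"Location": "http://fake-scan.example/scan"}, "")
HIJACKED_BODY = (200, {}, '<meta http-equiv="refresh" '
                          'content="0; url=http://fake-scan.example/av">')

if __name__ == "__main__":
    for name, resp in (("clean", CLEAN), ("header", HIJACKED_HEADER),
                       ("body", HIJACKED_BODY)):
        print(name, check_missing_page(SITE, *resp))
```

Run on a schedule against a freshly generated probe path, an empty findings list means the 404 handler is behaving; any finding means the error-page configuration on the server should be inspected.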
Post by redrum on May 21, 2010 15:31:26 GMT -6
well you can rule out the index2.php. as the login page appears to be clean. my bet is with the header.htm
Post by Tim on May 21, 2010 15:45:02 GMT -6
That's the one I had narrowed it down to. Emailed my host about the issue, as me changing my 404 error pages has no effect. Will try to find the issue in the header file, so at least that issue might clear up.
Post by redrum on May 21, 2010 15:54:32 GMT -6
hopefully you get it solved. going to sleep. i'll be back in about 9h
Post by Tim on May 21, 2010 15:56:17 GMT -6
Update: Fixed the broken link in header.htm. Cleared up the occurrences on normal site pages now. Haven't checked them all yet, so there could be a broken link on another page still, so let me know if anyone is still noticing the issues on other pages.
Still issues with going to pages that don't exist redirecting to badness. I wouldn't recommend it to anyone, just in case you get malware. Working with my host to clear that up.
Post by Tim on May 21, 2010 18:05:07 GMT -6
Hopefully last update: My host fixed the issues with the missing page redirection issues, so all should be well now. Sorry for any of the trouble the 'bubble of evil' might have caused you guys. Please let me know if you guys notice any further issues!
Go Team!!
Post by redrum on May 21, 2010 21:35:51 GMT -6
problem seems to be gone.. did your host give you any explanation to how it happened? but it's nice that you got it solved
Post by Tim on May 21, 2010 22:42:41 GMT -6
From the host: "It appears that your site was hacked by someone who was able to log in using your FTP credentials. We are not 100% as to how they were able to obtain your login credentials, however we do believe it was due to an exploit called Gumblar, which uses a vulnerability in Adobe software products like Acrobat Reader or Flash Player to capture your FTP information and send it out on the internet."
I'm not certain that's what happened, but I've taken steps to at least try to prevent this in the future. Apparently it's an issue that my host has seen happening a lot the last few months. Just something that's going around. If it happens again, 1) there's no longer a broken link in the header file, so it won't be noticeable unless you try to go to a broken link, and 2) I'll know what to do to fix it.
Post by redrum on May 21, 2010 23:23:08 GMT -6
doesn't sound right. if someone had actually had the ftp credentials they could have done so much more than just messed with the 404. and then there's the fact that gumblar works in a totally different way