Careful Where You Browse
binarywraith
Looks like Catalyst and the shadowruntabletop forums both got defaced and redirected again.
KCKitsune
QUOTE (binarywraith @ Jul 4 2017, 07:09 AM) *
Looks like Catalyst and the shadowruntabletop forums both got defaced and redirected again.

Thank God, I only come here for anything related to Shadowrun!
Prime Mover
Any idea what's up? The site's been down for a while now. Doesn't seem to be any official word.
binarywraith
I'm a cynic, so I'm going to assume Catalyst paid their hosting provider like they did their Freelancers, so they'll get it fixed 'eventually'.
Blade
They could have prevented this hacking by turning wireless off, but then the comments sections wouldn't have worked.
binarywraith
Ever tried to actually use their forum?

'Working' is not how I would describe its operation in the best of times.
Golgoth
Not sure about the previous times recently (CGL has been hacked more than once within the last month or so), but since the 28th of June, they've been hacked by a group known as the Xai Syndicate. I do not know of the motivation behind their hacking. You can theorize all day as to why they did it.

From the looks of things, someone had been scanning up gifs on the battletech side of things called lhous#.gif (# being 3, 4, 5, 6, etc) since at least March 18th. It looks like around the 28th of June 'they' found the malware (lhouse6.gif). (It looks like there was malware on there since March 18th, too, but it was found and someone has been occasionally looking around trying to find more.) I am assuming someone was already doing triage at the time and just accidentally publicly submitted the malware. It also looks like there were at least 5 malware samples that were looked into on March 18th. I didn't bother downloading the malware and analyzing it or looking too closely into it, but can if bothered enough to do it.

Over the past several days, I assume CGL, Topps, and probably Rackspace have likely been doing triage on their webserver (it's been up for at least a couple of days, you could ping it, etc, but the webpages themselves were offline). Instead of getting a working website going, they went with the option of keeping everything offline for X amount of time. I assume to try and continue to look into how they were hacked, make sure all trojans, rootkits, etc have been removed (which could very well mean someone had to change out hardware).

... Okay, as I look more into this, I think I need to get in touch with their forensics people / whoever they hired for forensics just so I can get a few things straight and potentially provide a bit of insight. If this post looks chaotic, it's because I was changing what I had typed on the fly. Most of this stuff I've known over the past several days, but there is more and more information I'm seeing (this is all publicly available if you look, btw) since I decided to care more (Shadowrun has been my favorite game since the 90s and is literally the reason why I do the job I do right now).
Sengir
QUOTE (Golgoth @ Jul 6 2017, 01:49 PM) *
Over the past several days, I assume CGL, Topps, and probably Rackspace have likely been doing triage on their webserver (it's been up for at least a couple of days, you could ping it, etc, but the webpages themselves were offline). Instead of getting a working website going, they went with the option of keeping everything offline for X amount of time. I assume to try and continue to look into how they were hacked, make sure all trojans, rootkits, etc have been removed (which could very well mean someone had to change out hardware).

... Okay, as I look more into this, I think I need to get in touch with their forensics people / whoever they hired for forensics just so I can get a few things straight and potentially provide a bit of insight. If this post looks chaotic, it's because I was changing what I had typed on the fly. Most of this stuff I've known over the past several days, but there is more and more information I'm seeing (this is all publicly available if you look, btw) since I decided to care more (Shadowrun has been my favorite game since the 90s and is literally the reason why I do the job I do right now).

Ahahaha, "forensics people"?

I'm sorry, but you seem to have a very wrong impression of scale here: There is no triage and no forensics team looking into possibly replacing hardware after a sophisticated attack on a high-value target. CGL is a tiny company with an off-the-shelf hosting package who had their website defaced. Topps isn't involved anywhere in this, the hoster doesn't care as long as the server isn't used for anything criminal or disruptive to others, and even CGL themselves are not exactly in a hurry...
Golgoth
I know 100% that someone has at least been going through suspect files to see if they are bad since the server was brought down.

Also, it wasn't a simple defacement.

Also, they've had malware tied to their IP address for quite some time. I could go in depth, but I really like for people to go and do research. Tons of free resources out there.

IPs:

67.192.254.201 (Rackspace) has been associated with CGL since at least 2013. This IP address has also been listed as owned for quite some time.

138.68.247.168 (Digital Ocean) is their new IP address as of today.

But I could be wrong. I haven't had my coffee yet today.
Prime Mover
QUOTE (Blade @ Jul 6 2017, 04:55 AM) *
They could have prevented this hacking by turning wireless off, but then the comments sections wouldn't have worked.
This made me LOL.
binarywraith
QUOTE (Golgoth @ Jul 6 2017, 09:29 AM) *
I know 100% that someone has at least been going through suspect files to see if they are bad since the server was brought down.

Also, it wasn't a simple defacement.

Also, they've had malware tied to their IP address for quite some time. I could go in depth, but I really like for people to go and do research. Tons of free resources out there.

IPs:

67.192.254.201 (Rackspace) has been associated with CGL since at least 2013. This IP address has also been listed as owned for quite some time.

138.68.247.168 (Digital Ocean) is their new IP address as of today.

But I could be wrong. I haven't had my coffee yet today.
You realize that for the most part, Rackspace does not do server or website administration, right? They are simply hosting providers.
Sengir
QUOTE (Golgoth @ Jul 6 2017, 05:29 PM) *
I could go in depth, but I really like for people to go and do research. Tons of free resources out there.

Yeah sure, "there is proof, just google it" is always an indication of a solid argument.
Dumpshock Forums © 2001-2012