War Z Server Files & Source Code Discussion
Let's "audit" the situation here.
• What happened to War Z?
Servers and forums (including their databases) were compromised by multiple people, it seems.
Details on how (quoted from theDomo on this forum; cache backup of the post):
More (retarded) information on that here:
#######################################################################
Title: WarZ, Warinc Hack
Author: H.J. Auditing Employee Brent Junker
E-mail: junker@HJauditing.com
#######################################################################
============
Introduction
============
In this document we will be covering the points of entry into Hammerpoint.
============
Part 1 "point of entry"
============
The hacker started by auditing thewarinc.com.
Found an SQL Injection in the forums which has been patched since then.
After finding the SQL Injection, the hacker then proceeded to dump the user table.
And some of the admins had passwords like ******.
From researching the user table, the hacker found out that kewk
was using the same password on the forum, his email,
The WarInc and The WarZ. This was the point of entry.
============
Part 2 "The Shell"
============
The hacker then proceeded to log in to the admin cp of The WarZ.
Then proceeded going to the plugins and adding a malicious plugin for executing basic commands.
Plugin contained.
***************
And then executed the command ******************** to get a more sophisticated backdoor up.
example:
*****************************
Then the hacker hid the shell in a discreet directory so the administrators would not find it.
============
Part 3 "password logging"
============
This is where it is starting to get interesting. The hacker placed a password logger in the vBulletin login function.
Then we would be able to grab all login sessions with plain text passwords
============
Part 4 "Accessing emails"
============
About more than half of the employees used the same passwords on their email accounts along with their personal email.
So inside their email contained information about SVN, RDP, what hosting company they were using and conversations between
employees, which contained some inappropriate content on their work emails.....
...... and more
• What is the "War Z Server files" thread? Who is "Sirgay"?
Originally, a retarded user named "Sirgay" created this thread: http://forum.ragezone.com/f111/warz-serverfiles-29-03-2013-a-920346/ to most likely just cause drama and infect people. He claimed infecting the War Z servers, as well as having up-to-date server files (but no source code). He could barely speak English fluently, and in the end the files were completely fake (and included viruses).
• What was really in Sirgay's files?
Upon release of the so-called "files" he had, there were 3 separate .rars to download as well as a database file. The final rar was called "WarZMarch30.rar" and here is a picture of the contents:
This looks to me like the data extracted from War Z including the client files with other random crap included.
There was a bunch of files with "Super Mario Bros" as the title and a "Studio.exe" virus which copied a java.exe to your localdata folder with a text script and disabled your task manager. Retards.
The database he uploaded was a "Kal Online" database which had nothing to do with War Z and was last modified in 2008.
• What's Happening Now?
This thread was made to inform everyone on what's going on here.
• I was infected! How can I remove it?
(you should have been a little smarter, but)
Re-enabling task manager:
Here is a simple guide on how to remove the infection. If you need help, post here. Also make sure to download Malwarebytes. Also, I know this is in the wrong section, but I posted here so the infected users have a better chance to see.
Tips:
Having a problem removing? Restore your PC back to a previous date.
Disconnect your PC from the internet while doing this (to stop him from messing you up).
Windows XP & Vista/7
1. First go to your Start and select Run. If you don't see Run, then search for it.
2. Once you click on it, type %appdata% and go to the bottom. Do you see java.exe?
3. Now minimize that, go back to Run, type msconfig, then select Startup and disable java.exe.
4. Now restart your PC, then log in, go back to appdata and delete java.exe.
Windows 8
1. First go to your Start and search for Run, then type %appdata% and see if you have java.exe.
2. Hold [CTRL] + [ALT] + [DELETE], then select Startup and disable java.exe.
3. Restart your PC, then log in, go back to your appdata and delete java.exe.
Screenshots [Windows 8]
Notice I didn't get infected; the program I was right-clicked on in my startup wasn't the infected file, it was an example.
Type regedit into search, navigate to this registry.
Delete
Code:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\]
or replace 1 with 0.
Code:
DisableTaskMgr=1
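Added example, not part of the original post: a read-only PowerShell check for the three indicators the removal guide names (java.exe in %appdata%, a startup entry that launches it, and the DisableTaskMgr policy value). The function name is hypothetical, and it assumes the msconfig startup entry lives in one of the standard Run keys and that PowerShell 4.0 or later is available.

```powershell
# Added example: read-only triage for the indicators named in the post.
# The file path and registry value come from the post; the function name is hypothetical.
function Get-FakeJavaIndicators {
    $findings = @()

    # 1. java.exe dropped directly into %APPDATA% (a real Java install does not live there).
    $dropped = Join-Path $env:APPDATA 'java.exe'
    if (Test-Path -LiteralPath $dropped) {
        $findings += [pscustomobject]@{
            Check  = 'Dropped file'
            Detail = $dropped
            # Hash lets you look the sample up with your AV vendor before deleting it.
            Extra  = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
        }
    }

    # 2. Startup entries whose command line points at that file.
    #    Assumption: the entry msconfig shows is stored in a standard Run key.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $meta) { continue }   # skip provider metadata
            $cmd = [string]$p.Value
            if ($cmd.IndexOf($dropped, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $findings += [pscustomobject]@{
                    Check = 'Startup entry'; Detail = "$key -> $($p.Name)"; Extra = $cmd
                }
            }
        }
    }

    # 3. Policy value that disables Task Manager for the current user.
    $policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $tm = Get-ItemProperty -Path $policy -Name DisableTaskMgr -ErrorAction SilentlyContinue
    if ($tm -and $tm.DisableTaskMgr -eq 1) {
        $findings += [pscustomobject]@{
            Check = 'Task Manager disabled'; Detail = $policy; Extra = 'DisableTaskMgr=1'
        }
    }

    $findings
}

Get-FakeJavaIndicators | Format-List
```

The function changes nothing on the machine; an empty result means none of the three indicators were found for the current user.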