Someone logged into my account

"
BlowFish wrote:
"
kappikarpfen wrote:
"
diredusk wrote:
LOL this kappikarpfen is funny. Your password is currently being saved in your config file. Firefox + NoScript if you think you are getting pass sniped. Also smart people letting browsers auto save logins


Yes, you are right, my post is just one part of what you can do to secure your account.
Extracting the saved password isn't as easy as it is with Java, and you still need some other information about your victim to do it, or he has to be infected by a trojan.


I'm scanning with various malware tools right now. I think it unlikely I have a Trojan; I run my browser in a sandbox. There has obviously been a 'wave' of attacks, not that that means anything. I did have 'save password' selected, I know, sloppy, but I am confident in my security. For the life of me I can't think how they could get that file off my system.


Well you have to keep in mind that because of how the password is saved, a virus / malware scanner might not pick it up. They don't have to do any keylogging, just have to grab the tiny config file and send it out over the internet.
"
Scully wrote:
Spybot only found low-level threats, the normal browser tracker cookie kind. Nothing to indicate I was hacked through spyware etc.


OK, thank you. It could be an indication that they got your password or hash over Java, if you have it active.


The phenomenon of hack waves is related to the fact that the hackers sell the hash/password on the "black market"; the customers often buy them in big packets.

Scully, do you have Java activated?
For what you can do for your account security, see my post at http://www.pathofexile.com/forum/view-thread/115464/page/7
Last edited by kappikarpfen on Feb 18, 2013, 8:56:01 AM
"
Lask001 wrote:

Well you have to keep in mind that because of how the password is saved, a virus / malware scanner might not pick it up. They don't have to do any keylogging, just have to grab the tiny config file and send it out over the internet.


And no antivirus/firewall can possibly be configured to detect anything that automatically grabs a file and tries to send it over the internet without the user's input. It's not like this method has been used since the dawn of the internet and follows simple steps that can be countered even by the low-end antiviruses.
IGN = Zalmoxis
Shop = 529687
"
Lask001 wrote:


I'm scanning with various malware tools right now. I think it unlikely I have a Trojan; I run my browser in a sandbox. There has obviously been a 'wave' of attacks, not that that means anything. I did have 'save password' selected, I know, sloppy, but I am confident in my security. For the life of me I can't think how they could get that file off my system.


Well you have to keep in mind that because of how the password is saved, a virus / malware scanner might not pick it up. They don't have to do any keylogging, just have to grab the tiny config file and send it out over the internet.
"

I have to put my hand up and admit I ticked that box. Not sure what I was thinking at the time <doh>. I still think it unlikely it could be grabbed, but you never know.
"
BlowFish wrote:
I have to put my hand up and admit I ticked that box. Not sure what I was thinking at the time <doh>. I still think it unlikely it could be grabbed, but you never know.


If it's related to malicious software, I think that is probably how the information is being collected right now. The way passwords are stored is a pretty big misstep on GGG's part in my opinion; they either need to implement a clever way to salt the hash, or change the way login info is stored.
"
kappikarpfen wrote:
"
Scully wrote:
Spybot only found low-level threats, the normal browser tracker cookie kind. Nothing to indicate I was hacked through spyware etc.


OK, thank you. It could be an indication that they got your password or hash over Java, if you have it active.


The phenomenon of hack waves is related to the fact that the hackers sell the hash/password on the "black market"; the customers often buy them in big packets.

Scully, do you have Java activated?

Here's my log
Search results from Spybot - Search & Destroy

2/18/2013 3:05:27 PM
Scan took 00:25:31.
82 items found.

Macromedia.FlashPlayer.Cookies: [SBI $6AA61750] Text file (File, nothing done)
C:\Users\Guest\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\8ZU8VWJL\grooveshark.com\gsGlobal.sol
Properties.size=97
Properties.md5=D64763B0225B0D7E82E0E2337ACB8E3A
Properties.filedate=1316606773
Properties.filedatetext=2011-09-21 13:06:13

Macromedia.FlashPlayer.Cookies: [SBI $6AA61750] Text file (File, nothing done)
C:\Users\Guest\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\8ZU8VWJL\grooveshark.com\jsQueue.sol
Properties.size=5590
Properties.md5=2CB87A666E33BE39D3E22278EEFB0B79
Properties.filedate=1324839521
Properties.filedatetext=2011-12-25 19:58:40

Macromedia.FlashPlayer.Cookies: [SBI $6AA61750] Text file (File, nothing done)
C:\Users\Guest\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\8ZU8VWJL\images.video.msn.com\CountryCode.sol
Properties.size=69
Properties.md5=87D78766C42ABD7142225BFC7DC643D1
Properties.filedate=1311094442
Properties.filedatetext=2011-07-19 17:54:02

Macromedia.FlashPlayer.Cookies: [SBI $6AA61750] Text file (File, nothing done)
C:\Users\Guest\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\8ZU8VWJL\images.video.msn.com\reportingSegment.sol
Properties.size=83
Properties.md5=696D86995EB9695067BEA3DD3D207F64
Properties.filedate=1311094443
Properties.filedatetext=2011-07-19 17:54:02

Macromedia.FlashPlayer.Cookies: [SBI $6AA61750] Text file (File, nothing done)
C:\Users\Guest\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\8ZU8VWJL\img.ultimate-guitar.com\acudeoSession.sol
Properties.size=121
Properties.md5=B35A724842AC3BBEA576C895583CB1E7
Properties.filedate=1316629649
Properties.filedatetext=2011-09-21 19:27:29

Macromedia.FlashPlayer.Cookies: [SBI $6AA61750] Text file (File, nothing done)
C:\Users\Guest\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\8ZU8VWJL\img.ultimate-guitar.com\SS_ARE_Override.sol
Properties.size=57
Properties.md5=26FD3BC015241B0A5DF955E7606041FF
Properties.filedate=1316629372
Properties.filedatetext=2011-09-21 19:22:52

Macromedia.FlashPlayer.Cookies: [SBI $6AA61750] Text file (File, nothing done)
C:\Users\Guest\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\8ZU8VWJL\mail.google.com\wakeup.sol
Properties.size=37
Properties.md5=FAEBF828D6C5D158230E0778B228B291
Properties.filedate=1343173874
Properties.filedatetext=2012-07-25 00:51:13

Macromedia.FlashPlayer.Cookies: [SBI $6AA61750] Text file (File, nothing done)
C:\Users\Guest\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\8ZU8VWJL\org.ntnu.no\com.jeroenwijering.sol
Properties.size=50
Properties.md5=BB44816E22B1170FF7E6D6519BB3B93A
Properties.filedate=1311204914
Properties.filedatetext=2011-07-21 00:35:13

Macromedia.FlashPlayer.Cookies: [SBI $6AA61750] Text file (File, nothing done)
C:\Users\Guest\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\8ZU8VWJL\p3.no\analytics.sol
Properties.size=419
Properties.md5=9F33E776DCF664C776E019976E11B3F0
Properties.filedate=1352559640
Properties.filedatetext=2012-11-10 16:00:39

Macromedia.FlashPlayer.Cookies: [SBI $6AA61750] Text file (File, nothing done)
C:\Users\Guest\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\8ZU8VWJL\s.ytimg.com\soundData.sol
Properties.size=80
Properties.md5=58F6630853175160639DD7EAE958F0E4
Properties.filedate=1343176799
Properties.filedatetext=2012-07-25 01:39:59

Macromedia.FlashPlayer.Cookies: [SBI $6AA61750] Text file (File, nothing done)
C:\Users\Guest\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\8ZU8VWJL\s.ytimg.com\subtitlesModuleData.sol
Properties.size=163
Properties.md5=3F251B0F03A47961B52600DF1DF657D2
Properties.filedate=1343176579
Properties.filedatetext=2012-07-25 01:36:18

Macromedia.FlashPlayer.Cookies: [SBI $6AA61750] Text file (File, nothing done)
C:\Users\Guest\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\8ZU8VWJL\s.ytimg.com\videostats.sol
Properties.size=275
Properties.md5=9EEEE32FCF305AAC6C4EEBB97539C8F5
Properties.filedate=1343176643
Properties.filedatetext=2012-07-25 01:37:23

Macromedia.FlashPlayer.Cookies: [SBI $6AA61750] Text file (File, nothing done)
C:\Users\Guest\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\8ZU8VWJL\www.chordbook.com\chordbook_prefs.sol
Properties.size=148
Properties.md5=ADA761DD6AD319B75B01B7F0EE284E15
Properties.filedate=1316628322
Properties.filedatetext=2011-09-21 19:05:22

Macromedia.FlashPlayer.Cookies: [SBI $6AA61750] Text file (File, nothing done)
C:\Users\Guest\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\8ZU8VWJL\www.chordbook.com\chordbook_ucache.sol
Properties.size=55
Properties.md5=F3A1D64174A93FB496780F2A91F9F552
Properties.filedate=1316628322
Properties.filedatetext=2011-09-21 19:05:22

Macromedia.FlashPlayer.Cookies: [SBI $6AA61750] Text file (File, nothing done)
C:\Users\Guest\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\8ZU8VWJL\www.nrk.no\com.jeroenwijering.sol
Properties.size=53
Properties.md5=7426C3B83D09F67D83E61F7FAC026BC3
Properties.filedate=1316605971
Properties.filedatetext=2011-09-21 12:52:51

Macromedia.FlashPlayer.Cookies: [SBI $6AA61750] Text file (File, nothing done)
C:\Users\Guest\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\8ZU8VWJL\www.nrk.no\no.nrk.clip.sol
Properties.size=59
Properties.md5=58D23CD19B6A1BCF2EF3771E37CCC99E
Properties.filedate=1316605971
Properties.filedatetext=2011-09-21 12:52:51

MediaPlex: [SBI $8E73A7FB] Tracking cookie (Internet Explorer (Inactive Users): Guest) (Browser: Cookie, nothing done)


MediaPlex: [SBI $8E73A7FB] Tracking cookie (Internet Explorer (Inactive Users): Guest) (Browser: Cookie, nothing done)


Right Media: [SBI $8E73A7FB] Tracking cookie (Internet Explorer (Inactive Users): Guest) (Browser: Cookie, nothing done)


DoubleClick: [SBI $8E73A7FB] Tracking cookie (Internet Explorer (Inactive Users): Guest) (Browser: Cookie, nothing done)


Adviva: [SBI $8E73A7FB] Tracking cookie (Internet Explorer (Inactive Users): Guest) (Browser: Cookie, nothing done)


WebTrends live: [SBI $8E73A7FB] Tracking cookie (Internet Explorer (Inactive Users): Guest) (Browser: Cookie, nothing done)


Statcounter: [SBI $8E73A7FB] Tracking cookie (Internet Explorer (Inactive Users): Guest) (Browser: Cookie, nothing done)


DoubleClick: [SBI $8E73A7FB] Tracking cookie (Firefox: Guest (default)) (Browser: Cookie, nothing done)


Zedo: [SBI $8E73A7FB] Tracking cookie (Firefox: Guest (default)) (Browser: Cookie, nothing done)


Zedo: [SBI $8E73A7FB] Tracking cookie (Firefox: Guest (default)) (Browser: Cookie, nothing done)


Zedo: [SBI $8E73A7FB] Tracking cookie (Firefox: Guest (default)) (Browser: Cookie, nothing done)


Zedo: [SBI $8E73A7FB] Tracking cookie (Firefox: Guest (default)) (Browser: Cookie, nothing done)


Zedo: [SBI $8E73A7FB] Tracking cookie (Firefox: Guest (default)) (Browser: Cookie, nothing done)


Zedo: [SBI $8E73A7FB] Tracking cookie (Firefox: Guest (default)) (Browser: Cookie, nothing done)


Zedo: [SBI $8E73A7FB] Tracking cookie (Firefox: Guest (default)) (Browser: Cookie, nothing done)


Right Media: [SBI $8E73A7FB] Tracking cookie (Firefox: Guest (default)) (Browser: Cookie, nothing done)


Right Media: [SBI $8E73A7FB] Tracking cookie (Firefox: Guest (default)) (Browser: Cookie, nothing done)


Right Media: [SBI $8E73A7FB] Tracking cookie (Firefox: Guest (default)) (Browser: Cookie, nothing done)


Statcounter: [SBI $8E73A7FB] Tracking cookie (Firefox: Guest (default)) (Browser: Cookie, nothing done)


Tradedoubler: [SBI $8E73A7FB] Tracking cookie (Firefox: Guest (default)) (Browser: Cookie, nothing done)


DoubleClick: [SBI $8E73A7FB] Tracking cookie (Firefox: Guest (default)) (Browser: Cookie, nothing done)


Tradedoubler: [SBI $8E73A7FB] Tracking cookie (Firefox: Guest (default)) (Browser: Cookie, nothing done)


Tradedoubler: [SBI $8E73A7FB] Tracking cookie (Firefox: Guest (default)) (Browser: Cookie, nothing done)


Tradedoubler: [SBI $8E73A7FB] Tracking cookie (Firefox: Guest (default)) (Browser: Cookie, nothing done)


DoubleClick: [SBI $8E73A7FB] Tracking cookie (Firefox: Guest (default)) (Browser: Cookie, nothing done)


Adviva: [SBI $8E73A7FB] Tracking cookie (Firefox: Guest (default)) (Browser: Cookie, nothing done)


DoubleClick: [SBI $8E73A7FB] Tracking cookie (Google Chrome: Default) (Browser: Cookie, nothing done)


Statcounter: [SBI $8E73A7FB] Tracking cookie (Google Chrome: Default) (Browser: Cookie, nothing done)


Tradedoubler: [SBI $8E73A7FB] Tracking cookie (Google Chrome: Default) (Browser: Cookie, nothing done)


Tradedoubler: [SBI $8E73A7FB] Tracking cookie (Google Chrome: Default) (Browser: Cookie, nothing done)


Tradedoubler: [SBI $8E73A7FB] Tracking cookie (Google Chrome: Default) (Browser: Cookie, nothing done)


Clickbank: [SBI $8E73A7FB] Tracking cookie (Google Chrome: Default) (Browser: Cookie, nothing done)


Clickbank: [SBI $8E73A7FB] Tracking cookie (Google Chrome: Default) (Browser: Cookie, nothing done)


WebTrends live: [SBI $8E73A7FB] Tracking cookie (Google Chrome: Default) (Browser: Cookie, nothing done)


Statcounter: [SBI $8E73A7FB] Tracking cookie (Google Chrome: Default) (Browser: Cookie, nothing done)


Internet Explorer: [SBI $1E8157BE] Typed URL list (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-1417629647-411349403-2833329462-501\Software\Microsoft\Internet Explorer\TypedURLs

Internet Explorer: [SBI $0BC7B918] User agent (Registry Change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry Change, nothing done)
HKEY_USERS\PE_C_TEMP.HK42-PC\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry Change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry Change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-1417629647-411349403-2833329462-501\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry Change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

MS Media Player: [SBI $5C51E349] Client ID (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-1417629647-411349403-2833329462-501\Software\Microsoft\MediaPlayer\Player\Settings\Client ID

MS Direct3D: [SBI $7FB7B83F] Most recent application (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-1417629647-411349403-2833329462-1001\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-1417629647-411349403-2833329462-501\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name

MS DirectInput: [SBI $9A063C91] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-1417629647-411349403-2833329462-1001\Software\Microsoft\DirectInput\MostRecentApplication\Name

MS DirectInput: [SBI $7B184199] Most recent application ID (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-1417629647-411349403-2833329462-1001\Software\Microsoft\DirectInput\MostRecentApplication\Id

MS Paint: [SBI $07867C39] Recent file list (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-1417629647-411349403-2833329462-501\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List

Windows: [SBI $1E4E2003] Drivers installation paths (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources

Windows: [SBI $1E4E2003] Drivers installation paths (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry Change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-1417629647-411349403-2833329462-501\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry Change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows Media\WMSDK\General\UniqueID

Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-1417629647-411349403-2833329462-501\Software\Microsoft\Windows Media\WMSDK\General\UniqueID

Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry Value, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry Value, nothing done)
HKEY_USERS\S-1-5-21-1417629647-411349403-2833329462-501\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Cache: [SBI $49804B54] Browser: Cache (2) (Browser: Cache, nothing done)


Cookie: [SBI $49804B54] Browser: Cookie (136) (Browser: Cookie, nothing done)


Cache: [SBI $49804B54] Browser: Cache (8) (Browser: Cache, nothing done)


History: [SBI $49804B54] Browser: History (53) (Browser: History, nothing done)


Cookie: [SBI $49804B54] Browser: Cookie (447) (Browser: Cookie, nothing done)


Cookie: [SBI $49804B54] Browser: Cookie (3244) (Browser: Cookie, nothing done)


It's either very old or new and harmless. And yes, I do have Java installed, Version 7 Update 13. I haven't used this PC since the security issue was found and fixed.
Last edited by Scully on Feb 18, 2013, 1:55:14 PM
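BlowFish's point above, that the stored login info should be a salted hash rather than something a grabbed config file hands over directly, is easier to see with a small worked example. The code below is added here for illustration; it is not GGG's client or server code and assumes nothing about how Path of Exile actually stores credentials. It contrasts an unsalted digest, where every account using the same password yields the same stored value (so one cracked "packet" of hashes unlocks all of them), with a per-user random salt and a slow, iterated KDF (PBKDF2-HMAC-SHA256 from the Python standard library), plus a constant-time verify. The iteration count and the `pbkdf2_sha256$...` storage format are assumptions chosen for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed parameters for this illustration (not from the forum thread or GGG):
PBKDF2_ITERATIONS = 600_000   # work factor; raise as hardware gets faster
SALT_BYTES = 16               # 128-bit random salt per stored password


def unsalted_hash(password: str) -> str:
    """Weak storage: identical passwords give identical digests, so a leaked
    table of digests can be cracked once and the result reused across accounts."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened storage: fresh random salt + iterated PBKDF2-HMAC-SHA256.
    The salt is not secret; it is stored alongside the digest so verification
    can recompute the same derivation."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Self-describing record: algorithm, work factor, salt, digest (assumed format).
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation from the stored record and compare in constant
    time, so a wrong guess does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_password_collides(password: str) -> Tuple[bool, bool]:
    """Two users pick the same password. Returns (unsalted_collides, salted_collides):
    the unsalted digests are identical, the salted records are not."""
    unsalted = unsalted_hash(password) == unsalted_hash(password)
    salted = hash_password(password) == hash_password(password)
    return unsalted, salted


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample password
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
    print("collision (unsalted, salted):", shared_password_collides("hunter2"))
```

The practical effect for the "hack wave" discussed in the thread: a stolen set of unsalted digests is one lookup table away from every password in it, whereas salted, iterated records have to be attacked one account at a time at the cost of the full work factor each.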
