Thankfully, we were back mere hours later but were unable to host downloads for a day or two (thanks to MajorGeeks and Softpedia for being mirrors!).
Fast-forward to now and due to security concerns, we've opted to reset the forums.
This was done partially due to our last backup being ~3 months out of date, but also due to the time sink it would be to check every table and record for possible shenanigans. The original plan was to try and recover everything from the backup post attack, but after a week double-checking every file and record, it became apparent it's not very practical.
If you were a member of this forum prior to 14th January 2018 we strongly encourage you to reset all your login credentials that you may have duplicated here. While we've seen no evidence of the attackers gaining access to user records, there are signs of access to other tables in the database.
So what happened?
Over the weekend (13th / 14th January 2018), this project's website was the victim of a malicious attack
We believe they started planning this attack from around 6th January 2018, before setting it into motion over the weekend
From what we've deduced, the attackers gained access to the server via an exploit in some of it's software / technology. From there, they uploaded several scripts and their very own version of GameSave Manager (v3.1.455.0 wrapped in a 'Setup Wizard')
The 'Setup Wizard'
Their 'release' was a 18.6 MB executable 'Setup Wizard' which would extract GameSave Manager. In contrast, the official release is 7.44 MB in size
The 'payload' they seem to be using is a 2010 build of Mozilla Firefox
It isn't clear what they're doing with Firefox, but it's safe to assume they're likely exploiting vulnerabilities in it
Am I infected? How do I know?!
The way the hijack was implemented means that you had to initiate the download from our website, if you were referred to the '?s=download&a=dl' link from another website then you shouldn't have been affected. This also means that auto-updating within GameSave Manager doesn't seem to be affected
So then, the easiest way to check if you're infected / affected by this is by checking your installed program list. To do this, follow the steps below:
- Click Start -> Windows System -> Control Panel
Alternatively, click Start -> Control Panel
- Click onto Uninstall a program
- The entry we're looking for is titled 126.96.36.199, with no publisher and a size value of around 38 MB
Looks like I'm infected, help!
Firstly, we need to make it clear; we're in no way experts at this sort of thing!
Also, please be aware that we'll be using the Windows Registry Editor. Follow at your own risk!
- Disconnect from the internet, immediately
- Start Windows Registry Editor
To do this, hold the WinKey on your keyboard, while pressing R. Within the Run dialog, enter regedit.exe and click OK
- Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
If an entry named 'firefox' is listed then delete it, reboot your system and start 'Windows Registry Editor' again
- Navigate to 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'. Look for a 'GameSavesManager_is1' key, note down the contents of the 'InstallLocation' value and then delete the key
- Close the Windows Registry Editor and delete the path that was specified within 'InstallLocation' (from the previous step) using Windows Explorer
- Within Windows Explorer, navigate to your %AppData% folder (typically 'C:\Users\your_username\AppData\Roaming')
- Delete / rename the folders AMozilla and ComObject (there's another AMozilla folder within AppData\Local too!)
- Reconnect to the internet and perform all your favourite anti-virus, anti-spyware, etc scans
What's being done to prevent this occuring again?
As mentioned before, we're assuming the attackers gained access via a root exploit of the website's control panel.
We'd been putting off upgrading said control panel for ~3 years, but have now upgraded all technologies the website runs on. We're (or rather I, Gekz seems a little absent as of late) will be redesigning the website too. As such, the current 'maintenance' page will probably be there for some time.
We would like to thank you all for your patience and understanding while we try and get back to normal.
We apologise for the inconvenience this has all caused.