Staff account compromise. What's happened and an apology.

Back in March you might remember a news post written by me titled Be Careful: Trojans masquerading as popular executables. To cut a long story short, a user was uploading a malicious file to the site that, when installed, would enable the user to find out your Nexus username and password, which was then in turn used to log in to other users' accounts with the stolen login information and continue to upload the same virus to the sites.

Today we were alerted to a malicious change to SkyUI, one of the most popular files on the Nexus network, at around 12.30pm GMT. Within 20 minutes the file was removed and we got to work investigating how the file was added and who removed the original SkyUI file and replaced it with a malicious executable (thank you to those people who reported the file and were clever enough not to install it!).

Following on from that we noticed some strange actions coming from one of the staff member accounts here and, while I have not been able to get in contact with the staff member yet, we can conclude that the staff member's account has been compromised and this was how the "hacker" was able to remove files and upload new ones in their place. As part of their job the moderation team need to be able to access and edit the file pages on the site. If an unsavoury miscreant gains access to one of those accounts they can, potentially, do quite a bit of damage. Unfortunately that was the case today.

We were able to quickly identify and remove access to the account, however, a few more files were changed by the "hacker" before we could trace things. These files, on top of SkyUI for Skyrim, were:

ApacheiSkyHair for Skyrim
Fallout 3 Redesigned - Formerly Project Beauty for Fallout 3
Project Nevada for Fallout New Vegas
Oblivion Character Overhaul version 2 for Oblivion

It's clear the "hacker" was going for some of the most popular files for each of the main games the Nexus supports to gain maximum exposure.
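The pattern described above, one staff account swapping the main file of several unrelated popular mods for an executable within minutes, is something a moderation audit log can be checked for after the fact or in near real time. The following is an added example written for this page, not code from the Nexus site; the log format, field names, account names and timestamps are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a moderation audit log (not real Nexus data): timestamp,
# staff account, action, then key=value fields for the mod and the extension of
# the replacement file. Mod names follow the post; accounts and times are invented.
AUDIT_LOG = [
    "2014-08-04T11:02:00 staff_a replace_main_file mod=SomeTextureFix game=Skyrim new_ext=7z",
    "2014-08-04T12:31:00 staff_b replace_main_file mod=SkyUI game=Skyrim new_ext=exe",
    "2014-08-04T12:38:00 staff_b replace_main_file mod=ApacheiSkyHair game=Skyrim new_ext=exe",
    "2014-08-04T12:44:00 staff_b replace_main_file mod=ProjectNevada game=FalloutNV new_ext=exe",
    "2014-08-04T12:51:00 staff_b replace_main_file mod=OblivionCharacterOverhaul game=Oblivion new_ext=exe",
    "2014-08-04T13:10:00 staff_c replace_main_file mod=SkyUI game=Skyrim new_ext=7z",
]
EXECUTABLE_EXTS = {"exe", "msi", "scr", "bat", "cmd"}

def parse(line):
    """Split one audit line into a dict; key=value fields become entries."""
    ts, actor, action, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec.update(ts=datetime.fromisoformat(ts), actor=actor, action=action)
    return rec

def flag_bursts(lines, window=timedelta(minutes=30), min_mods=3):
    """Return {actor: [mods]} for accounts that replaced the main file of at
    least `min_mods` distinct mods with an executable inside `window`.

    A moderator legitimately edits file pages, so one replacement is not
    suspicious; a burst of archive-to-executable swaps across unrelated
    popular mods is the pattern the post describes and is worth an alert."""
    per_actor = defaultdict(list)
    for rec in map(parse, lines):
        if rec["action"] == "replace_main_file" and rec["new_ext"].lower() in EXECUTABLE_EXTS:
            per_actor[rec["actor"]].append(rec)

    flagged = {}
    for actor, recs in per_actor.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):          # slide a window starting at each event
            in_window = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            mods = sorted({r["mod"] for r in in_window})
            if len(mods) >= min_mods:
                flagged[actor] = mods
                break
    return flagged

if __name__ == "__main__":
    for actor, mods in flag_bursts(AUDIT_LOG).items():
        print(f"ALERT: {actor} replaced main files with executables: {', '.join(mods)}")
```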

It's important to note that staff members do not have access to any personal details (they can't even see your email address), including any Premium Member details, and we do not store any credit card information, so that's not an issue at all. This was not a traditional "hacking". Our servers themselves weren't compromised (indeed, we think we've got things locked up pretty damn tight right now, to the point where you need to be on a specific IP address before you can even gain access to the server terminals and think about user accounts and passwords). Unfortunately the computer of one of the staff members was compromised and this is the result.

Things have been tidied up and the threat has been removed. If you downloaded one of the compromised files listed above and ran it between the hours of 12pm and 2.30pm today then please run a full virus sweep of your system. If you did not download any of those files in that time then this breach will not have affected you. We've contacted each of the owners of the files listed above. For them, unfortunately, because their main files were removed they will need to be reuploaded and the stats will have been reset for those specific files. It's important to note that deleting an uploaded file does not reset or clear the main file's stats. It's just unfortunate that the stats for those specifically uploaded files will be lost. I'll have a word with the main database admin to see if we can't get the majority of stats for those files restored, with a bit of loss due to having to roll back a day or two. If you're the owner of one of those files please send me a PM so we can look into that with you.

I apologise personally for what has happened because, at the end of the day, the buck stops with me. I am highly protective of the staff here who have individually volunteered thousands of hours of their time, some of them for many years, to keep this network of sites clean and tidy. Unfortunately these things happen and I will obviously have a word with all the staff here to remind them all of best internet practices to maintain account security.

On an unrelated note I've had a few reports from German users saying that one of the ads on the rotation is sending them to a fake java updater page. This seems to be localised to only German locations, which makes it tough for me to diagnose, but I have been in contact with the advertising supply chain to try and get to the bottom of this and hopefully the issue will be resolved shortly.

226 comments

  1. MWisBest (member, 0 kudos)
    Avast has indeed been throwing a lot of false positives lately. They've really been going downhill for a while now unfortunately.
    1. SableDreamer (member, 5 kudos)
      Indeed. They've also let a few things slip through the cracks on me. Didn't want to, but I finally had to cave and return to using Norton a while back.
    2. chet (member, 13 kudos)
      I have watched Norton and the skipped file list has thousands and the trusted list has less than half that many
    3. 3nigmatica69 (member, 0 kudos)
      I Use that "Malwarebytes"... Anti-Malware...
    4. tommy61157 (premium, 9 kudos)
      I use it too and have their premium service.
  2. Aoikani (supporter, 43 kudos)
    "On an unrelated note I've had a few reports from German users saying that one of the ads on the rotation is sending them to a fake java updater page. This seems to be localised to only German locations, which makes it tough for me to diagnose, but I have been in contact with the advertising supply chain to try and get to the bottom of this and hopefully the issue will be resolved shortly."

    Not just German users, I am also receiving the same redirect from one of the ads to that fake java updater page. I'm a US user and unfortunately I haven't pinpointed the source.
    1. HipsterPolice (supporter, 0 kudos)
      I just got this too. When it sent you to the java update page, did it download a javainstaller.exe file? It happened to me but I deleted it quickly enough; I think it must have infected something though.
    2. SableDreamer (member, 5 kudos)
      I was getting this as well. Seems to have been rectified as of a few days ago, though.
    3. GhostlyComa (supporter, 5 kudos)
      Get Adblock
    4. whymeman (member, 0 kudos)
      Adblock only blocks ADS so your answer is invalid
    5. tommy61157 (premium, 9 kudos)
      Adblock can be set to block more than just ads actually, please do your research before you troll.
  3. poppy26 (member, 0 kudos)
    I am infected??? I deleted the mod; the creation of Project Nevada (last modified) is from 3 August 2014
  4. zander07 (member, 0 kudos)
    Most likely work of henchmen for disgruntled corporate houses; it's kind of industrial espionage to gather demographics of guys creating mods and guys who use them, and whether this modding community would grow as large and un-policed like the hackers, you know who.... Club hackers and modders together as part of a criminal gang.
  5. mhhniangue (member, 0 kudos)
    Glad it's been sorted out.
  6. PET6235 (member, 3 kudos)
    ApacheiSkyHair got infected? That's a shame. The uploader took the time to talk to me and they seemed like a very nice person, and someone just had to be a jerk and desecrate the files that the uploader took the time to upload. For those who somehow think this kind of thing is amusing, keep in mind even something as simple as uploading the file to Nexus is not the easiest thing to do, and these programmers don't do it because they have to but because they want to.

    Also, for those who download, please make sure your virus protection is up to date. Obviously people have shown they have little regard for others' property, but that doesn't mean we can't do our part to protect ourselves.

    Good luck to Dark0ne and the staff at Nexus on trying to keep the site clean and safe.

    Best of luck,

    1. 3nigmatica69 (member, 0 kudos)
      ApachiiSkyHair? O_O, NOOOOOOOOOOOOOOOOO... Yet I still have the recent one but it's clean since I have been using it for a while now. Apachii doesn't release very often so maybe it got infected right after I downloaded it...
  7. 3nigmatica69 (member, 0 kudos)
    I remember getting that random BAN a couple months back for no legitimate reason... It came up like a random pop-up telling me I was banned by an administrator... Can anyone really get banned for just browsing? LMAO...
  8. Keimpx (member, 1 kudos)
    snip

    No reason to use anti-virus/malware whatsoever. It's for people who can't sustain self-control when faced with the chance to download music.mp3.exe.

    For any executable you download, simply open it up in Ollydbg and you'll know 99% of the time if it's malware or not by whether it's pulling some shady system calls (keyboard hooks are a dead giveaway).

    As for web attack vectors, just disable Javascript in your browser and keep a whitelist of trusted sites you'll allow it to run on. You should do the same for Silverlight and Flash too (not sure about Shockwave, I don't keep updated with ALL CVEs).
    1. gigabitemon (member, 2 kudos)
      I know the feeling. There are some REALLY ignorant people out there.
      I personally use combofix, SOME malwarebytes (haven't needed it for a while), adblock, noscript, and flash block.
      There are some Russian sites that will give you some crazy FBI virus... that was a NIGHTMARE.
      Seriously, though. People actually download music.mp3.exe

      I also suggest that if it says "download with manager/accelerator" that you uncheck that EVERY TIME. Almost ALWAYS a virus.

      Plus, if your search engine is something like conduit/gamewrangler (my mother's chromebook's first "virus")/some crazy European site, then combofix is probably a good option. Also, check your control panel for things like "search protect".

      Other than that, don't download things like playpickle (for surveys, game currency, etc.)
      Don't click the big green flashing low-res download button (that even says ilivid on the bottom in small print!)

      Always look for the crappy ye old internet download button that changes when you put your mouse over it and is grey with small text.

      So many things to do to protect yourself,
      and yet, people still depend on anti-virus to keep them out of trouble.
      Waste of space, RAM, bandwidth, and money.
    2. Skithblathnir (member, 0 kudos)
      Depending on your rig antivirus is definitely not a waste of space, but I do agree that it's very simple to detect viruses and that we as a community should help give tips to people that might help them in the future.

      (Note on the FBI one: sometimes all you have to do is take your computer off the IP address and reset it to get rid of that one. Happened to me when downloading a ROM; I reset the router to give it a new IP and wam blam kazam, all fixed up. Only problem is, remember to reset your WAP or other Internet "Sign In" password because you will lose it.)
  9. bben46 (premium, 781 kudos)
    While combofix is a very good repair tool, it is not recommended for neophytes.
    For those who are not sure, here is the official tutorial on how to use it: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    And it specifically says:

    You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

    You have been warned, so please do not blame combofix if you do not follow this advice.
  10. gigabitemon (member, 2 kudos)
    You have to be careful who you sell advertising to... there's fake ad fly flash updaters that actually infect syswow64 on win7. These usually appear in cheesy sites like mediafire and 4shared.

    as for the suggested virus scans, I prescribe combofix. it's free and it pretty much fixes everything virus-related. (win7 and below only)

    I just wonder, with all the people using mod organizer daily, why the hacker didn't make the skyui file a newer version, so that when a person opened up the manager, that it would say that there is an update available for that mod, and when they updated, then they would download the virus, even if they already had skyui before the hack and weren't going to download it unless it were an update?