Zaldir Posted December 7, 2015 Share Posted December 7, 2015 (edited) In response to post #31573045. #31573920, #31573935, #31575350, #31575375, #31581750, #31584915, #31585005, #31586510, #31587355 are all replies on the same post.Dark0ne wrote: The three files affected were:- Higher Settlement Budget (downloads from 5th December)- Rename Dogmeat (downloads from 4th December)- BetterBuild (downloads from 29th November)OP updated to include that information.ZedLeppelin wrote: Thank you for that info! I'm happy to say I downloaded/installed none of those 3 mods. I changed my Nexus p/w regardless, just to be safe. Hickory wrote: That dsound.dll file should be sent away to all AV companies that participate in Virus Total for manual investigation. Relying on existing heuristics is not doing anybody any good, especially since these files are extremely suspect to begin with and have not been tagged by the scans.spidermandala wrote: Thanks so much for giving us the heads up Dark0ne, I too luckily didn't pick any of these up but Ill be double vigilant now.RaverWolfe wrote: I actually downloaded the Rename Dogmeat one, I'll change all my s#*! asap just incase. adventnova wrote: glad i never downloaded those files.sydney666 wrote: Thanks for the update...Any news on synlSDLL.dll? This file and some program triggered my UAC and installed a touchpad service without me having such hardware. I don't know if the program acted as though it was a touchpad and thus my pc needed to install this service or if the actual file was a virus...once I uninstalled everything, no virus was found on my pc. I have since cleaned my system, but it was a little difficult as the program would not uninstall by normal means aka control panel.Very odd, but I am glad you are getting this under control.sonkaro wrote: Lets just hope it is just FO4 mods being affected. Thousands upon thousands could be affected if they touch Skyrim, Oblivion, and many of the other games Nexus hosts.But alas, only time will tell. Thank you for taking the time to preemptively warn us.RealmEleven wrote: There is nothing wrong with Higher Settlement Budget. I've been using it without problem ever since I found it (and I've been checking nexus daily since I got my mits on FO4) so I don't think I would have missed any fun and games, if any.Also, I eyeballed the files inside the archive. Two XML files, two BAT files and a text file. None of these five files show any unnecessary code, much less anything potentially suspicious.I don't think your database is compromised. If it was, we'd all be getting the same problem from the same mods. One of your informants on this thread mentioned Windows Defender catching malware in the browser but not in the file system. While I haven't had that experience, it's worth pointing out that I'm a premium member so I don't see your ads. Put these three facts together and it's pretty obvious where the potential issue is.Your site's only as secure as its weakest channel. If you can't vet every single advertisement that gets piped onto your site, before it is allowed to be displayed on your site, then you can't prevent hackers from abusing that channel. After all, the only way launch a driveby off a site without hacking that site's hosting server is to buy or steal advertising space on the advertising channel used by that site. Given the facts, that's the first place I'd look for a problem.One other thing: Including birthdays as a field in your account database makes your site's accounts a jackpot for identity thieves. In countries like Australia and, I suspect, throughout all the Commonwealth (British Colonies) a date of birth is an all access pass to a person's life, identity and property. One way to make a significant improvement to a site's security is to make a point of excluding all sensitive information like this.Anyways, I'll shut down cycle my disks for a dead system scan and see if anything interesting pops out of the woodwork. If I find anything, I'll let you know.jipao wrote: i downloaded the higher settlement mod, and after this warning i already change all my password. what do i do next? should i uninstalled the mod or it already late to do that?If the archive contained those files, you downloaded it before it was re-uploaded with the sound.dll file, so you are safe. :)The specific names of the archives that contain this dll are:BetterBuild-3002-1-2.zipHigher Settlement Budget v1.3-818-1-3.zipRename Dogmeat-4507-1-0.zip Edited December 7, 2015 by Zaldiir Link to comment Share on other sites More sharing options...
Nekoyoubi Posted December 7, 2015 Share Posted December 7, 2015 Thanks for saying something up front, Nexus. Good to know that it's being looked into early, and even better to know that you're willing to have the humility to come throw yourselves under the bus for any lapse of security. I, like everyone else I assume, don't want my web accounts compromised, but I appreciate knowing that it is a possibility and is being investigated. Is there anything that authors need to do going forward, other than downloading our files to confirm their integrity? Link to comment Share on other sites More sharing options...
patchling Posted December 7, 2015 Share Posted December 7, 2015 an intruder only needs to get lucky once to get in, you need to get lucky every single time to keep them out. some businesses do not even tell people that somebody got in, and will pay the intruder a lot of money to keep him or her from telling anybody that sericurity was breached. last time a gameing site/business told me, and it's other players, that they had a sericurity breach it had happened over 4 days before they told us! they claimed it was because they needed to verrify what, if anything, had been comprosied, before they announced it. now that i know something may have happened i am going to go change my password before anybody can cause trouble using my account. i don't use the same username or password twice, and i make shure it is hard to guess, but untill i change it they know what it is. as far as i am concrned no breach of trust has occured between nexusmods and myself. :thumbsup: Link to comment Share on other sites More sharing options...
SgtMajRet Posted December 7, 2015 Share Posted December 7, 2015 Thank You Dark0ne, for being up front with us. As far as I'm concerned, there is no broken trust here, if anything I trust you and the site even more now. I'll be looking for updates on the "potential breach". Thanks again. Link to comment Share on other sites More sharing options...
ryokox3 Posted December 7, 2015 Share Posted December 7, 2015 It is refreshing to see someone did not wait months to tell people about this. Kudos to you for that. Link to comment Share on other sites More sharing options...
WightMage Posted December 7, 2015 Share Posted December 7, 2015 Thanks for letting us know bud. Link to comment Share on other sites More sharing options...
noparts Posted December 7, 2015 Share Posted December 7, 2015 (edited) In response to post #31590135. RealmEleven wrote: "That email" was meaningless and indicates nothing - particularly deferring to "trusted sources". People generally deploy appeal to authority arguments like those unspecified "trusted sources" when they're engaged in fraud or unwittingly propagating somebody-else's fraud. About the only exception I've encountered is when people idolize and try to emulate high status individuals who engage in dishonest behaviour (e.g. politicians, religious leaders, etc) and so blindly copy their style of argument without realizing how damning it is when heard by folks in the know about such things. Either way, that email's not worth considering simply for the lack of actionable facts. Dare I suggest the source-header might be far more informative than the body text. And If I were to guess ... I think the email a form of misdirection - I mean, you can see it's not pointing you to the facts you need in order to prevent a criminal act and if the email's author is in possession of any of those facts, that'd be aiding and abetting would it not?Getting back to what the email isn't helping with, with respect to paragraph 5 of the OP, I don't agree that it's damning. It seems that your server logs confirm the account activity...? In absence of anything contradictory about the IP addresses connected with the activity, I think it will more than likely indicate a new bug going around and the users in question might want to pull their hard disks and have them scanned by a something up to date that is run from a nice fresh clean operating system which isn't used to do anything other than download AV updates and scan the hard disks removed from other systems. But I guess that's their call.To the question of your server integrity, I downloaded a bunch of stuff yesterday and the day before and... well, if there's something lurking on your server, where's my copy of sound.dll? More to the point, if your server's been hacked, why distribute sound.dll with three mods that don't need sound (i.e. where the file really stands out like a house cat in an aquarium) instead of some of the many mods where the presence of a sound library might make sense (e.g. True Storms)? And why not hit Nexus Mod Manager? That has to have the largest audience. Anyways, dead system scan coming up while I have breakfast so if I find anything interesting I'll let you know.For now, I think that a number of user accounts may have been compromised by malware probably originating with other sites and operating from the user systems in question. But I still think it's worth looking into how much control you really have over advertising content injected into your site by third party advertising channels.Also, one really important detail concerning other people finding out about compromised accounts before you do; this will tend to happen anyway, but I think it may occur more often if you don't have a clear channel of communication (e.g. a site contact) accessible to people who cannot log in. If someone can't log in, can they lodge a support ticket? You still need to run email verification against password resets and the like, but if users who've lost access can't contact you, they will voice the issue elsewhere.Well, as I am reading this rather long thread, Malwarebytes' just interrupted me with this notification: "Malicious Website Blocked". Further, this is not the first time its happened on a Nexus site. In fact, most of you probably see (in the lower left section of the scren, url's that are flying by so fast, you can barely make out the shortest of lines. I realize it's intended and that most of them are surely legit; but, as for me, I'm a devout Fallout / Elder Scrolls fanatic. I'm also pretty anal about this crap (pun intended) since I recently got zapped and taken hostage by a so-called FBI office, for ransom! Almost a month, to get back up and running. Without paying the $200.US that they demanded. So, I'm with what's-his-name, above; it's getting really hard to trust this site anymore - as well as many others! That said, I'm outta here. Oh, sorry, the block was:"Protection, Malicious Website Protection, IP, 184.173.133.194, bidder.tlvmedia.com, 0, Outbound, Detection, 12/6/2015 7:34:41 PM, SYSTEM, COMPUTERTWO, Protection, Malicious Website Protection, IP, 184.173.133.194, bidder.tlvmedia.com, 0, Outbound, "(end) From: Malwarebytes Anti-Malware www.malwarebytes.org Edited December 7, 2015 by noparts Link to comment Share on other sites More sharing options...
L337Sarge Posted December 7, 2015 Share Posted December 7, 2015 Thank you for informing us, it is comforting to know our credit information is not stored in your system. Link to comment Share on other sites More sharing options...
KevinDAmery Posted December 7, 2015 Share Posted December 7, 2015 In response to post #31589855. Xetaxheb wrote: Increasing your password length does loads more for security than adding special characters does.A standard lowercase alphabet password with 12 characters is about 3000 times the number of potential combinations that 9 characters with lowercase alphabet and 6 special character options is.(adding 3 characters to the length instead of adding 6 possibilities to the characters to remember.)As much as this is a cartoon, it actually describes the real world very accurately.https://xkcd.com/936/ Link to comment Share on other sites More sharing options...
EWM333 Posted December 7, 2015 Share Posted December 7, 2015 Thanks for keeping us informed and up to date Link to comment Share on other sites More sharing options...
Recommended Posts