
Potential Database Breach


Dark0ne

In response to post #31573045. #31573920, #31573935, #31575350, #31575375, #31581750, #31584915, #31585005, #31586510, #31587355, #31590785 are all replies on the same post.


Dark0ne wrote: The three files affected were:

- Higher Settlement Budget (downloads from 5th December)
- Rename Dogmeat (downloads from 4th December)
- BetterBuild (downloads from 29th November)

OP updated to include that information.
ZedLeppelin wrote: Thank you for that info! I'm happy to say I downloaded/installed none of those 3 mods. I changed my Nexus p/w regardless, just to be safe.
Hickory wrote: That dsound.dll file should be sent away to all AV companies that participate in VirusTotal for manual investigation. Relying on existing heuristics is not doing anybody any good, especially since these files are extremely suspect to begin with and have not been tagged by the scans.
spidermandala wrote: Thanks so much for giving us the heads up Dark0ne, I too luckily didn't pick any of these up but I'll be double vigilant now.
RaverWolfe wrote: I actually downloaded the Rename Dogmeat one, I'll change all my s#*! asap just in case.
adventnova wrote: Glad I never downloaded those files.
sydney666 wrote: Thanks for the update...

Any news on synlSDLL.dll? This file and some program triggered my UAC and installed a touchpad service without me having such hardware. I don't know if the program acted as though it was a touchpad and thus my PC needed to install this service, or if the actual file was a virus... once I uninstalled everything, no virus was found on my PC.

I have since cleaned my system, but it was a little difficult as the program would not uninstall by normal means aka control panel.

Very odd, but I am glad you are getting this under control.
sonkaro wrote: Let's just hope it is just FO4 mods being affected. Thousands upon thousands could be affected if they touch Skyrim, Oblivion, and many of the other games Nexus hosts.

But alas, only time will tell. Thank you for taking the time to preemptively warn us.
RealmEleven wrote: There is nothing wrong with Higher Settlement Budget. I've been using it without problem ever since I found it (and I've been checking Nexus daily since I got my mitts on FO4) so I don't think I would have missed any fun and games, if any.

Also, I eyeballed the files inside the archive. Two XML files, two BAT files and a text file. None of these five files show any unnecessary code, much less anything potentially suspicious.

I don't think your database is compromised. If it was, we'd all be getting the same problem from the same mods. One of your informants on this thread mentioned Windows Defender catching malware in the browser but not in the file system. While I haven't had that experience, it's worth pointing out that I'm a premium member so I don't see your ads. Put these three facts together and it's pretty obvious where the potential issue is.

Your site's only as secure as its weakest channel. If you can't vet every single advertisement that gets piped onto your site, before it is allowed to be displayed on your site, then you can't prevent hackers from abusing that channel. After all, the only way to launch a driveby off a site without hacking that site's hosting server is to buy or steal advertising space on the advertising channel used by that site. Given the facts, that's the first place I'd look for a problem.

One other thing: Including birthdays as a field in your account database makes your site's accounts a jackpot for identity thieves. In countries like Australia and, I suspect, throughout all the Commonwealth (British Colonies) a date of birth is an all access pass to a person's life, identity and property. One way to make a significant improvement to a site's security is to make a point of excluding all sensitive information like this.

Anyways, I'll shut down cycle my disks for a dead system scan and see if anything interesting pops out of the woodwork. If I find anything, I'll let you know.
jipao wrote: I downloaded the Higher Settlement mod, and after this warning I already changed all my passwords. What do I do next? Should I uninstall the mod, or is it already too late to do that?
Zaldiir wrote: If the archive contained those files, you downloaded it before it was re-uploaded with the sound.dll file, so you are safe. :)

The specific names of the archives that contain this dll are:
BetterBuild-3002-1-2.zip
Higher Settlement Budget v1.3-818-1-3.zip
Rename Dogmeat-4507-1-0.zip


I found dsound.dll in one of my Skyrim mods, not sure what, I just cleaned ALL 50 of them out, and am currently redownloading all of them, and checking them.

In response to post #31590135. #31592185 is also a reply to the same post.


RealmEleven wrote: "That email" was meaningless and indicates nothing - particularly deferring to "trusted sources". People generally deploy appeal to authority arguments like those unspecified "trusted sources" when they're engaged in fraud or unwittingly propagating somebody else's fraud. About the only exception I've encountered is when people idolize and try to emulate high status individuals who engage in dishonest behaviour (e.g. politicians, religious leaders, etc) and so blindly copy their style of argument without realizing how damning it is when heard by folks in the know about such things. Either way, that email's not worth considering simply for the lack of actionable facts. Dare I suggest the source header might be far more informative than the body text. And if I were to guess ... I think the email is a form of misdirection - I mean, you can see it's not pointing you to the facts you need in order to prevent a criminal act, and if the email's author is in possession of any of those facts, that'd be aiding and abetting, would it not?

Getting back to what the email isn't helping with, with respect to paragraph 5 of the OP, I don't agree that it's damning. It seems that your server logs confirm the account activity...? In the absence of anything contradictory about the IP addresses connected with the activity, I think it will more than likely indicate a new bug going around, and the users in question might want to pull their hard disks and have them scanned by something up to date that is run from a nice fresh clean operating system which isn't used to do anything other than download AV updates and scan the hard disks removed from other systems. But I guess that's their call.

To the question of your server integrity, I downloaded a bunch of stuff yesterday and the day before and... well, if there's something lurking on your server, where's my copy of sound.dll? More to the point, if your server's been hacked, why distribute sound.dll with three mods that don't need sound (i.e. where the file really stands out like a house cat in an aquarium) instead of some of the many mods where the presence of a sound library might make sense (e.g. True Storms)? And why not hit Nexus Mod Manager? That has to have the largest audience. Anyways, dead system scan coming up while I have breakfast so if I find anything interesting I'll let you know.

For now, I think that a number of user accounts may have been compromised by malware probably originating with other sites and operating from the user systems in question. But I still think it's worth looking into how much control you really have over advertising content injected into your site by third party advertising channels.

Also, one really important detail concerning other people finding out about compromised accounts before you do; this will tend to happen anyway, but I think it may occur more often if you don't have a clear channel of communication (e.g. a site contact) accessible to people who cannot log in. If someone can't log in, can they lodge a support ticket? You still need to run email verification against password resets and the like, but if users who've lost access can't contact you, they will voice the issue elsewhere.
noparts wrote: Well, as I am reading this rather long thread, Malwarebytes just interrupted me with this notification: "Malicious Website Blocked". Further, this is not the first time it's happened on a Nexus site. In fact, most of you probably see (in the lower left section of the screen) URLs that are flying by so fast you can barely make out the shortest of lines. I realize it's intended and that most of them are surely legit; but, as for me, I'm a devout Fallout / Elder Scrolls fanatic. I'm also pretty anal about this crap (pun intended) since I recently got zapped and taken hostage by a so-called FBI office, for ransom! Almost a month, to get back up and running. Without paying the $200 US that they demanded.

So, I'm with what's-his-name, above; it's getting really hard to trust this site anymore - as well as many others! That said, I'm outta here. Oh, sorry, the block was:

"Protection, Malicious Website Protection, IP, 184.173.133.194, bidder.tlvmedia.com, 0, Outbound,
Detection, 12/6/2015 7:34:41 PM, SYSTEM, COMPUTERTWO, Protection, Malicious Website Protection, IP, 184.173.133.194, bidder.tlvmedia.com, 0, Outbound, "

(end)
From: Malwarebytes Anti-Malware
www.malwarebytes.org


Sorry, I should have included the log:

Malwarebytes Anti-Malware
www.malwarebytes.org


Protection, 12/6/2015 4:50:37 PM, SYSTEM, COMPUTERTWO, Protection, Malware Protection, Starting,
Protection, 12/6/2015 4:50:37 PM, SYSTEM, COMPUTERTWO, Protection, Malware Protection, Started,
Protection, 12/6/2015 4:52:36 PM, SYSTEM, COMPUTERTWO, Protection, Malicious Website Protection, Starting,
Protection, 12/6/2015 4:53:22 PM, SYSTEM, COMPUTERTWO, Protection, Malicious Website Protection, Started,
Detection, 12/6/2015 7:34:41 PM, SYSTEM, COMPUTERTWO, Protection, Malicious Website Protection, IP, 184.173.133.194, bidder.tlvmedia.com, 0, Outbound,
Detection, 12/6/2015 7:34:41 PM, SYSTEM, COMPUTERTWO, Protection, Malicious Website Protection, IP, 184.173.133.194, bidder.tlvmedia.com, 0, Outbound,

(end)
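The Malwarebytes lines noparts pasted are comma-separated protection-log records in which only the "Detection" rows carry an indicator (IP, domain, direction). The Python below is an added example, not code from the thread or from Malwarebytes: it parses such lines, skips the start/stop records, and counts blocked destinations per host, using the quoted lines as constructed sample input. The field names are assumptions read off those sample lines, not vendor documentation.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the Malwarebytes protection-log lines quoted in the thread.
SAMPLE_LOG = """\
Protection, 12/6/2015 4:50:37 PM, SYSTEM, COMPUTERTWO, Protection, Malware Protection, Starting,
Protection, 12/6/2015 4:50:37 PM, SYSTEM, COMPUTERTWO, Protection, Malware Protection, Started,
Protection, 12/6/2015 4:52:36 PM, SYSTEM, COMPUTERTWO, Protection, Malicious Website Protection, Starting,
Protection, 12/6/2015 4:53:22 PM, SYSTEM, COMPUTERTWO, Protection, Malicious Website Protection, Started,
Detection, 12/6/2015 7:34:41 PM, SYSTEM, COMPUTERTWO, Protection, Malicious Website Protection, IP, 184.173.133.194, bidder.tlvmedia.com, 0, Outbound,
Detection, 12/6/2015 7:34:41 PM, SYSTEM, COMPUTERTWO, Protection, Malicious Website Protection, IP, 184.173.133.194, bidder.tlvmedia.com, 0, Outbound,
"""


@dataclass(frozen=True)
class Detection:
    # Field names are assumptions read off the sample lines, not vendor documentation.
    timestamp: str
    user: str
    host: str
    module: str
    ip: str
    domain: str
    direction: str


def parse_detections(text):
    """Return every Detection record; 'Protection' start/stop records carry no
    indicator fields and are skipped. Duplicate lines are kept so they can be counted."""
    detections = []
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.rstrip(",").split(",")]
        if len(fields) < 11 or fields[0] != "Detection":
            continue
        detections.append(Detection(
            timestamp=fields[1], user=fields[2], host=fields[3], module=fields[5],
            ip=fields[7], domain=fields[8], direction=fields[10],
        ))
    return detections


def blocked_destinations(detections):
    """Count records per (host, direction, domain, ip). The sample logs one block
    twice with the same timestamp, so the count is records, not distinct events."""
    return Counter((d.host, d.direction, d.domain, d.ip) for d in detections)


if __name__ == "__main__":
    for key, n in blocked_destinations(parse_detections(SAMPLE_LOG)).items():
        print(n, *key)
```

Run over a full exported log, the counter shows which outbound destinations a host was blocked from reaching and how often, which is the question this thread is arguing about (ad-channel redirects versus something on the host itself).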

In response to post #31593485. #31593880 is also a reply to the same post.


knute730 wrote: Wow.

Why the f*#@ did I ever decide to come to this site.

Thanks a lot guys.
nexvox wrote: Why did you is right.


At least they told you as soon as they did; many companies out there can take weeks or months to report these breaches to the public, and sometimes they don't tell anyone at all! Instead of hating them, be thankful they are honest about the situation, and besides, these breaches always happen sooner or later to everyone and there isn't much that can be done, as hackers always find exploits unknown to the owner of the servers. Nothing is perfect, not us humans nor computer programs and security systems. Lay off on the hate, alright?

In response to post #31593485. #31593880, #31593925 are all replies on the same post.


It's a good site for mods, and the bottom line is absolutely NO site is hack proof.

In response to post #31590135. #31592185, #31592550 are all replies on the same post.


That message is because the ads on nexusmods sometimes redirect you to some shady s#*!.

Thank you Dark0ne, your transparency and informative post are appreciated and are a model action that all businesses and organisations should strive to emulate.

 

We ask that you please keep us updated on the situation as the vast majority of us hope you can squash this threat and come out better and more secure for going through this ordeal.

 

Props to you Dark0ne and best wishes

