Hacks still happening . . .Follow

Bumping this thread to add some info.

I received the "logged in from another terminal" message many hours after logging in. I was booted from FFXI, but POL didn't log me out entirely. I was able to log back in immediately. My fiance was playing at the same time, and nothing happened to her. However, we're both linked to the same SE Account and use the same security token.

So, nothing happened to my character. I use Firefox with up-to-date Adblock and NoScript with IFRAMEs disabled and all that, have scanned and am currently thoroughly scanning for any trojan/keylogger activity. I was using FFXIAH when it occured, scripts temporarily disabled (only way to view Price History).

It would stand to reason that if I were actually compromised, they should've also been able to access the SE Account to change information, but they didn't. My fiance logged onto the SE Account from her computer and changed the password, and I'm going to change my POL ID password on her computer immediately as I perform scans on my own.

Just adding to the circumstantial info we have thus far. I think there's some merit in the theory presented by some that the hackers may not be attacking all of their victimss directly with malicious software, but rather have gained access to registration server information through some kind of leak. I haven't managed to turn up any signs of infection on my PC, but if I do, I'll post my findings here.

If your fiance is using the same pol ID/token as you, wouldn't it make sense that she's the one who caused the logged in from another terminal message when she logged into her character?

The error occurs when you log into the same SE/pol account, long before you even pick a character.

Looks like my pass words been changed again...

It's just as Dandruffshampoo said. We were both playing together on FFXI all day, but only I was logged off and given the message.

I intend to, however, there's less than 2 hours left to contact them today and I'm still waiting for some flake to call me. With my luck they'll call while I'm on hold with SE and my call will be dropped, and SE's phone line ain't free. >_<


Ketrel, could you do me a favor and install the downloadable version of Housecall 7.0 and run it? It scans fairly quickly.
http://housecall.trendmicro.com/

I posted this in the thread about possible Windower infection. Housecall detected launcher.exe on this computer (the assumed unsafe PC) as a possible trojan or otherwise unspecific malicious software, while it did NOT do so on the assumed safe PC. So far this has been the only detection of any kind of malicious software I've had. I'm scanning with a number of other programs as well, but Housecall removed launcher.exe last night and so far no other programs have detected any threats.

RMT used to have free reign in the game, and it wrecked the economy. Perhaps you didn't play long enough, but many people remember the time when expensive items were tripled in price overnight after IGE announced their triple gil x-mas sales. (Incidently, all those items were bought up by RMT prior to the discount...)

Unlike other games, FFXI has a real economy. You can't say the solution to RMT is to not fight them at all and change the game to be more like WoW.

Gilbuying in FFXI isn't done by noobs looking to buy next week's exp food. It's done by members of toprated linkshells, buying the gil theirs or other linkshells sold to RMT. Why do you think HNMs are camped with $3000 bots? Not for Ridills... they got enough endgame gear rotting to pimp their backup accounts after their mains get banned... It's all about the gil they can sell.

My brother got hacked last week. We found out Sunday, and had the GM lock the account. Monday we got the password reset and log in to find him in the middle of Mount Zhayolm in nothing but rr/ex on Leviathan.... Both of his mules were empty as well. They wiped out all his IS and turned it in to gold pieces and deleted everyone on his friends list.

I have been telling him for months now to get a security token. Guess what he is doing after he gets his account rolled back.

And on a more personal note, the people who do this are scumbags of the lowest order. How can they feel no remorse for their actions? A job is a job, I get that, but wtf man? This isn't a job, it's theft, and now there are a total of three people I would bludgeon to death with an aluminium bat should I get the chance to see them again.

So pinkmage, when you gonna buy a security token? And use Firefox.....

So pinkmage, let me see if I'm understanding this. On your PC, you have your main hard drive, C:, and a D: drive, the D: drive is a recovery drive, correct? Or is it simply another hard drive? If the virus made its way into the recovery drive, then that's pretty horrible (I really hate the idea of a recovery drive versus a recovery CD anyway).

Your hacking was recently, correct? It would be extremely useful if you know what the threat name and location/file name of the infection were. Perhaps your scanner still has it in its history.

On my end, I still haven't detected anything. At this point I've run full scans with Avast, AntiVir, MB Anti-Malware, Spybot S&D, AdAware, Windows Defender, Housecall, Rootkit Buster, Avira AntiRootkit, Threatfire, and even NOD32. Nothing other than a (possible) false positive on Windower 3.3 (did not detect on 3.4). I also did file searches for the files associated with the keyloggers from over a year or so ago.

If my system is really that clean, then how were my POL ID and password discovered? You can't be booted with the "logged in from another terminal" message unless someone logs in with both your correct POL ID and password (an incorrect password doesn't boot the ID). Even if they have that, and you have the token, you're safe if your computer isn't infected. Is it possible to intercept a POL ID and password WITHOUT actually infecting someone's PC?

What's more, how are people with tokens having their POL IDs and passwords hijacked and changed, while their characters and items are left untouched? It doesn't make sense for them to be able to change a password without having a number from the token, or disabling the token, which would have given them free reign. You need to log in with the SE account name and token number in order to get to the settings to change a POL password, and yet Ketrel and several others have had this happen to them without their accounts being robbed. This suggests that the attacker changed their password WITHOUT having access to the SE account or a valid token number.

This is true. I've been in endgame shells where the majority of the people are account buyers, gil buyers, and botters. Unknown to most members, the leaders were selling the gil to RMT sites but it was common knowledge that some memebers were buying gil and some were buying separate accounts to use for botting.

Most of the people I know in endgame shells who box 2+ accounts usually end up getting amazing gear for the 2nd character...and then sell that character. The character they geared up with amazing gear were bought from the start and they geared it with intentions to sell it.
How do they lot gear for this character over other LS members? They act as if their cousin/brother/girlfriend is playing the character and that they are not dual boxing.

Some of them are friends, but people sell their accounts/ get banned all the time and then claim that they were hacked. Some of them even get their characters fully rolled back AFTER selling it.

Edited, Sep 24th 2009 8:58pm by asilica

Edited, Sep 24th 2009 9:00pm by asilica

Sorry, but you're mistaken. If this were true, all someone would need is your POL ID to boot you off of FFXI any time they wanted to.

If you use the POL ID with the wrong password, it does NOT boot the person that's already logged on. I just tested this personally, and with only a POL ID and the wrong password, the player remains logged in. No boot.

With a correct POL password, but incorrect SE Account password and token password, it does indeed boot with a "logged in from another terminal" message, as has been confirmed by several others. In order to use the security token and SE account, your POL password has to be saved, so when you logged in to your friend's account without entering anything you were still logging in with the correct POL password already saved on his system, just without the SE account password or token.

i am not buying since my acount already get ban ^_^
anyway the token is not available for my country-> singapore, if not i would have bought it when it's available.

http://blogs.zdnet.com/security/?p=4423