From Russia With Love

On December 28th, 2011, somebody exploited a vulnerability in this site’s forum software (the popular phpBB system) to install a hacker control panel that gave them wide access to this server and its files. Actually, code was injected back in October, but the individual waited until the 28th to do anything with it. On the 28th, he (I’m guessing it was a he) used the code he had installed to do two things: he set up a malware redirect and inserted a front page for some Russian porn site (more likely another vector for malware, I suspect) in an obscure location. I am lucky that his actions were not destructive; he was careful not to make any visible changes to this site or any of the page content. Instead, the malware redirect only affected mobile browsers; if you visited this site on your iPhone or Android device at the end of last year, you might have been surprised to see a fake Opera update page that tried to force some Java code to download. The porn front page was also hidden (albeit poorly) so as not to attract attention by regular visitors.

I noticed the redirect while traveling in Japan. I reached out to my ISP, but like everybody else they were on vacation. Today they wrote back with some suggestions, and I’ve gone through and performed a little bit of investigation and cleanup. The malware is gone, the porn is gone, and the hole is closed. So far, nothing else seems damaged.

It is inaccurate to call the person (or persons; there are actually three separate IPs that accessed the inserted content over the last week) who installed rogue code “hackers.” Hackers are people who have skills, and use those skills to poke around systems, looking for ways in. Hackers may be malicious or benign, but they are defined by curiosity; they are a breed who figures things out on their own in situations where the interface is as obfuscated as possible. The folks who attacked this site are barely script kiddies. They are using software authored by somebody else (complete with Russian comments containing spelling errors), they know little about actual security (the control panel they installed was protected by a password: “root”), and their goals have nothing to do with exploration or curiosity; they are inserting code specifically for monetary gain. Malware runs botnets, botnets make money. These people might feel proud of themselves for exploiting a hole that somebody else found in a popular piece of software and then using it to install code that somebody else wrote, but there’s no glory in their work. They are just following directions written on some forum, without understanding what the steps mean. If real hackers are topographers, mapping territory that has never been mapped before, the guys who broke into this site are little more than assembly line workers, following the same instructions over and over by route. They could be replaced with a machine. In fact, they are quickly being replaced by machines. This is the extent of their skills.

I have removed the forum from this site. Over its 9 year history, this site has been hacked two times, both of which stem from vulnerabilities in the forum software. I’m good about keeping my software up-to-date, but phpBB and its ilk are simply too complicated to reliably secure. Maybe I will come up with a replacement; I have all of the forum posts backed up and might one day restore them. But for now, I’m sad to say that the forum has to come down. If script kiddies from Russia (who, by the way, left their ip addresses all over the place for me to find) can crack it, it’s too vulnerable to allow on the site. Perhaps we can set up a third-party solution, like a Google Group, or maybe a G+ page. If you have suggestions, please let me know.

24 thoughts on “From Russia With Love

  1. Too bad about all that. This is one of the few forums I actually post on. I’ll miss them even if most of us only posted anything once every few months.

    At least your site is still here. Now that Hell Descent is gone and Rule of rose Mysteries hasn’t been updated in like 3 months, it feels like there are less and less survival horror online communites to visit.

  2. Wow, that sucks. Even though the forum was a bid dead at times, and I had been very inactive as of late due to life and work, I still liked talking to people on then forums about horror. I do hope that a new forum will srping back up in th future.

  3. Wow – I really am at a loss of words. I think I was one of the few people who actually visited your forums every month. Prefer not to say who I am just now, but yeah. If you want a forum, get vBulletin or even a free ProBoards account!

    P.S. Thanks for not deleting your site, though. You have a very comprehensive database of horror games, and even the so-called non worthy ones as well are interesting. You should add both Saw games if you get the time!

  4. And yeah, all of the other survival horror sites are dead now, and I’ve found myself not really that interested in Resident Evil or horror in general anymore, because games changed a lot and they just don’t make ’em like they used to. I never thought I’d hear myself say it, but I think maybe it’s FINALLY run its course. No one cares anymore. They still make horror games, sure. But are they ever any good? They seldom are 10/10 worthy anymore. The people who review them are either lying for money or they were written on the fly. As to this site, it’s sad that somebody would wanna hack a puny phpBB board that wasn’t that active. WTF? What was there to gain? This was the only horror community I felt involved in. The others are full of trolls and elitist users that take everything so seriously. But good luck for the future! I hope the quest can live on, even if it’s just on Angelfire or something…

  5. Yeah, kinda sad to see the forums go but security is number one, you got to protect yourself. I would like to see a new forum come up but the old one really lost momentum. This was the only one that went beyond playing and collecting horror games, and went towards critical examination. I know you’re really busy with your company, so maybe it’s time to put the forum to bed? Maybe make that google group after things have settled down for you.

    I hope a new forum will emerge. Good luck.

  6. Well, the only horror games on the agenda this year are Amy (but it’s on Xbox Live), the new Silent Hill on PS Vita, SH: Downpour and Resident Evil: Operation Raccoon City, although that’s a shooter and we have learned to detest those as horror but enjoy them just the same. The Last of Us which looks excellent BTW is not expected until 2013. So that does not leave us much to cover! 🙂

    Posted using my brain (joke!)

  7. By the way, I don’t actually recognise any of your names cos you’re signing them with something else, but I’m Pete.

  8. Sorry for all the poopy-ness! It’s a bummer about the forum – it was only one of three that I actually post at on a regular basis. I do have google+ so I would be up for a circle or something, I suppose.

  9. It’s horrible that the forum had to close that way, since it was one of the very few communities (Beyond the camera lens is the only one besides the Quest that I can think of) which was not only about Dead Space, Resident Evil and Silent Hill, but for all kinds of horror games and horror based design in general.

    Maybe you can try using another bulletin board script like SimpleMachines since it’s (a bit) more secure and unlike vBulletin it’s completely free.

    That’s a shame, but with scriptkiddies running rampant and any vulnerable script being only a google search away it’s pretty much inevitable these days. With the advent of easily accessible 0-day vulns and the accompanying ./’es one simply cannot be entirely safe anymore.

    To be entirely honest I’m not much of a forum goer, I’ve posted some on this board because the topics interest me but other than that I avoid forums in general. But if you want one available then the best route is most probably to outsource it so you don’t have to maintain (or worry about) it.

    Maybe some additional threading for comments would be a better idea? It’d require some more open-ended news posts to get topics to discuss but it’d also make the discussions more accessible on the front page.

  11. Although it may take some doing, how about adding some sort of sub-forums for all the games in the database? Series specific ones could benefit from just the one category, I guess, since there’d be a lot of sections.

    What about InvisionFree? Hundreds of people use that.

  12. Damn! The forum was a very valuable place for obscure and interesting information.

    I guess that a good idea is to install the latest vbulletin software, as far as I know, it’s vulnerabilities are hardly exploitable.
    Another idea could be using a platform for free forum hosting like .

    I’d avoid g+ or other social networks since not everyone has an account (I am not on any social network, for example) and it doesn’t allow the full control on the data (backups and such), but it delegates it to a third party.

    I hope you will choose to open the forum again, or at least to keep a visible archive of the old posts. A lot valuable information was posted here over the years…


  13. That sucks man. I didn’t really post here too much ,but I’d check the website out at least once a week if not more. I really loved all the insight and anyalysis. Unfortunately I’m not too good with technology ,but I hope you’ll be able to set up the forum again someday.

  14. Truly a shame. These boards were a great place to track down some of the most obscure titles and info. Here’s to hoping they live on in another time and place.

  15. Aw. That sucks. I don’t have internet at home, but I’d just signed up for the forums about a week before this happened while I was on my laptop elsewhere. With the holidays I didn’t have time to get on and check out much, and now they’re gone! Sadness.

  16. To be fair, though, I believe that a lot of the games already listed in the quest, with the exception of the classics, aren’t that good. They’ve also dated considerably. I think we can agree on it…

    But people still check them out because of their connection to survival horror, especially since D for example was one of the first 3D titles. I’ve actually played a couple of games I’ve really enjoyed from the list on here, but some just don’t cut the mustard. Despite that, Chris’ quest has one of the greatest catalogue of horror titles on the net today. Other sites often have a habit of wanting to falsely list games like Left 4 Dead as horror, when I’d probably consider that more like a FPS. You know? That’s why I think Chris’ site is #1 for theories and going beyond just the plot of each game…

    Simply put… say no to shooters!

  17. Just my two cents, securing forums can be a full time job, no one writes completely secure code so you have to constantly stay on top of patches and what not.

    Might be easier for you to lean into third part software, let someone else take on the hassle of software maintenance. Google groups is pretty good from my limited experience. Sure it sucks that you would need an account, but it’s not anymore difficult then creating an account for any forum software.

  18. That’s no good. The forum was very helpfull for obscure and interesting games.

    P.S. Any news about “…Iru” translation and walkthrough?

  19. Never used the old forum as I only recently discovered this site, but I would definetly visit a forum if their ever is one again.

  20. Aw man, thats a shame. It was bound to happen sooner or later, so much sketchy stuff got into the forum. Perhaps a Steam group for the time being?

Comments are closed.