Odd Player Hack Story

Excellent logic, but the problem is that's not going to happen :\

Too many kids with mommy's credit card.

Well best theory I can think of is that someone that worked on the security token leaked info about it on the black market (aka RMTs) or the dood himself is a rmt and is using his knowledge to break into accounts. It would make sense to me if that's what happened o.o

*gives you your tin foil hat*

Doesn't even need to be that complicated or dastardly. A thoroughly pwned computer would give a third agent sufficient access to one's computer to hijack your FFXI session. It's probable the connection was maintained without the player's knowledge by using their computer as a proxy (would prevent the character from DCing like you do when you change IP addresses), in which case shutting down the computer might have terminated the connection and minimized the damage to the account.

I'm going to take a stab in the dark and say this was referred to my post.

Obviously, you have trouble reading.

"...made by some third party company only interested in THEIR bottom line."

Read: Not SE

In case people are curious... this a tl;dr summary from BG of the theories behind the recent hacks.

Just confirmed that that registry key doesnt exist in normal (clean) XP installs.

Noscript and Adblock plus cannot do anything for you once you have already let the malware into your computer. If the hack is using a proxy override, they are probably routing your info through a proxy which allows them to collect your info (and also mimic your login credentials, since it would appear to the SE server that you are actually the proxy computer). Interesting.

so something like this happened to a good friend of mine. the story goes like this we had JUST entered dynamis-beauc when all of a sudden he d/c we were all like ok maybe he was having internet problems. but when i look in the linkshell list his wife was still logged in and helping us out. it took him like 5 mins to get back into account, but in that time he had some how warped to jeuno without the whole group noticing him being gone idk how considering we were all RIGHT THERE!! when he got back on he was naked and infront of the senders everything of value almost gone. the only reason i know this happened was cause i was like wtf are you in jeuno and how the hell did you get there so quick? he ended up having another problem with his account like 15 mins later too and it took him another 15-20 to get back on. this all happened on monday and i think we know who the culprit is cause of this nice little lovely site. not gonna name names as of yet but when your a 75 with insane gear and only have 4 items on you sales record something is kinda fishy there. and they were all the on the 25th. if any1 from kanzenls reading this hit me up with a /tell yo.

Dude. Needs some periods and capitalization. Maybe some paragraphs. Because I am not reading that wall'o'text. tl;dr version works too.

Just pointing out this again (that i posted on page 3) because people are still arguing over how they got into his system. I hope it helps alleviate some of the tension here.

From what I've gathered from reading (of course these are all theories, and I'm not a big tech person.....) there have been people who have gotten hacked who use Firefox, only browse FFXI-related sites for the most part and use Adblock+ and NoScript with (what seems) to be the proper settings. One theory is that it's coming from the gamepad ads that are displayed on ffxiclopedia. (Possibly some hole that's allowing it to get past adblock/noscript) Also it's possible that this security hole has been patched a few days ago since people have been unable to reinfect themselves with "R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local"

tl;dr version: You can be fully protected, using Firefox with add-ons and still get hacked.

Damn people and their crazy hacks

anyone have a virus scanner that can actually find this?

No one's completely sure of anything, however http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html can detect "R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local" It has been stated that this can turn up from normal software download (eg. Photoshop) I'm not sure if there's a way to find the .dll file that's actually causing the issue.

ive got the line in my registry but like you said it can turn up from a normal file download

It doesn't mean anything that you have it, but getting rid of it doesn't hurt anything. I think it installs itself for like registering the software or something. Anyway, I "fixed" it to make myself feel better. D:

i went in the long way to get rid of it. used run regedit.exe

I just wanted to vent my frustration from playing this game for nearly 4+ years and getting hacked last week.

Losing over 6M gil and most of my non-rare/ex gil has completely killed any spirit I had for this game.

Although I have been not too social in-game recently(I've mostly been crafting and not doing any group events due to time restraints of my new job), I would like to say goodbye everyone whom I could not say goodbye to in-game.

I enjoyed all the adventures I had in Pandemonium. Thank you for the fun times in Salvage, Sea, Sky and Dynamis. Best of luck to all.

I had something weird happen to me, too. However, I didn't lose anything or my account. I was farming Bonnacon and went afk on the ramp. When I got back I was clear on the other side of the zone, close to the beginning of the zone, almost dead. I do live with my mom and brother, but both of them were not here at that time.

I was running into a wall with very low HP. There was a BLU near by and I asked them if they saw anything aggro me, or wth happened. They said they had no clue. When they got there it had been just in time to see me run by with low HP and run into the wall.

So I cured up and headed back to Bonnacon area, baffled. I called a GM to see if they could tell me what happened, and they were clueless. Said they could not help me if I don't know what happened myself.

I'm sorry this has happened to your friend. It is indeed very odd.

/

I'll play guinnea pig for the hackers when I get home.

I will use my second account I have to guinnea pig around. If the account gets hacked, so be it, since I'm not using it much anymore.

But I will need YOUR help as well. I would like to receive all FFXI-related website URLs from everyone who reads this and had their acounts hacked. Also include the links to RMT sites if you've visited those prior to the hacking.

What I have the hackers to offer is:
- Windows XP SP2;
- Firefox 3.5;
- IE6;
- Firewall: off;
- Windows Update: off;
- NO antivirus/antimalware/anti-anything software;
- NO browser protection plugins;
- NO Security Token;
- An FFXI account with 3 characters.

To most of you, my computer would seem like an easy prey to get into, with a lack of protection. Yet I'm running the computer virus-free for years now. I run an online virus/malwarescan like, once or twice a year, and always comes out clean.

I will manually put in every password for my second account and keep track of activities.

I'm not woried about my main account. The password for my main account has been 'saved' for as long as I know, and when I DO have to put it in at the billing page, I use the software keyboard.

So... C'mon hackers! Gimme yer best shot~!

I read gloryseeker's post, and the random leaving zone to jeuno without being noticed caught my attention.
I had an experience, while running through North Sandoria, i saw a rmt do one of their tells... but MT'ed it into say
After that I immediately typed /target "Rmtname" (I forgot the name)
I couldn't target him at all, i had movement+ boots on, and after not seeing him for a few seconds, I used flee, and still could not target him
I saw the say text in the middle of Northern Sandoria, so there was no way he could have outrun me anywhere, and Everytime I did /sea all "rmtname", it was still in zone
The point is.. either RMT can pos warp/zone warp, or maybe they ARE gms and can't be seen/targeted (has anyone even seen these oddly named RMT that spam tells?), but can still be /searched
so back to the other post, maybe he was zonewarped to jeuno, or the LS just didnt notice him somehow..
Not to mention his gear he had on him was sent, in 5min? it takes me 5min just to get to the delivery box and start sending stuff.

MY STORY TIME! D:

I agree, i got hacked once, went to pol website enter my stuff and it was fake site, i handed over my info. I logged out one day in rolanberry S and the next day I login in bastok markets nekked by delivery guy. Click delivery guy to see the remainder of my stuff leaving unable to see who took it. Went to mh everything gone, called GM had rollback done. Keep in mind as most feel the same way, it is only a game but i vested a lot of time into this game to be hacked and have nothing really pissed me off. Had my hacker been in arms reach I'd ripped his throat out that night. -.-

I'm Unicorn server and I Waited 6 weeks on the rollback. Whole time I'm eyeballing FFXIAH.com (Handy as the site is, it is a rmt heaven with all it's rmt adds) to see who might be selling what I was missing. Low and behold within a week i saw 1 person that sold everything I was missing on the AH. A feller with the name starting with "Uni" -.- So as i already created another account to continue to play while i waited for rollback i /sea all uni and found loads of characters with thier name starting with "Uni" all lv1. Was a good 20+ characters on at any time of day.

Through /sea all uni i watched one lv1 thf run from jeuno to sandy. I caught him at the OP in WR with my new lil lv10 mnk. Chased him all the way to sandy "/shouting <t> RMT WARNING!"
When he got to town he set HP and turned around and left town heading to Ghelsba.

Of course I'm still following him /shouting my shout ^^. Got to Ghelsba and got to MPK him with orc's and he HP'd to sandy and headed back with me still in tow stalking him. 2nd trip he wised up though and 2hr'd and made it to the zone to grotto, I didnt make it.

I saw in port sandy just above the AH "uni" people buying seeds in peoples bazaars for 1m each. That is when the gilbuyer shouts came from meh. :D Both characters instantly logging everytime, the buyer and the seller.

During my rollback i used my new account to totally stalk and harrass rmt in any way shape or form w/o worry of ban. 1) was temp account til got main back so meh 2) rmt do NOT call GM's. o.- /sea all uni and all lv1's i seen i spammed tells saying "give me 50m and we call it even for you being a *** *** hacker"

Do a /sea all <first 3 letters of your server> and find the rmt group near you. I didnt harrass any lv75 type "Uni" people as i didnt see rmt lving to 75 and figured them to be real people. Whether they are or not I do not know.

Oh, is another thing they do I saw. They'll create characters simply to send the starting gil to a main character. You know when they are when you see hundreds of different named "?Name" characters running straight to delivery guy then logging out. They log out the character permanently, delete it, create another, and repeat. ALL on the same Content ID. Report the character is all fun but it's gone and deleted by the time a GM answers your call. 14-day trial program failing at it's best right there. Let alone the spammed tells.

I e-mailed the STFU with ALL my findings and told GM's and the response I got was: from the STFU never heard a word from them, from the GM's I got this "There is nothing we can do"

Actually, that seems to be a GM macro I think now cause that's thier usual answer to everything. If a GM isnt or cannot do anything then get them the f out and get someone in that can or will.

I handed a load of stuff on a platter to them and nothing. They were more worried if I was lying about being hacked than to get the hackers. 6 Weeks for a rollback was rediculous too, but I kept myself entertained harrassing rmt the entire time.

Well that's my hacking story. So yea, they don't care to much or they'd eliminate the 14-day trial program, a real player is either in or out, 14 days isnt enough time to do crap in this game except to do rmt activities period. You all know it, I know it, and SE knows it. So why is it still here. Because they don't care. GM's care more about your character name than banning rmt.

I left a much longer post similar to this one about a week ago, but I just wanna offer it up in this conversation here.

I've read every post in the five pages, and I honestly can't remember anyone even MENTIONING playing on PS2.

Long story short, I'm not HELP I AM TRAPPED IN 2006 PLEASE SEND A TIME MACHINE, and I have never told anyone any of my account info, nor have I entered it anywhere besides my PoL login screen. Been playing for 4-5 years, I play on PS2. I don't have the Security Token. I was hacked two Sundays ago. I was in Port Jeuno, when I get a full DC, forcing me out of everything, PoL included, with a message telling me that I've been logged in from another terminal. I try to log back in, PoL password changed. My brother was playing at the time (separate account, billing info, everything), so I called him up, blah blah blah, fifteen minutes later, a GM suspended the account. Was cleaned out, I'm currently in the process of game recovery (gotta get my FFXI fix in the meantime).

So getting hacked on PS2, without giving any information to anyone ever...how? Just throwing it out there, since from what I can tell is everyone talking about getting hacked on PC only. (Although now that I think about it, this thread might be PC-specific, which could be the reason why there's no PS2/360 talk. In which case, oh well, it's already typed out, so ignore it if you want. And I guess, re-reading the OP, this is almost completely irrelevant, since I'm not on PC and don't have the token. But whatever.)

Also, just really quickly, I would like to say that to claim SE is behind RMT is silly. "Prove to me that SE isn't RMT" isn't a valid argument, because you can't prove that they are.

/ma "Barfire" <me> ... Flame away.

Its possible they are using a network level hack where they can see the packets sent and received from your internet in general, which can explain why you can be hacked on a console as it is on an internet connection. If you have a PC and browse the internet with it, you might have picked it up and it is infecting your net connection. If you don't have a PC, I don't know what to tell you o.o

Has he used the USB flash drive security feature?

Yes, the RMT spamming /t can be seen. A few weeks ago, while in my MH in Bastok,I received the usual RMT /t from Brogame. I did a /sea all and discovered the offender was in Port Bastok. Imagine my surprise when, just a few minutes later, I exited to Port Bastok, ran across the bridge to the exit, and standing right in front of me was the spammer.......I called a GM immediately and stayed right where I was. All I got was a message that the activity would be investigated, blah, blah the usual garbage that comes out of GM's mouths. Last week, I was headed to the same exit and there was the same RMT spammer, standing in the exact same spot as a few weeks earlier. Proof positive I would say that SE doesn't give a hoot and never will.

Sorry to bump a dying thread but the same ***happened to me about 3 weeks ago. I'd been duo'ing with a BLU buddy of mine for exp, and I DC'ed (No response from server), had been lagging quite a bit that day, so I thought OK, no problem. Logged back in and everything was fine.. About 20 minutes later, I DC again, this time no R0 or anything, just BOOM DC and get the message I'm logged in from another terminal.. I started shitting bricks, but was able to log back in no problem. I even changed my POL password real quick. Thinking everything was cool, I finished up my grind session and logged out for the night later on. 2 days later, I go to log in and get a message that my POL password is wrong. Tried several times with the same result. I was however able to login to my SE account using my SE pw and token, no problems. Scratching my head I called SE and stayed on hold for what seemed like 2 hours, to find out that my pw had indeed been changed. The guy was real nice and reset it for me and stayed on the phone while I logged in to see if my stuff had been taken. Apparently I was one of the lucky ones, because I was in the exact same spot I had logged at, with all my goodies intact. The SE rep verified that there's some sort of hack going on where they can "hijack" an active session. I've since been completely unable to find any sort of trojan or malware on my PC. I've used everything I can think of, even packet sniffing tools to try to weed out the culprit. I don't go to any weird websites or anything that would get me infected with something, haven't been to any phishing site. I use Firefox and noscript.. all the standard precautions that anyone with half a brain would take. Anyway, yeah. .