Epic!!!!!!
You can also make a DOS attack on the server of the website to COMPLETELY crash the website for a good amount of time =/ but this is still an awesome find!!!! +2rep!
Lol, you all +rep it, and it doesn't work =O
It was never tested, but the theory does establish some +rep from many. Not that I'm into WoW-Europe hacking.
DDOSing is illegal. Using something like this may violate an agreement you have with the website, but, at most, that's a breach of contract.
At any rate, here's my input on this:
I don't know how these forums' filter works, but, for the proper post (though I don't know if you're willing to post something properly working, because then people will whine even more hardcore that it's not posted for contribs only -_-), you could try posting something like this:
That's working and valid PHP.
If you are really serious about making this worm though, you'd be much better off not having static values. Much like the people who post keylogger links (except with proper English), you'd have more success if you had a table/array with different topic title/text combinations, so there aren't hundreds of threads all called "Nerf warlocks...".
For example, you could store an array with keys being the forum IDs to each class forum, and then, say, if it's posting to the hunter key, the title would be a choice of
"Hunters are OP in arena"
"Hunter solo video: slave pens HEROIC last boss"
and other more enticing clicks. If you insult people's classes, they're definitely more likely to overreact and reply and freak out.
And the post itself, personally, I think a short post just linking to something else will almost never get clicked. People jump on stuff like that; your post will get quoted, link edited out, with people saying in big angry letters "KEYLOGGER", and reporting the hell out of it.
To entice more clickthroughs, you have a variety of options:
Post valid data, but embed the script. For example, post a link to a WWS parse, or some spreadsheet output, and just embed the script in the page. You could encrypt it, obfuscate it, or otherwise hide it from users.
Alternatively, you could try to hide it or conceal it - post it on a "post your UI" thread, for example. People click the links mindlessly (I know from experience)... nobody will really be surprised if it ends up being a dead image link or something.
Just try not to name the page "xx.html" or "xx.php". You could, for example, post it as a valid filename (WoWScrnShot9999.jpg) and then edit the htaccess, giving jpgs for that folder a MIME type of HTML or PHP or something.
Basically, the script would work, but wouldn't be very effective: it's VERY feasible, however, that the forums could be placed into entire disarray with some social engineering, on the scripter's part.
Just my 2c
edit:
I just wrote a novel, but the post I quoted had a link to it and I have two posts. I hate my life (#*%&#%(&#%... time to do it all again
Yes, it's a forum, and saves data on the client's PC to store login data. This has nothing to do with, well, anything. If you're posting a worm, I think it's extraordinarily evident that you realize that the submitting account's data is being compromised. Accounts get compromised all the time. Who says you have to post this from your own, live WoW account? You can post from a stolen account, scammed, friend's (well, ex-friend's...), or any sort of account that you don't own. It's done all the time.
It will work as is. You don't have to get tricky, and passing session variables is entirely unnecessary. It's being submitted client side, via a single line of JS that submits a form. Client side, where the data is already stored. If you're logged in, then the cookies/session data are stored, and they're being requested by the same server. It's fine. It's exactly what happens when something gets posted legitimately - the only difference is, the header is saying it's from a different referrer. If that script proper doesn't work on its own, all you'd have to do is modify the headers it sends... which is also really easy.
Short response: Your method will not work as is, if you wanna get tricky and pass session variables through your script it is possible. But why not just DDoS attack the server, I mean otherwise you are giving a direct link to your host and who you are...
And why not just DDOS? Because that's against the law, and is an entirely different method of attack. By posting this worm, you get lots of forum spam. By DDOSing, you take the servers down completely. And, one person on one connection? You aren't taking down the WoW servers, sorry. You have no idea how much traffic they get on a daily basis, and how much throughput their servers have. One person trying to DDOS might make their servers' CPU load go up by like 2%.
First of all, this entire thing could be run on JS, which means you could use an HTML-only host, and tens of thousands of those exist. Even if you needed PHP, or another SS language, there are many places you could host it. You can sign up for free hosting anonymously or with fake information... it's not very hard. If you're entirely anal, and think so highly of yourself that you think Blizzard would get legal to subpoena your ISP because they have your IP from making these posts, then use a proxy. There's tons of those out there too...
edit: this could work on very insecure forums, but still you are giving a link to your site and I'm sure if you are messing around with script hacks you slipped up somewhere and got some personal information tied up with your hosting...
Last edited by Moskva; 07-04-2008 at 03:07 PM.
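Added example (not part of the original posts, and not the forum's own code): the post above describes a form submitted from another site that rides on the visitor's existing forum cookies and differs from a legitimate post only in its referrer. The Python below shows the server-side check that rejects such a submission, an Origin/Referer check backed by a per-session anti-CSRF token; the forum origin, session id, field names and request dictionaries are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values: the origin, session id and field names are illustrative.
FORUM_ORIGIN = "https://forums.example.test"
SERVER_SECRET = secrets.token_bytes(32)

def issue_csrf_token(session_id):
    """Per-session token the forum embeds as a hidden field in its own post form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(headers):
    """True only if Origin (or, failing that, Referer) names the forum itself."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # no provenance header on a state-changing request: reject
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == FORUM_ORIGIN

def accept_post(request):
    """Return (allowed, reason) for a 'new thread' POST."""
    session_id = request["cookies"].get("session")
    if not session_id:
        return False, "not logged in"
    if not same_origin(request["headers"]):
        return False, "cross-origin submission"
    supplied = request["form"].get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"

def sample_requests():
    """Three constructed requests; the browser attaches the cookie in every case."""
    sid = "constructed-session-id"
    cookies = {"session": sid}
    form = {"title": "UI thread", "body": "my screenshot"}
    return {
        "own_form": {"cookies": cookies, "headers": {"Origin": FORUM_ORIGIN},
                     "form": {**form, "csrf_token": issue_csrf_token(sid)}},
        "offsite_autosubmit": {"cookies": cookies,
                               "headers": {"Origin": "https://other.example.test"},
                               "form": form},
        "origin_ok_no_token": {"cookies": cookies, "headers": {"Origin": FORUM_ORIGIN},
                               "form": form},
    }

if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(name, accept_post(req))
```

The third request shows why the token matters even when the provenance header looks right: the session cookie alone never authorizes the post.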
I'm glad my wall of text will never be read or analyzed because the new "in" thing is to post in huge letters and gigantic forum macros because that is clearly reasonable contribution. -_-
I'm gonna test it and tell you what happens