I just caught a hacker...

Well, by "head-in-the-sand" I mean that assuming you are safe because you use all reasonable precautions, is unwise in my opinion. (see turbousa's post). You are ignoring the possibility of novel attacks or methods, or insider information.

Who, me? I did make suggestions...
OK, they were in the form of questions, but you get the idea.

How about you just make you password alphanumeric, not godjecdoc or some lame pw. GoD3jEcDoC286, if a hacker really wants what you got he will get you no matter what, Just make it harder for him to.

1. More QQ. People have capslock on and try it x times to come here realizing that the first sentence they try to write looks like this:
"MY ACCOUNT GOT HACKED". Now realizing that they had caps on they start a new thread to QQ. "Why isn't it possible to reset the delay???????? I HAVE IMPORTANT TRADE/GVG/AB/POLYMOCK TOURNAMENT/INGAME MARRIAGE".

2. Forming groups in HA/TA/GvG.
"Rerolling. Brb in 60mins. Char is flagged as delete delayed"
or my favorite assuming you need yet another password to flag them (not goin to mention that a keylogger will have that one aswell...doh...i did it):
"OMG I LOST MY PASS TO UNFLAG MY CHARRRRR:RESET??" QQ!

3. I agree on 3.

idk, but from the sound of it this hacking attempt was a lot more complex and insidious than the usual "keylogger" user slip up of security. I mean the OP clearly stated he's done little if anything out of the ordinary to put him at risk, didn't use textmod even. That and the fact that he was allowed a reconnect attempt, I don't think he would be given that chance to reconnect if somone else was already on his account (in the sense that the hacker had his password before his disconnect from AB).

People have modified their clients to affect others in the past, it seems entirely likely that something similar is afoot here. It makes sense actually, forcing a disconnect but then allowing a reconnect attempt, if you could track the reconnect attempts I have no doubt you'd be able to get somone's account info. Think about it, reconnect attempts require no ID verification, no re-entering of passwords, all that information is likely auto encoded in the reconnect attempt.

idk maybe I'm jumping at shadows but to me it seems likely the reconnect system is being exploited in some fashion here.

I got that same keylogger a week or so back.

My computer was new, I'd installed all the protection on it I possibly could...then bam, a few days with my new comp and I get that.

I attributed it to the fact I'd been on IE and followed a link to a games site that HP (the company I bought the machine from) lead me to. I had no reason to believe it was dodgy, given the fact it was part of a program that HP had put on my computer. Hadn't downloaded anything dodgy, and certainly hadn't downloaded texmod.

Suffice it to say, I reformatted after getting the virus, and will not ever again open IE for anything.

I did have an incident on the none official wiki the other day, when I clicked on a skill icon to see the skill description my Firefox No Script thingy told me the link had cross site xml scripting on or something. I've read that that's a bad thing, so I'm so glad No Script didn't allow me onto the page.

Gotta be so careful where you browse, and scan every single day.

Mystica, why dismiss ideas so quickly? Versus thinking how you'd take the basic idea and make it practical? What I posted were just shortened summaries of full ideas posted elsewhere - not the full, more "practical" versions.

Actually, as it is, that sounds like an excellent fix for idiots who use caps lock.

I think normal people either use caps lock very rarely, or by accident. After one or two failed attempts, a normal person would check they didn't have caps lock on by accident.

The "full" idea for lockout/delay would be something like... One failed attempt only adds small or no delay, and if you have caps lock on, the client could detect this and warn you. Each subsequent failure adds increasing delays. This would not inconvenience people, unless they regularly need 5 or more attempts before they get into GW (unlikely)... but would make brute force attacks unfeasible.

Beyond a certain number, they might go as far as blocking the IP address or the account for a period, maybe even requiring email re-activation or something.

All these could be optional extra security choices that you could enable, or not.

Again, the "full" version is something like: making a character permanently undeletable, or having delayed deletion would be optional per character.

Obviously, you wouldn't enable it on a PvP character that you will re-roll again and again. But you might choose to enable it on your main PvE title-hunter character, so that even if someone accessed your account and stole your goodies... you'd at least still have a character with titles, skills, HoM intact etc.

Delayed deletion would be optional again... by selecting it, you could re-roll a character, but deletion would be delayed - long enough that you could report a stolen account and have it returned. Deletion could be cancelled at any time before the delay is over.

If you didn't want those features, you just wouldn't use them.

But most do. Constantly sending traffic out rather than just every now and then when a good chunk of data is collected would be particularly suspicious.

That's not how client applications work. Port 80 is traditionally reserved for an HTTP server. The browser, as a user application, would not generally try to use ANY ports below 1024. It COULD masquerade as something like VNC by binding to 5800, or pretend it's AIM on 5190, but anyone who would be able to discover this would know if they're running those things or not.

Aha... I did not know that part of it, my bad.

Anyway, it would be interesting to have access to some of the machines of the people who lost accounts. If this really is an attack against a vulnerability in the client, which it may or may not be, the only thing that's going to help expose it in the short term is if anyone has unaltered firewall logs, disk access logs, etc.

Although, frankly, I'm still leaning toward keylogger or trojan.

The Guild Wars client already has this in use, incorrect logins increases the delay the person needs to wait to login.

Really? The few times I've mistyped my password several times in a row, I've never noticed any delay. Well, if that's true, is it built into the client, or the server? If it's in the client, you could meddle with things to bypass the delay and make as many brute force attempts per second as the server can handle.

OH SNAP!!!!!!!!! Hax in guildwiki just from viewing skill pages? Awesome, that's one of the few sites I do allow scripting on in any form :/. Hope my pitiful storage is still there, but hope my characters are there most of all.

gratz on save the stuff...

but you get trash only.. maybe he looking for a everlasting tonic...

seems it would have been more practical to just take the keys, but he took the time to open the chest. you sure it wasnt your little brother?

After testing it, it might be the server after all. With a few incorrect passwords you get the first response in the image above, then eventually the 2nd, which pops up more and more with incorrect logins.

Wrong, sir. I'm not using McAfee, I'm using the av that my university bought for its staff. And, it started crying in pain when the file from Tomb raider finished its download.

Nope...no one else I know has (or would even remotely want) access to my account.

Yeah, I found it odd as well that he took the time to open the chest 47 times instead of just opening a trade with his other account. Maybe he didn't realize that the keys were worth a ton at the moment, and was just hoping for an everlasting tonic.

Whast the name of the anti-virus that picked it up?

also The more I read the more it's starting to sound like a disgruntled A.net worked and an inside job.

you have this on your account and someone just wanted to use your keys!?

http://www.guildwarsguru.com/forum/s...57&postcount=7

certainly someone is just messin with you.

Yeah...I guess they didn't have a chance to check the material storage tab in my storage.

Norton never picked up anything. I ran another scan last night after the attack, and made sure my definitions were updated, and nothing appeared.

The same reconnect system that was used in the ARMBRACE exploit?

Strange coincident. LOL

Slash Owned.
On both sides.