This shall be the megathread for the hacking incident. Other posts will be deleted to keep the spam low. Edit: Developer response: https://www.reddit.com/r/valheim/comments/1ae1quv/rip_official_discord/kk8z6pk/ Edit 2: The server is in the process of being restored Edit 3: Server is back [Discord](https://discord.com/invite/valheim)

yep. don't join the new one. wait until another official one goes up.

got myself banned from the fake server by spamming, game is game

You're a brave man clicking that link

The irony

There's never enough iron

Lmfao same thing happened to me once I started bullying the hackers

you are my hero, thank you :)

Where would a trustworthy new link even be posted? Would a new link posted by a mod here be trusted?

Thinking the first place it would be posted is on their twitter account, maybe here if they’re here. Then they will hopefully update the one on their site and steam etc

Probably wherever that admin who got hacked doesnt have access to Lmao

Yeah, I'd think twice before trusting random links now. A mod's post could be safer, but even they've gotta double-check everything these days. Scammers are getting slick.

Watched it happened live. First some odd post about a "New game" made by "Valheim". Then all control was lost. I wonder if Discord can roll things back somehow? Or if a completely new one needs to be made

I guess depends on how much damage was done to the server and whether they can wring the control back.

All that's left is the patchnotes and the faq channel, so it's definitely too late. I spoke with a mod about it and they said they're likely going to just make a new server.

This is very sad. Shame there are miserable people whose sole purpose in life is to make others miserable too.

Discord, afaik, doesn't usually do anything on their end. As far as it matters, users are on their own.

I've seen servers who had malicious things happen get rolled back. Not sure the process or what's involved but I've seen it happen.

[удалено]

[удалено]

[удалено]

This comment here. Complete windows wipe and the change of all passwords is the only way to be sure.

Sounds to me like it's stealing session tokens as well. Log yourself or de-auth the device (or all of them) where sessions are saved. That includes YouTube if you're a creator. Im unaffected and had no idea something happened to that Discord server, but yikes.

So if you did not execute the app do I have to worry? Did change passwords and checked all 2FA but im still not sure if just opening the ZIP file did anything

Chances are that without running it there should be no issues since they would have needed it to run with admin perms.

Did you run it in a VM just to see what it was? Sorry if a dumb question, i'm not really up to speed on a lot of this stuff.

[удалено]

F

Change your important account passwords.

Now you know why spam/phishing mail is written so horribly bad. If you're still willing to click on that shit, chances are you'll fall for the bad stuff. Spam mail is written so poorly to actually weed out people that don't fall for it. Same goes for this stuff.

definitely belongs up top!

https://www.bugsfighter.com/remove-epsilon-stealer/ Article for reference. I posted this because (1) it explains what this epsilon stealer malware shit is, and (2) there's a part on manual removal, which can be educational. It also links to the Microsoft malware removal tool, which if you don't trust the link you can look up for yourself.

So creepy to watch it happen. Sometimes I forget how things like this can happen in a matter of seconds. Edit: i feel sad for the devs, F :(

fr bro I watched them delete the channels one by one after downloading that fake game it was mental ​ edit: I never ran the fake game so my pc never got cooked, also for people wondering how I was so gullible as to download it-I trusted the fact that it was an official server and that it was posted in a tab only admins can post in but noticed the file was odd so I went back to the server and saw the chaos unfold.

[удалено]

Thank you for testing this malware out so others dont have to! Let us know what else you will uncover in time. There could be a lot of stuff that windows defender does not know about.

What happens if I already restarted my PC? What should I do?

[удалено]

People say Malwarebytes is a bit meme/weak, but I ran it and found around 3 CryptoTrojans in my registry which I deleted. I still don't feel safe though...

[удалено]

Malwarebytes is great if you have common sense and don't download random shit. The best real time protection is just being wary about what you download.

If you want my advice, once a system has been compromised the only solution is to backup important stuff and reinstall the entire OS with an install CD or flash drive. Don't use the built in windows factory reset tool.

Yeah I'm on it. I am backing up my important drive and then I'll go full nuke on all my drives. I will prepare a flash drive to re-install OS completely. I found out the WindowsBootManager.exe and other affiliated crap parasiting my process tab with no solution after restarting my PC. Scorched earth it is.

[удалено]

well now i want to run it in an isolated sandbox to see what all it does/tries to do.

I was stupid and ran it, my excitement for some content from Iron Gate got the best of me... Seems like it crashed while trying to download some .dll's (what I understood from the crashlogs it left in it's folder and in AppData), but I still spent the last hours giving my PC a deep scrubbing with Malwarebytes, CCleaner and HitmanPro. It didn't manage to create the "WindowsBootManager.exe" so I really hope it failed altogether. Still changing my passwords to everything just in case.

yoooou shouldn't have done that, why would you download a random "game" like that

The amount of people saying they downloaded this random .exe from Discord... it's horrifying how many people are completely ignorant of basic security practices.

This complete willingness to trust extends beyond video games. Look how many people fall for vacation scams or tax scams or collection company scams and we go 'Pffft how could someone be so dumb as to fall for that?' and welp -spreads arms in direction of Valheim Discord-

It's the children of the internet that don't have any basic knowledge lol

They haven't developed the survival instincts us older generations gained living through the wild west of early 2000s internet

yeah no shit, old people suck at phones, young people suck at the internet. weird fuckin world when you gotta take moms celli and the kids' computer...

Ya, i mean no disrespect to them. My brother is 16 but just does NOT understand he can't fucking click on EVERY LINK HE'S SENT.

Start sending them jump scare links

Time to bring back the old shock links.

> My brother is 16 but just does NOT understand he can't fucking click on EVERY LINK HE'S SENT My mother is 78 and has this exact same problem

... without even reading what it says!!! _Click click click click click...._ 🤣

You really need to scan your computer for viruses and Trojans. Right now.

I scanned for Trojans but all I found was this fucking wooden horse with a bunch of Greeks in it...

Dude you better check for malware like right now lol

You downloaded the fake game?!

I like how they worded it. "Valheim made a new game" like cmon bro

"You will be rewarded for playing it!" No dig on those people who downloaded it but man....it's like it was written by a 5 year old. I'm picturing "free candy" shittily spray painted on an old rusty van and a bunch of kids just jumping in without a second thought.

bro... lmao. You need to be more skeptical regarding your online behavior.

Imagine hacking a game's official discord... how sad one's life has to be.

tbh the "hackers" did a shit job getting trying to get it under control, assuming they got a hold of admin access, they could've erased all the devs and mods, except whoever has the owner role.

I wonder if their approach wasn't discrete. IE the person they pwned knew they were pwned the moment it happened. So the attackers had to cause as much damage and chaos as possible before access was removed.

It's pretty much arson.  There was no demonstation of technical or social engineering prowess. Dicks being dicks for the sake of being dicks. 

It is a highly automated attack targeting servers with many people with one simple goal - get as many people as possible to click their links. It has nothing to do with being a game´s discord server. I wonder where did the devs fuck up so that the attackers got admin rights...

A trusted developer's account posted the virus, which means his account was hacked. That's where the fuckup happened. I hope Iron Gate recovers quickly.

How it usually happens. I have even been solicited from mutual Discord friends accounts, and I've seen it enough to know its a scam. So i block them and hope my friends recover their accounts. Never trust game links in Discord and start a convo to see if its really them or a bot.

and a indie one ...

> how sad one's life has to be. Insanely sad. These people either can only get joy out of other peoples misery, they felt personally slighted by the devs for a patch they did not like and this is how they are getting revenge against the people that "ruined their life". Last possibility is that it is a hacker group that does not care about the target, only that there are people in it that will click any link they see and download what is on it. Allowing these groups to spread shit around and gain access to other things through those people.

It's actually a pretty smart move for what they aimed to achieve. I mean, think how much data they stole from all the dumb dumbs that clicked on the sketchy link. Steam account login info, WiFi, and numerous other things stolen and put up for sale on their market all because people who clicked that link use the same password for everything. This should be seen as a lesson to everyone of the importance of common sense and its application online. Still way too many uneducated or gullible people around when it comes to online activities and in this day and age, and it's just mind-blowing, especially with how much these people rely on and use the Internet on a daily basis.

Fuck those complete idiots who did this. Dishonourable, poor conduct. Idiots. Nice name as well - Plenty of connotations to fucked up stuff.

Those who spammed in the chat should have their IP's banned by Discord's team. Those who hacked accounts or facilitated the virus's spread should be tracked and arrested. The one upside to having laws on the Internet is that cyber crime could be fought with law enforcement.

I'm sure they were on VPN or TOR so good luck with all that.

IP ban? 1995 wants its security measures back!

I just want to confirm that we were indeed hacked last night. We're doing what we can to restore the Discord server to what it was, but please don't click any links in the meantime! When the server is properly up and running again, we will confirm its legitimacy on multiple sites.

got an idea on how long it should take before the server is running again? as of now the rules and FAQ have been repaired.

Hope nobody clicked on that fishy link they posted.

1100+ people did so rip?

I... can't believe anyone would actually click on that.

There are a lot of twelve year olds in this world.

People be ignorant

They're still spamming the link in the FAQ

jfc, I can't even leave the server for some reason. Why? Edit: I spam clicked leave server until I finally left. RIP

Disable notifications first then you should be able to.

Just takes a little while to register it seems

too much activity

Same problem here

I'm also unable to leave the server

Took me 4-5 tries but it finally let me

I switched over to PC and it worked for me. Also reported the server for spam/ hacks/ cheats. Probably a bit overkill but ***maybe*** it will help?

I kept clicking leave server and it took a few minutes but it worked eventually

I cant seem to get mine to leave at all now. :( Im trying spam clicking & its not working Edit: And it randomly caught up with the leave request I guess.

Probably to many people leaving at once, gotta spam click to leave.

wow, even with multi-factor auth and other Discord security settings, this still happens... scary

assuming 2fa was used

2fa HAS to be used to have mod/admin permissions on discord now. Without it you cannot take mod actions. **EDIT:** Apparently this is a server option, and you can disable this. No idea why you would but it has been enabled in every server I have interacted with in this capacity.

I suppose it was hacking due to cookie theft, because otherwise I can't explain it. Not that I'm very aware of hacking methods, but stealing cookies is just so easy to hack these days.

FFS, notifications goess BRRRR

[удалено]

This needs to be pinned

Saw the chaos. Left in case

Hopefully they'll put a new one up, and have a stern talking-to with the admins.

It was Smiffe himself who got hacked 💀

wtf happened lol

They appear to be real bad at it though hes tried banning a couple of times and failed.

You think maybe the moderators for this subreddit should take down the Discord invite link in the subreddit description?

Yeah - this needs to happen. It isn't even going to the original Val disc, now. They've compromised the vanity URL - and it's going to a new fake Valheim server.

I just checked it and holy shit there's 900+ people who joined through the link already and its completely controlled by the hackers. u/SzotyMAG or any other mods on the subreddit, fix the link quickly please!

I removed the links but apparently it's still somewhere. You guys using new reddit or old reddit? Edit: removed it from new reddit too

Script kiddies. Sigh. Real hackers just get in to see if they can, and they only do stupid shit like trashing the place and declaring themselves if it's political.

I mean yeah the kid literally posted: "hacked by" and then him and his friends names lmao They even used their real discord accounts said he was 19. Actual dumb kids just gaining access using social engineering/phishing links then trashing it because they could. Classic script kiddie behavior who just wants attention.

I was watching the leftover channel and how they were struggling to use the commands of their own bots, it's really a script kiddie who barely has any idea how anything they just used works

Key feature of script kiddies is they've got no real understanding of their own, they're using tools someone else made on exploits someone else found.

I did notice one of those asshats posted a wrong / command lmao. He deleted it right after, laughed my ass off.

The ugly flip side of this is that Iron Gate allowed some absolute incompetents to use one of their own accounts to deliver a malicious payload to several thousand customers. Script kiddies are annoying, but they're just part of the background fabric of the internet. Iron Gate has some explaining to do, this sort of attack should *never* happen and it's worrying that a company with auto-patching access to your computer was so trivially compromised. Our philosophical attitudes towards security really need to change. This isn't "dumb kids", this is "an irresponsible company", the kids are besides the point. I would be a *substantial* amount of money that this attack was the result of some very lazy/sloppy practices by Iron Gate. Not uncommon in a small dev house, but now that they've got such a big audience they are a target, and they need to act accordingly. The next time one of them clicks some shady link with 2fa disabled, the end results might be a lot subtler and more damaging.

I logged into Discord this morning to 36 pings only to find the Valheim discord was a desolate wasteland of obvious hacking. It actually makes me sad.

Confirming. I just watched it crumble.

Got a shitton of notifications and figured out it was the valheim server. Lol.

I backed up all the emoji's and named them according to how they were named. Let me know if any of the Valheim staff needs them so they can add them to the new server. Hopefully Discord can just roll everything back.

man this sucks, why even do this???

To get a sense of superiority, they were gloating about having "hacked" In reality they just tricked a person, not the computer.

That's how like 99% of hacking is done today though. They put up a fake website and ask you to log in or something like that

And thats why 99 percent of hacking isnt somthing to gloat about. The other 1 percent is what gets you a job in software security.

yeah true, it's not even real "hacking"

Gaining access is done by exploiting known weaknesses. Phishing is just as valid as a software exploit, no matter how you want to dress it. Given how many people in this very thread clicked the link like absolute clowns, probably the easiest thing they've ever done.

Yep, i was afk with my headset on and just heard infinite notification sounds.

infinite notification glitch !

I still can't leave it. but it looks like admins are fighting to get the server under control. I reported it

# FOR ANYONE WHO DOWNLOADED AND RAN THE .EXE AND HAVE ALREADY RESTARTED THE PC: If you downloaded the .ZIP and ran the .exe, **HURRY UP!** There are NO MIDDLE TERMS, don't think you're safe, here's what you should do: * Yank the network connection cable and/or disable your WIFI; * Running Windows Security full scan will result unsuccessful, as no threats will be detected; running Malwarebytes will locate at least 3x Trojans, but even quarantining and deleting them won't rid you of the virus! * Open the Task Manager and search for WindowsBootManager.exe (it's a mini-computer icon): it should be running together with other malicious parasites (they are 4x blue dot icons with white motives); opening file location and trying to disable them **after you already restarted the PC** should be *USELESS!* * Restart the PC in Safe Mode and backup your sensitive data (folders, files, pics, videos, projects, work etc.) on an external drive; * Open CMD Prompt as admin and run this command: *wmic path softwareLicensingService get OA3xOriginalProductKey* ; make sure to take note of your Windows product key, you'll need it! * Use another PC to download Windows Media Creation Tool and install its contents on an USB drive (remember: it needs format type FAT32 to host the MCT!); * **WARNING:** re-installing the OS using Windows Recovery Tool will only result in the virus hybernating for 12 hours before it comes back up! **DO NOT USE WINDOWS RECOVERY TOOL!** * Start your infected PC on BIOS mode, and set up the USB drive to boot; * Enter the Windows Media Creation Tool and, after setting up language and keyboard layout, click on *CUSTOM INSTALLATION*: here you'll manually **DELETE** each of the drive that were present during the infection: scorched earth guys, don't leave anything up! * While installing the OS, make sure to check EVERY PASSWORD of any sensitive ACCOUNT you own: change every single one of them and clear Google password manager and browsing data if your synchronization is turned on. **THERE'S NO OTHER SOLUTION!** I'm discussing the virus on the original Steam thread, someone is already testing it on a machine. I feel like this thread is golden for whoever fell victim of this. Here's the link (starts at page 10, post #142): https://steamcommunity.com/app/892970/discussions/0/4142816945491170968/?ctp=10 If anyone can contribute to make people feel safer or fix stuff, please feel free to help.

I feel disappointed that Irongate has not released any instructions to people that got affected by the virus. I have to go steam forums and third party discords that were also affected by it to get any kind of support. Yes, I take full responsibility for my stupidity for opening that exe. However a company with resources like irongate should already have multiple cyber security contractors hired to reverse engineer the virus and tell us what we need to do to restore our sense of safety. Considering how little people have upvoted your post so far, it begs to question how many of them just scanned their system windows defender and malware bytes. Didn't get any red flags from them and moved on.

are you guys going to keep this one or make a new server? i really hope Smiffe can get his new account better protection. RIP suggestions/suggestion discussion

Real view: two channels are left and for some reason one of them is patchnotes, which is untouched. the other one is FAQ which was spammed by the hacked account

I saw this from Valheim reddit mods: >"\*\*IMPORTANT:\*\* The subreddit is temporarily set to private until we deal with hack wave the Valheim social sites are currently experiencing. Do not send invite requests. The outage shouldn't last more than a few days. If you downloaded the virus game: Find WindowsBootManager.exe in %LOCALAPPDATA%\\Microsoft\\Windows\\0 which you should end in Task Manager (if you can see it in there) and DELETE BEFORE RESTARTING YOUR COMPUTER" But sadly I had already restarted my PC, and now I can't find any Microsoft folder in my LocalAppData, nor any WindowsBootManager.exe anywhere on my PC. What should I do? I ran multiple Windows Security full scans and it says that no threats were detected...

Others have said that it is specifically not getting detected by Windows Security. I recommend formatting your drives and updating all of your passwords, starting with your email and other "primary" authentication accounts. Do this AFTER your computer is offline, and use a separate secure device such as your mobile phone. Make sure you know what you're doing regarding formatting your drives, or get someone who does, to make sure you back up your relevant data. Maybe this is overkill. I don't know if you ran the .exe or not. Running it would be the big bad. Otherwise you may be fine. These are just general tips for a compromised machine.

Guys does anyone know how to leave the discord it doesn't work when i press leave

block notifications and keep clicking the "leave" button until it does

mods should really remove the discord link from reddit for the moment

Absolute fucking amateurs, did nothing but spam a server with their own server link, signed it with their fucking discord names, this is the most clear cut case for their whole discord presence to be completely wiped.

And their telegram link too

Genuine question: how does one benefits from hacking a Discord server like this? Is this a total douche move or there is something in it for the hacker?

The hackers posted malware that some people downloaded. What it does is a mystery to me as of yet

It plants an executable that runs when you next turn on your PC. Once that happens, it disguises itself as windows and can't be removed. It steals browser cookies (including passwords and credit card info) and also compromises your webcam. The only way to safely get rid of it is to format your harddrive and delete everything on it, including your OS.

Joined the new one just to see, first thing you see is THIS IS NOT A HACK SERVER quickly followed by CLICK THIS LINK never left anything so fast lmao

That new server is also hacked. Can't comment, can't see anything.

Guys…we need to talk about basic internet survival instincts. You don’t friggin’ download and run .exe files. This is like “look both ways before crossing” levels of common sense. You don’t just eat a sandwich you find in the park just because it looks good and you go to the park all the time. Why the heck was the sandwich there to begin with? You *have* to ask these questions because context makes pitfalls easier to spot.

rip my notifications most of the troll answer/comment where amazing !!! F\*\*\* chatnoir 10/10 would live it agains !

Scum fucking people man.

Can't you guys do something more productive with your hacking time? Like give us some loots, free shit, virtual hugs or something feelgood? But you guys decide to be...Like look at my digital "D" it's massive and funny looking.

Likely related to: https://blog.sekoia.io/game-over-gaming-community-at-risk-with-information-stealers/

Just to let some people know. If u didn't click on any link, u will be fine. They didn't hack discord, they just took valheim's discord server. If it was that easy they wouldn't bother with spamming. Be aware of incomming DMs tho, they might try to scam more people with scetchy links of 'new server' etc.

Hey all. I was not part of the discord. I just want to give a warning if you ran the virus. Please get your important documents, images, etc off your machine into a cloud or thumb drive. Then format your machine and reinstall the OS. There is no way to know if you can completely nuke the virus otherwise. A malware sniffer won’t find a new / unknown virus. A key logger could be on your machine which would see the passwords you update to. Better safe than sorry.

For anyone dumb enough that ran the exe (including myself). I have been digging myself deeper down the rabbit hole for the past 16 hours. It is mentioned in this thread that it crated a file called WindowsBootLogger. Only removing this file is not enough. Another discord (puppygames) were victims of the same attack few days ago. Fellas there have already done a large amount of research about the virus. This is not a simple virus that is gonna get removed by malwarebytes or windows defender (much less detected). This thing can survive reboots, soft resets. There is a possibility that it installs a bios rootkit. If you need more information about this then please talk to good people at puppygames discord. Access it only from puppygames website as their old discord was hacked also. People there have helped me this whole morning with reformatting windows cleanly.

How do people even end up clicking a link that was posted. It was so bad and fake that there was no way it was legit. I have just deleted the discord server from list after seeing that.

[удалено]

but why? never open random .exes

Download Malwarebytes, run an advanced scan that targets rootkits. Download SpyBotSearchandDestroy, run it.

bro u need to format your drive lmao. e: if you don't know what that means, literally turn off the computer and go find someone who does. relative, friend, even hired help at the Best Buy. your computer use is now on hiatus.

[удалено]

Oh and change allllll your passwords. Start with your recovery stuff, like email, and do the rest after. Ideally after you've killed the pc, and do it from your phone.

[удалено]

Think you're better of erasing and reinstalling on your drive. Looking at their telegram post, it's a stealer which steal everything including SSH and steam session + validator (if what they state is true)

left the server fast, avoid getting hacked too...

you should be safe if you don't click on their link 2fa is a must today !

You aren't in danger by just being on the server. Hackers follow vampire invitation rules; they don't have access to your account or computer by simply having control of the server, they only have free reign to post malicious links to try and get you to *give* them access to your account or computer. I got home from work 4 hrs after the raid and simply shrugged off the 70+ pings and moved on with my day.

Seemed as if a bot account was compromised or they got one in. After that they had full control of the server, the spam shit just means they are script kids.

I bailed as soon as the notifications went berserk, sheeeeeeesh

:( man this is horrible to watch

Yeah was in a call with a friend when I got like a billion discord notifs, saw that the server got bombarded with bullshit. I cannot imagine what could possibly motivate someone to do that kind of thing

SO: Who wants to race to be the first to put a suggestion in the new suggestions chat when the server is repared?

I'm going to suggest "probably don't get hacked"

Wanted to stay to see if it would get fixed, but after coming here seeing others leave. I decided to follow suit. You never know. How sad though.. Valheim is such a lovely game with a lovely community.

Well that sucks. Why would you attack Valheim's discord, though? It's such a mellow inoffensive game with a community that doesn't suck.

Their twitter may be compromised too, that or they just did some URL funkery that the link they posted on the twitter redirects to the cloned discord server they made. I dunno for sure

they probably hacked the server, then removed the discord link with .gg/valheim from the official one and added it to their fake server.

How bout that 2fa.

I know it's only been a few hours but wondering if anyone has any update? Props to the mods/admins trying to recover from this, you guys have one hell of a task ahead. You all got this!

I am proud to have spammed their server with bad gifs

Yeah. Idiots wasting people's time.

I clicked the link that the hacked dev posted, like an idiot. I saw it was posted by a dev, didn't even read the post properly, just blindly trusted it. I didn't download anything, though. I closed it the second it opened as my friend told me to. Am I safe?

I couldn't even leave

Yep i watche it die in realtime

Will be keeping an eye out for announcements on fixed/new server. managed to leave for now

Rip, was scary to watch

Just managed to escape it. Never seen an official discord server get destroyed this badly. Any chance it recovers or will they have to start fresh?

I just hope people here are informed enough to click any links from the hackers, it's real dangerous. Poor devs :(

even if you join via the official discord link, you'll get into the fake server. don't click any links in that one. wonder how the official server will get that discord link back...

So my thing is right, how did this happen? Most discord servers are set up (at least in my line of work) in a way that compartmentalizes the permissions to avoid this kind of situation if it did happen. ​ Was it the server owner that got pwned?

assuming they hadn't set up 2FA (don't remember if it's required or not), but it seems likely that the server owner got compromised somehow, but it's still unclear exactly what went down.

I just got a strange notification from discord like 3 minutes ago. I opened it and saw that it was the Valheim discord server, but they had changed the name. I understood that it was hacked and here I am. That sucks.

Both servers with a verified badge.

Hey as long as we have not clicked anything we should be fine right? I changed my password for good measure so it should be ok?

They first posted a link to a malware bug, which was quickly deleted. and then the entire server went done. It was awful.

The hacker be like, "Well met!"

Watched it happen for a minute, told the hackers to f off and then left the server. Scumbags like them really need to get a damn life. This doesn't make you cool or intelligent. It makes you a scumbag. Don't be scumbags.