Sonic and Sega Retro Message Board: UPDATE: Malware distributed through Front Page


UPDATE: Malware distributed through Front Page

#31 User is offline Guess Who 

Posted 26 July 2012 - 10:01 AM

  • It's a miracle!
  • Posts: 4258
  • Joined: 22-December 03
  • Gender:Male
  • Location:New Mexico
  • Project:lol
  • Wiki edits:2
The forums are safe. Here's the deal.

Last night it came to our attention that Google had found malware on the front page again. We confirmed that this was indeed the case and promptly took the front page down to sanitize it. As a result of Google's detection, however, any browser that uses Google's safe browsing database - including Firefox and Chrome - will report the entire site (including the forums and wiki, both of which are safe) as having malware until we get removed from that database. We also have a new list of possibly infected IP addresses that we will be posting soon.

#32 User is offline Scarred Sun 

Posted 26 July 2012 - 10:53 AM

  • Rise and shine, ya sleepy layabouts.
  • Posts: 3697
  • Joined: 06-February 05
  • Gender:Female
  • Location:SD/LA/SF
  • Project:Staying woke
  • Wiki edits:36,091
To follow up suuuuper fast:

The infection started at 10:51 p.m. Central time last night and went on until about 3 a.m. the next day.

We did the normal best practices of dealing with an issue like this last time around (security audit, clean install, etc.) but overlooked one file that allowed it to propagate again. At this point, we're fairly confident that's the source.

We have the logs of all IPs affected. The plan right now is to run those against both our forum and WordPress IP user logs to notify people.

Coffee coffee buzz buzz buzz
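The notification plan in the post above (take the IPs that hit the front page during the infection window and match them against the forum and WordPress login logs) is a simple log cross-reference. The script below is an added example, not the board's own tooling: it assumes Apache-style combined access-log lines, a CSV-like "user,ip,last-login" export from the forum or WordPress, and that the server logs in Central Daylight Time (UTC-5); every log line in it is constructed sample data.

```python
"""Cross-reference front-page visitors during the infection window with
forum / WordPress login records to find members who should be notified.

Added example. The log formats, the UTC-5 timezone and every sample line
below are assumptions constructed for illustration, not real site logs."""
import re
from datetime import datetime, timedelta, timezone

# Infection window from the thread: 10:51 p.m. Central on the 25th until
# about 3 a.m. on the 26th. Assumption: logs are stamped in CDT (UTC-5).
CDT = timezone(timedelta(hours=-5))
WINDOW_START = datetime(2012, 7, 25, 22, 51, tzinfo=CDT)
WINDOW_END = datetime(2012, 7, 26, 3, 0, tzinfo=CDT)

# Apache "combined" style access-log lines (constructed sample data; the
# addresses are documentation ranges, not real visitors).
ACCESS_LOG = """\
203.0.113.10 - - [25/Jul/2012:22:55:03 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jul/2012:20:10:00 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [26/Jul/2012:01:12:41 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [26/Jul/2012:01:12:42 -0500] "GET /forums/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.99 - - [26/Jul/2012:04:30:00 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Forum / WordPress "last login" export: user,ip,last seen (constructed).
LOGIN_LOG = """\
alice,203.0.113.10,2012-07-25 23:05:00
bob,192.0.2.44,2012-07-26 01:20:00
carol,198.51.100.7,2012-07-25 20:12:00
dave,203.0.113.99,2012-07-26 04:35:00
erin,203.0.113.10,2012-07-20 12:00:00
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Requests that render the front page, which is where the injected code ran.
FRONT_PAGE_PATHS = {"/", "/index.php"}


def parse_access_log(text):
    """Yield (ip, timestamp, path) for each well-formed access-log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the run
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts, m.group("path")


def affected_ips(access_log, start=WINDOW_START, end=WINDOW_END):
    """IPs that fetched the front page while the injected code was live."""
    return {
        ip
        for ip, ts, path in parse_access_log(access_log)
        if start <= ts <= end and path in FRONT_PAGE_PATHS
    }


def users_to_notify(access_log, login_log, start=WINDOW_START, end=WINDOW_END):
    """Members whose recorded login IP matches an affected IP.

    Matching on IP alone deliberately over-notifies: a member who used the
    same address at another time (dynamic IP, shared NAT) is still included,
    because a missed warning costs more than a spare one."""
    ips = affected_ips(access_log, start, end)
    hits = set()
    for line in login_log.splitlines():
        user, ip, _last_seen = line.split(",")
        if ip in ips:
            hits.add(user)
    return hits


if __name__ == "__main__":
    print("affected IPs:", sorted(affected_ips(ACCESS_LOG)))
    print("notify:", sorted(users_to_notify(ACCESS_LOG, LOGIN_LOG)))
```

The time filter is applied to the access log only, so visitors who loaded the forums or wiki (which the first post says were clean) are not flagged, while members outside the window are left alone.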

#33 User is offline Master Emerald 

Posted 26 July 2012 - 11:30 AM

  • Posts: 3159
  • Joined: 14-December 07
  • Gender:Male
  • Location:Rio de Janeiro - Brazil
  • Project:College
  • Wiki edits:22
How did the server get infected in the first place?

I mean was it an attack or something?

#34 User is offline SeanieB 

Posted 26 July 2012 - 12:31 PM

  • errno -1 (Not system error)
  • Posts: 436
  • Joined: 26-February 08
  • Gender:Male
  • Location:San Diego, CA
  • Project:Fixing Sonic Retro
  • Wiki edits:12
It's just people managing to crack WordPress. Unfortunately this is a relatively new attack and it hasn't been patched yet. I reinstalled WordPress to the very latest version personally last night, so my best guess is they still have some vulnerability to squash.

#35 User is offline The KKM 

Posted 26 July 2012 - 02:15 PM

  • Welcome to the nExt level
  • Posts: 2114
  • Joined: 12-February 09
  • Gender:Male
  • Location:Portugal
  • Project:Taking control of my life
  • Wiki edits:6
Posted Image

Be reasonable, Google
This post has been edited by The KKM: 26 July 2012 - 02:19 PM

#36 User is offline SeanieB 

Posted 26 July 2012 - 02:39 PM

  • errno -1 (Not system error)
  • Posts: 436
  • Joined: 26-February 08
  • Gender:Male
  • Location:San Diego, CA
  • Project:Fixing Sonic Retro
  • Wiki edits:12
Okay, so I realised that the "block" (applied by ScarredSun while I was asleep) for the homepage was done improperly, and some files were left available (not accessible unless you were looking for them). Google found all the files used in the backend for the malware, and those were left available, so I did it properly like I had done it when I found the first infection, making those files unavailable. Hopefully Google will notice they are gone soon and drop the warnings.

Basically, since Google indexes every page on a website, they're able to make a list of every infected file and keep the warning up unless all of them disappear. I made them all disappear; we're just waiting for them to realize.

#37 User is offline Jimmy Hedgehog 

Posted 26 July 2012 - 05:19 PM

  • Posts: 1695
  • Joined: 13-December 07
  • Gender:Male
  • Location:England - Slough
  • Project:RAoSTH (Sprite Comic), Sawnik (Still need a better name)
  • Wiki edits:2
Only just came up for me today and I got it again just now...that Google warning I mean. I sure hope the issue goes soon.

#38 User is offline Master Emerald 

Posted 26 July 2012 - 05:30 PM

  • Posts: 3159
  • Joined: 14-December 07
  • Gender:Male
  • Location:Rio de Janeiro - Brazil
  • Project:College
  • Wiki edits:22
According to Google, the webmasters here should ask for a review.

#39 User is offline Rika Chou 

Posted 27 July 2012 - 01:10 AM

  • Adopt
  • Posts: 5180
  • Joined: 11-January 03
  • Gender:Not Telling
  • Location:CA US
  • Wiki edits:4
Chrome finally stopped freaking out for me.

#40 User is offline SeanieB 

Posted 27 July 2012 - 01:45 AM

  • errno -1 (Not system error)
  • Posts: 436
  • Joined: 26-February 08
  • Gender:Male
  • Location:San Diego, CA
  • Project:Fixing Sonic Retro
  • Wiki edits:12
Yes, it did! We're waiting on some words from some people before we put the homepage back up.

#41 User is offline Retroman 

Posted 27 July 2012 - 01:50 AM

  • Unlike Sonic I chuckle
  • Posts: 606
  • Joined: 18-September 09
  • Gender:Male
I wonder how the site got attacked in the first place?

Wait, it didn't get attacked; malware code was found in the WordPress login. Could it be that someone hacked it and put their malware code in, or is it just a case of an infected machine?

I would guess the answer is infected machines accessing WordPress: maybe a member logged in to comment while not realizing the computer was infected by a type of malware, and the person didn't clear his cookies, and somehow the malicious software injected harmful code with the user session not logged out.
This post has been edited by Retroman: 27 July 2012 - 01:54 AM

#42 User is offline SeanieB 

Posted 27 July 2012 - 01:53 AM

  • errno -1 (Not system error)
  • Posts: 436
  • Joined: 26-February 08
  • Gender:Male
  • Location:San Diego, CA
  • Project:Fixing Sonic Retro
  • Wiki edits:12
No, it was vulnerable code somewhere in WordPress. It's a widespread problem as of right now.

#43 User is offline Crasher 

Posted 27 July 2012 - 01:56 AM

  • Why hello there!
  • Posts: 342
  • Joined: 11-April 11
  • Gender:Male
Well, it's stopped saying: LOL MALWARE. I guess that's good.

#44 User is offline SeanieB 

Posted 27 July 2012 - 02:32 AM

  • errno -1 (Not system error)
  • Posts: 436
  • Joined: 26-February 08
  • Gender:Male
  • Location:San Diego, CA
  • Project:Fixing Sonic Retro
  • Wiki edits:12
Okay, I've put a "dead man's switch" in place, where if code gets inserted (I am fairly sure at this point it's being done by bots) it will kill the front page, and no output will be sent at all. This should prevent the chance that infected code is run and will provide a fail-safe until attention can be paid.
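The post above does not say how the switch detects an insertion, so the following is an added example of one way to build such a fail-safe, not the board's actual code: record a SHA-256 manifest of the files the front page is assembled from right after a clean install, and on every request refuse to emit anything (an empty 503) if any of those files has changed, gone missing, or gained a neighbour. File names and contents here are constructed; `load_files` is a hypothetical helper for reading the real files on a server.

```python
"""Dead man's switch for a front page: serve it only while every file it is
built from still matches a known-good SHA-256 manifest; otherwise return an
empty 503 so injected code never reaches a visitor.

Added example, not the forum's own implementation. Assumes the page is built
from a small set of files whose digests were recorded after a clean install;
the sample files below are constructed."""
import hashlib
import hmac
import json
from pathlib import Path

# Constructed stand-in for a freshly installed front page.
CLEAN_FILES = {
    "index.html": b"<html><body><h1>Sonic Retro</h1></body></html>\n",
    "theme.css": b"body { background: #fff; }\n",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Record each clean file's digest. Run once after a verified clean install
    and keep the result outside the web root so a web-level compromise cannot
    simply rewrite it."""
    return {name: sha256_hex(content) for name, content in files.items()}


def tampered_files(manifest, files):
    """Names of files that are missing, changed, or not in the manifest at all."""
    bad = []
    for name, expected in manifest.items():
        content = files.get(name)
        if content is None or not hmac.compare_digest(sha256_hex(content), expected):
            bad.append(name)
    bad.extend(set(files) - set(manifest))  # unexpected additions also trip it
    return sorted(bad)


def serve_front_page(manifest, files):
    """Return (status, body). Any drift trips the switch: 503 with no body, so
    nothing injected is ever sent and crawlers do not cache a bad page."""
    if tampered_files(manifest, files):
        return 503, b""
    return 200, files["index.html"]


def load_files(root, names):
    """Hypothetical helper: read the manifest's files from disk on a real server."""
    root = Path(root)
    return {n: (root / n).read_bytes() for n in names if (root / n).exists()}


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=2))


if __name__ == "__main__":
    manifest = build_manifest(CLEAN_FILES)
    print("clean:", serve_front_page(manifest, CLEAN_FILES)[0])
    injected = dict(CLEAN_FILES)
    injected["index.html"] += b"<!-- constructed tampering for the demo -->\n"
    print("tampered:", serve_front_page(manifest, injected))
```

Regenerate the manifest only after a deliberate, reviewed change to the page; until then the switch fails closed, which is exactly the trade-off the post describes (a dark front page beats one serving injected code until someone can look).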

#45 User is offline Master Emerald 

Posted 27 July 2012 - 09:58 AM

  • Posts: 3159
  • Joined: 14-December 07
  • Gender:Male
  • Location:Rio de Janeiro - Brazil
  • Project:College
  • Wiki edits:22
Still receiving warnings through Google search.
