UPDATE: Malware distributed through Front Page

Discussion in 'Announcements' started by SeanieB, Jul 22, 2012.

  1. SeanieB

    Chief Server Monkey Administrator
    San Diego, CA
    Fixing Sonic Retro
    Quick note to those who do not check the front page:

    Malware was detected embedded in the Wordpress' code, and could have been there as far back as June 23rd.

    I found a file full of potentially infected hosts, hosted here: https://blessedra.in/files/docs/hits.html

    As far as I know it only infects Internet Explorer and Firefox users with out of date Java installed. If your IP is on that list, I urge you to check your machine.
     
  2. Chibisteven

    Member
    US
    Yes, I found it odd that Avast said malware on the network bound traffic scanner. At least I know I wasn't crazy.

    Edit: My IP is on the list, yes. But nothing is on my machine... My Anti-Virus has been very good at stopping infections before they get on my machine and do damage. It can detect while .zip files download and attempt to remove them during the download before they even get on my hard drive. It's why my Sonic 2HD demo download kept getting corrupted and unreadable.

    But I'm double-checking again to be sure.

    2nd Edit: I'd like to add that I'm checking right now and will post anything suspicious that I find. I keep all parts of Windows fully up to date. HijackThis, I see nothing odd there. Anti-Virus and Anti-Spyware check in progress.

    3rd edit: Nothing found.
     
  3. SoullessSentinel

    Member
    Grimsby, England
    Cxbx-Reloaded
    My IP is also on this list, my usual antivirus found nothing, but I am currently doing a scan with malwarebytes. Thanks for the heads up.

    Is there any information available on the nature of this malware?
     
  4. Chibisteven

    Member
    US
    Kind of curious how it got there in the first place on the front page.
     
  5. Vinchenz

    Yo! Hustle! Hustle! Member
    I was wondering why my computer picked up a virus. I haven't got one since before college...

    Regardless, Avast! cleaned it up for me, so it's not a fatal kind of virus at least.
     
  6. Shadow Fire

    Ultimate victory! Member
    The Land of Darkness
    Sonic: The Lost Land (Series), The GCN (site)
    I was wondering why NOD32 was picking up virii at this site. Glad I invested in it.
     
  7. GeneHF

    SEGA-ier than you'll potentially ever be. Site Staff
    Scenic Studiopolis
    Complete Global Conquest
    IP was on list, no hits from avast and Bytes.

    (shruuuuug)
     
  8. I have Internet Explorer, but I only ever use Chrome. Is that a problem?
     
  9. SeanieB

    Chief Server Monkey Administrator
    San Diego, CA
    Fixing Sonic Retro
    Nope, you'd have known if something had happened: you'd have gotten a broken page and Java would have popped up, and you'd have had to actually be using IE at the time.
     
  10. SeanieB

    Chief Server Monkey Administrator
    San Diego, CA
    Fixing Sonic Retro
    While I have the ability to, I thought I'd give you all an update.

    I've disinfected the home page, and we've switched Retro over to a CloudFlare setup.

    CloudFlare is basically this really fancy service that a lot of people are using these days, which claims to protect and speed up websites by bringing advantages of "the cloud" to conventional sites. Because the system they use is so simple, it's also quite a bit less susceptible to security problems than the webserver we use.

    They also actively monitor incoming connections for people doing things they shouldn't do, and challenges their ability to connect to the site.

    Being in the cloud, it geographically distributes cached content from the site, so people far away from Retro's actual server may notice an increase in speed, and it reduces Retro's bandwidth usage as well.

    It's not perfect though. You may notice occasional Cloudflare error pages, or sometimes Cloudflare goes down when the site does not. I made a whole report and everyone else weighed the options and decided to just use Cloudflare, that the potential hiccups every so often were worth the no-effort security layer.

    Some people may still not be able to reach Retro yet because we had to overhaul the DNS setup to use Cloudflare. Everyone should hopefully be caught up within a matter of hours after this post. If you know someone who's STILL stuck over 4 hours past the timestamp on this post, let me know.
     
  11. SpeedStarTMQ

    Here for The Hedgehog. Member
    UK
    Any idea on the nature of the Malware?
     
  12. SeanieB

    Chief Server Monkey Administrator
    San Diego, CA
    Fixing Sonic Retro
    I went over it in the original post, all it was was a Wordpress "0-day" exploit that tried to exploit outdated versions of Java and Adobe Reader in vulnerable Firefox and IE versions, and dropped a list of IPs it tried to infect on the server to come back and get later.
     
  13. Caniad Bach

    is a peanut Member
    AVG just blocked an "Exploit Blackhole Exploit Kit (type 2170)" from me just opening up the RSS feed o.0
     
  14. PicklePower

    Wiki Sysop
    Would someone be able to explain how it was possible to list which IP addresses were affected, and why that list was hosted outside of Retro?
     
  15. SeanieB

    Chief Server Monkey Administrator
    San Diego, CA
    Fixing Sonic Retro
    Read my post. I hosted it outside of Retro because Retro was down when the story broke.
     
  16. Chibisteven

    Member
    US
    It seems to be back again... My Anti-Virus just flashed a warning and blocked the front page. Is there a bug in the version of WordPress being used? This is unnerving.
     
  17. Overlord

    Aros gartref, diogelu'r GIG, achub bywydau Moderator
    Berkshire, England
    Learning Cymraeg
    AVG's blacklist (assuming you're using AVG) takes a few days to clear, even if the website itself is clean (which Retro now is). No need to panic.
     
  18. Chibisteven

    Member
    US
    Not using AVG. Didn't this server run on a cloud? Could it be cached copies from my ISP or something else?
     
  19. Guess Who

    It's a miracle! Oldbie
    Texas
    lol
    What software is giving you the warning?
     
  20. Chibisteven

    Member
    US
    Just happened once (around the time I posted it). Avast (Internet Explorer - Latest Version). I don't really use Java for anything when I browse the web that I'm aware of. It'd be nice to know if I need it or not, I guess.

    It probably was a fluke, as my ISP probably didn't clear its servers.