UPDATE: Malware distributed through Front Page

Discussion in 'Announcements' started by SeanieB, Jul 22, 2012.

  1. Crasher

    Why hello there! Member
    OK, this is weird. Google Chrome decided to mark Retro as 'hosting' malware right now. This just happened right now. I have no idea why as well. Lemme restart me browser, just in case :P

    I use Avast!, which says this site has a good rating but Chrome decided to freak all out right now :l Any idea why? Does anyone else have this problem?

    Edit: Oh hey, there's this thing called Test Take 2 on the front page. No idea what it is :P Could anyone shed some light?
     
  2. Guess Who

    It's a miracle! Oldbie
    Texas
    Long story short, it seems we may have been compromised again and are looking into the issue.
     
  3. JaxTH

    Pudding Deity Oldbie
    Los Angeles
    I'm kinda glad I'm using the shitty PS3 browser during these times. :v:

    I was using Firefox 12 before my computer went to shit last month, by the way.
     
  4. FeliciaVal

    Member
    I'm using Firefox and the same thing just happened: I open the page and Firefox blocks it as suspicious. I open the report page and it says there is nothing wrong with the site, yet it still blocks it. My antivirus is Avast.

    EDIT: forgot to mention that I wasn't checking the front page (sonicretro.org), but I have the forum bookmarked and clicked it, so basically I got the block when entering the forum.
     
  5. Ell678

    Am I Annoying You? Member
    Barrow, England
    I'm getting Firefox warnings among the forums. Antivirus is AVG.
     
  6. Dark Sonic

    Member
    Using Google Chrome. Only reason I choose not to care about said malware is because I'm using a temporary loaner computer from the school while mine is being fixed, so I don't care what the hell I do to this thing.
     
  7. dsrb

    Member
    Antivirus programs have nothing to do with it. I'm running Firefox on OS X with no AV (lol mac) and got this warning:
    [image]
    …and eventually a link to this site:
    http://www.stopbadware.org/firefox?hl=en-US&url=http%3A%2F%2Fforums.sonicretro.org%2F
    So, this feature is intrinsic to Firefox, regardless of whether one has an AV and of its identity.
     
  8. dsrb

    Member
    Oh yeah, I got that too. I honestly can't remember the order in which, and exactly how, I got to each page – but I got them both.
     
  9. Dr. Mecha

    Member
    Dallas, TX
    Seems that the malware has infected the forums as well.
     
  10. Guess Who

    It's a miracle! Oldbie
    Texas
    The forums are safe. Here's the deal.

    Last night it came to our attention that Google had found malware on the front page again. We confirmed that this was indeed the case and promptly took the front page down to sanitize it. As a result of Google's detection, however, any browser that uses Google's Safe Browsing database - including Firefox and Chrome - will report the entire site (including the forums and wiki, both of which are safe) as having malware until we get removed from that database. We also have a new list of possibly infected IP addresses that we will be posting soon.
     
  11. Scarred Sun

    Be who you needed when you were younger Administrator
    Tower 8
    To follow up suuuuper fast:

    The infection started at 10:51 p.m. Central time last night and went on until about 3 a.m. the next day.

    We did the normal best practices of dealing with an issue like this last time around (security audit, clean install, etc.) but overlooked one file that allowed it to propagate again. At this point, we're fairly confident that's the source.

    We have the logs of all IPs affected. The plan right now is to run those against both our forum and WordPress IP user logs to notify people.

    Coffee coffee buzz buzz buzz
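
    The notification plan in the post above (run the IPs seen during the infection window against the forum and WordPress IP user logs) is the kind of thing that is easy to get wrong at 3 a.m. The script below is an added example written for this page, not code from the Sonic Retro admins. It assumes Apache "combined" access logs, assumes the window ran from 10:51 p.m. Central on 2012-07-21 to 3:00 a.m. on 2012-07-22 (the calendar dates are inferred from the thread date and Central Daylight Time is taken as UTC-5; neither is stated in the thread), assumes only the front-page paths `/` and `/index.php` served the payload, and uses constructed log lines and a constructed user-to-IP table rather than real data.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed infection window: 10:51 p.m. Central on 2012-07-21 to 3:00 a.m. on
# 2012-07-22. Dates are inferred from the thread date and Central Daylight
# Time (UTC-5) is assumed for July; both are assumptions for this example.
CDT = timezone(timedelta(hours=-5))
WINDOW_START = datetime(2012, 7, 21, 22, 51, tzinfo=CDT)
WINDOW_END = datetime(2012, 7, 22, 3, 0, tzinfo=CDT)

# The thread says only the front page was infected (forums and wiki were
# clean), so only hits on these paths count. The path list is an assumption.
FRONT_PAGE_PATHS = {"/", "/index.php"}

# Apache "combined" log format; named groups are used below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed access-log lines for the example; not real server logs.
ACCESS_LOG = """\
203.0.113.7 - - [21/Jul/2012:22:55:12 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Jul/2012:20:10:01 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.8 - - [22/Jul/2012:01:30:44 -0500] "GET /forums/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Jul/2012:02:59:59 -0500] "GET /index.php?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Jul/2012:03:00:01 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is not a log entry
"""

# Constructed user -> IP records standing in for the forum/WordPress "IP user
# logs" the post mentions; purely illustrative.
USER_IP_LOG = {
    "alice": {"203.0.113.7"},
    "bob": {"198.51.100.9", "203.0.113.9"},
    "carol": {"203.0.113.8"},
}


def parse_line(line):
    """Return (ip, timestamp, path, status) for a combined-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop the query string
    return m.group("ip"), ts, path, int(m.group("status"))


def affected_ips(log_text, start=WINDOW_START, end=WINDOW_END, paths=FRONT_PAGE_PATHS):
    """IPs that successfully fetched a front-page path inside the window."""
    ips = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, status = parsed
        # Aware datetimes compare correctly even if the log's UTC offset
        # differs from the one used for the window.
        if status == 200 and path in paths and start <= ts <= end:
            ips.add(ip)
    return ips


def match_users(ips, user_ip_log=USER_IP_LOG):
    """Map each user whose recorded IPs overlap the affected set to those IPs."""
    matches = {}
    for user, known in user_ip_log.items():
        overlap = known & ips
        if overlap:
            matches[user] = overlap
    return matches


if __name__ == "__main__":
    hit = affected_ips(ACCESS_LOG)
    for user, addrs in sorted(match_users(hit).items()):
        print(f"notify {user}: {', '.join(sorted(addrs))}")
```

    Two caveats a practitioner would want before sending notices: an IP is not a person (NAT, shared campus networks and dynamic addressing all produce both false positives and misses), and the window edges matter, so it is safer to widen the window slightly and over-notify than to trust the first and last timestamps you happened to spot in the log.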
     
  12. How did the server get infected in the first place?

    I mean was it an attack or something?
     
  13. SeanieB

    Chief Server Monkey Administrator
    San Diego, CA
    It's just people managing to crack WordPress. Unfortunately this is a relatively new attack and it hasn't been patched yet. I reinstalled WordPress to the very latest version personally last night, so my best guess is they still have some vulnerability to squash.
     
  14. The KKM

    Welcome to the nExt level Member
    Portugal
    [image]

    Be reasonable, Google
     
  15. SeanieB

    Chief Server Monkey Administrator
    San Diego, CA
    Okay, so I realised that the "block" (applied by ScarredSun while I was asleep) for the homepage was done improperly, and some files were left available (not accessible unless you were looking for them). Google found all the files used in the backend for the malware, and those were left available, so I did it properly, like I had done it when I found the first infection, making those files unavailable. Hopefully Google will notice they are gone soon and drop the warnings.

    Basically, since Google indexes every page on a website, they're able to make a list of every infected file and keep the warning up unless all of them disappear. I made them all disappear, we're just waiting for them to realize.
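
    The lesson in the two SeanieB posts above is that a clean install can still miss a single leftover file, and that a crawler will keep the warning up until every one of them is gone. The script below is an added example for this page, not the admins' own tooling. It triages a WordPress web root two ways: files whose modification time falls inside the infection window (the same assumed 2012-07-21 22:51 to 2012-07-22 03:00 Central window as above, with CDT taken as UTC-5) and PHP files containing obfuscation patterns common in injected PHP (`eval(base64_decode(...))` and similar). The marker list is a general assumption, not something the thread identifies, and the web root it scans is a constructed temporary directory, not the real site.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumed infection window (same assumption as the IP cross-reference above).
CDT = timezone(timedelta(hours=-5))
WINDOW_START = datetime(2012, 7, 21, 22, 51, tzinfo=CDT)
WINDOW_END = datetime(2012, 7, 22, 3, 0, tzinfo=CDT)

# Obfuscation patterns frequently seen in injected PHP. This is a generic
# assumption for the example; the thread does not describe the payload.
MARKERS = re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def files_modified_in_window(root, start=WINDOW_START, end=WINDOW_END):
    """Relative paths of regular files whose mtime lies inside [start, end]."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if start <= mtime <= end:
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def files_with_markers(root):
    """Relative paths of PHP files that match the obfuscation markers."""
    root = Path(root)
    hits = []
    for path in root.rglob("*.php"):
        if path.is_file() and MARKERS.search(path.read_bytes()):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_webroot():
    """Constructed web root for the example (not the real site); returns its path.

    Each entry is (content, mtime). Only two files fall inside the window, and
    only one of those carries an obfuscation marker; the others are decoys.
    """
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    files = {
        "index.php": (b"<?php require 'wp-blog-header.php';\n",
                      datetime(2012, 6, 1, tzinfo=CDT)),
        "wp-content/uploads/cache.php": (b"<?php eval(base64_decode('...'));\n",
                                         datetime(2012, 7, 21, 23, 5, tzinfo=CDT)),
        "wp-content/themes/retro/footer.php": (b"<?php wp_footer(); ?>\n",
                                               datetime(2012, 7, 22, 1, 12, tzinfo=CDT)),
        "wp-includes/old.php": (b"<?php // stale helper\n",
                                datetime(2012, 7, 10, tzinfo=CDT)),
    }
    for rel, (content, when) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.utime(p, (when.timestamp(), when.timestamp()))
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    print("modified in window:", files_modified_in_window(root))
    print("obfuscation markers:", files_with_markers(root))
```

    The two lists deliberately do not coincide: a theme file touched during the window with clean contents still deserves a look (it may be the hook that re-creates the dropper), and a marker hit outside the window is how the "one overlooked file" from an earlier cleanup shows up. Modification times can be forged, so the marker scan is the stronger signal of the two; treat mtime as a hint, not proof.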
     
  16. Jimmy Hedgehog

    Member
    England - Slough
    Only just came up for me today and I got it again just now...that Google warning I mean. I sure hope the issue goes soon.
     
  17. Rika Chou

    Tech Member
    Chrome finally stopped freaking out for me.
     
  18. SeanieB

    Chief Server Monkey Administrator
    San Diego, CA
    Yes, it did! We're waiting on some words from some people before we put the homepage back up.