Malware Detected!

Well, Google Chrome says so...

whoami
MM2X Very Active User
Posts: 1370
Joined: Wed Sep 22, 2010 2:00 am
Location: Has been located.

Postby whoami » Fri Jan 04, 2013 12:41 pm

I just opened MM2X in Chrome, but it said "Malware Detected!" every time I tried to open it. Now I've opened it in a VM, but still, what happened?

e-cobra
MM2X Very Active User
Posts: 1627
Joined: Thu Jan 13, 2011 1:00 am
Location: Navi Mumbai, India

Postby e-cobra » Fri Jan 04, 2013 1:56 pm

Oh! 8O You too see this!? I took a screenshot of it to make a topic in this forum..

@Franch88, what can this be?

transdev_joe
MM2X Newbie
Posts: 41
Joined: Tue Dec 20, 2011 1:00 am

Postby transdev_joe » Fri Jan 04, 2013 5:33 pm

It happens on Firefox too, it claims that Google has a blacklist and this site is on it, even though I have never had any problems.

sajmon14
MM2X VIP Member
Posts: 5320
Joined: Wed Feb 13, 2008 1:00 am
Location: Poland

Postby sajmon14 » Fri Jan 04, 2013 5:34 pm

Appeared for me today, although it never appeared before.

aaro4130
MM2X Super Active User
Posts: 2403
Joined: Mon May 26, 2008 2:00 am
Location: Canada

Malware Warning

Postby aaro4130 » Fri Jan 04, 2013 6:46 pm

Has anyone got this on this site? I just refreshed a topic after last night and it said "MM2X IS BLOCKED, Malware has been detected", so I hit continue and it asked me if I wanted JAVA to be run. :/ Anybody else got anything like that?

WARNING : Guys, on some topics there is a white square for Java on the bottom left. Do not run this, Chrome reports it as malware.

If you guys have seen this square, but Java has run, I advise you to scan your computer.

ettieapple
MM2X Active User
Posts: 516
Joined: Sat Dec 26, 2009 1:00 am
Location: Fryslân, The Netherlands

Postby ettieapple » Fri Jan 04, 2013 7:15 pm

Same thing for me. When I clicked further, AVG said it removed a threat.
PC is still working though :wink:

Franch88
MM2X Admin
Posts: 15707
Joined: Thu May 31, 2007 2:00 am
Location: Italy

Postby Franch88 » Fri Jan 04, 2013 11:02 pm

The website just got infected again today... the last time it happened was in May of last year. So, unfortunately, it's not the first time. :|
Surely all the index pages of the server got edited. I'll look into restoring them all; fortunately there are automatic daily and weekly backups. In the next few hours everything should be fine.
Fiat 500 = Italian motorization. Franch88, MM2 eXtreme forum and website Administrator.
|Franch88's MM2 Releases|

Postby ettieapple » Sat Jan 05, 2013 12:58 am

Good to hear that. :P

Postby Franch88 » Sat Jan 05, 2013 2:49 am

It took me 2 hours to restore all the files that got infected, such as several PHP scripts of this website and all the hosted websites. Now it's all fine; what's left is to wait for Google's bots to scan this website again, find no more infections, and so remove it from the blacklist. This is going to happen tomorrow or in the next few days.

DjDecibel
MM2 eXtreme Owner
Posts: 661
Joined: Fri Aug 02, 2002 2:00 am

Postby DjDecibel » Sat Jan 05, 2013 3:30 am

I was contacted today by Google about the problem.. I checked the files but Franch had already replaced them with a backup...

So I can't see where the malware code was injected.. I just sent the removal message from the Google admin page.. I hope it will be removed tomorrow..

I think that the malware was introduced by the HQTM forum or Riva's site, because 26 of the 30 hacked pages are from those 2 sites..

I hope all is working right now..

Postby Franch88 » Sat Jan 05, 2013 4:12 am

Good that you've got advice from Google about the website infection; probably you use their services for website owners. I've been able to fix the problem, like I already did in the past with the previous infections, and so I had no important reason to send you an e-mail about what happened, also because it's possible that you would get my message days later (I know that you're busy with personal reasons and that you might not have time to spend on this website).
I restored the infected pages using the weekly backup because when I connected today I saw that the daily one had already been updated with the infected pages. So you have until the next few hours to check the infected pages present in the daily backup and see what the inserted code looks like. The infection happened between 12:10 and 12:40 GMT+1 time.
Really, the infection has affected pages a bit everywhere on both servers, and the infected files (HTML, PHP, JS types) were way more than 30.

Postby DjDecibel » Sat Jan 05, 2013 4:57 am

I checked the files... the code was inserted using a JS file which added an iframe in almost all of the files... but I can't understand how it got in.. it can be from any of the hosted sites...

I'm happy to see that it has been solved for now and I'll try to solve that situation..

Thanks a lot Franch for your work ;) ;)

Postby whoami » Sat Jan 05, 2013 6:49 am

So it's gone then? Thanks, Franch and DjDecibel!

A320_Pilot
MM2X Very Active User
Posts: 1159
Joined: Wed Jul 06, 2011 2:00 am
Location: Home

Postby A320_Pilot » Sat Jan 05, 2013 9:33 am

So let me get this straight.
By infection you mean hack or something?

That happened to many websites (Especially game ones) in the past week.

Or just some damaged script or anything...

Postby Franch88 » Sat Jan 05, 2013 11:38 pm

What happened is an infection of the pages: a malicious code of a few rows, an iframe this time, was inserted in many PHP, HTML and JavaScript files. So those kinds of files got edited. When the infected pages get loaded in a browser, through the inserted code you get connected to some websites, like the one written in the above image. I don't really know how these things are possible, but I would think that it's also because of incomplete protection given by the hoster; issues with the structure of the website and its security can't be excluded.
If possible, DjDecibel, try to do something to avoid future infections of the pages, also because restoring them manually is kind of a pain. Dunno, maybe it's possible to do the restoring automatically by using one of the two backups, but the daily one already got updated after the infection, and using the weekly one isn't recommended because it's a bit outdated.
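An added example, not part of the thread and not the site's own tooling: one way to list which PHP, HTML and JS files differ from a known-good backup and which of those gained an iframe, the kind of edit the posts above describe. The directory names, file contents and the `example.invalid` URL are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

WEB_EXTENSIONS = {".php", ".html", ".htm", ".js"}
IFRAME_RE = re.compile(rb"<\s*iframe\b", re.IGNORECASE)

def compare_to_backup(live_root, backup_root):
    """Classify each web file in live_root against the known-good backup."""
    live_root, backup_root = Path(live_root), Path(backup_root)
    report = {"gained_iframe": [], "modified": [], "not_in_backup": []}
    for live in sorted(live_root.rglob("*")):
        if not live.is_file() or live.suffix.lower() not in WEB_EXTENSIONS:
            continue
        rel = live.relative_to(live_root).as_posix()
        good = backup_root / rel
        if not good.is_file():
            report["not_in_backup"].append(rel)
            continue
        new, old = live.read_bytes(), good.read_bytes()
        if new != old:
            gained = len(IFRAME_RE.findall(new)) > len(IFRAME_RE.findall(old))
            report["gained_iframe" if gained else "modified"].append(rel)
    return report

def demo():
    """Constructed sample trees: a clean backup and a live copy with edits."""
    clean = {
        "index.php": "<?php echo 'home'; ?>\n",
        "forum/view.html": "<html><body>topic</body></html>\n",
        "js/menu.js": "function menu() {}\n",
        "embed.html": "<iframe src='/map.html'></iframe>\n",  # legitimate iframe
    }
    # Placeholder markup; example.invalid is a reserved, non-resolving name.
    inj = "<iframe src='http://example.invalid/' width=1 height=1></iframe>"
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "weekly_backup"), Path(tmp, "htdocs")
        for root in (backup, live):
            for rel, text in clean.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(text)
        (live / "index.php").write_text(clean["index.php"] + inj)
        (live / "js/menu.js").write_text(clean["js/menu.js"] + f'document.write("{inj}");')
        (live / "forum/view.html").write_text("<html><body>edited</body></html>\n")
        (live / "new.php").write_text("<?php ?>\n")
        return compare_to_backup(live, backup)

if __name__ == "__main__":
    print(demo())
```

The comparison is only as good as the backup: it has to predate the infection, which in this thread means the weekly copy rather than the already-overwritten daily one. Files that exist in the backup but are missing from the live tree are not reported.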