Malware detected
I know we have been having past issues with malware the past few days but per Brian's last post I thought we had a clean chit and no files were infected.
Today I got a popup saying that the website is infected with a Trojan. Anyone else had this experience today?
I've been clean since that hiccup a few days ago.
This is starting to become annoying. Brian, clean this place up.
Then don't come to this site. Brian runs this site for free, offering just as much, if not more, information than the paysites. Why don't you pay him and then tell him what to do.
You are kind of new around here to be coming on so strong. Some of us do assist Brian with financial support. The OP has a legitimate concern. Not all of us are computer engineers and want to make sure we don't end up with problems. I use Bit Defender and hope that is adequate to deal with most threats, but if not, I have a big problem, as I need my PC to get work done and it's not cheap to have someone wipe your PC for you to remove some of this nasty crap if you are attacked.
Do you not know how the internet works??
The amount Brian gets paid is directly correlated to the amount of traffic he has on his site. The larger his audience, the more he gets paid, thus, it behooves him to listen to his audience.
The poster you replied to is merely expressing a viewpoint that is shared by a growing number of people in Brian's audience.
Yeah, I'm only checking this site from my phone these days. I practice safe MGoBlog. Too many diseases out there.
iPhones and Android phones can pick up certain malware from the web, FYI. Don't get a false sense of security because of the Apple "brand" (more like cult). They're not paying extra to give you virus protection, trust me!
-Chet
Not sure if it is as much for Brian. But it's definitely an App day at work. Elaydin will be happy. Maybe he's sending the virus. (Kidding).
And more summer time spent making this place, you know, functional. Going on 6 months of off-season, and still can't go on at work? Not good for business.
Yep. As soon as I logged on, I got a notice from Avast stating that it had blocked a malicious URL.
A screen capture of the warnings. If you do this we can avoid a panic and unnecessary virus scans, just in case it's you and not the website.
I'm running PeerBlock, Norton, and a couple other security programs and I haven't had any warning or seen any attempted connection blocked. I'm running Google Chrome, btw.
serious question:
What's the deal with all these malware issues? I'm pretty technologically inclined but I know very little about malware and whatnot - I've always associated that sort of thing with shady websites based out of places where people speak with Russian accents. Is Brian (or his readers, us) being targeted specifically? Is the code he uses bad? Is there a human behind this, or is it a self-propagating virus?
The other day during the malware issue Brian wrote a paragraph-long explanation that was gobbledygook to me. So, for anyone out there who understands this stuff . . . can you answer any of my questions in non-techie speak?
Brian does not control the advertisements, which can become infected and be used to attack users. It's not anything personal, just that the website gets a lot of traffic from Google and Google dorks are everywhere.
I typed a response out on my computer, but for some reason the site thinks my post is spam and won't let me post it. But looks like yesman answered it. It had something to do with Google Ads last time.
You couldn't post a comment? Ok...
Based on Brian's post later in the thread, this has nothing to do with the ads... it's a direct site compromise.
As far as I understand it, like others have said, the issue is mostly within the dynamic ads on the site, which aren't hosted on Brian's servers, but in fact embedded from elsewhere. Also, the site, if I'm not mistaken, is built with the application Drupal. While it's a decent program in itself and probably the best to use for what he's doing, it's written in PHP, which is, alas, a hacker's best friend. A little over a year ago, a pretty big breakthrough was made in the hacker world on how to more easily compromise a PHP-based site. And while compromising PHP-based sites was far from uncommon before that point, it really has exponentially increased since then, and it's not necessarily anything to do with sloppy site maintenance.
So basically, the combination of not being able to control what malicious coding may be hiding in the ads he can't really control and the fact he runs an app that he consistently has to run security patches on means Brian most likely has to spend a great deal of time just trying to keep the site clean. I know malware sucks, but for a non-membership site with a shit ton of content, relax a little. My professional opinion as a guy who works with this nonsense for a living is that instead of whining about it, do your part by providing Brian with detailed examples if you think part of the site may be hosting malware and keep your own security software up to date.
I'm not a techie but based on what Brian says below it sounds like the malware is somehow coming from MGoBlog, not Google Ads.
He doesn't refer to Google Ads at all, rather talks about the site (MGoBlog's) code.
(Furthermore, so many sites run Google Ads.... It's really, really common. But I've only ever heard of Malware issues of this nature here on this site, leading me to believe it's likely a problem with MGo rather than Google.)
It'd be great if someone could provide a definitive answer on this. Is MGoBlog the source of the problem? Or the Google Ads that appear on MGoBlog?
I installed AdBlock on my Google Chrome, hoping this would mitigate any potential issues, but, if the source of the problem is MGoBlog and not the ads, then, AdBlock doesn't solve the problem.
Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Those kinds of injections could, theoretically, be embedded in an advertisement, run at the page level, and executed whenever a transaction happens between the client and server. It would be a really out of the way method of compromising a site, but you could hit multiple sites simultaneously without the end user knowing anything about it until it's too late. Without going into much more detail because, unless you're a computer geek, it's all French anyway, there's a hundred different ways you could compromise a weakly secured site or network with just a couple of lines of code embedded into an advertisement. The reason Brian is asking everyone to use AdBlock or a similar client is because he either suspects the vulnerability is through the ads or because the malware is being transmitted via JavaScript. AdBlock will help you protect against both of them, although that doesn't guarantee anything.
Thank you, this is a helpful clarification.
So basically if I understand you correctly.... What Brian thinks the problem is that something in the ads is altering the code of MGoBlog, which is then infecting people's computers.....yes??
So, if that's the case....and I'm running adblock...am I safe or is it still possible to get infected since the ads are essentially re-writing a portion of MGoBlog's code?
Brian needs to address this. Hopefully his silence indicates he is working on it...
I got hit by an infection and it's a nasty one... won't let you open up the task manager or internet or anything. I restarted my computer in safe mode and downloaded a scanning/quarantining software which managed to clear up everything. I think it has to do with a java applet in some way or another because java opens up on my computer and the virus is stemming from that. But then again... I don't know shit.
Looks like it is a redirecting trojan in one of the files.
If you don't have NoScript, get off this website; Mac and Linux are not immune.
Why don't I seem to be getting hit? I haven't been hit by any of these malware scares. I'm using Chrome and Windows. Just interested to find out why, and you seem technologically inclined from what I've seen and remember from other threads.
Chrome users for the most part have not been affected. I'm a Linux user so I haven't seen what the code looks like, but I would assume that it is targeting an exploit in the Firefox and IE browsers. I would be careful though, because something coded in Java or Adobe will infect you no matter what browser or OS you're using.
Yeah... why do you think that Mac and Linux users are not immune? Unless the trojan is cross-platform (it's not) it's going to affect Windows users only.
Also, just because something was written in/exploits Java, or uses an Adobe exploit, doesn't mean that Linux and Mac are also at risk by any means. It just means that if those OSes also had the exploit, they could be at risk of being compromised using that exploit, if someone wrote something specifically for their OS.
Just because something was written in Java doesn't mean it's written to compromise every OS it can. It just means it can potentially be executed on any machine that has Java also installed on it.
There is a huge, huge difference there, and trying to imply that a virus can be written in Java, and in turn infect any OS on the market, is either misleading or ignorant.
You guys take a screenshot? AVG didn't find anything; I'm using Chrome, btw.
Now I'm on my phone. Malware was identified every time I tried to load a page. It kept identifying a "rangetours.ce.ms" URL. I don't feel like continuously exposing my computer to it, so no screens.
the more likely it is to be exposed to different types of web viruses. I run Rockmelt, which is very similar to Chrome and uses some Chrome apps and gadgets. Malware, trojans, and other malicious bugs are something internet users should become used to. Just download/buy software to protect yourself from the most harmful stuff. Run regular checks and don't click suspicious links or pop-ups. Don't freak out every time this happens, just relax, because in due time it will most likely get fixed.
Our status:
- We dis-aggregated the JS to make them static, which cleared the JS.
- The iframe exploit moved to CSS, which I didn't even know was possible. It only does this every once in a while, like about once a day.
- We have the server checking the main css file constantly for the exploit and deleting it if found.
- We are still looking for the vulnerability.
#2 and #3 should mean there is a very brief window, maybe 30 seconds per day, where the site serves something bad. We are working as fast as possible to close this window and have found a couple of possibilities; nothing untoward has happened since and it's possible we are clear. I'm just as frustrated as everyone else.
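One way to implement the check described in the third point above (the server repeatedly inspecting the main CSS file for the injected iframe), as an added example that is not the site's own script; the indicator patterns, the sample stylesheet and the tampered copy are constructed here, and a real deployment would run this on a schedule and restore the file from a clean copy on a hit:

```python
import hashlib
import re

# Markup and script hooks that have no legitimate place in a stylesheet.
# Any hit is suspicious; the list is an illustrative assumption, not a complete catalogue.
INJECTION_PATTERNS = [
    re.compile(r"<\s*iframe\b", re.IGNORECASE),
    re.compile(r"<\s*script\b", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
    re.compile(r"expression\s*\(", re.IGNORECASE),   # legacy IE CSS expressions execute script
    re.compile(r"-moz-binding\s*:", re.IGNORECASE),  # legacy Firefox XBL bindings
]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def find_injections(css_text: str) -> list:
    """Return (line number, offending line) for every line matching an indicator."""
    hits = []
    for lineno, line in enumerate(css_text.splitlines(), start=1):
        if any(p.search(line) for p in INJECTION_PATTERNS):
            hits.append((lineno, line.strip()))
    return hits

def check_stylesheet(current: bytes, baseline_hash: str) -> dict:
    """Compare the served file against the known-good hash and scan it for injected markup.
    The hash catches any change; the pattern scan explains what changed."""
    hits = find_injections(current.decode("utf-8", errors="replace"))
    hash_matches = sha256_hex(current) == baseline_hash
    return {
        "hash_matches": hash_matches,
        "injections": hits,
        "clean": hash_matches and not hits,
    }

# Constructed sample: a clean stylesheet, its baseline hash, and a tampered copy
# with a hidden 1x1 iframe appended (the domain is a placeholder).
CLEAN_CSS = b"body { margin: 0; }\n.header { color: #00274c; }\n"
BASELINE = sha256_hex(CLEAN_CSS)
TAMPERED_CSS = CLEAN_CSS + (
    b'</style><iframe src="http://example.invalid/x" width="1" height="1"></iframe><style>\n'
)

if __name__ == "__main__":
    print(check_stylesheet(CLEAN_CSS, BASELINE))
    print(check_stylesheet(TAMPERED_CSS, BASELINE))
```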
from antivirus all of yesterday. Nothing today, at least as of yet. Recommend that if you don't have it, get malwarebytes. You don't need the paid version, the free version works just fine. This will take care of any bad stuff that got through.
I have NO idea what those words mean. So... uh, keep doing that thing you said. Yeah.
My free Avast antivirus tells me not to visit, so I wait until later. It's really just a minor inconvenience if your antivirus program is running.
Two different machines. At home (Win7/64 & Firefox 4.latest) got Avast warning two days ago and I simply made mgoblog an exception. Today at work (WinXP & Firefox 4.latest), Avast reports:
Object: 1546054079/loading.class
Infection: URL:Mal
Process: C:\Program Files\Java\ire6\bin\new_plugin\npip2.dll
Long-time lurker. I made this account just to report in to see if this helps.
Malware, took me all night to clean it out. Unfortunately, Internet browser and antivirus are selected by work, not by me. Second time this has happened in a month, I'm going to resort to mgoblog iPhone app only going forward.
I have had zero issues. This is nothing like the last outbreak. Doctor says it will always flare up now and then.
good free antivirus, like Avast will stop the malicious script from executing. For those that use Firefox, install the noscript addon found here:
https://addons.mozilla.org/en-US/firefox/addon/noscript/
With the addon installed, only you will decide what executes for any site you visit. If you're already infected, run Malwarebytes along with antivirus to clean your system. Malwarebytes is free, and should clean up anything you have picked up.
I use Chrome and my avast had popped up the last 2 days saying malware was detected, but today I can view the site again. Hopefully it's on the way out for everyone else too.
My Norton continues to say "blackhole toolkit-activity 15". Running IE.
i posted this last night in the last 'malware' thread - pretty sure nobody saw it - but -
>>>>>>>>>
i would have started my own thread on this but lost some of my privileges from expiring points
don't know if anyone else has been getting this today - seems like a malicious .exe is trying to load itself every time i visit mgoblog - possibly via java? i'm computer literate to a point, but don't know how to explain exactly what it's trying to do.
here is the pertinent info from my firewall log
i am using comodo firewall 3.11 in case that matters to anyone else out there
applications:
\AppData\Local\Temp\0.8495793354581269.exe
\AppData\Local\Temp\0.48823716269609074.exe
destination IPs :
192.150.16.117
92.38.233.191
64.131.75.19
>>>>>>>>>
there have been more as of this morning - and MSE detected them as a Kargany.A trojan downloader this morning - don't really know if that means anything to anyone more knowledgeable.
You need to run malwarebytes ASAP, because it looks like you have been infected. Good thing your firewall is stopping access to the internet.
Symantec on my work laptop was giving me all sorts of notifications last nite, but today my work desktop has not popped anything up at me. Maybe I should surf mgoblog on the iMac in my work area.
Damn infected ads.
Can someone post (in normal person language) things not computer engineers should or shouldn't do? I do appreciate Brian and the site, but I have no interest in becoming a script expert to view the site. I am a computer DA. I use a Mac and click Safari and read the site or use the iPhone app. If I am going to get Internet herpes from the site by using these 2 methods, can someone please just let me know? Again, I don't know how to do anything else, but click the app or safari and have little interest in workarounds.
Thanks
There are hardly any viruses for Apple products, so you're effortlessly safe.