Malware Warning, Terraria Topic, Pg 33

Started by Chaos, February 27, 2012, 08:13:27 PM

Chaos

When I visit the last page of the Terraria topic, page 33, I am receiving a malware warning from my anti-virus.  Information is as follows:

Trojan program HEUR:Trojan.Script.Generic

http://start-massage.ru/upday/index.php//index

According to Adblock Plus's ability to block elements of the page, it is, allegedly, an 'image'.  It appears to be attempting to run a script, however.



I am unsure what is calling this script/image; I'm still investigating.

Additionally, I would recommend a mod look into it on their end, and anyone who recently viewed the Terraria topic, page 33, or a page that 11clock, Matty_Richo, and/or Crozier has posted in, to run a precautionary virus/malware scan.  Malwarebytes is a nice free program for removing malware.

EDIT:  Found it.  It's in some way attached to 11clock.  I've blocked it loading with Adblock Plus and started hopping around the forum, and it comes up on the list on any topic 11clock has posted in, and even when I view his profile page.  I am not sure what aspect of him is calling it, whether it is in his signature or avatar or what, but I recommend Meiun or possibly another mod look into it and deal with it.

Double EDIT:  Matty_Richo is setting it off as well.

Triple EDIT:  As is Crozier.

ARTgames

This may be related:
Quote from: ARTgames on February 15, 2012, 03:52:11 PM
also btw: RayRay your avatar is setting off google chrome's website no trust filter. May want to look into that. 

I looked them both up and it seems like both their avatars come from http://[forbiddensite]/ . My best guess is something bad happened there and now they're blacklisted by many other things. BTW the website has been down for a while.

Scotty

That's Matty_Richo's site for image hosting.  I'd advise him to look into it. 

EDIT:  It's definitely coming from Matty's image hosting site.  Luckily though, it's just 404'ing when it tries to redirect to the site in question, so hopefully it's just the domain name http request that's setting off a false positive with your anti-virus:



I'd still recommend an Admin go through and get rid of all the iliveinavillage links since it's not exactly going to attract community members when it's redirecting, and Matty is posing a potential threat should the 404's decide to correct themselves in the future.  Or someone with SQL access can run the following two commands to clean it up nice and quick:

UPDATE
  `smf_members`
SET
  `avatar` = ''
WHERE
  `avatar` LIKE 'http://www.[forbiddensite]/%'
;


UPDATE
  `smf_members`
SET
  `signature` = ''
WHERE
  `signature` LIKE '%[forbiddensite]%'
;

Meiun

Should be all taken care of. I've also notified the individuals who were using it to please choose a different host in the future.

RayRay

I seriously do not know why that website went wrong. I still have all of my maps in Forum Adventures. I have posted like 100 images from that host. If they are all infected now, I guess I'll give a warning to anyone who wants to read that topic.

Scotty

Quote from: RayRay on February 27, 2012, 10:13:46 PM
I seriously do not know why that website went wrong.

I'd imagine it was some very simple security flaw dealing with file uploads.  All it would have taken was a file upload when the content is not properly sanitized and blamo, now he has a permanent 3xx redirection status code, regardless of the URL so long as it points to the domain.

Matty_Richo

Sorry about that, just saw this topic now. I've been having this problem with a few of my websites recently, I spoke to my web host (dreamhost) and apparently a number of people with them are having similar issues.
All should be fixed now, [forbiddensite] has sadly had to be cleared of most of its images but I'm working on setting it back up, hopefully with a much better system than last time, so if it was hidden in an image then hopefully that won't be too much of a risk.

Scotty

Quote from: Matty_Richo on February 28, 2012, 02:02:06 AM
Sorry about that, just saw this topic now. I've been having this problem with a few of my websites recently, I spoke to my web host (dreamhost) and apparently a number of people with them are having similar issues.
All should be fixed now, [forbiddensite] has sadly had to be cleared of most of its images but I'm working on setting it back up, hopefully with a much better system than last time, so if it was hidden in an image then hopefully that won't be too much of a risk.

You do realize your avatar image is still trying to redirect, and now it's even hit Chrome's malware blacklist.  I would suggest changing your avatar to nothing until you figure out how to remove the redirects.

Matty_Richo

Quote from: Scotty on February 28, 2012, 08:47:17 AM
Quote from: Matty_Richo on February 28, 2012, 02:02:06 AM
Sorry about that, just saw this topic now. I've been having this problem with a few of my websites recently, I spoke to my web host (dreamhost) and apparently a number of people with them are having similar issues.
All should be fixed now, [forbiddensite] has sadly had to be cleared of most of its images but I'm working on setting it back up, hopefully with a much better system than last time, so if it was hidden in an image then hopefully that won't be too much of a risk.

You do realize your avatar image is still trying to redirect, and now it's even hit Chrome's malware blacklist.  I would suggest changing your avatar to nothing until you figure out how to remove the redirects.

Thanks for pointing that out. I've spoken once again to my host who have said they are taking the necessary steps to ensure that any malware contained on my webserver is gone. So it should hopefully be all cleared up in no time.

Scotty

Quote from: Matty_Richo on February 28, 2012, 08:48:39 PM
Quote from: Scotty on February 28, 2012, 08:47:17 AM
Quote from: Matty_Richo on February 28, 2012, 02:02:06 AM
Sorry about that, just saw this topic now. I've been having this problem with a few of my websites recently, I spoke to my web host (dreamhost) and apparently a number of people with them are having similar issues.
All should be fixed now, [forbiddensite] has sadly had to be cleared of most of its images but I'm working on setting it back up, hopefully with a much better system than last time, so if it was hidden in an image then hopefully that won't be too much of a risk.

You do realize your avatar image is still trying to redirect, and now it's even hit Chrome's malware blacklist.  I would suggest changing your avatar to nothing until you figure out how to remove the redirects.

Thanks for pointing that out. I've spoken once again to my host who have said they are taking the necessary steps to ensure that any malware contained on my webserver is gone. So it should hopefully be all cleared up in no time.

It looks like there's a mod_rewrite going on with the apache configuration.  If you want to help out, check your .htaccess files.  If you have SSH access, that'll probably be easiest to check.  Start at the DocumentRoot level and move your way up.  Go through each subdirectory's .htaccess file and look for rewrite rules.  If you have SSH access, try running the following commands from your initial home directory so that it covers everything:

find . -name '.ht*' -exec grep start-massage {} /dev/null \;
(I can't remember if you need to escape the period, try both, one verbatim from above, and another with -name \.ht*)

If that doesn't come up with anything, go with a blanket check without filtering it to just .htaccess files:

find -type f -exec grep start-massage {} /dev/null \;

That'll tell you any files that include a string matching "start-massage" in it, which matches what's in the URL.  From there you can go through and remove the rewrites.

If you find anything, feel free to post up the contents of the file and I can help you trim out the rewrites.  Simply take the file path, and run the command:

cat /path/to/file.extension

Then copy and paste here or send it to me in a PM.
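As an added example (not from the thread): the sweep described above, as a small POSIX shell script that lists every RewriteRule/RewriteCond line in any .ht* file under a web root that points at a host other than the site's own. It builds its own sample tree in a temp directory, using the placeholder domains example-host.invalid and malicious-host.invalid, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original thread. Scans a directory tree for
# mod_rewrite rules in .ht* files that redirect to an external host.
set -eu

# Print "path:line:text" for each RewriteRule/RewriteCond line under $1
# that contains an absolute http(s) URL whose host is not $2 (own host).
find_external_rewrites() {
  root=$1
  own_host=$2
  # Quote the glob so the shell does not expand .ht* before find sees it.
  find "$root" -name '.ht*' -type f \
       -exec grep -Hn -E '^[[:space:]]*Rewrite(Rule|Cond)' {} + 2>/dev/null \
    | grep -E 'https?://' \
    | grep -v -F "://$own_host" || true
}

# Number of suspicious lines found (handy for a cron/alert threshold).
count_external_rewrites() {
  find_external_rewrites "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample tree: a legitimate root .htaccess that redirects within
# the site's own host, and a nested .htaccess with an injected catch-all
# redirect to a placeholder external domain.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/images/thumbs"
  cat > "$dir/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example-host\.invalid$
RewriteRule ^old/(.*)$ http://example-host.invalid/new/$1 [R=301,L]
EOF
  cat > "$dir/images/thumbs/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} .*
RewriteRule .* http://malicious-host.invalid/redirect.php [R=302,L]
EOF
  printf '%s\n' "$dir"
}
```

Run `find_external_rewrites /path/to/docroot your.domain` on a real tree; the only hit on the sample tree is the injected rule in images/thumbs/.htaccess.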

Matty_Richo

Okay, everything should be fine now. Those using Chrome may have to clear their cache as cached versions of the website may still be interfering.
As far as I can tell there are no problems for people using Firefox, though anyone who tries to access the website via Google will get a malware warning simply because they are yet to do an updated review but that should be done within 24 hours.
I have totally redesigned the website as well with a much nicer interface and one that is potentially less open to exploits.

Scotty

Quote from: Matty_Richo on February 29, 2012, 06:46:45 AM
Okay, everything should be fine now. Those using Chrome may have to clear their cache as cached versions of the website may still be interfering.
As far as I can tell there are no problems for people using Firefox, though anyone who tries to access the website via Google will get a malware warning simply because they are yet to do an updated review but that should be done within 24 hours.
I have totally redesigned the website as well with a much nicer interface and one that is potentially less open to exploits.

Judging by your PM, there aren't any files that are the culprit, just traces of its occurrence in the logs at this point.  My guess is that by the time you ran it, your provider already cleaned it up. 

RayRay

Reusing this topic. Crozier's avatar is still triggering a Chrome alert.

crozier

Sorry, kinda didn't read this topic a month ago.
My avi has been switched out, so don't worry.
Hope nothing bad came out of this dilemma.

sayers6

Iliveinavillage is no longer tripping chrome's security, just so you guys know.