Malware Update

Submitted by Brian on January 25th, 2011 at 1:31 PM

Yesterday people started telling me the site had been flagged by Google for hosting malware, and we found it. It appears to be a database thing not actually related to Drupal, since another site on the server running WordPress got hit at the same time, and it only places the bad code in the files intermittently—so when it was gone yesterday I thought it was gone for good. If you actually get infected it will be very obvious. Instructions on how to remove "System Tool" are all over Google, but usually the best course of action is to do a system restore.

We've locked the server down so that nothing should be able to write to the files that were problematic; unfortunately this has the secondary effect of disaggregating all the JavaScript and CSS files. That will make initial loads kind of painful, but it should also get us out of the woods until we can find a better solution.

I'm going to be monitoring this closely the rest of the day, but my body has its own malware—zing!—and I feel miserable so other than watching for iframes like a hawk I am taking a sick day.

A thousand apologies for any trouble this caused people.
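The post above describes two defensive moves: locking down write access to the web files, and watching the pages for injected iframes. As an added example (not code from the original post or from the site), here is a small Python scanner that does both mechanically. It keeps a SHA-256 manifest of a web root so that files re-modified between runs stand out even when the injection is intermittent, and it scans page sources for iframes or script tags that point at hosts outside an allowlist, for tiny or hidden iframes, and for the eval(unescape(...)) shape common to injected obfuscated JavaScript. The allowlisted hosts, the file names and the "badhost.example" sample injection are all constructed for this example.

```python
"""Added example: integrity manifest plus injection scan for a web root.

Two checks a site owner can run from cron to catch code that keeps being
re-injected: (1) a SHA-256 manifest of the web root diffed against a
known-good baseline, and (2) a pattern scan for off-site or hidden iframes,
off-site script tags and eval(unescape(...)) obfuscation. Hosts, paths and
sample contents below are constructed for the example, not from the post.
"""
import hashlib
import os
import re
import tempfile
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts or frames from (assumption).
ALLOWED_HOSTS = {"mgoblog.com", "www.mgoblog.com", "ajax.googleapis.com"}

# File types worth hashing and scanning in a Drupal/WordPress web root.
SCANNED_EXT = {".html", ".htm", ".php", ".js", ".inc", ".tpl"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I | re.S)
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
SRC_ATTR_RE = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
# 0/1 pixel dimensions or CSS hiding: an iframe the visitor is not meant to see.
HIDDEN_RE = re.compile(
    r"width\s*=\s*[\"']?0*[01]\b|height\s*=\s*[\"']?0*[01]\b"
    r"|visibility\s*:\s*hidden|display\s*:\s*none", re.I)
# Typical wrapper around injected, obfuscated JavaScript.
OBFUSCATED_RE = re.compile(r"eval\s*\(\s*(unescape|String\.fromCharCode)", re.I)


def host_of(url):
    """Hostname of an absolute URL, or None for a relative/local reference."""
    parsed = urlparse(url)
    return parsed.hostname.lower() if parsed.hostname else None


def scan_content(text, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (kind, detail) findings for one file's contents."""
    findings = []
    for tag in IFRAME_RE.findall(text):
        m = SRC_ATTR_RE.search(tag)
        host = host_of(m.group(1)) if m else None
        if host and host not in allowed_hosts:
            findings.append(("offsite_iframe", host))
        if HIDDEN_RE.search(tag):
            findings.append(("hidden_iframe", tag[:80]))
    for url in SCRIPT_SRC_RE.findall(text):
        host = host_of(url)
        if host and host not in allowed_hosts:
            findings.append(("offsite_script", host))
    if OBFUSCATED_RE.search(text):
        findings.append(("obfuscated_js", "eval(unescape/fromCharCode"))
    return findings


def build_manifest(root):
    """Map each scanned file (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCANNED_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Return (added, removed, modified) relative paths between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified


def demo():
    """Constructed walk-through: baseline a clean page, then catch a re-injection."""
    with tempfile.TemporaryDirectory() as root:
        page = os.path.join(root, "index.php")
        with open(page, "w") as fh:
            fh.write('<html><body>Go Blue<script src="/misc/drupal.js"></script></body></html>')
        baseline = build_manifest(root)
        # Simulate the intermittent injection the post describes (constructed host).
        with open(page, "a") as fh:
            fh.write('<iframe src="http://badhost.example/in.php" width="1" height="1" '
                     'style="visibility:hidden"></iframe>')
        _, _, modified = diff_manifest(baseline, build_manifest(root))
        with open(page) as fh:
            findings = scan_content(fh.read())
        return modified, findings


if __name__ == "__main__":
    print(demo())
```

Run it from cron against a stored baseline: a non-empty `modified` list on a web root nobody should be writing to is the alarm, and the findings tell you which tag to pull before Google's next crawl.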

Comments

BlockM

January 25th, 2011 at 1:42 PM

With great power comes great responsibility. I can't even imagine the insane number of emails you got in the last 24 hours. Thanks again for the hard work.

crum

January 25th, 2011 at 2:33 PM

I got this malware from another site a month or so ago and did a system restore. It removed the malware, but I started getting a ton of svchost errors, and then internet commercials from WTKA and 97.1 online started playing at all hours of the day/night. Had to leave the thing on mute. It got so bad with svchost errors the PC wouldn't stay up for more than 3 minutes, even in safe mode.

I had to rip the HD out and get a sata cable to pull the data off and load a new copy of the OS.

BlockM

January 25th, 2011 at 3:00 PM

The only way this happened is if you didn't completely wipe your hard drive. Viruses don't just lurk around in your keyboard waiting to reinfect your system. If you wiped the drive, the viruses are gone.

crum

January 25th, 2011 at 3:31 PM

Not sure what you are talking about; all I said was that after the malware attack I did a system restore and my computer's functionality deteriorated over a few weeks. It wouldn't stay up for more than a few minutes. It got so bad I had to reload the OS. Maybe you misunderstood my post.

Eyebrowse

January 25th, 2011 at 2:36 PM

I've been wandering in the desert of ESPN and (dare I say it) MLive, just attempting to eke out a little bit of pertinent information. Thanks for your diligence, Brian, and get better.

Swazi

January 25th, 2011 at 4:31 PM

I still get the attack page screen when I come here on Firefox, so I had to disable that in my options. But now it pops up saying it can't run some protocol the blog runs called, I think, htc, or htp, something like that. Weird.

WillieMaizeHayes

January 25th, 2011 at 4:32 PM

Is it just coincidence that the main site identified as the culprit by Google starts with osu (osufoyysdf.co.cc)? Or is something more sinister going on? Has cyberwar been declared on us?

M.I.Sicks

January 25th, 2011 at 4:59 PM

This same thing happened to the guy who runs a Red Wings forum called http://letsgowings.com. Some trouble with ads slipping things through the cracks. But he seemed to get control of the problem. If needed maybe you could contact him for some advice on the matter. This sucks, this is a great site.

Good Luck

Bb011

January 25th, 2011 at 5:10 PM

Would the malware affect Macs at all? I know I got on mgoblue on my friend's Mac at the time of the outbreak and was wondering if I need to inform him of anything...

Milty87

January 25th, 2011 at 7:56 PM

Not hit by the main page, but while attempting to open the MGoBoard links in new windows I got the following warning:

This page may be a forgery or imitation of another website, designed to trick users into sharing personal or financial information. Entering any personal information on this page may result in identity theft or other abuse. You can find out more about phishing here.

I assumed that it was an "old warning," so I told AVG to let me through, then got hit. I just tried again at 7:55 PM (after cleaning off my computer), and still got the same message.


M - Flightsci

January 26th, 2011 at 2:53 PM

If you managed to snag anything from the site, Malwarebytes should remove it. Download it from malwarebytes.org, update, and run a quick scan. You should be good after that.