Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Megamek Hackers/Malware Warning
#1
When I typed a google search for Megamek, there's a warning which says 'This Site May Be Hacked'.  When i checked what this actually means, it warns that the site may have been hacked to redirect people to other unsecure sites, or download malware (I did go on the site anyway 'cos I want to play and so took a risk!  I did an anti-malware search after and it did indeed bring up 14 seperate malware threats).

The warning recommends people steer clear of the site until the issue is fixed.  Does anyone know about this? 
Reply
#2
This happened back in March.  From what I've seen, it was just spam URLs that got injected onto the website.  These have been removed for a while now, but we haven't yet gotten the "your site has been hacked" status removed from Google.  You also don't download files from our website: all of the files are hosted on SourceForge, which wasn't compromised.  Plus, the files you download for Megamek aren't executables: they're archives and jar files, so you don't need to actually execute the files.
Reply
#3
You are wise, grasshopper.

Many salutations
Reply
#4
As of Sunday 19 July 2015, I still see the spam links active.

http://megamek.info/ with javascript disabled (NoScript active)

If you mouse-over them, the same link as the line under the Home, About... tabs shows.


Attached Files Thumbnail(s)
   
Reply
#5
Thanks for the heads up, this should be taken care of now.
Reply
#6
Looks like there's residual spam junk on the Google results still. I believe you can use a Google Webmaster Tools account for taking care of this, as I'm not seeing equivalent references in the page source & Sucuri is reporting clean.


Attached Files Thumbnail(s)
   
Reply
#7
Yea, I see that with a search now.  I didn't see that when I searched before...
Reply
#8
The funny thing is that the link takes you to the forums (these forums) so just the name is wrong.
Reply
#9
(07-21-2015, 10:52 PM)SpcWest link Wrote:Looks like there's residual spam junk on the Google results still. I believe you can use a Google Webmaster Tools account for taking care of this, as I'm not seeing equivalent references in the page source & Sucuri is reporting clean.

After spending some time on this, I again cannot find any issues with our page (ie, I'm pretty confident it's clean).  The links you're referring to are the Google generated site links.  We don't have a whole lot of control over those links; they are generated by Google when the website is crawled.  I have requested that our website get re-indexed but it's not clear how long that will take.

It also looks like the "your site may have been hacked" message is gone.
Reply
#10
Looks like the problem is back, i just googled megamek and got this "this site may be hacked" and the "Viagra overnight" thing on the google result :
[Image: EcfxRrMs.jpg]
Reply
#11
Ugh.
This code is embedded in the main megamek.info webpage:
<blockquote style="left: -2578px; position: absolute; color: navy; width: 191px; font-weight: lighter; font-size: 10px; display: block; top: -2323px;">
<a href="http://okay.ro/blog/?view&topic=iskysoft-itube-studio-2-mac">cheap iskysoft itube 2 mac military discount</a>
<a href="http://okay.ro/blog/?view&topic=filemaker-pro-11-advanced-mac">pro advanced mac</a>
</blockquote>
<b style="display: block; left: -3657px; font-family: Arial Black; font-size: 10px; color: blue; font-style: italic; top: -2158px; font-weight: 500; position: absolute; width: 163px;">
<a href="http://www.imaginanet.com/min/build.php?prices=intuit-turbotax-home-business-2012">intuit turbotax home business 2012 on sale</a>
<a href="http://www.imaginanet.com/min/build.php?prices=adobe-illustrator-cs4">adobe illustrator</a>
</b>
Reply
#12
I wonder why always viagra....
Reply
#13
Full disclosure, I'm not a drupal expert, I've focused most of my time to Wordpress development.

BUT the two share a lot of common traits... so I'm hoping my experiences with WP clients being hacked can help.

It sounds like the hacker injected code into your index or footer files. If it's anything like what I've seen in the past, it's hidden in an eval() function and base64 encoded, possibly even backwards.

To be completely sure you are "clean" of any infection you should probably delete the back-end file structure completely and restore the whole thing from clean files. (A backup of your drupal core files, themes, plugins, etc from before the hack.) While you can solve the problem without resorting to this, it's definitely the easiest route.

Update absolutely everything immediately. Especially if you were to use a "clean" file install as your solution. But even beyond that, everything needs to be up-to-date. If you don't update everything, doing the work to clean the file structure isn't worth it. Because the same exploit will be run again.

Check the index and template files for quirky code, especially for eval functions.

Maybe try using Security Review (if you're not already).

Good luck guys, this stuff is a huge PitA.
Reply
#14
We know what to do, mostly it's a matter of finding the time to get it done now.  Thanks for the advice.
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)