[Fixed] Virus on BAA Site Alert!

Elmo Zoneball
Posts: 132
Joined: Sat Aug 22, 2009 3:31 pm
Organization: SAE
Graduation Year: 1979
Location: Bottom of Flagstaff, watching the chute, collecting samples...

[Fixed] Virus on BAA Site Alert!

Post by Elmo Zoneball »

Beware:

I just accessed the BAA site, and got a notice that said "unable to display content, click here to download necessary component" (paraphrasing) and MS Security Essentials jumped in and said it's a trojan....


It's "TrojanDownloader: Java/exdoer"

Thankfully, the Virus software caught and removed it.


more info here:

http://www.microsoft.com/security/porta ... 2147644716

DO NOT CLICK ON LINKS TO DOWNLOAD SOFTWARE FROM THE BAA SITE!
"I love the smell of solvents in the morning -- they smell like... victory."
swiftsam
Site Admin
Posts: 172
Joined: Sat Sep 13, 2008 10:33 am
Organization: Fringe
Graduation Year: 2004
Real Name: Sam Swift
Location: NYC

Re: VIRUS ON BAA SITE ALERT!

Post by swiftsam »

Thanks for the warning, I'm looking into it now. If anyone else noticed anything out of the ordinary, please post it here to help me figure out what's going on.
Elmo Zoneball
Posts: 132
Joined: Sat Aug 22, 2009 3:31 pm
Organization: SAE
Graduation Year: 1979
Location: Bottom of Flagstaff, watching the chute, collecting samples...

Re: VIRUS ON BAA SITE ALERT!

Post by Elmo Zoneball »

It appeared when I clicked on the PiKA news story.

I'm using Firefox 3.6.1.6 on XP SP3....
"I love the smell of solvents in the morning -- they smell like... victory."
CrzRsn
Posts: 8
Joined: Wed Oct 28, 2009 10:00 pm
Organization: SigNu
Graduation Year: 2012
Real Name: Mike S

Re: VIRUS ON BAA SITE ALERT!

Post by CrzRsn »

Elmo Zoneball wrote: It appeared when I clicked on the PiKA news story.
This.

Took me 2 hours of combing through regedit to clean my computer. Looks like this virus downloads a fake "Total Win 7 Security 2011" onto your computer.

Managed to bypass my antivirus. Posting from FF 4.0.1 on Windows 7.
swiftsam
Site Admin
Posts: 172
Joined: Sat Sep 13, 2008 10:33 am
Organization: Fringe
Graduation Year: 2004
Real Name: Sam Swift
Location: NYC

Re: VIRUS ON BAA SITE ALERT!

Post by swiftsam »

Thanks to those that quickly let me know that there seemed to be a problem yesterday, and I am super sorry to anyone that got something nasty from our site.

Thanks to people's feedback, I was able to find and remove malicious code and then put the server into a lock-down sort of a mode. We may have to have some down-time as I wipe and rebuild things, but pending any more trouble I think that can wait until things slow down on the site.

Don't hesitate to post here or email admin@cmubuggy.org if you notice anything else amiss.
shafeeq
Posts: 238
Joined: Tue Oct 28, 2008 6:40 pm
Organization: CIA
Graduation Year: 2000
Real Name: Shafeeq S

Re: Virus on BAA Site Alert!

Post by shafeeq »

Symantec AV is still reporting "Web Attack: Malicious ToolKit Iframe Injection 3" on http://www.cmubuggy.org

http://www.symantec.com/business/securi ... asid=24175

I'm guessing this is the first stage of tricking people into downloading the virus.
swiftsam
Site Admin
Posts: 172
Joined: Sat Sep 13, 2008 10:33 am
Organization: Fringe
Graduation Year: 2004
Real Name: Sam Swift
Location: NYC

Re: [Fixed] Virus on BAA Site Alert!

Post by swiftsam »

Ok, I thought I had it beat the first time, now I think it's kicked for real, we're back in business.

Again, I am super sorry to those who downloaded something unpleasant from the site, and I appreciate those that alerted me to the problem. If you think you may have clicked "yes" to a plugin/java/extension type of request from your browser while on cmubuggy yesterday or Thursday, you should run a virus scan.

If you're the computer/details type, it seems we had a case of the awkwardly-named "jfgjfr5jdfj.vv.cc Malware" which got in through an exploit in WordPress on a different domain on my server. I did a complete wipe of my server, reinstalled everything and carefully copied the content back on, scanning every line of code for the malicious bits. That said, let me know if you see anything funky going on.
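
Added example, not part of the thread and not the site admin's own tooling: one way to automate the "scan the content for injected bits" step described above, by flagging iframe and script tags that load from hosts outside an allowlist or that are styled to be invisible. The allowlist contents, the sample page and the host injected.example.invalid are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only hosts this site is expected to embed content from.
ALLOWED_HOSTS = {"www.cmubuggy.org", "cmubuggy.org"}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Constructed sample page: two legitimate tags, two injected ones.
SAMPLE = """<html><body>
<script src="/js/site.js"></script>
<iframe src="http://www.cmubuggy.org/gallery/embed" width="400" height="300"></iframe>
<iframe src="http://injected.example.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script src="//injected.example.invalid/loader.js"></script>
</body></html>"""


class FrameAudit(HTMLParser):
    """Collect iframe/script tags that load off-site or are hidden."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not src:
            return  # inline script with no src: out of scope for this check
        host = urlparse(src).hostname  # None for relative URLs, set for //host/x
        reasons = []
        if host and host.lower() not in ALLOWED_HOSTS:
            reasons.append("off-site host " + host.lower())
        if tag == "iframe":
            tiny = any(a.get(d, "").strip() in ("0", "1") for d in ("width", "height"))
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                reasons.append("hidden frame")
        if reasons:
            self.findings.append((self.getpos()[0], tag, src, reasons))


def audit_html(text):
    """Return a list of (line, tag, src, reasons) for suspicious tags."""
    parser = FrameAudit()
    parser.feed(text)
    parser.close()
    return parser.findings
```

This inspects HTML as served, so server-side code that builds the tag at request time only shows up when the rendered page, rather than the source file, is audited.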
Elmo Zoneball
Posts: 132
Joined: Sat Aug 22, 2009 3:31 pm
Organization: SAE
Graduation Year: 1979
Location: Bottom of Flagstaff, watching the chute, collecting samples...

Re: [Fixed] Virus on BAA Site Alert!

Post by Elmo Zoneball »

Thanks.
"I love the smell of solvents in the morning -- they smell like... victory."
janicesg
Posts: 37
Joined: Fri Oct 10, 2008 11:49 am
Organization: Fringe
2nd Organization: Sweepstakes
Graduation Year: 2001
Real Name: Janice (Golenbock) Schneekloth
Location: CT/NYC

Re: [Fixed] Virus on BAA Site Alert!

Post by janicesg »

Thanks, Sam, for all the work you do on this site, and for how quickly you got it back up and running! Good thing this didn't happen 2 weeks ago!
Janice (Golenbock) Schneekloth
BAA Chairman 2010-2012
Sweepstakes Chair 2002-2004
Fringe Driver 1998-2002
shafeeq
Posts: 238
Joined: Tue Oct 28, 2008 6:40 pm
Organization: CIA
Graduation Year: 2000
Real Name: Shafeeq S

Re: [Fixed] Virus on BAA Site Alert!

Post by shafeeq »

Thanks again, Sam, for fixing this, at a time when you have a ton of other important stuff to deal with!