What the heck is happening over at Hamster Republic's site?

Talk about things that are not making games here. But you should also make games!

Moderators: Bob the Hamster, marionline, SDHawk

jcenterprises
Slime Knight
Posts: 132
Joined: Sun Aug 21, 2011 7:30 pm


Post by jcenterprises »

Whenever I try to go to the Hamster Republic home page, instead of getting Bob waving at the front page, I get a message saying I could have a virus. Did Hamster Republic get hacked? I used an old bookmark to link to it and it never did this before this week.
RMSephy
Metal Slime
Posts: 356
Joined: Mon Dec 21, 2009 5:56 pm

Post by RMSephy »

You know, I've been getting a "malicious software" warning lately when I try to access hamsterrepublic.com at work. Might be related?
Master K
King Slime
Posts: 1899
Joined: Sat Jun 11, 2011 9:40 pm
Location: A windswept rock in the Atlantic Ocean

Post by Master K »

Bob got sick with the flu, and he's warning you that he doesn't want to spread it. That's all.
Gizmog
Metal King Slime
Posts: 2615
Joined: Tue Feb 19, 2008 5:41 am

Post by Gizmog »

I've been getting anti-virus warnings when I run OHR games or custom for a while now too. I assumed my scanner was being paranoid but now I'm not so sure. Has anyone looked into this?
Bob the Hamster
Liquid Metal King Slime
Posts: 7460
Joined: Tue Oct 16, 2007 2:34 pm
Location: Hamster Republic (Ontario Enclave)

Post by Bob the Hamster »

It seems okay to me, but I will double-check. If you could post the exact text or even a screenshot of any virus warnings you see, that would be a big help
jcenterprises
Slime Knight
Posts: 132
Joined: Sun Aug 21, 2011 7:30 pm

Post by jcenterprises »

Did you try http://hamsterrepublic.com instead of www.hamsterrepublic.com? I got the message from the bookmark that didn't have the www part. Also, all I can remember about the message is that it seems to show some progress meter like it's checking or downloading something, and after closing it out, I checked my history later and it showed two extra sites, one that seems to redirect to this message (kinda looked like it had a Google+ logo), and the message's site itself: security-storage.info

Anyone recognize that site in their history?
Bob the Hamster
Liquid Metal King Slime
Posts: 7460
Joined: Tue Oct 16, 2007 2:34 pm
Location: Hamster Republic (Ontario Enclave)

Post by Bob the Hamster »

Now that is strange. security-storage.info is a box storage place in Ithaca, New York, not an antivirus provider.

What antivirus program are you using? Is it up-to-date?

Have you seen messages like the one you saw on hamsterrepublic.com on any other sites?

I am currently downloading a full backup of the hamsterrepublic site so I can run a virus scanner on it, just to make sure nothing is infected.
Last edited by Bob the Hamster on Tue Mar 13, 2012 2:53 am, edited 1 time in total.
jcenterprises
Slime Knight
Posts: 132
Joined: Sun Aug 21, 2011 7:30 pm

Post by jcenterprises »

I actually first encountered this message last week, I used Microsoft Security Essentials after closing it, updated it, and did a full scan and found some malware in windows.old. I figured that might be it, so after deleting it, I figured I would be safe. I then deleted most of windows.old and waited until today to update MSE and then did another full scan to be safe. After finding nothing, I figured it was safe to go to Hamster Republic, but then I got the virus message again.

I haven't seen this message on any other site, although I haven't visited that many sites since first seeing it, and other users seem to be getting it while visiting Hamster Republic too. I got the message twice, both times after clicking on the Hamster Republic homepage bookmark.

I tried to re-visit the site to get the message to appear so I could take a picture, but it showed the normal page instead. It acted normal both times after I got the message. Maybe it only activates if it hasn't already been triggered a certain number of times for a certain amount of time.
Bob the Hamster
Liquid Metal King Slime
Posts: 7460
Joined: Tue Oct 16, 2007 2:34 pm
Location: Hamster Republic (Ontario Enclave)

Post by Bob the Hamster »

jcenterprises wrote: Maybe it only activates if it hasn't already been triggered a certain number of times for a certain amount of time.

Ooh! I think you are exactly correct! I just examined the source code of my index.php and noticed that it has some crazy obfuscated code inserted at the beginning. Thank you so much for finding this!

Now I have to get to work at cleaning it up :(

EDIT: looks like I was a victim of this: https://threatpost.com/en_us/blogs/site ... cktabs_2=0

I carelessly ignored dreamhost's warnings about changing my ftp password, because I only ever connect with ssh public keys, and I mistakenly assumed that I did not even have a password. Apparently I assumed wrong :(

Fortunately the damage looks pretty easy to clean up. Somebody went in there with a script and inserted some obfuscated malware at the top of every PHP file, and that only activates for random visitors, not everybody.

It looks like the ohrrpgce downloads are all untouched. I compared all the stable releases to my backups and they are unchanged. The nightlies are re-uploaded, well, nightly, so they are okay :)

I think Giz's warnings are probably false-positives that are unrelated to this website problem, but I would still love to see screenshots or full-text of the warnings, because PARANOID is the safest way for me to be :)

EDIT2: I have a theory on why Giz's antivirus might have flagged the OHRRPGCE. Starting with Windows 7 (or maybe it was Windows Vista?) Windows keeps track of the site that you downloaded a zip file from. An antivirus program could easily check that data to see if the site it was downloaded from has any known problems. Now that I have cleaned up the problems, it will probably take a few weeks to a few months before all antivirus vendors that check for that sort of thing re-check hamsterrepublic.com, but then it should be okay.

Of course I could be wrong about that guess, and it might be a false-positive for some other reason. I know for a while ZoneAlarm Pro was incorrectly identifying the OHR as a keylogger trojan because gfx_directx used to do keyboard handling in a way that is similar to how a keylogger might do it.
Last edited by Bob the Hamster on Tue Mar 13, 2012 3:15 pm, edited 2 times in total.
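Bob's cleanup above boils down to two checks: find every PHP file that has an obfuscated preamble prepended to it, and confirm that the release downloads match a known-good backup. Because the injected code only fires for some visitors, crawling the live site is not a reliable way to find it; scanning the files on disk is. The script below is an added example written for this page, not Bob's own cleanup script or any OHRRPGCE project code. The signature patterns are assumed common obfuscation idioms (eval of base64_decode/gzinflate, the preg_replace /e modifier, long hex-escaped strings), not the exact payload from the thread, and the sample web root and backup it builds are constructed inline.

```python
"""Scan a PHP web root for injected obfuscated preambles and verify the
live tree against a clean backup (added example with constructed data)."""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Assumed heuristics for injected PHP droppers. These are generic idioms,
# not the specific code that was inserted on hamsterrepublic.com.
INJECTION_PATTERNS = [
    re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    re.compile(rb"preg_replace\s*\(\s*['\"]/[^'\"]*/e['\"]"),  # /e modifier evaluates the replacement
    re.compile(rb"(?:\\x[0-9a-fA-F]{2}){8,}"),                # long hex-escaped string literal
]
HEAD_BYTES = 4096  # droppers of this kind are prepended, so only the head is checked


def find_injected_php(webroot):
    """Return relative paths of .php files whose first bytes match a signature."""
    root = Path(webroot)
    hits = []
    for p in sorted(root.rglob("*.php")):
        head = p.read_bytes()[:HEAD_BYTES]
        if any(pat.search(head) for pat in INJECTION_PATTERNS):
            hits.append(p.relative_to(root).as_posix())
    return hits


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _hash_tree(root):
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256(p) for p in root.rglob("*") if p.is_file()}


def compare_trees(live, backup):
    """Return (modified, added, removed) relative paths of live vs. backup."""
    live_h, backup_h = _hash_tree(live), _hash_tree(backup)
    modified = sorted(n for n in live_h.keys() & backup_h.keys() if live_h[n] != backup_h[n])
    added = sorted(live_h.keys() - backup_h.keys())
    removed = sorted(backup_h.keys() - live_h.keys())
    return modified, added, removed


def restore_from_backup(live, backup, names):
    """Overwrite the named live files with their backup copies; return what was restored."""
    restored = []
    for name in names:
        src, dst = Path(backup, name), Path(live, name)
        if src.is_file():
            shutil.copy2(src, dst)
            restored.append(name)
    return restored


# Constructed sample files. The "injected" preamble is a stand-in: the base64
# blob decodes to phpinfo(); so it is harmless even if someone runs it.
CLEAN_INDEX = b"<?php\n// front page (constructed sample)\ninclude 'header.php';\necho 'Bob waves hello';\n"
CLEAN_HEADER = b"<?php\n// header (constructed sample)\necho '<html>';\n"
INJECTED_INDEX = b"<?php /*x9*/ eval(base64_decode('cGhwaW5mbygpOw==')); ?>" + CLEAN_INDEX


def build_sample():
    """Create a temp dir with a clean backup tree and a live tree whose index.php was tampered with."""
    base = Path(tempfile.mkdtemp(prefix="phpscan-"))
    live, backup = base / "live", base / "backup"
    for root, index in ((backup, CLEAN_INDEX), (live, INJECTED_INDEX)):
        root.mkdir()
        (root / "index.php").write_bytes(index)
        (root / "header.php").write_bytes(CLEAN_HEADER)
    return live, backup


if __name__ == "__main__":
    live, backup = build_sample()
    print("signature hits:", find_injected_php(live))
    modified, added, removed = compare_trees(live, backup)
    print("modified:", modified, "added:", added, "removed:", removed)
    print("restored:", restore_from_backup(live, backup, modified))
    print("hits after restore:", find_injected_php(live))
```

The hash comparison is the authoritative check and the signature scan is only a fast first pass: a clean backup catches payloads the patterns miss, and it also reports files the attacker added (which a grep over existing files would not), so run both, and treat any file that is modified or new with no matching backup copy as hostile until read by hand.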
TMC
Metal King Slime
Posts: 4101
Joined: Sun Apr 10, 2011 9:19 am

Post by TMC »

Yikes!
James Paige wrote: I carelessly ignored dreamhost's warnings about changing my ftp password

It seems that Dreamhost changed everyone's passwords, so hamsterrepublic.com must have been attacked before that happened, on/before Jan 23rd.

James Paige wrote: I know for a while ZoneAlarm Pro was incorrectly identifying the OHR as a keylogger trojan because gfx_directx used to do keyboard handling in a way that is similar to how a keylogger might do it.

That was gfx_fb actually.
Last edited by TMC on Thu Mar 15, 2012 5:48 am, edited 1 time in total.
Gizmog
Metal King Slime
Posts: 2615
Joined: Tue Feb 19, 2008 5:41 am

Post by Gizmog »

My virus warnings probably are false positives. It doesn't actually say that it's found anything, just that this file (custom.exe or game.exe) "might" be dangerous to my computer, and suggests I open it in a sandbox or somesuch. It also doesn't seem to matter where the file came from. My guess is it's a goofy DLL thing.

[Image]

What pops up when I open one of the beta-builds of Alice that Sephy and I were working on.
Bob the Hamster
Liquid Metal King Slime
Posts: 7460
Joined: Tue Oct 16, 2007 2:34 pm
Location: Hamster Republic (Ontario Enclave)

Post by Bob the Hamster »

Interesting.

Just out of curiosity, is it actually playable inside Avast's "sandbox"?
Gizmog
Metal King Slime
Posts: 2615
Joined: Tue Feb 19, 2008 5:41 am

Post by Gizmog »

Oh, I'd never tried before. After 12 seconds it closed the game and said that it had found "No evidence of malicious behavior" but recommended further caution and asked whether or not I wanted to open it in a sandbox again next time. Seemed to run okay in the sandbox for those 12 seconds though.