Important note about City of Heroes wikis


Adeon Hawkwood

 

Posted

Hi all,

So someone pointed me to Wikia's City of Heroes wiki tonight to see something totally unrelated to this post (a new and even more annoying form of advertising, in case you're curious), but when I visited, I discovered something more diabolical. As the creator and administrator of the "competitor" Paragon Wiki, I know that this post may be interpreted as biased and especially self-interested, but it's important enough that I felt like I had to say something here.

I discovered tonight that the Wikia City of Heroes wiki (please note: not the Paragon Wiki!) has been infected with malware. I discovered it when Google Chrome gave me a huge alert box saying that it was trying to load content from a known malware site. After digging around for a while on a sandboxed virtual machine, I discovered a hidden iframe that is being attached to the top ad banner that is, indeed, attempting to load malicious code.

Google Chrome will catch it and warn you. If you are visiting the site using Firefox or Internet Explorer, however, you will receive no warning, and the malicious code will attempt to execute. I haven't dug into it to the point of finding out what it's trying to do, but rest assured, whatever it is can't be good.

Google actually provided a link to a Google analysis of the malware server, and it showed that it exists across many Wikia wikis. I don't think it's in their core code, because I checked a few other wikis and didn't see it across all of their wikis. If I had to guess, I think it's either being injected through one of their third-party advertisers (the malicious script is attached to an ad banner) or by a jerk hacker who has figured out some exploit to infect multiple Wikia sites.

At any rate, I am going to try to alert the contacts that I had from when the Paragon Wiki was at Wikia and let them know that their City of Heroes site is infected. I don't have any love for Wikia, but I have way less love for malware pushers and as a site admin myself, I resent anyone's site being attacked like that.

In the meantime, I highly urge you not to visit the Wikia City of Heroes site. Again, if you have Firefox or Internet Explorer, you will not receive any warning about the malware. (If you have Firefox's NoScript extension installed, though, it won't load the script and you should be safe.) If you use Chrome, you'll get a big red warning about it. Please read and heed.

And yes, this is probably a shameless plug, but I'd also like to take a second to remind everyone that the valid addresses of the Paragon Wiki are wiki.cohtitan.com and paragonwiki.com. They both lead to the exact same site and both names are considered official and completely interchangeable. The Paragon Wiki is not affiliated with Wikia, and any site with wikia.com in its domain name is not affiliated with the Paragon Wiki. The Paragon Wiki also has no advertisements and is consistently kept way more up-to-date than Wikia's site. If you are linking an article to a City of Heroes wiki, please make sure you are using the right address!


We've been saving Paragon City for eight and a half years. It's time to do it one more time.
(If you love this game as much as I do, please read that post.)
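
An added example, not part of the original post: one way to look for the kind of hidden, off-site iframe described above in a saved copy of a page. The hiding heuristics, the function names and all host names in the sample are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic (assumed) inline-style patterns that hide an element from the reader.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)",
    re.I,
)

def _tiny(value):
    # True when a width/height attribute is 0 or 1 pixel.
    return value is not None and value.strip().lower().rstrip("px") in ("0", "1")

class HiddenIframeFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # (line number, iframe host)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        host = (urlparse(a.get("src") or "").hostname or "").lower()
        hidden = (bool(HIDING_STYLE.search(a.get("style") or ""))
                  or _tiny(a.get("width")) or _tiny(a.get("height"))
                  or "hidden" in a)
        # Relative URLs and subdomains of the page's own host count as first-party.
        off_site = bool(host) and host != self.page_host and not host.endswith("." + self.page_host)
        if hidden and off_site:
            self.findings.append((self.getpos()[0], host))

def find_hidden_iframes(html, page_host):
    finder = HiddenIframeFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; every host name here is a placeholder.
SAMPLE = """<html><body>
<div id="top-banner">
  <iframe src="http://ads.example.net/banner?id=1" width="728" height="90"></iframe>
  <iframe src="http://bad.example.org/x" width="1" height="1" style="visibility:hidden"></iframe>
</div>
<iframe src="/local/widget" style="display:none"></iframe>
<iframe src="//cdn.wiki.example.com/frame" style="display: none"></iframe>
</body></html>"""

print(find_hidden_iframes(SAMPLE, "wiki.example.com"))
```

This only sees iframes present in the saved markup; a frame that an ad script adds at load time has to be captured from the rendered DOM first.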

 

Posted

FanTASTIC!



 

Posted

Quote:
Originally Posted by Sigium


FanTASTIC!

Fix'd it for you.

On the original topic, yeah, ew malware. Doesn't help that Google searches for CoX-related stuff put the WikiaCoX among the top results either.


 

Posted

Malicious code coming from normally 'safe-ish' sites because of their advertising was a huge thing a year ago. The majority of people posting to the tech forum about problems with their machines all showed that same Trojan.

The source? Outdated java.

Update your java... NAO!

And I've read about new Flash vulnerabilities, so, update your Flash.

Also, update Windows, your browser client, your anti-virus definitions, and your real-time browser interceptor.


Speeding Through New DA Repeatables || Spreadsheet o' Enhancements || Zombie Skins: better skins for these forums || Guide to Guides

 

Posted

I've set my router to block the keyword wikia. Is there a way to do this that won't block sites about wikia?


 

Posted

I think I saw the link for the wikia site; since I only use and trust Paragon Wiki, I never even attempted to click on it.

Thanks for the advance warning, Tony.


 

Posted

I only use Paragon Wiki and to be honest I didn't even know about the other site. 40 months in and still learnin' stuff....


 

Posted

I've experienced attempted malware uploads from the wik-crapia since the middle of last year.


There are no words for what this community, and the friends I have made here mean to me. Please know that I care for all of you, yes, even you. If you Twitter, I'm MrThan. If you're Unleashed, I'm dumps. I'll try and get registered on the Titan Forums as well. Peace, and thanks for the best nine years anyone could ever ask for.

 

Posted

edit: I see in the OP that my question is answered; using Titan Network's link should be safe.


If we are to die, let us die like men. -- Patrick Cleburne
----------------------------------------------------------

The rule is that they must be loved. --Jayne Fynes-Clinton, Death of an Abandoned Dog

 

Posted

Thank god someone pointed me to the One True Paragon wiki site a while back.


Quote:
Originally Posted by Zwillinger
GG, I would tell you that "I am killing you with my mind", but I couldn't find an emoticon to properly express my sentiment.
Quote:
Originally Posted by Captain_Photon
NOTE: The Incarnate System is basically farming for IOs on a larger scale, and with more obtrusive lore.

 

Posted

Well, I was going to try to help them out and dig deeper into it this morning, nailing down exactly where the malicious script is coming from. The one time I've been able to recreate it, it looked like it was being served up from fastclick.net via doubleclick.net, one of their ad providers. Unfortunately, I'm being stymied by the fact that it seems to only serve up the infected ad intermittently, and that fastclick is causing Firefox on my sandbox machine to crash.

At any rate, there are several reasons we don't run ads on the Paragon Wiki, and the complete lack of trust I have in third-party ad providers is pretty high on the list.

I have to admit, in researching this, I ran across an extremely amusing ad. I won't name who it's for because I don't want to help that company, but it shows a kneeling scantily-clad woman, her hands bound in chains to a tree above her head as she struggles to get free. Creepiness factor aside, there are two quotes alongside the animated image: "'Awesomely deep character skills...' --SomethingAwful Forums," and "'Best Online RPG I have played...' --[censored name], [censored company] Player"

So the two best testimonials they could dig up come from a SomethingAwful forum poster and one of its own players? Wow, yeah. That's just screaming to make me want to try it.


We've been saving Paragon City for eight and a half years. It's time to do it one more time.
(If you love this game as much as I do, please read that post.)

 

Posted

With apologies to my Resistance brethren - this was just more important.

'tis in the sig, with a link to this post.


 

Posted

I only use Titan's iteration of the wiki, but a couple years ago I got a nasty malware infection from just such a banner Trojan. After cleaning it out (several days' work), I installed the NoScript add-on for Firefox, and have led a much quieter life since.


MA arcs: #1669, "A New Breed Rising"

 

Posted

Quote:
Originally Posted by TonyV
I have to admit, in researching this, I ran across an extremely amusing ad. I won't name who it's for because I don't want to help that company, but it shows a kneeling scantily-clad woman, her hands bound in chains to a tree above her head as she struggles to get free. Creepiness factor aside, there are two quotes alongside the animated image: "'Awesomely deep character skills...' --SomethingAwful Forums," and "'Best Online RPG I have played...' --[censored name], [censored company] Player"
Well, despite not seeing the ad, I already know exactly which "game" it's for.


 

Posted

Quote:
Originally Posted by Adeon Hawkwood
Well, despite not seeing the ad, I already know exactly which "game" it's for.
It's not even an RPG!


 

Posted

Quote:
Originally Posted by Zombie Man
Update your java... NAO!
I'd do it more often but it's one of those things like Adobe Reader (which I've since 100% ousted from all of my machines for FoxIt Reader, as Adobe's is and always has been, a laggy piece of ****) where updating it requires a restart.

Protected memory? Seriously? But I'll try to stay off of that diatribe...


That said, if you're using Firefox without NoScript (or similar) and AdBlock (or similar), you're doing it very, very wrong.


Blue: ~Knockback Squad on Guardian~
Red: ~Undoing of Virtue on [3 guesses]~

 

Posted

What about pointing fastclick and doubleclick to 127.0.0.1 in your HOSTS file?


 

Posted

Quote:
Originally Posted by Adeon Hawkwood
Well, despite not seeing the ad, I already know exactly which "game" it's for.
To be honest, I have never heard of it before.

Quote:
Originally Posted by Coyote_Seven
What about pointing fastclick and doubleclick to 127.0.0.1 in your HOSTS file?
Well, it's not a bad idea, but there are a few problems with that:

- I'm not 100% certain that it's fastclick that served up the bad ad. Wikia uses like 20 ad service providers. My methodology was loading Firefox in a sandboxed workstation with NoScript. (Not AdBlock Plus, or else I wouldn't have been able to test.) I enabled each one one-by-one, and when I enabled fastclick.net, I got the infected script. Having said that, it's possible that Wikia loaded another ad service provider on the page load I happened to test and it loaded the script. And I haven't been able to successfully replicate the test, because as I mentioned, fastclick.net is crashing my browser now and when it does come through without crashing, I haven't seen the ad infected code again. It could have just been a specific ad in the rotation.

- By using a service such as NoScript and AdBlock Plus, you get something that host files don't give you: automatic updates. NoScript and AdBlock Plus are the primary reasons I haven't switched to Google Chrome as my primary browser.

- By using host file blocking, your browser is still trying to load the crap and only times out after several seconds. This can seriously delay the time until a page load is complete. With NoScript and AdBlock Plus, the stuff isn't even attempted to load.

- Editing a HOSTS file is beyond average users' technical means. Plus, on Vista and Win 7, you can only do it by running your editor as Administrator, which makes it even harder to explain to a lay user.

- There's a lot of other nasty stuff out there other than doubleclick/fastclick.

It's not a bad idea, and if you know how to do it, by all means do. But for average schmoes, I still recommend the Firefox with AdBlock/NoScript solution. If you do use some other software, I'd recommend using something like Privoxy.


We've been saving Paragon City for eight and a half years. It's time to do it one more time.
(If you love this game as much as I do, please read that post.)

 

Posted

Quote:
Originally Posted by TonyV
To be honest, I have never heard of it before.
So.. either you've somehow avoided their ads until now or it ISN'T Evony. Either way I'm surprised.


 

Posted

Well if you're also using a router, you could set it to block doubleclick and fastclick, both incoming and outgoing.

EDIT:

Quote:
Editing a HOSTS file is beyond average users' technical means. Plus, on Vista and Win 7, you can only do it by running your editor as Administrator, which makes it even harder to explain to a lay user.
Yeah. It's too bad Microsoft has gotten users to be lazy about that sort of thing. A Unix user quickly learns that they should make a separate user account that's apart from the super user account. Besides everything else, it gets you into the habit of separating out your personal stuff from the things the operating system needs to use.


 

Posted

Quote:
Originally Posted by TonyV
It isn't Evony. I've heard of that.
Well in that case I'm surprised another game is running Evony style ads without me hearing about it.


 

Posted

Quote:
Originally Posted by Adeon Hawkwood
Well in that case I'm surprised another game is running Evony style ads without me hearing about it.
You're making me want to know what this game is, that I don't know of! Curse you all!


BrandX Future Staff Fighter
The BrandX Collection

 

Posted

Plants Vs Zombies runs ads that are parodies of the Evony ones, so I dunno.