CoHTitan Infected by Virus?
Sounds like ur PC is infected.
I saw nothing what u described on the site.
Totally possible. Hopefully not the case. I'd be way relieved if it was just me.
A few more posts like yours, and I'll kill the topic, just want to be sure.
Goodbye may seem forever
Farewell is like the end
But in my heart's the memory
And there you'll always be
-- The Fox and the Hound
When I visit http://www.paragonwiki.com or http://wiki.cohtitan.com I don't see any ads at all. I do see this statement:
Ad-Free Fan-Site Paragon Wiki has been ad-free since 2005.
Hey -
CoHTitan (and their Wiki) appear to be compromised with a fake antivirus ad. It's pretty clearly malignant. Can we get a mass community warning to stay away, do NOT obey the instructions on the screen, and the site shut down until the system is purged and verified to be bug-free? Thanks.
http://paragonwiki.com/wiki/Main_Page
I just came from there and (1) I saw no ads at all and (2) my virus checker was as quiet as a sleeping kitten
Lisa.
So don't wait for heroes, do it yourself
You've got the power
winners are losers
who got up and gave it just one more try
***Dennis DeYoung
i have never seen ads on the site before and still didn't two minutes ago.
Dr. Todt's theme.
i make stuff...
*points down to sig*
Wikia's horrible for just that sort of thing. Which is one of the reasons Paragonwiki's not there. Unfortunately, it (Wikia) is still at the top of Google searches for PW.
Make 100% sure you're not going to wikia.
Unfortunately, I think more people go to Wikia not only because it's easy to confuse with ParagonWiki, but because ParagonWiki is exclusively about CoX and Wikia seems to be about many games.
to TO THE END!
Villains are those who dedicate their lives to causing mayhem. Villians are people from the planet Villia!
Hey -
CoHTitan (and their Wiki) appear to be compromised with a fake antivirus ad. It's pretty clearly malignant. Can we get a mass community warning to stay away, do NOT obey the instructions on the screen, and the site shut down until the system is purged and verified to be bug-free? Thanks.
Looks like the problem is on your computer.
Also, the Titan Network doesn't use ads at all.
Yes, I know others have posted the same thing above.
But I also know that some people only read the last post or two in a thread before commenting on it.
I put this here for them.
If the game spit out 20 dollar bills people would complain that they weren't sequentially numbered. If they were sequentially numbered people would complain that they weren't random enough.
Black Pebble is my new hero.
They had been infected with a nasty virus before. Some of those areas are still down since they're not restored from the clean-up effort yet.
Hopefully they haven't gotten infected again. But I don't see anything getting blocked from popping up by NoScript or Adblock on the paragonwiki site though. Might've just typed out the wikia and gotten led to a sleazy site designed to look like the titan network or something.
They had been infected with a nasty virus before. Some of those areas are still down since they're not restored from the clean-up effort yet.
Hopefully they haven't gotten infected again. But I don't see anything getting blocked from popping up by NoScript or Adblock on the paragonwiki site though.
CoH Faces was the last area to come up as far as I know.
It seems some of the pages (Ouroboros Portal) may still be using invalid links to the various sites of the Titan Network (they still point to the old address for CoH Faces for example).
If the game spit out 20 dollar bills people would complain that they weren't sequentially numbered. If they were sequentially numbered people would complain that they weren't random enough.
Black Pebble is my new hero.
We didn't have a "virus" before, technically. Some poophead injected crap into a loophole in the Faces site. That loophole has been closed (Faces got a bottom-up rewrite), and all sites have been restored that will be restored. Anything you don't see back up likely will never come back.
OP: ParagonWiki does not have ads. Aside from approximately a year when hosted by Wikia, ParagonWiki has never had ads. And the ads served by Wikia were not by our choice, but forced on us by the folks at Wikia.
(We don't own cohfaces.com anymore so that isn't us doing weird things.)
Paragon Wiki: http://www.paragonwiki.com
City Info Terminal: http://cit.cohtitan.com
Mids Hero Designer: http://www.cohplanner.com
Paragon City Search And Rescue
The Mentor Project
Hey -
CoHTitan (and their Wiki) appear to be compromised with a fake antivirus ad. It's pretty clearly malignant. Can we get a mass community warning to stay away, do NOT obey the instructions on the screen, and the site shut down until the system is purged and verified to be bug-free? Thanks.
Interesting. Yeah, I do use Chrome, prefer it for how light it is compared to other browsers.
Thinking that's the problem?
Edit: Just went to http://www.cohtitan.com/ and also didn't see anything.
Weight training: Because you'll never hear someone lament "If only I were weaker, I could have saved them."
We didn't have a "virus" before, technically. Some poophead injected crap into a loophole in the Faces site.
The irritating part of such odious behavior is that it used to be that you had to go to a "suspect" site or click on a link for these things to happen, but apparently there are bots in China and elsewhere that continually search for internet sites with vulnerabilities and attach their evil payloads to them.
It took a fairly potent cocktail of additional anti-malware to rub the infection out, but I have been all-clear since. CoHTitan is typically very careful; stuff happens. I do not blame them and Tony's efforts and communication were well-received on my part.
What I do not understand, though, is why these particular malware infections take the form of an "ad" for anti-malware scans, etc., that encourage you to click on a link for various services. At that point, your computer is thoroughly infected and slammed... why do they need you to further click on a link? It is as though they have zapped you with a lethal dose of radiation then encourage you to drink this "medicine" which is actually poison. I freely admit I do not understand the mental pathologies of those creating the malware, but this certainly seems like overkill.
"How do you know you are on the side of good?" a Paragon citizen asked him. "How can we even know what is 'good'?"
"The Most High has spoken, even with His own blood," Melancton replied. "Surely we know."
What I do not understand, though, is why these particular malware infections take the form of an "ad" for anti-malware scans, etc., that encourage you to click on a link for various services. At that point, your computer is thoroughly infected and slammed... why do they need you to further click on a link? It is as though they have zapped you with a lethal dose of radiation then encourage you to drink this "medicine" which is actually poison. I freely admit I do not understand the mental pathologies of those creating the malware, but this certainly seems like overkill.
And that last bit is what they were after.
@Roderick
When you click on the link, it gets you to download the trial version of the only software that can save your computer from impending DOOOOM! Once you've downloaded the software, it tells you that you are indeed infected, and the horrible nasty virus will delete your hard drive, forward itself to all your friends, relatives, and enemies, delete THEIR hard drives, and then kick a puppy. And it will all be YOUR fault. BUT if you buy the full version of the software, they can eliminate the evil virus of DOOOOOM! Please enter your credit card number here.
And that last bit is what they were after.
That's okay though. It keeps me employed as well as having plenty of side jobs outside of my full-time job.
If the game spit out 20 dollar bills people would complain that they weren't sequentially numbered. If they were sequentially numbered people would complain that they weren't random enough.
Black Pebble is my new hero.
Please enter your credit card number here.
And that last bit is what they were after.
So it's a profit deal!!
/stevemartin
Now it all makes sense. I keep thinking of malware as just being a form of griefing... causing misery just to cause it. These folks are certainly upping the ante.
The guy behind it is probably that Nigerian official who now needs my help smuggling all of his loot out of his country.
"How do you know you are on the side of good?" a Paragon citizen asked him. "How can we even know what is 'good'?"
"The Most High has spoken, even with His own blood," Melancton replied. "Surely we know."
/stevemartin
So it's a profit deal!! /stevemartin Now it all makes sense. I keep thinking of malware as just being a form of griefing... causing misery just to cause it. These folks are certainly upping the ante. The guy behind it is probably that Nigerian official who now needs my help smuggling all of his loot out of his country.
Goodbye may seem forever
Farewell is like the end
But in my heart's the memory
And there you'll always be
-- The Fox and the Hound
Hey all, sorry I just now saw this thread.
I did a quick once-over of our sites and I don't see anything obvious wrong. I'll keep digging to see if I missed anything.
Something mentioned above is a good question. Rakeeb, are you absolutely certain that you were on the Titan Network's sites? The Titan Network is completely ad-free, including the Paragon Wiki. The closest thing we have to ads are a couple of links on the main home page, one to HeroStats (which we host) and one to Imaginator Central (Liz "Syrusb", our graphics guru, who hosts her own site), and during the holiday season we put a link to the Real World Hero charity drive on the wiki sidebar. None of those are dynamic or third-party ads, though; they're static links with the images and code behind them hosted locally on our own server.
The Wikia theory actually sounds plausible to me. They do run third-party ads, and I have gotten nailed with malware served by those third parties before. That's why I hate running third-party ads on sites, because you're not in full control of the content you're serving, and it opens up another vector (the third-party ad provider) by which your sites can become infected.
The following is a full list of Titan Network sites. If you're visiting a URL other than these, you're almost certainly not on our site. Note that after the domain name, there should either be nothing (e.g. http://cohtitan.com) or a slash (e.g. http://www.cohtitan.com/forum). If there is anything else, you're not on our site (e.g. http://cohtitan.com.other.stuff/mydata)!
http://[www.]cohtitan.com
http://[www.]cohplanner.com
http://[www.]paragonwiki.com
http://[www.]ouroportal.com
http://wiki.cohtitan.com
http://cit.cohtitan.com
http://faces.cohtitan.com
http://tomax.cohtitan.com
http://avatars.cohtitan.com
There is also a "hidden" domain, webservice.cohtitan.com, that Sentinel talks to, and though we don't directly maintain it, we also host herostats.org.
Anyway, my immediate thought is that we are not infected. If we are, then obviously, I want to know as soon as possible. It might be helpful if you can send me screenshots of exactly what you're seeing. You can reach me by e-mail (tonyv@cohtitan.com) or hit me up on Skype (tonyv.paragonwiki). I am at work today, so I might not be able to respond immediately, but I'll try to respond as soon as I can.
In the meantime, I highly encourage everyone to make sure your computer is protected against malware. This isn't an alarmist "we might be infected!" suggestion, this is just a good idea in general, even if you don't ever visit the Titan Network sites. You need two main things: antivirus and anti-spyware. Make sure they're up-to-date and that you run them periodically. I actually suggest against the 800 pound gorilla in the market, Norton/Symantec anti-virus, because it puts lots of tentacles into your system that make it almost as bad as a virus itself. Besides, there are some decent free solutions, such as AVG Free and Avast!. For anti-spyware, try Ad-Aware or Spybot Search & Destroy.
Also, if you're using Chrome, I would suggest turning off cookies and whitelisting only the ones you need. If you're running Firefox, Adblock Plus is a godsend.
Oh, and as for our site compromise from before, the nutshell version of what happened was that someone used an exploit in an old version of CodeIgniter (the framework that underlies a bunch of our sites) to upload a php file that injected malware links in all of our index.php sites. It affected most of our sites, and we've since taken some pretty good measures to avoid such a thing happening again. The best thing I think we did (other than upgrade all of our software to patch security holes) was we took write permissions away from the web service account to all content directories except ones that it specifically requires for uploaded files. I'd never be so arrogant to say that our server isn't compromisable (which is the sure fire way to see that it does get compromised), but hopefully it minimizes the risk of being hit with these drive-by mass attacks that every server undergoes.
We take security very seriously, and if I find out that it's been compromised, I will shut down the sites if I have to (which I did last time) until I'm confident that we're not posing a security risk to people--even if it means we're offline for days (which we were) or longer (*ahem...* Faces...).
Edit: Oh, there's one more thing folks might want to know. We do use a Content Distribution Network named CloudFlare that is a front-end to several of our sites. For most people, it's completely transparent. However, one of the things that CloudFlare does is set up so-called "honeypots" to detect machines that are infected or that otherwise try to spread malware. Because addresses on the Internet are dynamic, now and then you might get some kind of page asking you to validate you're a person via a captcha. This is another security measure on our part to try to prevent known malware bots from accessing our server by filtering out malware traffic. So if you try to access one of our sites and you get something from CloudFlare, don't panic.
You can read more about CloudFlare's security at their site if you're interested.
We've been saving Paragon City for eight and a half years. It's time to do it one more time.
(If you love this game as much as I do, please read that post.)
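The host check described in the post above (listed domain, then nothing or a slash), as an added example that is not part of the original post or Titan Network code. The function names and sample URLs are constructed for illustration; accepting `https` and an explicit default port, and rejecting userinfo tricks, are assumptions that go slightly beyond the rule as posted.

```python
from urllib.parse import urlsplit

# Hosts taken from the list in the post; "[www.]" entries expand to both forms.
_WWW_OPTIONAL = ["cohtitan.com", "cohplanner.com", "paragonwiki.com", "ouroportal.com"]
_EXACT = ["wiki.cohtitan.com", "cit.cohtitan.com", "faces.cohtitan.com",
          "tomax.cohtitan.com", "avatars.cohtitan.com"]
TITAN_HOSTS = frozenset(_EXACT + _WWW_OPTIONAL + ["www." + h for h in _WWW_OPTIONAL])

DEFAULT_PORTS = {"http": 80, "https": 443}  # assumption: https is acceptable too


def is_titan_url(url: str) -> bool:
    """True only when the URL's host is exactly one of the listed hosts."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname      # lower-cased, with userinfo and port removed
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in DEFAULT_PORTS or not host:
        return False
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        return False               # something other than "nothing or a slash"
    # Exact match, never startswith/endswith: "cohtitan.com.other.stuff" begins
    # with a listed name but is registered under a different domain entirely.
    return host.rstrip(".") in TITAN_HOSTS


def rejected(urls):
    """Return the URLs that are NOT on a listed host, in input order."""
    return [u for u in urls if not is_titan_url(u)]


# Constructed sample input; the lookalike hosts are made up for this example.
SAMPLE_URLS = [
    "http://cohtitan.com",
    "http://www.cohtitan.com/forum",
    "http://WIKI.CohTitan.com/Main_Page",
    "http://cohtitan.com.other.stuff/mydata",        # listed name used as a prefix
    "http://cohtitan.com@login.example/",            # listed name in the userinfo part
    "http://paragonwiki.com.example/wiki/Main_Page", # lookalike wiki host
]

if __name__ == "__main__":
    for u in rejected(SAMPLE_URLS):
        print("not a Titan Network host:", u)
```
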
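A way to audit the hardening step from the post above (no write access for the web service account outside the directories that take uploads), as an added example and not the Titan Network's own tooling. The function names, the account's uid/gid values and the directory layout are hypothetical; the check reads classic Unix mode bits only and ignores ACLs.

```python
import os
import stat


def writable_by(st, uid, gids):
    """Mode-bit check: can the account (uid, set of gids) write to this inode?"""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_web_root(root, uid, gids, allowed_upload_dirs=()):
    """Return sorted paths (relative to root) that the web account can write to,
    skipping everything inside the explicitly allowed upload directories.

    A writable directory is reported as well as a writable file: either one
    lets an uploaded script be planted or an existing index.php be modified.
    """
    allowed = {os.path.realpath(os.path.join(root, d)) for d in allowed_upload_dirs}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.realpath(dirpath) in allowed:
            dirnames[:] = []           # do not descend into upload directories
            continue
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue               # a symlink's own mode bits are not meaningful
            if writable_by(st, uid, gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    # Usage (hypothetical values): audit.py /var/www/site 33 33 uploads
    root, uid, gid, *uploads = sys.argv[1:]
    for finding in audit_web_root(root, int(uid), {int(gid)}, uploads):
        print("web account can write:", finding)
```
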
Hey -
CoHTitan (and their Wiki) appear to be compromised with a fake antivirus ad. It's pretty clearly malignant.
Can we get a mass community warning to stay away, do NOT obey the instructions on the screen, and the site shut down until the system is purged and verified to be bug-free?
Thanks.