Virus on Pi2?

RetroPie has a new website and forum. Please visit https://retropie.org.uk/ for the new site. The new forum is located at https://retropie.org.uk/forum/. This forum is left here as a read-only archive.

This topic contains 12 replies, has 7 voices, and was last updated by wezzledezzle 1 year, 11 months ago.

Viewing 13 posts - 1 through 13 (of 13 total)
    #93184
    wezzledezzle
    Participant

    So this morning I received an email from my IP (Cox) stating that one of my computers is infected with a virus. I of course logged in and checked my IP and it does indeed think that there is a virus on a computer.

    I checked all my computers and found no viruses on any of them. I did, however, just try the RetroPie 3.0 Beta for Pi2 and had connected my Pi to the network to send over my ROMs. Has anyone else had such a problem? I also scanned my computer after seeing the email, just in case the email was a possible virus, but the computer is still clean.

    #93266
    labelwhore
    Participant

    I can’t pull up this website at work. The network security guys come over yelling that it looks like there’s a DDoS attack coming from my PC when I do.

    So I think it’s not the Pi, it’s this website.

    http://www.th3rdwave.com/tracks/
    ^^ my other hobby

    #93281
    tank
    Participant

    What website?
    This one? The petrockblog?!

    #93295
    labelwhore
    Participant

    That’s correct. I have been using my phone to access the site for a week or so now, and the security dudes have stopped complaining. Make of that what you will. I don’t have any more details, only a suspicion.

    http://www.th3rdwave.com/tracks/
    ^^ my other hobby

    #93296
    labelwhore
    Participant

    Also, they never found any malware or anything on my PC after a thorough check.

    http://www.th3rdwave.com/tracks/
    ^^ my other hobby

    #93297
    wezzledezzle
    Participant

    See, I never found malware, adware, snoopers, nothing.

    It’s weird.

    #93333
    buzz
    Keymaster

    I don’t see any problem with this site – it doesn’t really make sense regarding a DDoS attack unless a browser had a recent exploit that was vulnerable via some software on this website. I see nothing suspicious though.

    #93355
    labelwhore
    Participant

    I have no problems from home as far as I can tell, just from work.

    I just correlated the two, since around the time I started looking at this site at work is when the guys complained of unusually large amounts of traffic coming from my PC. Bear in mind, from work, all I was doing was reading posts, and not DLing anything like RetroPie images or anything like that. I’m not really certain it’s this site either, tbh; the time frame just seems right. That there is somebody else with a similar issue just sounds too coincidental.

    http://www.th3rdwave.com/tracks/
    ^^ my other hobby

    #93607
    Robert Wilson
    Participant

    Not saying it is or it isn’t, but it is possible one of the ad servers that push ads for this site could have been trying something nasty. Just a few months ago the website that was hosting my town’s local paper was infecting people’s computers. It turned out it wasn’t the website itself but one of the many embedded ads. A rogue ad was slipped into an ad server that was used by many sites, and when it would pop up in rotation, boom, you got hit. One reason I now do 99% of my surfing from my iPad.

    #95155
    wfraga
    Participant

    I’m facing the SAME PROBLEM!!

    Received 2 emails from AT&T and the ONLY device powered on in my home is the Pi2 running RetroPie 3 beta 2.

    And using Wireshark it is possible to see the device is infected!

    PLEASE, CAN ANYBODY FROM THE PROJECT SAY SOMETHING ABOUT THIS?

    Malware infection advisory from AT&T Internet Services Security Center
    AT&T U-verse Site ID: XXXXXXX

    Dear AT&T U-verse customer,

    AT&T has received information indicating that one or more devices using your Internet connection may be infected with malicious software. Internet traffic consistent with a malware infection (“ddos-participant-ssdp-amplifier”) was observed on Apr 14, 2015 at 1:12 AM EDT from the IP address 23.11x.xxx.xxx. Our records indicate that this IP address was assigned to you at this time.

    Infected computers are often used as part of a zombie computer network (“botnet”). Botnets are networks of computers which have been infected with malware and placed under the control of a hacker or group of hackers. They are often used for attacks on websites, spamming, fraud, and distribution of additional malware.

    Because malware is designed to run in secret, an infected computer may display no obvious symptoms.

    To address this matter we ask that you take the following actions. If your computer(s) are managed by an Information Technology (IT) group at your place of work, please pass this information on to them.
    If you use a wireless network, an infected computer may be using your Internet connection without your knowledge. Ensure that your wireless router is password-protected and using WPA or WPA2 encryption (use WEP only if WPA is not available). Check the connections to the router and ensure that you recognize all connected devices.
    Ensure your firewall settings and anti-virus software are up-to-date, and install any necessary service packs or patches. Scan all systems for viruses and other malware.
    Additional tools and information:

    Tools for removing rootkits, bots, and other crimeware:
    Norton Power Eraser: https://security.symantec.com/nbrt/npe.aspx (Windows)
    McAfee Rootkit Remover: http://www.mcafee.com/us/downloads/free-tools/rootkitremover.aspx (Windows)
    Tools for general virus and malware removal:
    Microsoft Safety & Security Center: http://www.microsoft.com/security/ (Windows)
    Malwarebytes Anti-Malware: http://malwarebytes.org/ (Windows, Android)
    Spybot +AV: http://www.safer-networking.org/ (Windows)
    OS X Gatekeeper: http://support.apple.com/kb/HT5290 (OS X)
    AT&T Malware and Network Security analysts gather weekly to give you the information that you need to know about the latest security news and trends. Visit AT&T ThreatTraq at http://techchannel.att.com/showpage.cfm?ThreatTraq

    Regards,
    AT&T Internet Services Security Center

    Incident details for 23.1xx.xxx.xxx

    Type: ddos-participant-ssdp-amplifier
    Source port: 1900
    Destination IP: 99.xx.xx.66
    Hostname: CPE84948cced691-CM84948cced690.cpe.net.cable.rogers.com
    Destination port: 80
    For security reasons, the destination IP is partially obscured.

    DISCLAIMER: The information above contains links to software by third-party vendors (hereafter, “the Software”). AT&T is not responsible for support or assistance for any of the Software. If you need support or assistance with any of the Software, please contact the Software’s vendor directly. AT&T is unable to provide a warranty or guarantee, either expressed or implied, for any of the Software. You will be responsible for your own system software and system security and not hold AT&T, its partners, agents or affiliates liable for any costs or damages whatsoever (including, without limitation, damages to access system, hardware and/or software) to your computer as a result of installing or using any of the Software. You also understand that use of all hardware and/or software must comply with the AT&T Acceptable Use Policy.
    Important Note: This email contains links to various websites. You may copy and paste the URL(s) into your browser rather than clicking directly on the link.

    #95192
    labelwhore
    Participant

    Is your PC at home? I’m still convinced it’s this website, as I don’t bring my Pi to work but do sometimes read this site. I’ve only had the problem occur at work. In addition, occasionally bringing up this site in Firefox at work completely locks up my PC with no other software running. The symptom was described to me yesterday as GBs worth of DNS queries in a matter of seconds.

    http://www.th3rdwave.com/tracks/
    ^^ my other hobby

    #95202
    theguyonthecouch
    Participant

    Hmm, I’d be very interested to see some PCAP captured with Wireshark so as to establish what the device is doing to cause the alert(s). I may power mine on later and capture some traffic to look for anomalous activity…
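    The capture analysis proposed above, written out as an added example (not code from this thread or from the RetroPie project): given packet summaries in the shape of the AT&T incident details (UDP replies from port 1900 leaving the LAN toward an external host on port 80), it pairs inbound requests with the device's outbound replies, flags the device as an SSDP reflector, and computes the amplification ratio while ignoring normal multicast discovery on the LAN. The packet lines, the 192.168.1.0/24 LAN prefix and the function names are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

SSDP_PORT = 1900
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN prefix (constructed)

# Constructed packet summaries (src sport dst dport proto length), not captured from
# any poster's Pi. Line 1 is a spoofed M-SEARCH "from" the victim's port 80, lines 2-4
# are the Pi's replies to it, lines 5-6 are normal LAN discovery, line 7 is ordinary TCP.
SAMPLE_CAPTURE = """\
198.51.100.66 80 192.168.1.20 1900 UDP 100
192.168.1.20 1900 198.51.100.66 80 UDP 300
192.168.1.20 1900 198.51.100.66 80 UDP 300
192.168.1.20 1900 198.51.100.66 80 UDP 300
192.168.1.5 54000 239.255.255.250 1900 UDP 110
192.168.1.20 1900 192.168.1.5 54000 UDP 310
192.168.1.20 48822 203.0.113.9 80 TCP 74
"""

def is_external(ip):
    """True when the address is outside the LAN and not multicast: SSDP has no business there."""
    a = ipaddress.ip_address(ip)
    return a not in LAN and not a.is_multicast

def parse_packets(text):
    """Turn one-line packet summaries into (src, sport, dst, dport, proto, length) tuples."""
    rows = []
    for line in text.splitlines():
        src, sport, dst, dport, proto, length = line.split()
        rows.append((src, int(sport), dst, int(dport), proto, int(length)))
    return rows

def ssdp_reflection_report(text):
    """Pair internet-sourced requests to UDP/1900 with the replies the LAN device sends
    back out; any such pair means the device is usable as an SSDP reflector.
    Returns {(device, victim): stats} with the bytes-out / bytes-in amplification."""
    stats = defaultdict(lambda: {"requests": 0, "req_bytes": 0, "responses": 0, "resp_bytes": 0})
    for src, sport, dst, dport, proto, length in parse_packets(text):
        if proto != "UDP":
            continue
        if dport == SSDP_PORT and is_external(src):     # spoofed request arriving from outside
            s = stats[(dst, src)]; s["requests"] += 1; s["req_bytes"] += length
        elif sport == SSDP_PORT and is_external(dst):   # reply leaving the LAN
            s = stats[(src, dst)]; s["responses"] += 1; s["resp_bytes"] += length
    for s in stats.values():
        s["amplification"] = s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else None
    return dict(stats)

if __name__ == "__main__":
    for (device, victim), s in ssdp_reflection_report(SAMPLE_CAPTURE).items():
        print(f"{device} reflected {s['responses']} SSDP replies to {victim} "
              f"(amplification x{s['amplification']:.1f})")
```

    A blank report on a real capture is the result you want; any entry means UPnP/SSDP on that device is reachable from the internet and should be blocked at the router.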

    #96896
    wezzledezzle
    Participant

    I still don’t know what caused this warning. Currently my systems are all clean and I have not received another notice. I guess it’s fine for now?


Forums are currently read only - please visit the new RetroPie forums at https://retropie.org.uk/forums/
