Forum:Viruses from Wikia?

Okay, the title might be a little misleading, so forgive me.

Yesterday I was browsing Wikia with this computer of mine (IE7, F-Secure Client Security (my anti-virus program), Windows XP Professional Edition) and I had three "tabs" open. One for Wikia main page, one for Collaboration of the month/vote and one for some other page, was it Sannse's or Angela's talk, can't remember that right now.

So, I was reading Collaboration of the month/vote page, when suddenly an alert message from F-Secure popped up, alerting me that "the firewall has stopped this traffic." I later checked and there were two malware attacks.

The details go as the following:

Timestamp: 6.2.2007 (Sitxth of Feb.) 21:11:33 (my time)

Services: Malware - Sasser server in

Protocol: tcp

Direction: Incoming

Computer information:

Remote gate (or port): 2172

Remote address: 88.9.102.140 (WHOIS)

Local gate: 5554

Local address: ''I trust that you don't need to know my IP-adress. The staff can freely CheckUser me if they feel it is neccessary.''

The second attack details are almost same, except for these:

Timestamp: 6.2.2007 21:11:34

Services: Malware - Dabber in

Remote gate: 2452

Local gate: 9898

I'm not blaming Wikia, as I think it's Google's fault, since every Wikia page has Google ads on the right side. I'd appreciate if you'd do something to this. Makes me almost wanting to say that famous Samuel L. Jackson quote from SOAP, but I'll leave that out.

I've had two computers before this. The first one was infected with a Trojan horse, Delf.r and the second was infected with Sasser for some time, until I removed that worm (and BTW, that computer was lame anyway). I really wouln't like to get some worms on this computer just by browsing Wikia.

Thanks.

--Jack Phoenix (Contact) 12:36, 7 February 2007 (UTC)


 * QUESTION! are you using a Web Accellorator that gos and scans the pages?  like Google has a feature that pre-loads the targets of links.  if so, it MAY be a link that your web accelorator was looking at.  or a targetted attack...  but that's unlikely.   ~ 23:33, 7 February 2007 (UTC)


 * If it was an external link, then there's a problem with the Google Ads because then they're not safe to click. G .He (Talk!) 23:46, 7 February 2007 (UTC)


 * then we should KEEL THEEM >. .< hee hee...  maybe someone should go through checking them to contact Google? (maybe me, Im a big strong Development Dragon, and have nothing to fear from Viruses ^_. .^ *knows he is silly*)  ~ 00:53, 8 February 2007 (UTC)

I've talked to Jason about this, and shown him the report from the anti-virus software... he says that the report shows an atempt to access the computer on a port not connected to the Internet. So this wasn't Wikia or Google, but some other problem. I'd suggest checking out the help pages for your anti-virus software and seeing if they can give more advice on where this came from. Good luck... it sounds worrying! -- Sannse 03:25, 8 February 2007 (UTC)

Now that is strange to say the least! I mean, this computer is kinda like "a gift" from a relative of mine who works for the city and it's computer dept. She told me that this was high-security computer...

Well, better look into this. Thanks a lot, Sannse, and say thanks to Jason from me! ;) --Jack Phoenix (Contact) 13:02, 8 February 2007 (UTC)

This IP is from Spain, and the virus is Sasser, surely from a infected PC, not Wikia or Google. As far I know this virus scans random IP's for new victims (I'm not sure because I use WinMe and this virus don't work in this Operative System). There is no reason to research more as this IP is dynamic... -- 14:09, 8 February 2007 (UTC)

Thank you very much for this information, Chixpy. That helped a lot! :)

And now...my take at Sam Jackson's famous line: "Enough is enough! I've had it with this f-ing Sasser on this internet!"

One time is enough for me. Thankfully there are companies like F-Secure that are keeping their virus descriptions updated. --Jack Phoenix (Contact) 15:03, 8 February 2007 (UTC)


 * Just an FYI: Firewalls set to high alert are kind of pointless and just incite paranoia. Every IP on the internet gets random port "attacks" (just scans basically). If you didn't have the firewall set to alert, the port sniff would just find a closed port. Whereas, when you do have the firewall set to alert, the port sniffer finds a closed port, but you get an annoying message whereby the firewall software says it just spent 5 nanoseconds bravely defending your collection of hentai videos from a spambot in Paraguay. --Splarka (talk) 09:29, 11 February 2007 (UTC)