Anon Files may be compromised

cvxcvgg · Sep 30, 2021

Today I have attempted to download a few different .7z archives and was instead presented with a .exe file with the exact same name. Out of curiosity, I looked at the file and found that what I actually downloaded was some fake as hell weather program built with nw.js but I'm not sure what the purpose of the program is. Probably just your standard trojan.

Not sure if this will be resolved quickly but wanted to warn other users to either avoid Anon Files for now or otherwise be very mindful of what you are actually downloading.

anne O'nymous · Sep 30, 2021

cvxcvgg said:
Today I have attempted to download a few different .7z archives and was instead presented with a .exe file with the exact same name.

It's a dumb question, sorry for that. I try to eliminate the possible cause before stating that anon is effectively in cause.
Are you sure that you effectively clicked on the right download link ? It's more than frequent on hosting site to have the page filled with thousand of false link trying to lure you. And even when you're perfectly aware of it, there's days where you're too tired and just totally mess where you click.

cvxcvgg · Sep 30, 2021

anne O'nymous said:
It's a dumb question, sorry for that. I try to eliminate the possible cause before stating that anon is effectively in cause.
Are you sure that you effectively clicked on the right download link ? It's more than frequent on hosting site to have the page filled with thousand of false link trying to lure you. And even when you're perfectly aware of it, there's days where you're too tired and just totally mess where you click.

Yes, I am aware that Anon likes to open new tabs and all that, but after following multiple links I wound up getting the same fake program with the same names as the .7z archives. This is several different archives, and after several attempts to download each of these archives, with the same result.

Niv-Mizzet the Firemind · Sep 30, 2021

Would you mind sharing the links or the threads of the games you downloaded?
I downloaded 2 games out of curiousity from anonfiles (from the latest updates page) and are clean, as expected.
Maybe it's something on your end?

fitgirlbestgirl · Sep 30, 2021

cvxcvgg said:
Yes, I am aware that Anon likes to open new tabs and all that

Kind of begs the question why it's an approved file host in the first place.

F4C430 · Sep 30, 2021

Niv-Mizzet the Firemind said:
Would you mind sharing the links or the threads of the games you downloaded?
I downloaded 2 games out of curiousity from anonfiles (from the latest updates page) and are clean, as expected.
Maybe it's something on your end?

Same, i checked a couple as well and there's no problem. I've never seen anonfiles spawn new tabs.

Niv-Mizzet the Firemind · Sep 30, 2021

F4C430 said:
Same, i checked a couple as well and there's no problem. I've never seen anonfiles spawn new tabs.

It may have to do with any ad/js blocker you're using. It doesn't spawn for me either, but my browser is rather locked up in that respect.

cvxcvgg · Sep 30, 2021

Niv-Mizzet the Firemind said:
It may have to do with any ad/js blocker you're using. It doesn't spawn for me either, but my browser is rather locked up in that respect.

Yeah, Anon is shady as hell, but the ad-blocker would definitely help.

Also, this isn't the first time that the site has had a few hours of download links sending some bullshit virus weirdness instead of what you're looking for, and generally I've seen it resolve itself after an hour or two like nothing happened and with no mention of the issue. We really should just toss it off the approved list, because it's happened before, and the pop-ups are kind of gross.

anne O'nymous · Oct 1, 2021

scrumbles said:
But maybe anonfiles did nothing wrong and those actually infected were our browsers, not their servers. [...]

There definitively something odd anyway.

I just tried to see if I get strange result myself, and, well, anonfiles is now unknown of all DNS. And I also tried root A and root K DNS, as well as the cloudfare DNS linked to the domain. Those who achieve to reach them do it because the entry is still in cache for the DNS they use, or in the cache of their OS.

I don't know about cloudfare policy in case of non-payment, but well, it was past 00:00 GMT the first of the month when I tried, so it can be that.
And if effectively they didn't payed, it's not impossible that used their last days online doing a dick move to earn some money in another way.

scrumbles said:
If anonfiles is actually compromised, you should download the same malware.

I depend how deeply it have been compromised. It's not really difficult to put a script that will randomly pick the malware sent in place of the requested archive.
It's not trivial, since you still need the writing rights for the HTTP server, but it's all you need. And if the server isn't correctly protected, it's something that can possibly be achieved more easily that being granted root access.

MissFortune · Oct 1, 2021

Niv-Mizzet the Firemind said:
It may have to do with any ad/js blocker you're using. It doesn't spawn for me either, but my browser is rather locked up in that respect.

If someone's not using uBlock Origin for every website, then they're just outright asking for it. Especially on websites with intrusive ads.

Hagatagar · Oct 1, 2021

I wanted to test how the Firefox addon Popup Blocker (strict) handles it, but I can't even access ************* anymore.

rickyabp · Oct 1, 2021

Hagatagar said:
I wanted to test how the Firefox addon Popup Blocker (strict) handles it, but I can't even access ************* anymore.

It's

You must be registered to see the links

now.

Hagatagar · Oct 1, 2021

rickyabp said:
It's
You must be registered to see the links
now.

Just now I tried the links of the 3 newest updated games and it seems they are still uploaded to the old url (*************).

anne O'nymous · Oct 1, 2021

Hagatagar said:
Just now I tried the links of the 3 newest updated games and it seems they are still uploaded to the old url (*************).

Look my comment above, it's because the entries are still the the cache of the DNS they use, or the one of their OS.

Edit:
Also I wonder what make them pass from a domain name they registered until 2030, to one registered for only two years.

rickyabp · Oct 1, 2021

Anonfiles seems to be working again. I can access my old files again.

Darth Vengeant · Oct 8, 2022

It just did this to me. Many Add blockers, etc. It download a .iso instead of your .zip that has spam/garbage in it. This has only started since the "We need help" stuff started popping up recently.

Odinn7 · Oct 8, 2022

Darth Vengeant said:
It just did this to me. Many Add blockers, etc. It download a .iso instead of your .zip that has spam/garbage in it. This has only started since the "We need help" stuff started popping up recently.

If one were to have downloaded and executed this, what would you do to solve any problems? It seems to be adware but I’m unsure if there’s anything more dangerous involved. Malwarebytes doesn’t register any threats, rKill doesn’t find any processes to terminate.

I found stream link-twitch-gui files within my local and localLow file space and promptly removed them. Though I’m concerned there’s stuff leftover. I also ran Combo Cleaner which identified spam in the Edge file space and removed it. Am I missing anything?

Anon Files may be compromised

cvxcvgg

Newbie

anne O'nymous

I'm not grumpy, I'm just coded that way.

cvxcvgg

Newbie

Niv-Mizzet the Firemind

Active Member

fitgirlbestgirl

Well-Known Member

F4C430

Active Member

Niv-Mizzet the Firemind

Active Member

cvxcvgg

Newbie

anne O'nymous

I'm not grumpy, I'm just coded that way.

MissFortune

I Was Once, Possibly, Maybe, Perhaps… A Harem King

Hagatagar

Well-Known Member

rickyabp

Newbie

Hagatagar

Well-Known Member

anne O'nymous

I'm not grumpy, I'm just coded that way.

rickyabp

Newbie

Darth Vengeant

Well-Known Member

Odinn7

New Member