| View previous topic :: View next topic |
| Author |
Message |
TheRealOne
Joined: 28 Apr 2005
Posts: 48
|
| Posted: Fri Jun 02, 2006 10:18 pm Post subject: Is there a Virus on this Site?? |
|
|
When I came on to the site tonight it tried to download a WMF file. My AV protection then kicked in to say it was a trojan and managed to delete it. It reported it as Exploit-Onload Trojan. I don't think it's my AV as it's always been very reliable.
Please all be very careful and scan your PCs as soon as possible if you don't have any AV enabled. |
|
| Back to top |
|
RedAlert
Joined: 09 May 2005
Posts: 390
Location: Somewhere in Israel
|
| Posted: Fri Jun 02, 2006 10:21 pm Post subject: |
|
|
I PM the Admin earlier before as I get the Message with Kaspersky.
The Trojan came from this: http://traffsale1.biz/dl/adv745.php which is being opened auto when u log to the site. |
|
| Back to top |
|
InariVachs
Joined: 13 Jun 2005
Posts: 595
Location: PRAGUE, EU
|
| Posted: Fri Jun 02, 2006 10:25 pm Post subject: |
|
|
I'm trying to find how that virus came here, btw Firofox is safe, this problem is with IE only.
I erased all code with JS (ads and trackers) from homepage, nothing changed :-(
It is on homepage only.
Can anybody help, please? |
|
| Back to top |
|
Rogue_hunter
Joined: 12 Mar 2006
Posts: 5
|
| Posted: Fri Jun 02, 2006 10:39 pm Post subject: |
|
|
WMF is the new Microsoft photo format, set to compete with the popular jpeg format. most AVs wouldn't know that though, unless the definitions are recent, like today.
odd that it only shows up as a problem in IE, all things considered |
|
| Back to top |
|
InariVachs
Joined: 13 Jun 2005
Posts: 595
Location: PRAGUE, EU
|
| Posted: Fri Jun 02, 2006 10:42 pm Post subject: |
|
|
| But I can't find anything in the page code, anything what should start this file.... |
|
| Back to top |
|
H
Joined: 07 May 2005
Posts: 815
Location: A Land Of Diminishing Expectations
|
| Posted: Fri Jun 02, 2006 10:51 pm Post subject: |
|
|
InariVachs wrote: But I can't find anything in the page code, anything what should start this file....
I veiwed the page source in FF and using the find command found the line that has the link that RedAlert pointed out.
I pasted all the code into a text editor, and found its line 102. |
|
| Back to top |
|
InariVachs
Joined: 13 Jun 2005
Posts: 595
Location: PRAGUE, EU
|
| Posted: Fri Jun 02, 2006 10:54 pm Post subject: |
|
|
Thanks for help, found it and removed it.
It must be some injection to mysql database, it was in bad hacker, attached to forum description :-( :( :( :( |
|
| Back to top |
|
H
Joined: 07 May 2005
Posts: 815
Location: A Land Of Diminishing Expectations
|
| Posted: Fri Jun 02, 2006 11:03 pm Post subject: |
|
|
OK, yeah, i should have said it was an bad hacker to begin with, sorry about that.
It didn't effect FF right? Because my AV didn't complain or anything.... |
|
| Back to top |
|
InariVachs
Joined: 13 Jun 2005
Posts: 595
Location: PRAGUE, EU
|
| Posted: Fri Jun 02, 2006 11:09 pm Post subject: |
|
|
| No didn't work in FF, just in IE. |
|
| Back to top |
|
InariVachs
Joined: 13 Jun 2005
Posts: 595
Location: PRAGUE, EU
|
| Posted: Fri Jun 02, 2006 11:11 pm Post subject: |
|
|
H wrote: OK, yeah, i should have said it was an bad hacker to begin with, sorry about that.
No problem. I started in html code of the web, I didn't expect problem with the database. |
|
| Back to top |
|
|EPO|
Joined: 12 May 2005
Posts: 378
Location: Basin City
|
| Posted: Sat Jun 03, 2006 8:32 am Post subject: |
|
|
InariVachs wrote: btw Firofox is safe, this problem is with IE only.
That explains why I haven't seen anything - yet another reason to get rid of IE :badgrin: |
|
| Back to top |
|
RedAlert
Joined: 09 May 2005
Posts: 390
Location: Somewhere in Israel
|
| Posted: Sat Jun 03, 2006 9:45 am Post subject: |
|
|
| The Virus/Trojan is back again... |
|
| Back to top |
|
InariVachs
Joined: 13 Jun 2005
Posts: 595
Location: PRAGUE, EU
|
| Posted: Sat Jun 03, 2006 10:40 am Post subject: |
|
|
| I'm working on it, I will probably change the version of phpbb to the latest, but it will take some (huge amount of) time to install back all the futures (thanks, split and merge topics, attachments, quick reply, all admin futures..........) :grrr: |
|
| Back to top |
|
InariVachs
Joined: 13 Jun 2005
Posts: 595
Location: PRAGUE, EU
|
| Posted: Mon Jun 05, 2006 2:00 pm Post subject: |
|
|
| I hope the problem was solved. |
|
| Back to top |
|
Salseros
Joined: 02 May 2005
Posts: 703
Location: Beira Mar, Fortaleza - CE, Brasil :)
|
| Posted: Mon Jun 05, 2006 2:41 pm Post subject: |
|
|
Oh, I wasn't aware of this thread... anyway as some people already knew my pc got infected heavily. Until now I could not get rid of this virus and tried numerous things without any result, I believe I have to make a clean windows install again and move all my stuff I need to keep to my other HD.
I am getting help from some peops that know quite a lot about this stuff, but after 2 days of struggling, scanning my register and remove several virusses/spyware my pc is a wreck at the moment. I am afraid it is unremovable. |
|
| Back to top |
|
ellroy
Joined: 03 May 2005
Posts: 182
Location: Up north
|
| Posted: Mon Jun 05, 2006 6:47 pm Post subject: |
|
|
I haven't noticed anything, and I'm using IE.
Guess I've been lucky... 8) |
|
| Back to top |
|
stf
Joined: 23 Aug 2005
Posts: 1427
Location: bat country
|
| Posted: Mon Jun 05, 2006 8:52 pm Post subject: |
|
|
please dont misunderstand me, but is ask myself how can a virus signatur came into the forum code?
that would be mean that all forums in net which are using this phpBB-kit having the same problem?
not really or? |
|
| Back to top |
|
TheRealOne
Joined: 28 Apr 2005
Posts: 48
|
| Posted: Mon Jun 05, 2006 10:45 pm Post subject: |
|
|
I did see an article about some new vulnerabilities in mysql, so not sure if it's related to that.
I just make sure I have the latest AV DATs and patches on my PC. As soon as they're released they're on here! And still using IE ;-)
Oh, and thanks a lot for sorting it out guys and keeping this board running! |
|
| Back to top |
|
InariVachs
Joined: 13 Jun 2005
Posts: 595
Location: PRAGUE, EU
|
| Posted: Mon Jun 05, 2006 11:37 pm Post subject: |
|
|
It was sql injection, but I'm not sure if the bug was in the code of phpbb or the sql itself. Probably there were some open doors in the phpbb code.
Note that this board is not a clean phpbb install, we have many add-ons. I hope it's sorted out. If I would start with a latest clean version of phpbb, it would take at least a week of work to add all the futures (quick reply, attachments and so on). |
|
| Back to top |
|
BavSnail
Joined: 07 Jul 2005
Posts: 69
Location: Bavaria/Germany
|
| Posted: Wed Jun 07, 2006 2:43 pm Post subject: |
|
|
Rogue_hunter wrote: WMF is the new Microsoft photo format, set to compete with the popular jpeg format. most AVs wouldn't know that though, unless the definitions are recent, like today.
You're wrong, WMF (Windows Meta File) is a very very old vector graphics format, already present in Windows 3.1! The bad thing is that WMF can contain executable code by design :( But any recent anti virus should detect the known WMF exploit.
What you meant is WMP (Windows Media Photo) which isn't used yet as no current program can read it.
Bavarian Snail (using Firefox so not affected) |
|
| Back to top |
|
| |
