Forums Down! "Add-on Remote Data Services Data Control" error for users. Help?

Started by TK1994, April 15, 2008, 02:28:00 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

TK1994

April 15, 2008, 02:28:00 PM Last Edit: April 15, 2008, 06:25:14 PM by TK1994
Everyone hitting our website today is getting the following pop up error:

"This website wants to run the following add-on: "Remote Data Services Data Control" from Microsoft Corporation"

It's similar to the error in this topic, which I found in a search.

http://www.simplemachines.org/community/index.php?topic=224858.0


The non-SMF pages on the same domain all work fine, but the index and forums are both SMF based and are both producing this error.  I tried calling my host, they say it's some sort of script exploit or something.

Can anyone help point me in the right direction for a fix?

karlbenson

#1
April 15, 2008, 02:38:38 PM
Can you please post a link to your forum/page that is affected.
View the source code of the page, has anything been inserted?

If is the common sort if code injection into files that I believe it is, it is usually caused by a compromised host.

TK1994

#2
April 15, 2008, 03:02:51 PM
The addresses are hxxp:www.garrisontitan.com [nonactive] and hxxp:www.garrisontitan.com/theboard [nonactive]

I've got redirects up right now, but you can reach the old addresses here:

hxxp:www.garrisontitan.com/error-index.php [nonactive]
hxxp:www.garrisontitan.com/theboard/error-index.php [nonactive]

I just checked the first one 20 seconds ago and it will load for about a minute before producing that error.

unExpected

#3
April 16, 2008, 01:26:17 AM
Hello,

I received a Threat warning from AVG Web shield while accessing your site, see the attached image.

Regards
Mashahood
Newbie :)

Oldiesmann

#4
April 16, 2008, 01:36:24 AM
I'm just getting the standard "Connection problems" error when I visit the "theboard" one...

TK1994

#5
April 16, 2008, 01:54:19 AM Last Edit: April 16, 2008, 11:08:12 AM by Motoko-chan
I've been researching all evening. This may (may) be a problem with a security hole in a Coppermine image gallery on my site that wasn't udpated to the newest version.

Apparently, this hack is well known on the Coppermine boards, and it overwrites every HTML and PHP file on the server with the compromised code. Conceivably, this is how it spread to my SMF boards and main page...and now every page on my website redirects you to some address named:

DO NOT VISIT THIS URL!
Code Select
hxxp://cdpuvbhfzz.com/dl/adv598.php[/color]
DO NOT VISIT THIS URL!

Here's a thread I found with more information:

hxxp:forum.coppermine-gallery.net/index.php/topic,51927.0.html [nonactive]

I'm currently working with my web host company to see what they can do, but I'm totally at a loss right now.  Only fix I can think of is blowing the whole site away and I don't have a very recent back up.....it's a tough situation.


Mashahood, can you tell me what kind of threat your virus program says this is?  Do they have a file or a patch for it yet?  I can't seem to find any info on virus research sites yet.

karlbenson

#6
April 16, 2008, 04:48:27 AM
I put the link in code, so users can't accidentally click it.

青山 素子

#7
April 16, 2008, 11:08:52 AM
Quote from: karlbenson on April 16, 2008, 04:48:27 AM
I put the link in code, so users can't accidentally click it.

I did you one better and changed to hxxp. Gotta protect against copy paste monkeys.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.

karlbenson

#8
April 16, 2008, 06:47:07 PM
I don't know. I wouldn't mind content scrapers following it ;)
Bad boys deserved to be treated badly ;)
Print
Go Up Pages1
User actions
Advertisement: