Problems, please read.

Posted: Mon Dec 21st, 2009 01:46 pm | 1st Post | Jim I work here

As you can probably guess, we have a problem affecting many of our web sites. It isn't just us. I have spent 2 days in diagnostics, but I will need everybody's help for this because it isn't just a Data 1 problem, it is a world problem.

First, what you have to do immediately (if you know how; if not, PM me and I'll get to it in the order received, please):

1. Determine if your computer is affected by running Avast. It will detect it but not get rid of it. Don't be fooled by the fake scripts to get rid of it on the internet that charge you money; they cannot work. Manual deletion is the only way. If you are infected, go to another computer or contact me to do the other steps.
2. From an uninfected computer, CHANGE YOUR FTP PASSWORD.
3. Next time you log in to FTP, DO NOT SAVE THE PASSWORD. This goes for FileZilla, WS, WinSCP, FrontPage and Dreamweaver. Probably WebDrive also.

This is very serious. I have been cleaning computers for years, almost weekly, and I have never seen anything like it. I am working on a script to flush the server. There is no proactive security measure known to man that can stop this, being that it uses a legal FTP user and password. You don't even have to click on anything to get it; it is in the web page and uses loopholes in Acrobat Reader and Shockwave Flash to infect. IE is worse than Firefox, but it can still get Firefox.

THE GOOD NEWS, IF ANY: it doesn't jump cross site. It will only go to the site it has the password for.

Files affected:

- Any file that starts with index and ends in .php, .htm, .html (index_12354.htm would qualify)
- Any file that starts with default and ends in the extensions above.
- Any file that starts with main and ends with the extensions above.
- Any file ending in .js

It puts an extra line at the very bottom of the file. If you decide to look, please be careful not to delete needed tags (mostly the ?> at the end of PHP files).

I had to have the info right before making the announcement. Please ask any questions needed.

- Jim

Articles:
http://news.cnet.com/8301-1009_3-10244529-83.html
http://news.zdnet.com/2100-9595_22-306268.html
http://en.wikipedia.org/wiki/Gumblar
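
A read-only check for the file patterns listed in the post above, added here as an example and not part of the original post: it walks a web root, selects the files whose names match those rules, and reports each file's last line plus any text found after the final `?>` or `</html>` so a person can review it. The closing-marker heuristic, the function names and the sample files are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Name rules from the post: index*/default*/main* pages, plus every .js file.
PREFIXES = ("index", "default", "main")
PAGE_EXTS = (".php", ".htm", ".html")
# Assumption: markers that normally end a clean page; text after them needs review.
CLOSERS = ("?>", "</html>")

def is_candidate(filename):
    name = filename.lower()
    return name.endswith(".js") or (name.startswith(PREFIXES) and name.endswith(PAGE_EXTS))

def after_closer(text):
    """Text following the last closing marker ('' if no marker or nothing follows)."""
    low = text.lower()
    ends = [low.rfind(c) + len(c) for c in CLOSERS if c in low]
    return text[max(ends):].strip() if ends else ""

def last_line(text):
    return (text.strip().splitlines() or [""])[-1].strip()

def scan(root):
    """Return {relative path: (last line, text after closer)} for candidate files."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and is_candidate(path.name):
            text = path.read_text(encoding="utf-8", errors="replace")
            rel = path.relative_to(root).as_posix()
            report[rel] = (last_line(text)[:120], after_closer(text)[:120])
    return report

def demo():
    appended = "<!-- constructed placeholder for an appended line -->"  # harmless sample
    sample = {
        "index.php": "<?php echo 'hi';\n?>\n",
        "index_12354.htm": "<html><body>x</body></html>\n" + appended + "\n",
        "about.html": "<html></html>\n" + appended + "\n",  # name not targeted
        "js/gui.js": "function f() {}\n" + appended + "\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan(root)

if __name__ == "__main__":
    for path, (last, extra) in sorted(demo().items()):
        print(f"{path}: last line={last!r} after closer={extra!r}")
```

Point `scan()` at a local copy of the site rather than the live server; `.js` files have no closing marker, so their last line is always shown for comparison against a known-good copy.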

Posted: Mon Dec 21st, 2009 02:31 pm | 2nd Post | Mag License Holder

Jim, is this just for those who use or used Avast?

Posted: Mon Dec 21st, 2009 03:10 pm | 3rd Post | Jim I work here

No, it's for everyone. Even if you don't have programs that save FTP passwords, it will divert your Google searches to sites that spread more malware. This is a world scale attempt to bring Google down, some have speculated. It's working. This is about as serious as it gets if you read some of the articles. I'm sorry for not announcing sooner, but I wanted to make 100% sure what we were dealing with first. Please change your FTP password and don't save it in your FTP program.

Posted: Mon Dec 21st, 2009 03:24 pm | 4th Post | Mag License Holder

Thanks Jim, I have now done that.

Posted: Mon Dec 21st, 2009 03:28 pm | 5th Post | John Floyd License Holder

I have scanned using Avast and Malwarebytes Anti-Malware, getting a clean report, and changed the FTP password for my main account. For the individual sites, I never use those FTPs. Thanks for your effort, glad to know you are on our side.

I have noticed recently that my computer has been slow, my CPU core temperature has been running high and my memory usage has been up to 100%. A sure sign that something has been working my computer hard, but yet it should have been idling. This morning it is much better.

John

Posted: Mon Dec 21st, 2009 03:57 pm | 6th Post | Jim I work here

I have actually been manually flushing servers and most have been fixed. Reinfection is imminent if you don't change the password.

Posted: Mon Dec 21st, 2009 06:35 pm | 7th Post | Robert Member

Did a full scan of the computer with Avast and no problems. Didn't know I had a password for my Cute FTP 8 program. Ran it and sure enough there was a space for changing the password, so have done that. Fingers crossed now as this sounds a real baddy. If it bothers Jim then it sure as hell bothers me.

Posted: Mon Dec 21st, 2009 06:36 pm | 8th Post | Mag License Holder

Questions from one of our coordinators:

OK, it is known as Gumblar or Troj/JSRedir-R. From the description, I have not ever been redirected like that to what is described. Does this mean that my computer would not have been affected?

If you have another antivirus program, can you use that instead of Avast?

Posted: Mon Dec 21st, 2009 06:52 pm | 9th Post | Robert Member

Are members' computers in any danger from using an infected forum?

Last edited on Mon Dec 21st, 2009 06:52 pm by Robert

Posted: Mon Dec 21st, 2009 07:14 pm | 10th Post | Jim I work here

Robert wrote: Are members' computers in any danger from using an infected forum?

No. The forum software didn't spread the virus at all; it was injected incorrectly. The code was in there but not in a spot it could be read properly to redirect. WordPress is a bad one for spreading it, and mostly static HTML sites.

Posted: Mon Dec 21st, 2009 07:18 pm | 11th Post | Mag License Holder

Jim, I think you missed my question.

Questions from one of our coordinators:

OK, it is known as Gumblar or Troj/JSRedir-R. From the description, I have not ever been redirected like that to what is described. Does this mean that my computer would not have been affected?

If you have another antivirus program, can you use that instead of Avast?

Posted: Mon Dec 21st, 2009 07:18 pm | 12th Post | Robert Member

That's a heck of a relief, Jim. I would hate to think I might be responsible for spreading this thing.

Posted: Mon Dec 21st, 2009 08:07 pm | 13th Post | wingnutter Forever Learning

Well, this is a bolt out of the blue. I will download Avast now and check. I don't save the FTP password myself.

Posted: Mon Dec 21st, 2009 09:11 pm | 14th Post | snooze License Holder

I've had a complaint from my co-admin that our site has the Trojan.JS.agent.axl. Is this what this thread is about? I'm not having a problem with Chrome, but I get a window saying Explorer is shutting down, even though I don't have any Explorer windows and nothing seems to change before or after.

Posted: Mon Dec 21st, 2009 09:43 pm | 15th Post | Jim I work here

Right now? I'll change your password from here since I know it's safe and PM you with the new one.

Posted: Mon Dec 21st, 2009 10:21 pm | 16th Post | snooze License Holder

Thanks... Stephanie may have fixed it already. I'm directing her here.

Posted: Mon Dec 21st, 2009 11:19 pm | 17th Post | jordiwes Member

So I removed some trojan code from index.php and gui.js. I don't have FTP set up for this site, I just use cPanel. I think our site may have infected me with the trojan by navigating to the website before I cleaned it. Running Avast to make sure.

Posted: Mon Dec 21st, 2009 11:51 pm | 18th Post | John Floyd License Holder

I have turned off my boards at Nashpropicker.com and dekleyforum.com. I got in thru a link to a post and then got into the admin panel and turned dekleyforum.com off.

Dekleyforum.com is infected, dekley.com is not.

Have scanned my computer on the Win 7 64 bit op sys and XP Pro 32 bit operating system, and they are coming up clean on Avast and Malwarebytes Anti-Malware.

Just going to sit tight and wait for further word from Jim.

John

Last edited on Tue Dec 22nd, 2009 12:26 am by John Floyd

Posted: Tue Dec 22nd, 2009 12:37 am | 19th Post | Jim I work here

I'm in and back at it.

Posted: Tue Dec 22nd, 2009 12:42 am | 20th Post | John Floyd License Holder

I was able to get back into the Admin panel and fire off this Mass Email to all of my members:

"UNTIL FURTHER NOTICE, DO NOT ATTEMPT TO GO TO DEKLEYFORUM.COM. I HAVE GOTTEN IN THRU THE BACK DOOR AND AM SENDING THIS WARNING. YOU SHOULD NOT GET INFECTED VIA EMAIL. I WILL SEND ALL OF YOU AN ALL CLEAR MESSAGE AS SOON AS DATA1 SYSTEMS HAS THE SERVER PURGED OF THIS. IF YOU NEED ANY CLARIFICATION, EMAIL ME AT Admin@Dekley.com

Sorry for the inconvenience

John"