 | ||||
| ||||
| | ||||
| ||||
| Welcome to the UltraBB public support forum! Did you know there is an inexpensive totally integrated gallery available for UltraBB? Read more here: Gallery Details |
| Moderated by: Fake Mod | Page:   1 2 3 4 5   |
|
|||||||||||||
| Problems, please read. | Rate Topic |
| Author | Post |
|---|
| Posted: Tue Dec 22nd, 2009 01:29 am |
|
21st Post |
|
martin_wynne Licence Holder 
|
Hi Jim, Could you clarify how this virus works? All my saved ftp passwords are encrypted in the ini files, so I'm a bit puzzled how the virus would manage to decrypt them -- or if it can, what's the point of having them saved in encrypted form? If I don't save them, and have to enter them manually, that surely makes them vulnerable to keylogger viruses? I suppose I could copy and paste them into the ftp login from somewhere else. Whatever, I'm extremely reluctant to change them. NOD32 reports my system clean and I can't detect any problems on any of my sites. It will be a big headache to change them all -- I have half a dozen different ftp accounts, and some are used in other software such as Help&Manual and Camtasia to automate uploads. One of them is hard-encoded (with obfuscation) in one of my own programs distributed to users. If I change it I shall have to issue an upgrade version to everyone using it. I'm also puzzled that all the links you gave are 6 months old. I can't find any news reports that this has suddenly become a panic in the last few days.  regards, Martin.
|
||||||||||||||
| |||||||||||||||
| Posted: Tue Dec 22nd, 2009 01:58 am |
|
22nd Post |
|
snooze License Holder
|
I wasn't having a problem other than a notice that an explorer file was closing, even I never had the ie browser open (i'm using chrome), but i just installed avast (my mcafee just ran out) and now I'm getting the notice about this one: JS:Illredir-A [Trj]
|
|||||||||||||
| ||||||||||||||
| Posted: Tue Dec 22nd, 2009 02:01 am |
|
23rd Post |
|
Jim I work here 
|
Yes that is unusual.(the old threads) I did an internet search using part of the malicious code and got some real recent threads. That's how I determined what the bug was. It isn't that particular one but a variant. Anyhow your site was not affected at all.
|
||||||||||||||
| |||||||||||||||
| Posted: Tue Dec 22nd, 2009 02:33 am |
|
24th Post |
|
Jim I work here
|
ALSO we have just proved that a cleaned site will get re infected if you do not change the password to your FTP.
|
|||||||||||||
| ||||||||||||||
| Posted: Tue Dec 22nd, 2009 02:43 am |
|
25th Post |
|
martin_wynne Licence Holder
|
Jim wrote: ALSO we have just proved that a cleaned site will get re infected if you do not change the password to your FTP. Hi Jim, I'm willing to change them if I must, but the other part of your request was not to save them. I'm very reluctant to do that -- surely the greater risk is keylogger viruses if they have to be entered every time? It's a pain fiddling about with copy and paste and entering bits of password in the wrong order to defeat keyloggers. regards, Martin.
|
||||||||||||||
| |||||||||||||||
| Posted: Tue Dec 22nd, 2009 02:47 am |
|
26th Post |
|
Jim I work here
|
What is this world coming to? You store them and a virus hacks them and sends them to china. You don't store them and a virus logs the entry as you go in. Like I said, if your site was going to be affected it would have and on the 19th sometime after 1:07 PM EST. If not by now it probably never will. You are doing something right Martin 
|
|||||||||||||
| ||||||||||||||
| Posted: Tue Dec 22nd, 2009 07:33 am |
|
27th Post |
|
Robert Member 
|
I was locked out of my pop3 account this morning and then it suddenly opened up and it was flooded with 80+ returned e-mail notifications from all over Spain from people and places I have never heard of. Sounds bad. Not a good start to the computing day. Last edited on Tue Dec 22nd, 2009 08:18 am by Robert |
||||||||||||||
| |||||||||||||||
| Posted: Tue Dec 22nd, 2009 07:39 am |
|
28th Post |
|
Robert Member
|
I now have e-mails pouring with reports of Avast coming up with this trojan from a lot of the avatars on the forum : JS:lllredir-A [TRJ]
|
|||||||||||||
| ||||||||||||||
| Posted: Tue Dec 22nd, 2009 08:55 am |
|
29th Post |
|
Robert Member
|
I have been deleting those posts with the avatar warnings and that seems to have cleared the problem, for now at least.
|
||||||||||||||
| |||||||||||||||
| Posted: Tue Dec 22nd, 2009 10:15 am |
|
30th Post |
|
Jim I work here
|
OK this is strange. From the avatars?
|
|||||||||||||
| ||||||||||||||
| Posted: Tue Dec 22nd, 2009 10:20 am |
|
31st Post |
|
Robert Member
|
Yes Jim but so far only two people have been affected. Avast stopped the download of the avatar in question and I have deleted the posts because even with the avatars removed the same warning kept coming from Avast. The topics where the posts were are now clear.
|
||||||||||||||
| |||||||||||||||
| Posted: Tue Dec 22nd, 2009 10:28 am |
|
32nd Post |
|
Jim I work here
|
OK Bob that is sort of impossible. Since the software does not allow remote avatars this would be difficult. Do you allow signatures? An image drawn from a site that is infected could do this but signature is the only way or a copy and paste from an infected page.
|
|||||||||||||
| ||||||||||||||
| Posted: Tue Dec 22nd, 2009 10:54 am |
|
33rd Post |
|
martin_wynne Licence Holder
|
Robert wrote: because even with the avatars removed the same warning kept coming from Avast Hi Bob, Jim, Sorry to state the obvious, but this of course means that the problem is not with the avatars. regards, Martin.
|
||||||||||||||
| |||||||||||||||
| Posted: Tue Dec 22nd, 2009 11:00 am |
|
34th Post |
|
Robert Member
|
The warning that comes up Jim is the same as the one when the avatar was there, identical wording and stating the same url for the missing avatar. It only stops doing that when the whole post is deleted. I'll wait to see if it happens again and take a snapshot. Is it possible that the whole post was contaminated? Last edited on Tue Dec 22nd, 2009 11:02 am by Robert |
|||||||||||||
| ||||||||||||||
| Posted: Tue Dec 22nd, 2009 11:30 am |
|
35th Post |
|
Jim I work here
|
It's possible that there was no contamination. Avast evidently added at least one of the text strings that triggers the virus to their definitions. I know this because I posted the string as text on a forum and that page shows a false positive. Also a file I was working with to match the string and delete it from files is tagged today by avast as a virus and I know it is not dangerous. So I would still like to investigate if it happens today again but I don't think there is any real threat.
|
||||||||||||||
| |||||||||||||||
| Posted: Tue Dec 22nd, 2009 11:55 am |
|
36th Post |
|
EricC Worm Can Opener 
|
After reading this I am not sure what or if I need to do anything. It doesn't appear my sites are experiencing any problems, but I want to be sure.
|
|||||||||||||
| ||||||||||||||
| Posted: Tue Dec 22nd, 2009 12:24 pm |
|
37th Post |
|
Robert Member
|
Thanks Jim. I'm starting to relax a little now. Nothing has happened during the last couple of hours.
|
||||||||||||||
| |||||||||||||||
| Posted: Tue Dec 22nd, 2009 12:27 pm |
|
38th Post |
|
John Floyd License Holder 
|
My Site has hung in there for a little over 7 hours now, still doing good John
|
|||||||||||||
| ||||||||||||||
| Posted: Tue Dec 22nd, 2009 01:17 pm |
|
39th Post |
|
Robert Member
|
One of my members has just had this come up on entering our Recent Topics page, before clicking on anything :
|
||||||||||||||
| |||||||||||||||
| Posted: Tue Dec 22nd, 2009 02:43 pm |
|
40th Post |
|
Mag License Holder
|
Blimey Robert, give Jim a chance to draw breath, he is running around after so many customers at the moment ROFL
|
|||||||||||||
| ||||||||||||||
| Current time is 10:41 am | Page: 1 2 3 4 5 |
| UltraBB Forums > UltraBB > Troubleshooting > Problems, please read. | Top |
 |
