 | ||||
| ||||
| | ||||
| ||||
| Welcome to the UltraBB public support forum! Did you know there is an inexpensive totally integrated gallery available for UltraBB? Read more here: Gallery Details |
| Moderated by: Fake Mod | Page: 1 2   |
|
|||||||||||||
| FLASH CHAT WARNING | Rate Topic |
| Author | Post |
|---|
| Posted: Mon Dec 28th, 2009 11:08 am |
|
1st Post |
|
Jim I work here 
|
The virus we have all had to deal with could have originated from flash chat. Flash chat it's self (the folders on your site) are not infected, however a web reference in one of the preload flash routines point at an infected page spreading the virus. IF YOU HAVE FLASH CHAT GET RID OF IT. DELETE THE FOLDER OR RENAME THE FOLDER AND CONTACT ME. IF YOU VISIT ANOTHER SITE WITH FLASH CHAT WARN THEM. This way it can't be spread. As ming ming duck would say... "This is sewious" Jim
|
||||||||||||||
| |||||||||||||||
| Posted: Mon Dec 28th, 2009 12:06 pm |
|
2nd Post |
|
wingnutter Forever Learning 
|
Can we just change the web reference Jim?
|
|||||||||||||
| ||||||||||||||
| Posted: Mon Dec 28th, 2009 12:37 pm |
|
3rd Post |
|
Jim I work here
|
They might have the link saved.That's why changing the folder name is safest.
|
||||||||||||||
| |||||||||||||||
| Posted: Mon Dec 28th, 2009 03:08 pm |
|
4th Post |
|
EricC Worm Can Opener 
|
Jim wrote: This way it can't be spread. As ming ming duck would say... "This is sewious" You can tell who has young children.....  ....So seeing as I do not have Flash Chat is why I did not get infected?
|
|||||||||||||
| ||||||||||||||
| Posted: Mon Dec 28th, 2009 03:12 pm |
|
5th Post |
|
Mag License Holder
|
Seems like that to me Eric, our site was ok as well and we don't use any chat programs. Aha Jim, so the boys watch Wonder Pets LOL
|
||||||||||||||
| |||||||||||||||
| Posted: Mon Dec 28th, 2009 03:15 pm |
|
6th Post |
|
Jim I work here
|
LOL Flash chat might be what was unsuspectingly spreading it big time. A google search on the actual injected virus JS:Illredir-A shows TONS of sites on tons of hosts hit since right before Christmas. It was wide spread but since a lot of ex wow users have flash chat AND the infection isn't in the actual files it would be impossible to detect and quick to spread. Avast only added that particular strain on the 21st of this month. Now variant B is sweeping....
|
|||||||||||||
| ||||||||||||||
| Posted: Mon Dec 28th, 2009 03:43 pm |
|
7th Post |
|
Di Administrator 
|
Mag wrote:
LOL! what do you think? Attached Image (viewed 100 times):
|
||||||||||||||
| |||||||||||||||
| Posted: Mon Dec 28th, 2009 04:25 pm |
|
8th Post |
|
Robert Member 
|
Jim wrote: Avast only added that particular strain on the 21st of this month. Now variant B is sweeping.... It's variant B that's affecting my forum. One of my members is a major retail supplier of kit to the hobby and every time I go to a page where he has posted I get this warning : yourmodelrailway.net/images/avatars/contains sample of JS:Illdirect B (Trj) If I delete his post then there's no problem with the rest of the topic. This member doesn't have an avatar and has never had one. I have contacted him and he says because of the importance to his business his machines are continuously scanned for viruses etc and they are clean.
|
|||||||||||||
| ||||||||||||||
| Posted: Mon Dec 28th, 2009 04:40 pm |
|
9th Post |
|
martin_wynne Licence Holder 
|
EDIT: deleted See next. Last edited on Mon Dec 28th, 2009 04:52 pm by martin_wynne |
||||||||||||||
| |||||||||||||||
| Posted: Mon Dec 28th, 2009 04:50 pm |
|
10th Post |
|
martin_wynne Licence Holder
|
Hi Bob, Forget everything I just said.  The index.php file in your /avatars/ folder (which should be empty) is infected, and my ESET NOD32 AV has now found it. More to the point, the virus is actually called: JS/TrojanDownloader.Agent.NRL which means that at long last I can search for some meaningful information about it. So thanks for that at least. See attached. regards, Martin. Attached Image (viewed 92 times):
|
|||||||||||||
| ||||||||||||||
| Posted: Mon Dec 28th, 2009 05:07 pm |
|
11th Post |
|
Jim I work here
|
There's not supposed to be an index.php in avatar folders......
|
||||||||||||||
| |||||||||||||||
| Posted: Mon Dec 28th, 2009 05:11 pm |
|
12th Post |
|
Jim I work here
|
It's gone now  It was index.html. It's supposed to be blank. The virus has not previously written to blank index files. It looked like someone uploaded an alternate index file then it got hacked. Good catch Martin.
|
|||||||||||||
| ||||||||||||||
| Posted: Mon Dec 28th, 2009 05:14 pm |
|
13th Post |
|
Jim I work here
|
OK I just checked about 6 previously infected sites, all had a zero K file size for index.html in the avatar folder. Seems like a Bob exclusive.
|
||||||||||||||
| |||||||||||||||
| Posted: Mon Dec 28th, 2009 05:16 pm |
|
14th Post |
|
Jim I work here
|
martin_wynne wrote: Hi Bob, Martin: The different virus protection companies name the viruses themselves and they can be different names. I examined the virus string, except for the base 64 encoded URL it was identical. Thanks for finding this Martin, Bob can rest a little better now.
|
|||||||||||||
| ||||||||||||||
| Posted: Mon Dec 28th, 2009 05:38 pm |
|
15th Post |
|
martin_wynne Licence Holder
|
Jim wrote:The different virus protection companies name the viruses themselves and they can be different names. Yes I know, and it makes it next to impossible to search for information about a specific virus, or to be sure that any information found is relevant. ESET NOD32 last updated the virus signature for this one on 25th December, and first detected it on 16th December. Bob can rest a little better now. Maybe, but I think he would rest even better if he knew how it became infected in the first place, and how to prevent it happening again. Previous measures to protect the FTP password seem to have failed?  regards, Martin.
|
||||||||||||||
| |||||||||||||||
| Posted: Mon Dec 28th, 2009 05:48 pm |
|
16th Post |
|
Jim I work here
|
That's why I figured he was infected, all but one other site I changed the password on didn't get re infected. The other (after the reinfection) I changed the password and didn't tell them what it was for a few days, no reinfections after that.
|
|||||||||||||
| ||||||||||||||
| Posted: Mon Dec 28th, 2009 06:01 pm |
|
17th Post |
|
martin_wynne Licence Holder
|
Jim wrote: That's why I figured he was infected, all but one other site I changed the password on didn't get re infected. The other (after the reinfection) I changed the password and didn't tell them what it was for a few days, no reinfections after that. Hi Jim, On the Control Panel for my UK hosting provider (it's not cPanel), I can turn off all FTP access. I have now taken to doing that -- I turn it on only for a few minutes when I need to do an FTP transfer, and then turn it off again. But I can't seem to do that in cPanel, unless I'm missing something? Even more worrying is that the the main account FTP password seems to be the same as the cPanel password -- so if it's stolen, the cPanel could also be hacked? On my UK hosting, the passwords are different, and the Control Panel has a captcha in the login. regards, Martin.
|
||||||||||||||
| |||||||||||||||
| Posted: Mon Dec 28th, 2009 06:18 pm |
|
18th Post |
|
Robert Member
|
An exclusive for me. How flattering but I could have done without it. Must hurry back to the forum now and check for myself.
|
|||||||||||||
| ||||||||||||||
| Posted: Mon Dec 28th, 2009 06:52 pm |
|
19th Post |
|
Robert Member
|
Update on the above. No trace of the virus found so it looks like we are clear once more. Thankfully there doesn't appear to be any damage caused but the nuisance value has been very high indeed. As a matter of interest I downloaded my database this morning and ran Avast, Ad-Aware and Superantispyware over it to no effect, as far as they were concerned it was clean.
|
||||||||||||||
| |||||||||||||||
| Posted: Mon Dec 28th, 2009 09:13 pm |
|
20th Post |
|
Devans License Holder 
|
Hey Jim, As you know, I used to use Flash Chat, on our forum. I have since upgraded to the new chat program, that you have here. I do, however, still have the Flashchat, although I have removed all links to it, in the forum. Should the Flash Chat folder(s) be deleted from cpanel? I have no intentions on using it again, I just was unsure of which files and folders to remove.
|
|||||||||||||
| ||||||||||||||
| Current time is 10:39 am | Page: 1 2 |
| UltraBB Forums > UltraBB > Troubleshooting > FLASH CHAT WARNING | Top |
 |
