Ravens PHP Scripts: Forums
 

 

dean
Worker


Joined: Apr 14, 2004
Posts: 193

Posted: Fri Nov 19, 2004 1:49 am

I don't know how, but someone got past my sentinel and patches to install the mhtmlredir.exploit virus, and many peeps can't see the site, and those that do are exposed to the virus. It's so bad I can't even log into FTP or cPanel. The host is supposedly sanitizing the site, but I hope I can figure out how it all happened to begin with...
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

Posted: Fri Nov 19, 2004 2:34 am

Do you use Coppermine or any other application that allows uploads?
 
dean
Posted: Fri Nov 19, 2004 3:14 am

Yes, latest version of coppermine, enhanced downloads module and Z advertising.
 
Raven
Posted: Fri Nov 19, 2004 7:04 am

My guess is that's your culprit, but your host needs to do an audit to see for sure.
 
jaded
Theme Guru


Joined: Nov 01, 2003
Posts: 1006

Posted: Fri Nov 19, 2004 8:02 am

I agree with Raven. I have banned the use of Coppermine and/or My_Egallery on our server. The holes are enormous. We had a client whose site was turned into an eggdropper because of My_Egallery. I would strongly suggest a different gallery. I am currently very pleased with the one I use on my site. You may view it via my site in my signature. Please be certain to remove all instances of the Coppermine. That includes from your admin files.

dean
Posted: Sat Nov 20, 2004 4:48 am

I am stuck - my browser no longer allows me to view any of five sites I have installed at the alaskandog.com domain. All I get is the basic "site cannot be found" error, and when I click on properties the actual URL is:
[link hidden by the forum]

I've run Norton AntiVirus, Spybot, adaware and ad-ware programs to try and detect the problem, to no avail. Search of Google isn't helping... does anyone have some experience here? I am told the virus on my site is called the mhtmlredir.exploit.
 
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

Posted: Sat Nov 20, 2004 5:03 am

That's strange?...
No Google results?
And what about this... http://securityresponse.symantec.com/avcenter/venc/data/mhtmlredir.exploit.html

Says clearly... "This threat allows a malicious Web site to download and execute programs on your computer"...

Or this one...


    Question
    Just got a message from Norton that it found this virus but could not fix as access was denied. MHTMLRedir.Exploit. Should I be concerned by this?

    Answer
    Howdy:

    Because this is an exploit only, there are no removal instructions, since there is nothing to remove. This is a detection for the exploit, preventing the execution of malicious content on your computer. By detecting the exploit, it is prevented from running.




And even with my busy life I give you another one...


    Question
    My computer has got the above and my anti-virus does nothing because it states it is an 'exploit' not a virus. I cannot change my IE homepage because it automatically defaults to the default setting, this is a straightforward search engine (http://searchpage.cc), neither can I download anything because it goes straight back to homepage, I am on broadband using Windows XP, with Windows Internet Explorer and I'm starting to despair if possible please help.

    Answer
    You have been infected with adware or spyware. Your antivirus won't remove it purely for legal reasons. Here is how those things often infect your computer. When you install some kinds of free software, or download things from some web sites, and click on the user license, in the teeny tiny and confusingly worded fine print, you end up agreeing to these nasty things.

    For instant free help, try Ad-aware and Spybot. You can use one or both together, they are compatible.



So the question now is, who's infected?
I can see your maintenance page...
 
jaded
Posted: Sat Nov 20, 2004 9:54 am

Dean,
It sounds to me like you may be server banned. I see the page not displayed when my server bans me from time to time. My suggestion is for you to attempt to go to several sites that are also on the same hosting server. If you do not know what they are, then I would contact your host for the information. It is best to find this out before you spend a lot of time looking for another answer. This will just let you rule out one thing. Of course, if you can change your IP I would suggest that first. Be certain to look at your IP number before you attempt to change it. Then change it and look at it again. Sometimes a reboot won't change your IP. Double check!
 
dean
Posted: Sat Nov 20, 2004 11:12 pm

Yea Jaded, it turned out I was server banned, host rectified earlier today. This after running three different virus detectors, adaware, ad-ware... Once I was able to get in, I figured it was a msql injection, 'cause when I ran a virus detector over the database tables, it detected and removed the item. Unfortunately, the remaining tables didn't work very well and I didn't want to mess any more with it - so I restored a backup from previous week.

Now the maddening problem is that my users come to this site primarily for the calendar and gallery, both of which are vulnerable. If I get rid of either, the site will suffer. Changing to another gallery or calendar module will likely result in mucha keyboarding. Agrgh... I'm sure the regular users are getting fed up with the disruptions by now...
 
All times are GMT - 6 Hours
 