Bug or virus/exploit?

Worker Joined: Jul 06, 2005 Posts: 172

I've had a number of users reporting that their AV software detects an ANIfile-exploit on my phpnuke 7.6 site. I haven't been able to determine if it's a false warning or not, it seems to be. But a few users have reported that the site freezes up on them. I posted a thread HERE [ Only registered users can see links on this board! Get registered or login! ] if anyone knows what it might be or could offer help. I'm afraid I may be losing lots of possible members because of this Sad

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

Google search on panda av anifile removal

There are many hits. This one might help [ Only registered users can see links on this board! Get registered or login! ]

Posted: Fri Sep 23, 2005 8:35 pm

thanks raven. indeed ive seen that site before too. I scanned all my files for any off-site .css links and found NONE :O. I then checked all my css files for any offsite links and found none :O

I'm at a complete loss. If there aren't any links going elsewhere, and none of my own css files are infected, what is the problem?

Posted: Fri Sep 23, 2005 9:27 pm

Were they visiting a particular area of your site? Are you doing anything on your front page that is variable? I mean are you pulling rss feeds or other content from elsewhere, like in ads, etc?

Posted: Fri Sep 23, 2005 9:39 pm

As far as I can tell, the problem was reported immediately when visiting the website. I had a number of users report it right when they typed in [ Only registered users can see links on this board! Get registered or login! ] and the site loaded for the first time. We currently aren't syndicating any newsfeeds or running any adds either Confused

Posted: Fri Sep 23, 2005 9:45 pm

I haven't been able to produce it. It could be just a false positive by their software. When this happens, have them do a view source, copy and paste the source in an editor, zip it up, and email it to you for further analysis. If you are unable to see anything, then have them send it to their virus vendor for analysis to determine why they are getting the false positive.

Posted: Fri Sep 23, 2005 9:58 pm

This is what I suspected all along. After giving it some thought, the only thing I can come up with is the theme. Perhaps something about Helius (or whatever copy of Helius I have) sets it off. I could try using a new theme, might throw the users off a bit though hehe.

Just unfortunate when something like this happens and prospective users are lost Sad

Posted: Sat Sep 24, 2005 6:16 am

Check your favicon.ico's most browsers check for it in the root / although the website maybe says to look in /themes/Helius/