leopoldm (New Member)
Joined: Jan 22, 2004 Posts: 11
Posted: Fri May 28, 2004 6:56 am

Hello,
When extracting Sentinel, BitDefender Virus Scan shows the following message: C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar=>html/abuse/abuse.js is infected with JS.Trojan.Spawn.A
What happens?
Thanks for comments, advice, ...
Greetz,
Leopold
Raven (Site Admin/Owner)
Joined: Aug 27, 2002 Posts: 15213 Location: Kansas
Posted: Fri May 28, 2004 7:00 am

There's no virus. Don't know what's setting off the alert.
leopoldm (New Member)
Joined: Jan 22, 2004 Posts: 11
Posted: Fri May 28, 2004 7:21 am

This is the full report:
Quote:
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar=>LICENSE.txt OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar=>README.txt OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar=>html/abuse/.htaccess OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar=>html/abuse/abuse.js Infected JS.Trojan.Spawn.A
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar=>html/abuse/abuse.php OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar=>html/abuse/abuse.swf OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar=>html/abuse/GanjaUKevil.swf OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar=>html/admin/case/case.sentinel.php OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar=>html/admin/links/links.sentinel.php OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar=>html/admin/modules/sentinel.php OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar=>html/admin/modules/sentinel.php=>(JAVASCRIPT 1) OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar=>html/admin/modules/sentinel.php=>(JAVASCRIPT 2) OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar=>html/admin/modules/sentinel.php=>(JAVASCRIPT 3) OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar=>html/blocks/block-Sentinel.php OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar=>html/images/admin/sentinel.png OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar=>html/images/sentinel/Sentinel_Large.png OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar=>html/images/sentinel/Sentinel_Medium.png OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar=>html/images/sentinel/Sentinel_Small.png OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar=>html/includes/sentinel.php OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar=>html/language/sentinel/lang-english.php OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar=>html/nsnst.php OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\LICENSE.txt OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\README.txt OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\html\abuse\.htaccess OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\html\abuse\abuse.js Infected JS.Trojan.Spawn.A
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\html\abuse\abuse.php OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\html\abuse\abuse.swf OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\html\abuse\GanjaUKevil.swf OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\html\abuse\index.html OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\html\admin\case\case.sentinel.php OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\html\admin\links\links.sentinel.php OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\html\admin\modules\sentinel.php OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\html\admin\modules\sentinel.php=>(JAVASCRIPT 1) OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\html\admin\modules\sentinel.php=>(JAVASCRIPT 2) OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\html\admin\modules\sentinel.php=>(JAVASCRIPT 3) OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\html\blocks\block-Sentinel.php OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\html\images\admin\sentinel.png OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\html\images\sentinel\index.html OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\html\images\sentinel\Sentinel_Large.png OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\html\images\sentinel\Sentinel_Medium.png OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\html\images\sentinel\Sentinel_Small.png OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\html\includes\sentinel.php OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\html\language\sentinel\lang-english.php OK
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\html\nsnst.php OK
Summary:
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\NSN_Sentinel_100.tar=>html/abuse/abuse.js Infected JS.Trojan.Spawn.A
C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar\html\abuse\abuse.js Infected JS.Trojan.Spawn.A
Statistics
Scan path : C:\Documents and Settings\Leopold\Desktop\CPG_Nuke\NSN_Sentinel_100.tar
Folders : 14
Files : 49
Archives : 1
Packed files : 2
Identified viruses : 1
Infected files : 2
Warnings : 0
Suspect files : 0
Disinfected files : 0
Deleted files : 0
Copied files : 0
Moved files : 0
Renamed files : 0
I/O errors : 0
Scan time : 00:00:01
Scan speed (files/sec) : 49
Virus definitions : 78001
Scan plugins : 12
Archive plugins : 34
Unpack plugins : 3
Mail plugins : 6
System plugins : 1
Scan options
Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email
File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;
Action
Infected objects
[ ] Ignore
[ ] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[X] Prompt user
Second action
[X] Ignore
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user
Scan options
[X] Enable warnings
[X] Enable heuristics
[X] Show all files in log
[X] Report file: vscan.log
[ ] Append to existing report
GanjaUK (Life Cycles Becoming CPU Cycles)
Joined: Feb 14, 2004 Posts: 633 Location: England
Posted: Fri May 28, 2004 7:25 am

The reason for this:
Quote:
When a user visits the page, the script will prevent the user from closing the Window via traditional methods, by rapidly moving the Window across the screen, and trapping the ALT, F4, CTRL, and DEL keys. When any of these keys is pressed, a message box is displayed.
Some AV class this as a trojan for the above reason.
So don't worry, no infections in here. I would class it as an annoyance for the attacker, not a trojan.
leopoldm (New Member)
Joined: Jan 22, 2004 Posts: 11
Posted: Fri May 28, 2004 7:30 am

Ok, thanks!
Btw, does someone know if Sentinel can be used with CPG Nuke 8.2?
BobMarion (Site Admin)
Joined: Oct 30, 2002 Posts: 1039 Location: RedNeck Land (known as Kentucky)
Posted: Fri May 28, 2004 8:44 am

Wasn't tested with it but it's possible if the db schema is the same.
stephen2417 (Worker)
Joined: Jan 18, 2004 Posts: 244 Location: Bristolville, OH
Posted: Mon May 31, 2004 4:08 pm

leopoldm wrote:
Ok, thanks!
Btw, does someone know if Sentinel can be used with CPG Nuke 8.2?
sgtbookie (Hangin' Around)
Joined: May 08, 2004 Posts: 29 Location: Atlanta, GA
Posted: Wed Jun 23, 2004 7:57 pm

So what do we do if our Virus protection has already quarantined these files?
GanjaUK (Life Cycles Becoming CPU Cycles)
Joined: Feb 14, 2004 Posts: 633 Location: England
Posted: Wed Jun 23, 2004 7:59 pm

Download Sentinel 1.2.0 and your AV should not quarantine anything. The code was redone so as not to set off false alarms on AV scanners.
sgtbookie (Hangin' Around)
Joined: May 08, 2004 Posts: 29 Location: Atlanta, GA
Posted: Wed Jun 23, 2004 8:05 pm

Cool, thanks. For a second there I thought someone had found a hole in my armor. Thanks for the fast reply!
sgtbookie (Hangin' Around)
Joined: May 08, 2004 Posts: 29 Location: Atlanta, GA
Posted: Wed Jun 23, 2004 8:07 pm

Whoops, spoke too soon. It is still false positiving the abuse.php file.
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Offiz
File: Z:\Inetpub\TwelveVoltMan\html\abuse\abuse.php
Location: Quarantine
Computer: SPONGEBOB
User: sgtbookie
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Wed Jun 23 22:07:05 2004
sgtbookie (Hangin' Around)
Joined: May 08, 2004 Posts: 29 Location: Atlanta, GA
Posted: Wed Jun 23, 2004 8:10 pm

Ok, I added an exclusion to SAV for the time being and replaced the files. What does abuse.php do for Sentinel? Do I need to make any changes to the .htaccess file since it is set to allow all?
GanjaUK (Life Cycles Becoming CPU Cycles)
Joined: Feb 14, 2004 Posts: 633 Location: England
Posted: Wed Jun 23, 2004 10:09 pm

abuse.php is where the pop-up style windows would be generated from if you choose to turn that feature on in the Sentinel administration area.
Make sure you have a line break at the end of your .htaccess so Sentinel has a fresh line to write its 1st IP there without merging with the line above.
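The append GanjaUK describes above, as an added example that is not Sentinel's code or anything posted in this thread. It shows a PHP routine that handles the missing trailing line break itself (it checks the file's last byte instead of relying on the admin to leave one), takes an exclusive lock so two bans written at the same moment cannot interleave, skips a ban that is already present, and refuses anything that is not a bare IP address, because a value with an embedded newline would otherwise let an attacker-supplied string add a directive of its own to .htaccess. The `deny from <ip>` line format (Apache 2.2 mod_access syntax; 2.4 uses `Require` directives), the function names and the temporary file path are assumptions of the example, not Sentinel's.

```php
<?php
// Added example, not Sentinel's code: append an IP ban line to .htaccess so
// that it always starts on a fresh line, as the advice above requires.
// Assumed for the example: the "deny from <ip>" directive (Apache 2.2 style)
// and the file path; Sentinel's own line format is not shown in this thread.

function normalizeIp(string $ip): ?string
{
    // Only a bare IPv4/IPv6 literal is accepted. A hostname, a CIDR range or a
    // value with an embedded newline ("203.0.113.7\nSatisfy any") would be
    // written verbatim into .htaccess and become a directive of its own.
    $clean = filter_var(trim($ip), FILTER_VALIDATE_IP);
    return $clean === false ? null : $clean;
}

function appendBan(string $htaccess, string $ip): bool
{
    $addr = normalizeIp($ip);
    if ($addr === null) {
        return false;
    }
    $line = "deny from $addr\n";

    // "c+": read/write, create if missing, never truncate.
    $fh = fopen($htaccess, 'c+');
    if ($fh === false) {
        return false;
    }
    // Exclusive lock so two bans written at the same moment cannot interleave.
    if (!flock($fh, LOCK_EX)) {
        fclose($fh);
        return false;
    }

    // Skip the write if this exact ban line is already present.
    $existing = stream_get_contents($fh);
    $lines = array_map('trim', explode("\n", $existing));
    if (in_array(trim($line), $lines, true)) {
        flock($fh, LOCK_UN);
        fclose($fh);
        return true;
    }

    // If the file is non-empty and its last byte is not "\n", emit one first so
    // the ban does not get glued onto the previous directive.
    $prefix = ($existing !== '' && substr($existing, -1) !== "\n") ? "\n" : '';

    fseek($fh, 0, SEEK_END);
    $ok = fwrite($fh, $prefix . $line) !== false;
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}

// Demo on a constructed temporary file whose last line lacks a newline.
$tmp = tempnam(sys_get_temp_dir(), 'htaccess');
file_put_contents($tmp, "Order allow,deny\nallow from all"); // no trailing "\n"
var_dump(appendBan($tmp, '203.0.113.7'));               // appended on its own line
var_dump(appendBan($tmp, '203.0.113.7'));               // already present, skipped
var_dump(appendBan($tmp, "203.0.113.7\nSatisfy any"));  // rejected: not a bare IP
echo file_get_contents($tmp);
unlink($tmp);
```

Run as the account the web server uses, the first call puts the ban on its own line under `allow from all`, the second is a no-op, and the third is refused before anything touches the file. Whether the write is allowed at all still depends on that account having write permission on .htaccess, not on PHP itself.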
djmaze (Subject Matter Expert)
Joined: May 15, 2004 Posts: 563 Location: http://tinyurl.com/5z8dmv
Posted: Wed Jun 30, 2004 7:59 am

GanjaUK wrote:
Make sure you have a line break at the end of your .htaccess so Sentinel has a fresh line to write its 1st IP there without merging with the line above.

How is it ever possible that PHP can write to a file which doesn't belong to it?
And to prove I'm right, here's a script that will print out your .htaccess:
Code:
<?php
// Appends one test line to the .htaccess in the current directory (so this
// modifies the live file), then prints the file back so you can see whether
// the PHP process was allowed to write it.
if (file_exists(".htaccess")) {
    $file = fopen(".htaccess", "a+");            // append + read
    if ($file === false) {
        die('could not open .htaccess for writing');
    }
    fwrite($file, "just a line of text\n");      // newline so the next write starts fresh
    fclose($file);
    echo '<html><body><pre>'
        . htmlspecialchars(implode("", file(".htaccess")))
        . '</pre></body></html>';
} else {
    echo 'no .htaccess in this directory';
}
?>
Just upload the php to your root as check.php or something.
BobMarion (Site Admin)
Joined: Oct 30, 2002 Posts: 1039 Location: RedNeck Land (known as Kentucky)
Posted: Wed Jun 30, 2004 9:01 am

Quote:
How is it ever possible that PHP can write to a file which doesn't belong to it?

Just make sure it's CHMODed to 666 and the script can read and write to the .htaccess file without problems.
Raven (Site Admin/Owner)
Joined: Aug 27, 2002 Posts: 15213 Location: Kansas
Posted: Wed Jun 30, 2004 10:38 am

It's the web server which has [or has not] authority, not PHP. Regardless, as Bob says, once you change mod the file, or any files for that matter, you allow/disallow access. And I don't understand how your script proves you're right. Right about what? What are you trying to prove?
squiresmk (Regular)
Joined: May 31, 2004 Posts: 95 Location: NY
Posted: Wed Jun 30, 2004 10:30 pm

PHP is considered the 'owner'
Raven (Site Admin/Owner)
Joined: Aug 27, 2002 Posts: 15213 Location: Kansas
Posted: Thu Jul 01, 2004 4:42 am

Not if it's running as an Apache module.
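What Raven and Bob are getting at, as an added example that is not code from the thread or from Sentinel: the kernel checks the uid of the process, and PHP has no authority of its own. Under mod_php that uid is the web server's (www-data, apache, nobody), so a file is writable either because that account owns it or because its mode grants write to the server's group or to everyone, which is what 666 does. Under CGI/suEXEC, suPHP or a per-site PHP-FPM pool the process runs as the site's own account, which is the only case where "PHP is the owner" holds. The script below reports which situation applies to a given file and suggests the narrowest mode that still works; the `posix` extension, the function names, the temporary file and the suggested modes are assumptions of the example.

```php
<?php
// Added example, not from the thread or from Sentinel: report which identity
// PHP is running as and why (or why not) it can write a given file.
// Assumes the posix extension (present on most Unix builds of PHP).

function processIdentity(): array
{
    // mod_php: effective uid is the httpd user (www-data, apache, nobody, ...).
    // CGI/suEXEC, suPHP or a per-site PHP-FPM pool: the site's own account.
    if (!function_exists('posix_geteuid')) {
        return ['uid' => null, 'user' => 'unknown (posix extension not loaded)'];
    }
    $uid = posix_geteuid();
    $pw  = posix_getpwuid($uid);
    return ['uid' => $uid, 'user' => $pw['name'] ?? (string) $uid];
}

function fileAccess(string $path): array
{
    clearstatcache(true, $path);
    $mode  = fileperms($path) & 0777;
    $owner = function_exists('posix_getpwuid') ? posix_getpwuid(fileowner($path)) : false;
    return [
        'owner'          => $owner['name'] ?? (string) fileowner($path),
        'mode'           => sprintf('%04o', $mode),
        'world_writable' => ($mode & 0002) !== 0,   // the "666" route
        'writable_by_us' => is_writable($path),     // the kernel's verdict for this uid
    ];
}

function explainWritability(string $path): string
{
    $me = processIdentity();
    $f  = fileAccess($path);
    $head = sprintf('PHP runs as %s; %s is owned by %s, mode %s: ',
        $me['user'], basename($path), $f['owner'], $f['mode']);

    if (!$f['writable_by_us']) {
        return $head . "not writable. Either chown it to {$me['user']} and use 0644, "
            . "or put it in the server's group and use 0664.";
    }
    if ($f['world_writable']) {
        return $head . 'writable, but 0666 lets any local account (other sites on a '
            . 'shared host included) rewrite the file that controls access to yours; '
            . 'ownership or group write is enough.';
    }
    return $head . 'writable without relying on world-write.';
}

// Demo on a constructed temporary file: world-writable first, then owner-only.
$tmp = tempnam(sys_get_temp_dir(), 'ht');
chmod($tmp, 0666);
echo explainWritability($tmp), "\n";
chmod($tmp, 0644);
echo explainWritability($tmp), "\n";
unlink($tmp);
```

Run it through the web server (drop it in the web root and open it in a browser) to see the account the server actually uses; run from a shell it only tells you about your own login. Pointing `explainWritability()` at the real .htaccess answers the question in this thread for that host: if it says "not writable", the file's owner or mode, not PHP, is what needs changing.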