  1. #1
    Join Date
    May 2006
    Location
    Aberaeron, Ceredigion, Wales
    Posts
    72
    Plugin Contributions
    0

    Default Re: A VIRAL Problem!

    Quote Originally Posted by xt0rt
    I've seen similar posts like this one here and there... where is this crap coming from? Is there a website somewhere offering a compromised Zen download? Is this a problem on Windows servers only or all across the board?

    Just seems a bit off...
    No idea xOrt,

    My original zipped download came from the official ZC website. The only addition was the template I'm using plus a bug fixed file that was causing problems, but that was a separate issue. That amended file came from the Dev Team. So no outside sources have been used for the actual ZC files. If there is a compromised copy floating around then I certainly didn't download it.

    G

  2. #2
    Join Date
    Jan 2004
    Posts
    66,443
    Plugin Contributions
    279

    Default Re: A VIRAL Problem!

    I'm guessing that maybe some rogue script on the server may be doing it ... esp since the define_page_xxx files are in a folder that's CHMOD 777 .... making them writable by "world". While this is necessary if you wish to edit those files from your Admin interface, it also leaves the files somewhat at risk, depending on the server's configuration.

    This sort of thing is why hosts enable the "open_basedir restriction" settings in PHP... to prevent people from outside your account having any access to files inside your account, regardless of the permissions set. But that only works if the infiltrator is making their attempts via PHP.

    If the "attack" is entering via something at the filesystem level, you are likely still at risk.

    AT THE VERY LEAST, YOU SHOULD NOTIFY YOUR HOST ABOUT THIS... so they can take measures to stop it.... and maybe identify where it came from.

    Your server's errorlog may or may not help you see where rogue access attempts came from.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Nov 2004
    Location
    Norfolk, United Kingdom
    Posts
    3,036
    Plugin Contributions
    2

    Default Re: A VIRAL Problem!

    Why is the problem apparent in IE & Opera but not Firefox?
    I'm guessing that because it's called Hacktool.IE.Exploit that it seeks out vulnerabilities in IE (and Opera can be configured to work as if it was IE).
    It's probably related to running Active Content in IE.

    The worse problem is that if it is using Active Content and someone who doesn't have a Firewall comes to your site then their computer could get infected with this trojan.

    Vger

  4. #4
    Join Date
    May 2006
    Location
    Aberaeron, Ceredigion, Wales
    Posts
    72
    Plugin Contributions
    0

    Default Re: A VIRAL Problem!

    Thank you DrByte & Vger.

    I've just despatched an urgent message to the folks at the server end with a link to this thread for further info. Hopefully they'll be able to trace the source, and if they can't they should be able to contain the problem. I'm waiting for their response - I'll keep you posted.

    G

  5. #5
    Join Date
    May 2005
    Location
    Cheshire, UK
    Posts
    542
    Plugin Contributions
    3

    Default Re: A VIRAL Problem!

    G

    Check your images folder. I had a similar problem and found a PHP file had been uploaded into the images folder and this was being called by a virus which in turn propagated itself into other computers. I suspect the initial virus arrives by email and when you connect by FTP it uploads itself to the active directory on the server. From there it infects any computer which loads the site into a browser.

    Have a look at the DO NOT IGNORE POST I made some weeks ago in the hacks forum warning people about this.

    Hope this helps

    JJ
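
    The two checks raised in this thread (files left writable by "world", as with the CHMOD 777 folder, and PHP files sitting in the images folder), as an added example that is not part of any post here or of Zen Cart. The function names are made up for the illustration, and the site root is whatever path you pass in.

```shell
#!/bin/sh
# Added example: audit a web root for the conditions discussed in this thread.
# Usage: sh audit.sh /path/to/site   (the path is an assumption; use your own)

# Files and directories writable by "world" (the o+w bit, as set by CHMOD 777).
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Script files under any directory named "images", where only image files
# belong. Matching is case-insensitive and covers common PHP extensions.
scripts_in_images() {
    find "$1" -type f -path '*/images/*' \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \) \
        -print | sort
}

# Files changed within the last N days (default 7), to compare against the
# dates you last uploaded files or edited pages from the Admin interface.
recently_modified() {
    find "$1" -type f -mtime "-${2:-7}" -print | sort
}

# Print findings; the exit status is non-zero when anything was flagged,
# so the check can be scheduled and alerted on.
audit_site() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    ww=$(world_writable "$root")
    si=$(scripts_in_images "$root")
    [ -n "$ww" ] && printf 'WORLD-WRITABLE:\n%s\n' "$ww"
    [ -n "$si" ] && printf 'SCRIPT IN IMAGES:\n%s\n' "$si"
    [ -z "$ww$si" ]
}

if [ "$#" -gt 0 ]; then
    audit_site "$1"
fi
```

    A clean result only covers these two conditions; files listed by `recently_modified` still need to be compared against a known-good copy of the original download.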

  6. #6
    Join Date
    May 2006
    Location
    Aberaeron, Ceredigion, Wales
    Posts
    72
    Plugin Contributions
    0

    Default Re: A VIRAL Problem!

    Quote Originally Posted by JollyJim
    G

    Check your images folder. I had a similar problem and found a PHP file had been uploaded into the images folder and this was being called by a virus which in turn propagated itself into other computers. I suspect the initial virus arrives by email and when you connect by FTP it uploads itself to the active directory on the server. From there it infects any computer which loads the site into a browser.

    Have a look at the DO NOT IGNORE POST I made some weeks ago in the hacks forum warning people about this.

    Hope this helps

    JJ
    Thanks Jim,
    Just checked and there are no php files in the "images" folder on the server. I doubt if any e-mails would have slipped past my defences anyway. I've been doing a bit of research and the indicators are that there's a vulnerability on the server side. Probably a rogue script there that's inserting the wilful code into lines of coding in programmes located on the server. I only hope that it's only done it once in the one file otherwise I've got a mess on my hands. I'm waiting for the server staff to come back to me with some info.

    I could really do without this

    G

  7. #7
    Join Date
    Nov 2004
    Location
    Norfolk, United Kingdom
    Posts
    3,036
    Plugin Contributions
    2

    Default Re: A VIRAL Problem!

    You won't want to hear this - but you need to shut your site down until it is resolved. If the trojan is on the server (which I think it is) then removing the code will do nothing - it will reinsert itself. Anyone coming to your site is at risk while this goes on.

    Vger

 

 
