Rune
Starting Member
31 Posts
Posted - 04 May 2002 : 02:50:34
Okay, before jumping to any unfounded conclusions that I really don't want to jump to ... has anyone ever had their Virus software "go off" with the bells and whistles because of any of the MODS listed in the MOD Exchange section?
(From here on my computers will be referred to PC1, PC2 and PC3)
I'm running Paint Shop Pro on PC1 and was browsing for a picture in the webserver and forum folders on PC3 ... the Antivirus software on PC1 tells me that there's a virus in admin.dll and httpodbc.dll on the C drive of PC3.
Now granted, I'm the idiot for procrastinating getting AV software on my recently built PC2 and PC3, BUT ... I now get it installed on PC2 and PC3 and run scans on all 3 computers. PC1 = clean, PC2 = clean, PC3 = 13 files infected with the iWorm - Nimda virus:
C:\HTTPODBC.DLL
C:\ADMIN.DLL
C:\Inetpub\Scripts\TFTP2160
C:\Inetpub\Scripts\TFTP2148
C:\Inetpub\Scripts\TFTP1444
C:\Inetpub\Scripts\TFTP1176
C:\Inetpub\Scripts\TFTP600
C:\Inetpub\Scripts\TFTP804
C:\Inetpub\Scripts\TFTP1904
C:\Inetpub\Scripts\TFTP2144
C:\Inetpub\Scripts\TFTP332
D:\HTTPODBC.DLL
D:\ADMIN.DLL
... notice the \Inetpub\Scripts\ folder? ... that's Win2kAS's IIS webserver folder. :|
Luckily I don't have email setup on PC3 so no address book, hence no spreading and although my AV said it couldn't remove the files or even quarantine them ... I just took a chance and manually deleted them, restarted and another virus scan came up clean, so hopefully I got it.
The reason I bring this up here is that I have never downloaded anything to that PC except Windows Update files, hardware drivers from trusted sites, Snitz Forum and a couple of MOD's for the forum (Avatar MOD V2 & Avatar Upload) and I've used PC1's Paint Shop Pro to browse PC3 before without any warnings popping up. Only things I've downloaded since the last time I safely browsed were the two MOD's ... sooooooo ...
Question 1: Are there any scripts for Snitz or the MOD's that an AV may mistakenly detect as a virus?
Question 2: Are the MOD's checked for viruses before they're posted on the Link Exchange?
Question 3: Does anyone know of any security risks in IIS or Snitz that a poster could exploit to upload a virus to my forum? (for the record I couldn't get Avatar Upload MOD to install so I don't think that could be the security hole)
Question 4: Any other ideas?
The virus is supposedly gone now, but if it is an IIS, Snitz, MOD, poster problem ... I'd really like to know for future reference before I get something wiped out.
(P.S. I also have the HTML option on my forum turned off)

Rune
Starting Member
31 Posts
Posted - 04 May 2002 : 03:10:42
Oh, and ...
Question 5: If there was a virus either in my webserver or forum software, could it be spread through the email client of the forum to the email addresses of my forum members? :|

Nathan
Help Moderator
USA
7664 Posts
Posted - 04 May 2002 : 03:12:18
The mod exchange mods are 'as is' and are not moderated! Download at your own risk.
I am quite pleased though, that I have not had to delete any inappropriate or malicious uploads.
Nathan Bales Snitz Exchange | Do's and Dont's

Rune
Starting Member
31 Posts
Posted - 04 May 2002 : 03:25:09
Understandable, just good to know for future reference. Any chance you'd know about the other questions? Especially whether or not a virus could be passed on to my forum members. I'd hate to spread a virus to my entire member database in the first week of my forum's existence.
Oh and just to put some minds slightly to rest and so as not to give the authors of those MOD's I mentioned the impression that I was pointing a finger at them ... I just re-dl'd, unzipped and scanned them directly and both came up clean.
Edited by - Rune on 04 May 2002 03:29:30

Nathan
Help Moderator
USA
7664 Posts
Posted - 04 May 2002 : 03:38:27
It is unlikely that a virus could be passed from an infected server through the email to your users, but I suppose it *might* be possible.
You would know about it though, usually when a virus that smart is on the loose, it's big news.
Nathan Bales Snitz Exchange | Do's and Dont's

Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 04 May 2002 : 06:01:44
If your server's infected it will not spread to your Snitz members via email as Nimda has no knowledge of Snitz databases and how to retrieve email addresses from them etc., but if your webserver was infected then it will try and spread to other IIS servers on the internet along with any other machine on your network pretty rapidly.
The 5 main ways that PC could have got Nimda would be:
1) Infected by another IIS server, check your IIS logs.
2) Another machine on the network has it, and it spread via file shares.
3) You browsed an infected website (Nimda can spread via HTTP using some JScript).
4) Reading an infected email.
5) Execution of an already infected file .. perhaps a downloaded MOD as you've mentioned.
Nimda has several more ways it can transmit itself which makes it both easy to get and a PITA to get rid of.
www.daoc-halo.com
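Gremlin's first item is "check your IIS logs". The script below is an added example of what that check can look like; it is not from the thread, from Snitz or from any poster. It combines the file names Rune found on the infected host (admin.dll, httpodbc.dll, the Inetpub Scripts folder and its TFTPnnnn files) with the root.exe/cmd.exe and encoded-traversal request strings that CERT Advisory CA-2001-26 documents for Nimda. The W3C log lines, client addresses and disk paths it runs on are constructed sample data, not logs from anyone's server.

```python
"""Triage IIS W3C extended log lines and on-disk paths for Nimda-style traces.

Added example for this thread, not Snitz code.  Request patterns: the files
the thread found (admin.dll, httpodbc.dll) plus the root.exe / cmd.exe and
encoded-traversal probes documented in CERT CA-2001-26.  All sample data
below (log lines, IP addresses, paths) is constructed.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# A request whose last path segment is one of these deserves a look.
SUSPECT_FILES = {"admin.dll", "httpodbc.dll", "root.exe", "cmd.exe"}

# Still-encoded sequences that unpatched IIS turned into a path separator:
# overlong UTF-8 forms and double-encoded backslash / slash.
RAW_TRAVERSAL = re.compile(r"%c0%af|%c0%2f|%c1%1c|%c1%9c|%25(?:5c|2f)|%%35%63", re.I)

# On-disk artifact named in the thread: \Inetpub\Scripts\TFTP<digits>.
TFTP_ARTIFACT = re.compile(r"\\inetpub\\scripts\\tftp\d+$", re.I)

# Constructed sample in the W3C extended format IIS 5.0 writes.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-05-03 22:14:01 10.0.0.5 GET /default.asp - 200
2002-05-03 22:14:07 192.0.2.44 GET /scripts/root.exe /c+dir 404
2002-05-03 22:14:07 192.0.2.44 GET /MSADC/root.exe /c+dir 404
2002-05-03 22:14:08 192.0.2.44 GET /c/winnt/system32/cmd.exe /c+dir 404
2002-05-03 22:14:08 192.0.2.44 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2002-05-03 22:14:09 192.0.2.44 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2002-05-03 22:14:11 192.0.2.44 GET /scripts/Admin.dll - 200
2002-05-03 22:15:30 10.0.0.5 GET /forum/topic.asp TOPIC_ID=12 200
"""


def parse_w3c(lines):
    """Yield one dict per data row, naming columns from the #Fields directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data row before #Fields directive")
        values = line.split()  # IIS encodes spaces in URIs as '+'
        if len(values) != len(fields):
            continue  # malformed row: skip rather than guess
        yield dict(zip(fields, values))


def classify(uri_stem):
    """Return the reasons (possibly none) a request URI looks like a Nimda probe."""
    reasons = []
    if RAW_TRAVERSAL.search(uri_stem):
        reasons.append("encoded-traversal")
    # Decode twice: the exploited bug was IIS decoding a second time after
    # its security check, so a single unquote would miss %255c.
    decoded = unquote(unquote(uri_stem)).replace("\\", "/").lower()
    if "/../" in decoded:
        reasons.append("traversal")
    basename = decoded.rsplit("/", 1)[-1]
    if basename in SUSPECT_FILES:
        reasons.append("suspect-file:" + basename)
    return reasons


def triage(lines):
    """Map client IP -> Counter of rule hits, for rows that trip any rule."""
    hits = defaultdict(Counter)
    for row in parse_w3c(lines):
        for reason in classify(row["cs-uri-stem"]):
            hits[row["c-ip"]][reason] += 1
    return hits


def suspect_disk_paths(paths):
    """Flag dropped files like the ones the thread lists (drive-root DLLs, TFTP artifacts)."""
    flagged = []
    for path in paths:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in {"admin.dll", "httpodbc.dll"} or TFTP_ARTIFACT.search(path):
            flagged.append(path)
    return flagged


def report(hits):
    """One summary line per client, busiest first."""
    lines = []
    for ip, reasons in sorted(hits.items(), key=lambda kv: -sum(kv[1].values())):
        detail = ", ".join(f"{r}={n}" for r, n in sorted(reasons.items()))
        lines.append(f"{ip}: {sum(reasons.values())} rule hits ({detail})")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG.splitlines())):
        print(line)
    print("disk:", suspect_disk_paths([r"C:\ADMIN.DLL", r"C:\Inetpub\Scripts\TFTP2160"]))
```

Reading the result: probes answered with 404 only show that the host was scanned, which every IIS box on the Internet was in 2002; a traversal request or a request for /scripts/Admin.dll answered with 200 means the request went through, and the host should be treated as compromised and rebuilt from known-good media rather than just cleaned, which is also why the thread's advice to keep Windows Update current matters more than the AV scan.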

RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 04 May 2002 : 06:13:20
quote: 5) Execution of an already infected file .. perhaps a downloaded MOD as youve mentioned.
I think this one is highly unlikely.

Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 04 May 2002 : 06:39:13
True, I've just checked both the MOD's mentioned and they're clean according to Norton AV also.
www.daoc-halo.com

Davio
Development Team Member
Jamaica
12217 Posts
Posted - 04 May 2002 : 10:30:37
I was helping another user in the SQL Server forum to get his forum up. And when he got it up and I went to his forum, it automatically started downloading a file in the background. (There was another window opened but I couldn't access it, that was downloading the file.) I thought it was some advertising window and I tried to close it. Then it asked me if I wanted to save this file or not. I figured it had to be a virus, so I saved it to my desktop (which you shouldn't do unless you know what you're doing), and scanned it with my antivirus and it said it was infected with the Nimda virus.
I deleted that infected file. I instantly scanned my computer for traces of it, and it found 3 other traces of it in my Windows Temp folders.
So you could have easily gotten it from browsing to a website that was infected by the virus.
«------------------------------------------------------» Want to know when the next version comes out, as soon as possible? Join our Mailing Lists!

Rune
Starting Member
31 Posts
Posted - 04 May 2002 : 13:01:22
Hmmm, good to know guys ... thanks. With all the " - Microsoft Internet Explorer" titled popups I get, I s'pose that would've been the most likely entrance.
I really have to find an alternative to IIS. I used Savant Server for a couple of years but it has no support for php, mysql or even asp. I tried to get Apache, PHP and MySQL installed but that was a nightmare and a half with the instructions and tutorials (and I use the terms loosely) that I could find. I'm running out of ideas for a working secure server. 

Doug G
Support Moderator
USA
6493 Posts
Posted - 04 May 2002 : 14:28:11
Rune-
You should review your Windows Update procedure. The vulnerabilities that allow Nimda to be transmitted by a web site were cured by MS last year.
You can find removal instructions at www.symantec.com/avcenter, for one.
====== Doug G ======

Rune
Starting Member
31 Posts
Posted - 05 May 2002 : 15:02:09
I've updated many many times since then. In fact, this PC's not even that old and I always update Windows immediately upon install and usually about once a month after that.
I'm reviewing securities now, for IIS and Win2k. This Microsoft crap has more holes in it than swiss cheese and I'm corking 'em all.

Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 05 May 2002 : 20:21:57
quote: I'm reviewing securities now, for IIS and Win2k. This Microsoft crap has more holes in it than swiss cheese and I'm corking 'em all.
So do most of the other webservers available, even Apache has bugs that have required urgent patches. Microsoft just gets more of the attention because of a) their market share, and b) everyone likes to target them because of a) :(
Overall though if you keep up with the patches you should be safe, you might also want to do a search on the MS site for the IIS Lockdown tool and the URLSCAN tools, they are useful to have installed also.
www.daoc-halo.com

Rune
Starting Member
31 Posts
Posted - 06 May 2002 : 02:09:34
heh Yeah, MS does get a lot of holes because they get the most attention, but I guess I'm gonna have to start visiting Windows Update more often now.
Yeah, I'm using the Lockdown tool as we speak ... dayum are there a lot of holes.