Virus attack

[Christopher Brunsdon]

 

Mine didn't but i'm running Linux! oh how i love Linux

 

Same ... but whats a Virus? is it something you get from not using a proper operating system?

 

[Little-Ben]

hey admin, sent you a pm with my avast log, did you get it

[Climate]

I had the same problem a few days ago - the trojan was identified in one of my temporary internet files. So I deleted them all, along with a cleanup of all cookies. But the problem came back when I reloaded the Hub page (that was on Monday). On Tuesday, I cleaned out my temp internet files and cookies again ... voila => no problem!

[barrykm]

I've contacted our web hosts again to look into this. They assured me that the problem had been sorted out and their security improved.

It's proving difficult to get anywhere with this on my side as I can't recreate the problem. I did get the warning messages on Saturday but have had nothing since then.

I'm double checking everything on my side to make sure all is above board and our web hosts are currently doing the same. I am doing some (more) research into this virus and I have requested advice from a number of people.

I will pass on any information or feedback I receive.

 

THank you.

[RaceChick]

Thank goodness I am on MAC, no problems

[peloton]

I can't help but wonder what will happen the day MACs are attacked. On that day there will be virtually no antivirus to speak of, no reputable freeware. Basically, nowhere to turn.

 

 

 

Granted, it might be twenty years away. Or - maybe - next week?

[gummibear]

On Tuesday' date=' I cleaned out my temp internet files and cookies again ... voila => no problem! [/quote']

 

 

How do i do this with  XP?

[controlc]

Waynedude's current avatar contains a virus

 

https://cdn.bikehub.co.za/uploads2/avatars/20090322_133431_avatar_2635.gif

 

Perhaps have a look there?

[Windbreaker]

 

Waynedude's current avatar contains a virus

 

https://cdn.bikehub.co.za/uploads2/avatars/20090322_133431_avatar_2635.gif

 

Perhaps have a look there?

Hate to say "I told you so" but on page 1 I said that there were infected avatars.

 

[controlc]

Hate to say "I told you so" but on page 1 I said that there were infected avatars.

 

vs

 

If you know the exact page (URL) you where on when you received this warning please let me know or send me a screenshot if it happens again - it will be a great help and should speed up the process.

 

Need I say more?

[Matt]

This is the info I received from our web hosts earlier today:

Some more information on this virus:

 

The malware that was linked

in the Iframe took advantage of an ActiveX vulnerability. The malware

installs this activex component (Access snapshot viewer activeX

vulnerability) through Internet Explorer prior to exploiting it.

Because this component is signed by Microsoft the installation is

silent as it does not require any user interaction.

http://www.microsoft.com/TechNet/security/advisory/955179.mspx

This unfortunately is a bug with ActiveX.

 

The malware has been completely removes from your sites, I assure you.

 

If the site is still not loading or loading with warnings then this might still be due to caching with SAIX.

 

We have been in contact with SAIX and they have informed us that some sites can be cached up to 5 days.

 

Currently Security Audits are preformed on all affected systems to ensure this is not to be repeated.

 

I am running a virus scan on the server that your website is on. This will take a few hours to finish.

 

We are also monitoring all servers to check if the EnablePageFooter gets enabled.

 

The only reason that makes sense why some users still get this is because of SAIX's caching.

 

As long as your clients keeps receiving these alert messages, please let us know.

 

This

caching time is unacceptable and we have therefore been contacting SAIX

administrator in attempt for them to clear their cache prematurely.

 

 

And this yesterday:

We had an issue where someone changed the default iisstart.htm file to

include the iframe tag and enable document footers to display.

 

There's an option in each web site in IIS to allow document footers to be displayed whenever someone visits the website.

 

The iframe and url that was included in the iisstart.htm file was malicious.

 

We corrected this and also implemented stricter security policies.

 

Thank you for letting us know.

 

We apologies for any inconvenience caused.

 

Should you have any other queries or need any further assistance please let us know.

 

[Matt]

 

None of the avatars, images or smilies on the site are infected. A malicious Iframe was injected into the footer of every page served by our hosts webserver (including all other websites on the server).

 

They sorted this out fairly quickly, but it appears that due to caching (both on the browser side and SAIX - as explained above) people continued to get virus warnings (even after the server was "cleaned"). This might explain why the problem has been so intermittent.

 

My only explanation as to why everyone's antivirus was picking up images as infected is that the code in the Iframe was somehow infecting images served to the browser (stored in browser cache and SAIX cache).

 

Admin2009-03-25 14:59:52

[Little-Ben]

glad to ee its ben sorted, still getting ocassional warning but not nearly as much

[Yang]

Aaaaiiiiieeeeeeee- I was attacked tonight, after accessing an old thread on the Bike Nomads. I cleaned the disk, dumped the temp files and things seem OK.

[barrykm]

Trojan.Giframe is still about.

[Charvel]

Yup, got it a few times again tonight...3 times on this thread actually!!!