Problem with 7.6

Worker Joined: Jul 06, 2005 Posts: 172

I'm running a phpnuke 7.6 (patched, bbtonuke 2.0.17, NSN groups)

The problem is that 2-3 users have reported getting a virus/trojan/exploit warning from their AV software during or after visiting my website. I'm 99% sure there is nothing infected on my site, and have done many scans and code-searches to verify. I think it's just a mistake by their software, possibly having to do with outdated virus definitions. Here's a link one person gave me though:

Only registered users can see links on this board! Get registered or login! -- Exploit-ANIfile

Has anyone had this problem? my site is Only registered users can see links on this board! Get registered or login!. It's getting pretty popular, and I'd really liek to resolve this so that I don't lose potential members. Thanks everyone!

Posted: Fri Sep 09, 2005 6:10 pm

I am using F-Secure anti virus and I too got a warning regarding a clicker exploit so I had to edit out your sites url in case this is a genuine problem and someone without anti virus software visited the site.
I am sure if anyone wants to look you wouldnt mind adding the url to your forum profile so they can access it that way.

Here is a description of the warning I got.

http://www.f-secure.com/v-descs/exploit.shtml

Posted: Fri Sep 09, 2005 6:25 pm

OK, URL to my site is in my Profile.

A user registration note: Could phpnuke be dropping users after 24 hours? I know the activation email claims to be good only for 24 hours, so could this be the issue? Perhaps when ANY user activates their account, it also does a check on all other accounts pending activation, and drops those that have been pending for over 24 hours.

I have made a few test temporary users to test this theory, but surely someone here knows.

Posted: Fri Sep 09, 2005 6:50 pm

I think this topic has been discussed before - I cannot remember if the check is done as part of a user account activation or as part of a new user registration but the vlaue of the length of time can be altered directly by editing the appropriate function code.

I will attempt to look at you site again but at the moment F-Secure is blocking it completely - do you have any add on java s cript code in your site or perhaps affiliate banner type ads with tracking code?

Have you tried disabling all your blocks and as many modules as you can in order to try locate the gremlin by trial and error?

Posted: Fri Sep 09, 2005 7:30 pm

No java or banner ads of any kind. I use Panda AV, not mcafee/norton, and it doesn't come up with any warnings of any kind. So I would have to first install something that warns in order to do trial/error myself. I'm going to take one more look at all the code and see if I can't come up with something. I think, however, that it really isn't infected. The cases of infection I've read about always have an off-site link to an infected .css file (bot.css or something like that) and NO WHERE in my code does it link to anything off-site. So I think the entire issue is just over-zealous antivirus software, hopefully that's the case.

Edit:

I found out that indeed it does check all temp users when a new one activates. I've changed this by upping the time allowed a bit. Here is the default (24 hours) from nuke 7.6 patched/modded.

Code:

function activate($username, $check_num) {


    global $db, $user_prefix, $module_name, $language, $prefix;


    $past = time()-86400;


    $db->sql_query("DELETE FROM ".$user_prefix."_users_temp WHERE time < '$past'");

Posted: Thu Sep 22, 2005 4:08 pm

I'm still receiving reports from a few users about the virus warning. The site has become very popular now (100+ users in just 3 weeks) and I'm hoping to fix this so it doesn't scare anyone away. I searched the script files for references that I thought would look like the exploit, but nothing came up. Can anyone help us?

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

Google search on panda av anifile removal

There are many hits. This one might help http://www.broadbandreports.com/forum/remark,13618601