All times are UTC [ DST ]




Reply to topic  [ 9 posts ] 
 Post subject: Curious Virus Problem
PostPosted: Tue Nov 29, 2011 12:51 
Legendary Boogeyman

Joined: 22nd Dec, 2010
Posts: 8175
Last night while looking at a (perfectly legit) wordpress blog hosted on my server, something rather odd happened. The java loading screen popped up momentarily (as if a java applet was loading - but there are NONE on this site) after which my computer started going properly mental.

Symptoms: Desktop, Program Files, Quicklaunch, and all other general personal files set to hidden. Antivirus, firewall, and taskmanager disabled in registry. Regedit disabled, and some fake scanner bullshit warning of disk errors with an option to buy the full version, blahblah. Booted into safe mode, disabled auto-starting virus bullshit in registry, then rebooted into normal windows and scrubbed up. A fucking pain in the arse but my PC is alive again.

Anyway, the major problem is that I have no idea how this infection occurred. There are a few plugins installed on the blog in question, but nothing out of the ordinary. Third party 'scan my website for malware' apps also come up with nothing, so currently the owner of the website is shitting themselves something might be wrong with it but we can't pin down from where. Any ideas? ;(

_________________
Mr Kissyfur wrote:
Pretty much everyone agrees with Gnomes, really, it's just some are too right on to admit it. :)


 Post subject: Re: Curious Virus Problem
PostPosted: Tue Nov 29, 2011 12:53 

Joined: 30th Mar, 2008
Posts: 16641
Perhaps it was just coincidental and the nasty software was already on your machine before you even went to the blog site.


 Post subject: Re: Curious Virus Problem
PostPosted: Tue Nov 29, 2011 12:55 
Legendary Boogeyman

Joined: 22nd Dec, 2010
Posts: 8175
We got a very strange warning the other day from another blog site that was pinging us back that ours was infected with trojan malware, but I couldn't fathom a reason for that either. Whatever it is must be intermittent which makes it even more annoying.



 Post subject: Re: Curious Virus Problem
PostPosted: Tue Nov 29, 2011 12:58 
SupaMod
Commander-in-Cheese

Joined: 30th Mar, 2008
Posts: 49244
Is there anything dynamically loaded that changes on each page impression? Ads, perhaps?

Anyway, it won't help with the server-side issue but I will once again recommend Sandboxie as an essential condom for your browser.

_________________
GoddessJasmine wrote:
Drunk, pulled Craster's pork, waiting for brdyime story,reading nuts. Xz


 Post subject: Re: Curious Virus Problem
PostPosted: Tue Nov 29, 2011 13:04 
Legendary Boogeyman

Joined: 22nd Dec, 2010
Posts: 8175
My leading suspicion is a plugin called Flickrpress, which loads in content dynamically from Flickr on each page load. Might be susceptible to some code insertion perhaps.

But cheers Craster will install the above now, wouldn't like to get caught again :/



 Post subject: Re: Curious Virus Problem
PostPosted: Tue Nov 29, 2011 13:07 
SupaMod
Est. 1978

Joined: 27th Mar, 2008
Posts: 69725
Location: Your Mum
You can find out what your PC is connecting to by opening a command prompt (as admin, if you're on Vista or 7) and using CD to move to your desktop (C:\Users\YourName\Desktop) and typing
Code:
netstat -abf 5 > connections.txt

Anything your PC connects to will appear in that text file (press CTRL+C to stop it).

_________________
Grim... wrote:
I wish Craster had left some girls for the rest of us.


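The netstat command in the post above writes a fresh "Active Connections" block to connections.txt every 5 seconds, and with -b each TCP/UDP row is followed by the owning executable in square brackets. Reading that by eye gets tedious fast, so here is an added example (not from the post, nor a tool the poster used) that parses the file, deduplicates across samples and lists, per process, the external peers it was actually talking to. The sample text is constructed to mimic the real output format; the domain names in it are placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of what `netstat -abf 5 > connections.txt` writes on Windows:
# one "Active Connections" block per sample, each TCP/UDP row followed by the
# owning executable in brackets (sometimes preceded by a service component name).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:49700     www.example.com:https  ESTABLISHED
 [chrome.exe]
  TCP    192.168.1.10:49702     updates.example.net:8080  ESTABLISHED
 [svchost.exe]
  TCP    127.0.0.1:49703        127.0.0.1:5354         ESTABLISHED
 [mDNSResponder.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  UDP    0.0.0.0:5355           *:*
 [svchost.exe]

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:49700     www.example.com:https  ESTABLISHED
 [chrome.exe]
  TCP    192.168.1.10:49702     updates.example.net:8080  ESTABLISHED
 [svchost.exe]
"""

ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat(text):
    """Return (proto, local, foreign, state, process) tuples.
    Rows are buffered until the bracketed owner line that follows them."""
    rows, pending = [], []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            pending.append((proto, local, foreign, state or ""))
            continue
        m = OWNER_RE.match(line)
        if m:
            rows.extend(r + (m.group(1),) for r in pending)
            pending = []
    # Rows netstat could not attribute (e.g. ownership info unavailable)
    rows.extend(r + ("unknown",) for r in pending)
    return rows


def split_host(endpoint):
    """'host:port' -> (host, port); host may be a bracketed IPv6 literal or '*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def is_external(host):
    """True unless the host is loopback, private, link-local, multicast or unspecified.
    With -f, netstat prints resolvable peers as names; names are treated as external."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host not in ("*", "")
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_unspecified)


def external_peers_by_process(rows):
    """Map process name -> sorted list of distinct external peers seen in any sample.
    Only ESTABLISHED TCP rows and UDP rows with a real peer are counted."""
    peers = defaultdict(set)
    for proto, _local, foreign, state, process in rows:
        if proto == "TCP" and state != "ESTABLISHED":
            continue
        host, _port = split_host(foreign)
        if is_external(host):
            peers[process].add(foreign)
    return {p: sorted(s) for p, s in peers.items()}


if __name__ == "__main__":
    import sys
    # Pass the real connections.txt as the first argument; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_NETSTAT
    for proc, targets in sorted(external_peers_by_process(parse_netstat(text)).items()):
        print(f"{proc} -> {', '.join(targets)}")
```

Listening sockets, loopback traffic and private-range peers are filtered out so that what remains is the short list worth checking against what each process should legitimately be doing. A process on that list you do not recognise, or a familiar one (svchost.exe, for instance) talking to a host you cannot account for, is the thing to investigate further.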
 
 Post subject: Re: Curious Virus Problem
PostPosted: Tue Nov 29, 2011 13:16 
Legendary Boogeyman

Joined: 22nd Dec, 2010
Posts: 8175
Hmm, one scanning website reports that a bit of jquery used by the theme itself (jquery.jcarousel.min.js - probably used for the rotating featured images on the blog) is infected with this particular malware.

How's that then? Presumably jQuery is secure, but the shitty theme developer has either deliberately or accidentally bundled a compromised version?



 Post subject: Re: Curious Virus Problem
PostPosted: Tue Nov 29, 2011 13:26 
SupaMod
Commander-in-Cheese

Joined: 30th Mar, 2008
Posts: 49244
Or any number of Wordpress holes have allowed someone to inject something into the jQuery in the theme.



 Post subject: Re: Curious Virus Problem
PostPosted: Tue Nov 29, 2011 13:29 
Legendary Boogeyman

Joined: 22nd Dec, 2010
Posts: 8175
What a ballache. I've overwritten the carousel jQuery script with a copy of the official one, and now I'm scanning the site to find all instances of where a dodgy non-needed PHP file that loaded the javascript was being included. Grrr.



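The clean-up in the last post has two parts: confirm that the theme's jquery.jcarousel.min.js is byte-identical to the official copy, and find every PHP file that includes the extra script-loading file so no includer is missed. The following is an added example (not the poster's script, and not part of WordPress or the theme) that does both with a hash comparison and a walk over the theme tree looking for include/require statements. The sample tree it builds is constructed; the file name placeholder-dodgy.php is a stand-in for whatever the injected file was actually called, which the thread never names.

```python
import hashlib
import os
import re
import tempfile

# include / require / include_once / require_once followed on the same line by a
# quoted path ending in .php, e.g. include_once(dirname(__FILE__) . '/inc/x.php');
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\b[^;]*?['\"]([^'\"]*?\.php)['\"]", re.IGNORECASE)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_reference(deployed_path, reference_path):
    """True when the deployed file is byte-identical to a clean reference copy
    (e.g. the script from the official jCarousel release)."""
    return sha256_of(deployed_path) == sha256_of(reference_path)


def find_php_includes(root):
    """Walk a theme or plugin tree and map each included file name to the
    (relative PHP path, line number) pairs that pull it in."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as f:
                for lineno, line in enumerate(f, 1):
                    for target in INCLUDE_RE.findall(line):
                        found.setdefault(os.path.basename(target), []).append((rel, lineno))
    return found


def includes_outside_allowlist(root, allowed):
    """Included files that are not in the set the theme is known to ship."""
    return {t: who for t, who in find_php_includes(root).items() if t not in allowed}


def build_sample_theme():
    """Constructed sample tree (not a real theme): a clean reference copy of the
    carousel script, a deployed copy with bytes appended, and PHP files whose
    includes reference a placeholder for the injected file.
    Returns (theme_dir, deployed_js, reference_js)."""
    root = tempfile.mkdtemp(prefix="theme-check-")
    for sub in ("theme/js", "theme/inc", "reference"):
        os.makedirs(os.path.join(root, sub))
    clean_js = b"/* jCarousel placeholder contents (constructed) */\n"
    files = {
        "reference/jquery.jcarousel.min.js": clean_js,
        "theme/js/jquery.jcarousel.min.js": clean_js + b"/* extra bytes (constructed) */\n",
        "theme/functions.php": b"<?php\ninclude_once(dirname(__FILE__) . '/inc/widgets.php');\n",
        "theme/inc/widgets.php": b"<?php\n// widgets\n",
        "theme/header.php": b"<?php require 'placeholder-dodgy.php'; ?>\n<html>\n",
        "theme/footer.php": b"<?php\nrequire_once get_template_directory() . \"/placeholder-dodgy.php\";\n",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return (os.path.join(root, "theme"),
            os.path.join(root, "theme", "js", "jquery.jcarousel.min.js"),
            os.path.join(root, "reference", "jquery.jcarousel.min.js"))


if __name__ == "__main__":
    theme, deployed, reference = build_sample_theme()
    print("carousel script matches reference:", matches_reference(deployed, reference))
    # widgets.php is the only include this constructed theme legitimately ships
    for target, where in includes_outside_allowlist(theme, {"widgets.php"}).items():
        print("unexpected include of", target, "from", where)
```

Against a real site, point the functions at wp-content/themes/<theme> and at a freshly downloaded copy of the script, and build the allowlist from a clean copy of the theme. The regex only catches includes whose path is a quoted literal on the same line; a dynamically assembled path will not match, so a zero-hit result is not proof of a clean tree.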