This forum has a virus again [FIXED]

[eugene]

My computer security noth at work and home keeps informing me that this site has a trojan virus. Is anyone else experiencing this problem?

[zimfan1]

yep got the same problem!!!

[sloandog]

yep got the same problem!!!

Ya me too. I'm just glad that it's not just my laptop
Cheers for letting me know Eguene

[maehara]

Have to admit that I haven't seen the problem myself, although I'm aware that others have.

Only thing we can think of that may be causing the problem is the script that created the Newsbar - phpBB3 is free of any security issues, and that's the only customisation we have from the core system. As a result we've disabled it.

If you're still seeing problems with the forum itself (as opposed to your browser or internet security package giving a warning - it takes a while for them to realise when things have been fixed), can you help us track down the problem by:
a) taking a screenshot of anything unusual that you're seeing, and
b) copying the source for the page (look for the View Source option)
..and send both to me via the email address on ZCN's Contribute page.

[maehara]

UPDATE:

This seems to be a mass attack against several webhosting companies, including the one used by ZCF - details here:
http://blog.sucuri.net/2010/05/new-atta ... press.html
(That refers to Wordpress, but the issue is wider than that)

The infection has now been cleared from ZCF, but in case we have a recurrence (or in case you visit another infected site) if you can block sites using your internet security software or broadband router, block the following sites:
http://indesignstudioinfo.com/
http://zettapetta.com/
...as they're the hosts for the malware that the hack is distributing.

If you've been affected, Dr Situ provides the following helpful cleanup instructions:

In my over enthusiasm to react to Raina-led indian team and to see response to my birthday wish to Crimson, i opened ZCF browser on my new BenQ notebook. Immediately i was hit by the malware- My security engine.

My Security Engine is a rogue anti-spyware program from the same family as Security Guard. This rogue is installed and promoted through the use of Trojans and fake online anti-malware scanners. When the program is installed by the Trojans, it will be configured to start automatically when you login into Windows.

When the program finished scanning my computer it stated that numerous files are infections, but will not allow me to remove them until i first purchase the program. In reality, though, the mentioned files are harmless and can cause no harm to your computer. They are only being created to try and convince you that your computer is infected and that you should purchase My Security Engine to protect it.

While the program was running it displayed numerous security warnings and alerts.Some in between reading mails. It was big nuisance. The alerts stated that my computer is under attack, sending SPAM, or that my personal data is at risk.

It was only after i frantically searched on net that i found solution at:

http://www.bleepingcomputer.com/virus-r ... ity-engine

Now i am back to my previous near perfect state. No doubt i had to download the HOST file again in my system 32. I request you kindly post the above link at ZCF/ZCN/FB so that those who are affected by this bug can restore their settings.

ZCN is unaffected. For the record, the forum software is fully up-to-date and has no known security issues itself - this seems to have been done via the webhost control panel software. That's out of my control, so there's nothing I could have done to prevent this. Many thanks to those who brought the problem to my attention and provided information to help track down the cause.

[jamthala]

this is the reason for my absentism in forum.

[eugene]

I am glad to know I can return to the forum.

[maehara]

Health warning: as the exploit in this case is through the webhost, until they recognise that there's a problem & fix it I can't guarantee that the same exploit won't simply be used again. I've raised it as a support issue, so we'll see where that goes. In the meantime, I'll be keeping a very close eye on the site in case of repetition. Takes me about 5 minutes to reset things if I spot a problem.

There is one way, however, to keep yourself 100% protected against any issues: disable Javascript in your browser.