odd thing happening on my site

[Lynn Dougherty]

Dear All:

I have a site and for some reason when I go to the index page sometimes a
trojan horse tries to download. My virus program blocks it form doing so and
when I scan my computer, all is fine. I can't figure it out. I have scanned
the index file where this happens with my virus program and its clean. I
upload the index file to the site and it works fine. Then, about a week
later, the same thing. It's happened twice so far. I certainly don't want
to scare away visitors from my site, but this will and I don't know what to
do. Has anyone experienced this or is there someplace where I can get help?

See notes below about what tries to load on my computer:

Trojan.ByteVerify is a Trojan Horse that exploits the vulnerability
described in Microsoft Security Bulletin MS03-011 and could provide a hacker
the ability to run arbitrary code on an infected system.

Download.Ject is a Trojan horse that attempts to download and install a file
by exploiting the vulnerabilities in Internet Explorer (BID 10472, BID
10473). The Trojan is triggered by visiting a Web site that contains the
exploit code.

Thanks.

lynnpd

 

[Roy Schestowitz]

Dear All:

I have a site and for some reason when I go to the index page sometimes a
trojan horse tries to download. My virus program blocks it form doing so
and
when I scan my computer, all is fine. I can't figure it out. I have
scanned
the index file where this happens with my virus program and its clean. I
upload the index file to the site and it works fine. Then, about a week
later, the same thing. It's happened twice so far. I certainly don't
want to scare away visitors from my site, but this will and I don't know
what to
do. Has anyone experienced this or is there someplace where I can get
help?

See notes below about what tries to load on my computer:

Trojan.ByteVerify is a Trojan Horse that exploits the vulnerability
described in Microsoft Security Bulletin MS03-011 and could provide a
hacker the ability to run arbitrary code on an infected system.

Download.Ject is a Trojan horse that attempts to download and install a
file by exploiting the vulnerabilities in Internet Explorer (BID 10472,
BID 10473). The Trojan is triggered by visiting a Web site that contains
the exploit code.

Hi,

Well, viruses cannot really be contained in hyper-text files, but hyper-text
files can trigger viruses in existence. What does this imply? That if an
infected computer visits your site, it will suffer.

I will now ask you this: if a person does not maintain his (Window$) machine
properly, should you be really concerned about it?

What is the URL? Or the file? What is the vulnerability?

 

[Lynn Dougherty]

Hi,

Well, viruses cannot really be contained in hyper-text files, but
hyper-text
files can trigger viruses in existence. What does this imply? That if an
infected computer visits your site, it will suffer.

I will now ask you this: if a person does not maintain his (Window$)
machine
properly, should you be really concerned about it?

What is the URL? Or the file? What is the vulnerability?

Dear Roy:

Thanks for responding.

The index and domain is: http://www.classicmoviefavorites.com. It is fine
now because I uploaded my index file again and now it works fine. It
happens to me when I go there. I'm wondering if the server my site is on
might have the problem? Do you think? I have scanned my computer and have
the most recent version of Norton Antivirus, Spybot, etc. and I'm religious
about keeping my computer as clean as I can so I can't see how it could be
me causing this. If so, why does it do it about every ten days or so.
First time it happened was on 12/30 and now again today. Seems odd. Any
ideas?

lynnpd

 

[Roy Schestowitz]

Dear Roy:

Thanks for responding.

The index and domain is: http://www.classicmoviefavorites.com. It is fine
now because I uploaded my index file again and now it works fine. It
happens to me when I go there.

Nice Web site. It reminds me of reeljewels.com which I used to visit quite
frequently 2 years ago.

(*) What happened when you accessed the site before? Did you get a warning?
Why did you suspect a Trojan was present?

I'm wondering if the server my site is on
might have the problem?

It's possible, but if it's a large company -- highly unlikely.

Do you think? I have scanned my computer and
have the most recent version of Norton Antivirus, Spybot, etc. and I'm
religious about keeping my computer as clean as I can so I can't see how
it could be
me causing this.

Again, I need the answer to (*).

If so, why does it do it about every ten days or so.
First time it happened was on 12/30 and now again today. Seems odd. Any
ideas?

Maybe it is designed to give an error in 10 day intervals so that you are
not overblown by warnings.

 

[Toby Inkster]

I have a site and for some reason when I go to the index page sometimes a
trojan horse tries to download. My virus program blocks it form doing so and
when I scan my computer, all is fine. I can't figure it out. I have scanned
the index file where this happens with my virus program and its clean. I
upload the index file to the site and it works fine. Then, about a week
later, the same thing. It's happened twice so far.

Download.Ject spreads by cracking into websites and uploading itself.

Your website is being cracked into and Download.Ject uploaded onto your
website, targeting your visitors.

The solution is to make your website less vulnerable.

The way to do this in this case is to ask the server admin to install the
latest Windows patches on the server, install the latest MDAC patches on
the server and install the latest IIS patches on the server.

Or better, move to a host that is less incompetant. This vulnerability has
been in the wild for over 6 months -- if your server is vulnerable, it
points to serious negligence from the admin!

 

[hyweljenkins]

Dear All:

I have a site and for some reason when I go to the index page sometimes a
trojan horse tries to download. My virus program blocks it form doing so and
when I scan my computer, all is fine. I can't figure it out. I have scanned
the index file where this happens with my virus program and its clean. I
upload the index file to the site and it works fine. Then, about a week
later, the same thing. It's happened twice so far. I certainly don't want
to scare away visitors from my site, but this will and I don't know what to
do. Has anyone experienced this or is there someplace where I can get help?

See notes below about what tries to load on my computer:

Trojan.ByteVerify is a Trojan Horse that exploits the vulnerability
described in Microsoft Security Bulletin MS03-011 and could provide a hacker
the ability to run arbitrary code on an infected system.

Download.Ject is a Trojan horse that attempts to download and install a file
by exploiting the vulnerabilities in Internet Explorer (BID 10472, BID
10473). The Trojan is triggered by visiting a Web site that contains the
exploit code.

There's no point scanning your local copy of the files - the code is
being modified once it's uploaded. Viewing the source of an infected
file will show this, possibly by way of an <iframe> that isn't yours.

I had this trouble with my host about a year ago. 12 sites infected
with an iframe that attempted to get the user to install a porn
dialler. Once I'd replaced the sites (just the default documents) the
problem went away for a couple of days. Every index.htm, index.php,
and so on was modified, regardless of directory. I knew that the
problem didn't lie with my own security because the sites were hosted
under separate FTP accounts.

The host was useless, hacked several times (by different groups) over a
weekend, so I moved the lot elsewhere. I suggest you do the same.

 

[SpaceGirl]

Dear All:

I have a site and for some reason when I go to the index page sometimes a
trojan horse tries to download. My virus program blocks it form doing so and
when I scan my computer, all is fine. I can't figure it out. I have scanned
the index file where this happens with my virus program and its clean. I
upload the index file to the site and it works fine. Then, about a week
later, the same thing. It's happened twice so far. I certainly don't want
to scare away visitors from my site, but this will and I don't know what to
do. Has anyone experienced this or is there someplace where I can get help?

See notes below about what tries to load on my computer:

Trojan.ByteVerify is a Trojan Horse that exploits the vulnerability
described in Microsoft Security Bulletin MS03-011 and could provide a hacker
the ability to run arbitrary code on an infected system.

Download.Ject is a Trojan horse that attempts to download and install a file
by exploiting the vulnerabilities in Internet Explorer (BID 10472, BID
10473). The Trojan is triggered by visiting a Web site that contains the
exploit code.

Thanks.

lynnpd

Bad news You really need to move hosts. They have been seriously
compromised and there is NO excuse for that.

--


x theSpaceGirl (miranda)

# lead designer @ http://www.dhnewmedia.com #
# remove NO SPAM to email, or use form on website #