Web Hosting Talk






PDA

View Full Version : My index page is infected with a trojan

cscgal
04-12-2004, 09:54 AM
For some reason, I just started noticing that everytime I go to my homepage, McAfee pops up saying a trojan was detected in my temporary internet files. The filename it gives is a random combination of letters and numbers with no file extension. This doesn't happen on any of my pages except for my homepage.

Can someone else please confirm this? I can't seem to figure out what the problem is and I don't even know if it is just me or not.

This happens with the latest version of VirusScan with Windows XP and IE6. This does not happen when I use the Mozilla browser ... only in IE.

Please help me figure out what's wrong here. Thanks guys.
My website URL is www.daniweb.com

I would like confirmation from someone else using McAfee and from someone else using Norton Antivirus, please?
loopforever
04-12-2004, 10:06 AM
I think it may be this bit of code right here:


<script type="text/javascript">
<!--
function log_out()
{
ht = document.getElementsByTagName("html");
ht[0].style.filter = "progid:DXImageTransform.Microsoft.BasicImage(grayscale=1)";
if (confirm('Are you sure you want to log out?'))
{
return true;
}
else
{
ht[0].style.filter = "";
return false;
}
}
//-->
</script>


Specifically:


progid:DXImageTransform.Microsoft.BasicImage(grayscale=1)


Try removing that entire <script></script> tag and seeing what McAfee says.
loopforever
04-12-2004, 10:11 AM
Either that, or it may be the URL that one of your members posted that is showing up on your homepage:

(DON'T CLICK)
http:// %68%6F%6D%65%70%61%67%65%2E%63%6F%6D%00@ %77%7 t7%77%2e%65%2d%66%69%6e%64%65%72%2e%63%63/%68%70/

McAfee might be recognizinghe decoded URL:

(DON't CLICK)
http:// homepage.com@www.e-finder.cc/hp/

It probably sees that URL as spywere or a virus, and that might be your problem.

Hope this helps :).
cscgal
04-12-2004, 10:13 AM
Hey there! Thanks so much for the feedback. I don't think it's the JavaScript because that is vBulletin's default logout script that has been on the site for ages. Since I do run security/trojan forums, it might very well be that http:// code. That would explain why it suddenly started happening without me changing anything. I'm going to go edit the person's post and see if that fixes the problem! Thanks so much :-D
cscgal
04-12-2004, 10:16 AM
You were right ... that URL that a member posted was the problem :) The darn member was saying "look this URL infected my machine" and meanwhile by posting that, they were infecting us! :) I edited the URL and all is clean now. Thanks again.
loopforever
04-12-2004, 10:59 AM
Not a problem :).