DONT UPGRADE

A place for security related announcements and discussions - please check this forum frequently!
twc
Posts: 233
Joined: Fri Jun 18, 2010 12:25 am
Location: Netherlands

DONT UPGRADE

Post by twc » Fri Oct 19, 2012 4:35 pm


cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

Re: DONT UPGRADE

Post by cmb » Fri Oct 19, 2012 4:46 pm

Hi twc,

thanks for the warning. I've downloaded the 3 packages related to CMSimple_XH 1.5.5 again and scanned them, but nothing was reported by my antivirus software (MS Security Essentials). Could others please check that with other (better?) scanners?

But when I look at your screenshot I see that the malware is reported for a file fiberdordrecht_nl[1].htm. This file is not contained in any of the CMSimple_XH packages. :? Could you please check the CMSimple_XH download again (and only this package)?

Christoph
Christoph M. Becker – Plugins for CMSimple_XH

twc
Posts: 233
Joined: Fri Jun 18, 2010 12:25 am
Location: Netherlands

Re: DONT UPGRADE

Post by twc » Fri Oct 19, 2012 5:17 pm

cmb wrote:Hi twc,

thanks for the warning. I've downloaded the 3 packages related to CMSimple_XH 1.5.5 again and scanned them, but nothing was reported by my antivirus software (MS Security Essentials). Could others please check that with other (better?) scanners?

But when I look at your screenshot I see that the malware is reported for a file fiberdordrecht_nl[1].htm. This file is not contained in any of the CMSimple_XH packages. :? Could you please check the CMSimple_XH download again (and only this package)?

Christoph

Well, after the upgrade or new version goes to FTP and I go to the websites, then hell breaks loose...
Malware @ templates.htm, all .htm content files and main dir html files.

:evil: Second time now, after updating the CMS 2 times

Locally I see nothing after scanning with http://www.malwarebytes.org, but after upload to FTP, when you watch your website, hell breaks loose.
I think there are hidden scripts inside the zip files?

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

Re: DONT UPGRADE

Post by cmb » Fri Oct 19, 2012 5:48 pm

Hi twc,

thanks for the details. I've just uploaded the full package (CMSimple_XH_155) to my server and browsed to the site. But it seems nothing unusual happens: no changes to content/content.htm, templates/cmsimplexh/template.htm or index.php.

Did you really find any script injection or is it just reported by Eset? In the latter case: according to http://www.linkedin.com/groups/HTML-Scr ... S.92772104 there was a bug reporting false positives. Do you have the latest version of Eset's database?

I'm checking the issue further, but as several others already have done the update without reporting any trouble, I hesitate to remove the downloads from Sourceforge.

Christoph
Christoph M. Becker – Plugins for CMSimple_XH

maeg
Posts: 525
Joined: Fri Feb 20, 2009 2:27 pm
Location: Agerbæk, Denmark

Re: DONT UPGRADE

Post by maeg » Fri Oct 19, 2012 5:48 pm

Hi
cmb wrote:Hi twc,
thanks for the warning. I've downloaded the 3 packages related to CMSimple_XH 1.5.5 again and scanned them, but nothing was reported by my antivirus software (MS Security Essentials). Could others please check that with other (better?) scanners?

But when I look at your screenshot I see that the malware is reported for a file fiberdordrecht_nl[1].htm. This file is not contained in any of the CMSimple_XH packages. :? Could you please check the CMSimple_XH download again (and only this package)?

I already have 6 websites running with the new CMSimple_xh 1.5.5 - no problem

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

Re: DONT UPGRADE

Post by cmb » Fri Oct 19, 2012 6:45 pm

Hi maeg, hi twc,
maeg wrote: I already have 6 websites running with the new CMSimple_xh 1.5.5 - no problem
Thanks for the information. It's not an absolute proof that the ZIPs are clean, though.
http://kb.eset.com/esetkb/index?page=content&id=SOLN2111 wrote:Version 5 of ESET Smart Security and ESET NOD32 Antivirus has been released. We highly recommend that you upgrade to the latest version
and
http://kb.eset.com/esetkb/index?page=content&id=SOLN2476 wrote:Upgrading is free only if you are upgrading to the latest version of the same product
(emphasis by me)

@twc: so please upgrade to the latest version of Eset Smart Security, update the virus definition database and check again. Indeed the warnings might be caused by false positives.

Until further evidence (actually infected files or a report from a recent malware scanner) I'll rest the case, and assume, that the downloads are clean.

Christoph
Christoph M. Becker – Plugins for CMSimple_XH

twc
Posts: 233
Joined: Fri Jun 18, 2010 12:25 am
Location: Netherlands

Re: DONT UPGRADE

Post by twc » Fri Oct 19, 2012 6:55 pm

Latest version of Eset's database? I have that... I am always up to date :lol:

After an upgrade or new version of the CMS I have this problem...

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

Re: DONT UPGRADE

Post by cmb » Fri Oct 19, 2012 8:08 pm

twc wrote: Well, after the upgrade or new version goes to FTP and I go to the websites, then hell breaks loose...
Malware @ templates.htm, all .htm content files and main dir html files.

  • I wasn't able to reproduce this.
  • Others apparently didn't have the problem either.
  • Googling for "html/scrinject.b.gen virus eset" brings up several messages where it's said that only Eset reports the malware, but no other malware scanners.
  • Several times it is assumed that these are false positives (i.e. the scanner reports something as malware that isn't).
  • According to http://www.avira.com/de/support-threats ... 6/tlang/de the trojan has been known for 7 years, so I would be surprised if the trojan were not detected by other scanners than Eset.
  • According to the same source, the damage potential is low to medium.
OTOH googling for "html/scrinject.b.gen virus" shows the following search results:

And now I've found http://www.microsoft.com/security/porta ... acoleRef.A. Finally some hopefully helpful information. This site says the trojan has been known since August 2011, and that it'll be detected by Microsoft Security Essentials. So I'll do a full scan of my PC now (will take quite a while). In the meantime I had a look for dynamically inserted IFrames on my test site and on http://fiberdordrecht.nl, but there are none.

If my full scan doesn't find any malware, I must assume, that the problem is on your computer: either Eset Smart Security 4 reports a false positive, or your computer is infected, and perhaps any upload with the FTP client will spread the trojan.

If you like, you can send me one of the files that Eset reports as malware by mail (I receive text mail only, so that shouldn't be dangerous). My mail address can be found on my website.
Christoph M. Becker – Plugins for CMSimple_XH
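
The two checks cmb describes in this thread (whether files such as templates/cmsimplexh/template.htm changed after upload, and whether IFrames were inserted), as an added example that is not part of the thread or of CMSimple_XH: it compares a copy of the server's files byte for byte with the release ZIP and lists iframe/script tags the packaged file does not contain. The function names, the sample files and the example.invalid URL are constructed for illustration.

```python
import re, tempfile, zipfile
from pathlib import Path

# Tags a script-injection infection typically adds to HTML/PHP files.
TAG_RE = re.compile(rb"<(?:iframe|script)\b[^>]*>", re.IGNORECASE)

def compare_with_package(package_zip, deployed_root):
    """Map relative path -> 'missing', 'extra', or the list of iframe/script
    tags found in the deployed file but not in the packaged original."""
    root, findings = Path(deployed_root), {}
    with zipfile.ZipFile(package_zip) as zf:
        packaged = {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}
    for rel, original in packaged.items():
        path = root / rel
        if not path.is_file():
            findings[rel] = "missing"
            continue
        current = path.read_bytes()
        if current != original:  # modified since installation
            known = set(TAG_RE.findall(original))
            findings[rel] = [t.decode("latin-1")
                             for t in TAG_RE.findall(current) if t not in known]
    for path in root.rglob("*"):  # files the package never shipped
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in packaged:
            findings[rel] = "extra"
    return findings

def demo():
    """Constructed sample: a tiny stand-in package and a tampered copy of it."""
    files = {"index.php": b"<?php echo 'ok';",
             "content/content.htm": b"<h1>Welcome</h1>",
             "templates/cmsimplexh/template.htm": b"<html><body></body></html>"}
    with tempfile.TemporaryDirectory() as tmp:
        pkg, site = Path(tmp, "package.zip"), Path(tmp, "site")
        with zipfile.ZipFile(pkg, "w") as zf:
            for name, data in files.items():
                zf.writestr(name, data)
        for name, data in files.items():
            (site / name).parent.mkdir(parents=True, exist_ok=True)
            (site / name).write_bytes(data)
        # Constructed tampering: appended iframe, edited page, stray file.
        tpl = site / "templates/cmsimplexh/template.htm"
        tpl.write_bytes(tpl.read_bytes() + b'<iframe src="http://example.invalid/">')
        (site / "content/content.htm").write_bytes(b"<h1>Edited</h1>")
        (site / "stray.htm").write_bytes(b"x")
        return compare_with_package(pkg, site)

if __name__ == "__main__":
    print(demo())
```

A modified content/content.htm with an empty tag list is normal, since that file holds the site's own pages; the empty list only means no new iframe or script tag was stored in the file, not that the change is harmless.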

twc
Posts: 233
Joined: Fri Jun 18, 2010 12:25 am
Location: Netherlands

Re: DONT UPGRADE

Post by twc » Fri Oct 19, 2012 8:44 pm

Well, I make backups :lol: and after deleting all htm files on the server and uploading my backup files via FTP... no popup malware :shock: So very weird


I had a look for dynamically inserted IFrames on my test site and on http://fiberdordrecht.nl, but there are none.

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

Re: DONT UPGRADE

Post by cmb » Fri Oct 19, 2012 8:50 pm

twc wrote: after deleting all htm files on the server and uploading my backup files via FTP... no popup malware
That indicates, that your FTP client is "clean".

But I really don't know where to look. Could you please send me one of the infected files?
Christoph M. Becker – Plugins for CMSimple_XH
