  1. #1
    ABW Ambassador superCool
    Join Date
    April 23rd, 2008
    Location
    Texas
    Posts
    1,268
    Trojan Warning Exploit-ms04-028
    superCool just looked at one of his own pages and received a virus warning for Exploit-ms04-028. This is apparently an old (2004) issue where a certain type of jpg file can do something to allow code to run on your machine.

    The page was a product page with 4 datafeed images and 4 or 5 merchant banners plus the normal background and logo images for the site. When superCool returns to the page he does not get the warning again.

    Has anyone seen something like this? Do you think it's a false alarm or is an infected image getting added to the page somehow? superCool looked for javascript on the page (after reloading later) and doesn't see anything odd. It could also be coming from the merchant or network.

    Google WMT doesn't say anything about malware. What do you think? Was superCool somehow hacked, is a bad image coming from the merchant or network, or was it a false alarm?

  2. #2
    Moderator
    Join Date
    April 6th, 2006
    Posts
    2,689
    First things first - change your FTP & cPanel passwords now, to something completely different & secure.

    I'm not suggesting your site has been hacked (will defer to others with more experience), but a couple of years ago, 2 sites under my watch kept getting hacked. Turns out the hacker would come in via ftp, run a script, then leave. Nearly impossible to detect.

    Just wanted to share - if you think something might be amiss, first thing is to change hosting passwords (I could have saved myself months of stress). The sites didn't suffer in the SERPS long-term.

    Hope all is ok!

  3. #3
    ...and a Pirate's heart. Convergence
    Join Date
    June 24th, 2005
    Posts
    6,918
    Also,

    Create an .htaccess file with the following contents and add to every single image directory. This prevents malicious programs from being run from within the image directory:

    Code:
    # This is used with Apache WebServers
    #
    # The following blocks direct HTTP requests to all filetypes in this directory recursively, except certain approved exceptions
    # It also prevents the ability of any scripts to run. No type of script, be it PHP, PERL or whatever, can normally be executed if ExecCGI is disabled.
    # (Caveat: with PHP loaded as mod_php, -ExecCGI alone does not stop .php files; it is the FilesMatch deny below that blocks requests to them.)
    # Will also prevent people from seeing what is in the dir. and any sub-directories
    #
    # For this to work, you must include either 'All' or at least: 'Limit' and 'Indexes' parameters to the AllowOverride configuration in your apache/conf/httpd.conf file.
    # Additionally, if you want the added protection offered by the Options directive below, you'll need to add 'Options' to the AllowOverride list, if 'All' is not specified.
    # Example:
    #<Directory "/usr/local/apache/htdocs">
    #  AllowOverride Limit Options Indexes
    #</Directory>
    #
    # Note: Order/Allow/Deny is Apache 2.2 (mod_authz_host) syntax. On Apache 2.4 it only works with mod_access_compat loaded;
    # the native 2.4 equivalents are 'Require all denied' and 'Require all granted' in the two sections below.
    ###############################
    
    # deny *everything*
    <FilesMatch ".*">
      Order Allow,Deny
      Deny from all
    </FilesMatch>
    
    # but now allow just *certain* necessary files (image and flash extensions only, upper or lower case):
    <FilesMatch ".*\.(jpe?g|JPE?G|gif|GIF|png|PNG|swf|SWF)$">
      Order Allow,Deny
      Allow from all
    </FilesMatch>
    
    # hide every entry from any directory listing
    IndexIgnore */*
    
    ## NOTE: If you want even greater security to prevent hackers from running scripts in this folder, uncomment the following line (if your hosting company will allow you to use Options):
    # Options -Indexes -ExecCGI
    Also, check your image folders for any files that do not belong there...
    Salty kisses, Sandy toes, and a Pirate's heart...
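As an added example (not from the thread or any of its posters), here is a Python audit for the "check your image folders" advice above, using the same extension whitelist as the .htaccess: it flags files whose extension is not one the .htaccess serves, files whose content does not match their extension, and JPEGs containing a header segment whose declared length is smaller than the 2 bytes the length field itself occupies, which is the malformed comment-segment length that public descriptions of MS04-028 cite. The sample bytes are constructed inline; sniffing only inspects leading bytes, so it is a triage aid, not proof a file is clean.

```python
import os

# Served extensions (from the .htaccess whitelist) and the type each implies; MAGIC = leading bytes per type
EXT_KIND = {".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif", ".png": "png", ".swf": "swf"}
MAGIC = {b"\xff\xd8\xff": "jpeg", b"GIF8": "gif", b"\x89PNG\r\n\x1a\n": "png",
         b"FWS": "swf", b"CWS": "swf"}

def sniff(data):
    """Real file type from the leading bytes, or None if unknown."""
    return next((k for m, k in MAGIC.items() if data.startswith(m)), None)

def jpeg_bad_segment(data):
    """Offset of the first segment whose length field (which counts itself) is < 2, else None."""
    pos = 2  # skip SOI (FF D8); only header segments up to SOS are checked
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None  # lost sync with the marker stream; give up
        marker = data[pos + 1]
        if marker in (0xFF, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 1 if marker == 0xFF else 2  # fill byte or standalone marker (no length)
            continue
        if marker == 0xD9:
            return None  # EOI
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2:
            return pos
        if marker == 0xDA:
            return None  # SOS: entropy-coded scan data follows
        pos += 2 + length
    return None

def audit_file(name, data):
    """Problems with one file from an image directory (empty list = looks fine)."""
    ext = os.path.splitext(name)[1].lower()
    kind = sniff(data)
    problems = []
    if ext not in EXT_KIND:
        problems.append("extension not in the served whitelist")
    if kind is None:
        problems.append("content is not a recognised image/flash file")
    elif EXT_KIND.get(ext, kind) != kind:
        problems.append(f"extension says {EXT_KIND[ext]} but content is {kind}")
    if kind == "jpeg" and (off := jpeg_bad_segment(data)) is not None:
        problems.append(f"JPEG segment at offset {off} declares length < 2")
    return problems

# Constructed samples, not real files: a minimal JFIF header; the same with a zero-length COM segment; PHP text
GOOD_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
BAD_JPEG = b"\xff\xd8\xff\xfe\x00\x00" + b"A" * 16 + b"\xff\xd9"
PHP_TEXT = b"<?php echo 'not an image'; ?>"
```

Run audit_file over every file under the image directory (for example with os.walk, reading the first 64 KiB of each) and review anything that comes back with a non-empty list.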

  4. #4
    ABW Ambassador Bob Lawrence
    Join Date
    July 2nd, 2007
    Posts
    1,090
    SuperCool,

    From reading MS' report here.
    Microsoft Security Bulletin MS04-028 : Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)

    It sounds like something on your own computer triggered the stack overflow warning.

    At least it is the one I ran into Sunday on a customer's computer.

    I'd check your system with some adware and malware systems.

    Let me know if you would like the names of a couple of good scanners that are free.
    Where's the Great Life of Affiliate Marketing Hiding?

  5. #5
    ABW Ambassador superCool
    Join Date
    April 23rd, 2008
    Location
    Texas
    Posts
    1,268
    Thanks for the input everyone. superCool is researching and hasn't found anything out of the ordinary yet. Unfortunately the antivirus program that's catching this (McAfee VirusScan Enterprise and AntiSpyware Enterprise) does not specify which file caused the error, and it does not occur every time.

    Trudging on...

  6. #6
    ABW Ambassador Bob Lawrence
    Join Date
    July 2nd, 2007
    Posts
    1,090
    Hey, superCool.

    Try these 2; I highly recommend both and use them a lot.
    They can co-exist with your current anti-virus program and don't counter it.
    #1 is AdAware
    #2 is Malwarebytes
    both are available for free downloads at filehippo.

    Watch the one that offers God's Chrome (#2, I believe).

    Hope these find it for you.
    Where's the Great Life of Affiliate Marketing Hiding?
