Security Help For Ppls..

S_Badguy Join Date: 2003-12-03 Member: 23925 Members
edited January 2004 in NS General Discussion
. subjected to the "hidden image" thread
np xshrike.. ntm one badass avatar you got there =p
mmm blood ^_^

Being a network tech squire for os3 lvl hardening with government requirements mainly dealing with banks... I know my ****.

Unless they try again and again.. you should only be infected once.. just be sure to scan again in a day or two.
ALSO be sure to head over to microsoft update if you run windows media player 9 and or windows XP. Get all the critical patches, and perform that vulnerability patch workaround I provided...

in IE.. Tools -> Internet Options... -> [TAB] Advanced -> [Multimedia] Don't display online media content in the media bar

QUOTE
> That will teach me to look at any link posted by someone with only 2 posts. I used AVG and it found 1 virus is that all there is?


GOOD.. the admins nuked the thread, but I want to make sure that everyone who subjected themselves to the "hidden image" thread understands that their system may have been compromised...

QUOTE
> The kind of attack this vulnerability assesses will allow your system to be compromised with some malicious code. I highly recommend if you do not have norton antivirus 2003 or 2004, you use this completely free Trend Micro virus scan engine. Trend Micro rivals the potency of norton.
> http://housecall.trendmicro.com/

so I attached some important quotes from before

Comments

  • DragonMech Join Date: 2003-09-19 Member: 21023 Members, Constellation, Reinforced - Shadow
    Three cheers for PH34R!!!

    I'm running housecall as we speak. errr... type.
  • S_Badguy Join Date: 2003-12-03 Member: 23925 Members
    ntm I just hit my 100th post now =)
  • Maveric Join Date: 2002-08-07 Member: 1101 Members
    QUOTE (ph34r @ Jan 3 2004, 08:42 PM)
    > http://housecall.trendmicro.com/
    GODSEND!

    wiped that infected file np.

    never click on links you don't trust, nor click on a link submitted by someone with 2 posts and is o/t in NS > General Discussion. <<< key rule which'll save your arse more than once.
  • DragonMech Join Date: 2003-09-19 Member: 21023 Members, Constellation, Reinforced - Shadow
    QUOTE (Maveric @ Jan 3 2004, 09:47 PM)
    > never click on links you don't trust, nor click on a link submitted by someone with 2 posts and is o/t in NS > General Discussion. <<< key rule which'll save your arse more than once.
    And get FireBird at http://www.mozilla.org/products/firebird/ - it stops many viruses and popups, and generally rules IE.
  • blanket Join Date: 2003-09-04 Member: 20544 Members
    Hey, I clicked that hiddenimeage.jpg. I scanned using Norton Antivirus, no virus detected. I disabled Norton and scanned using Trend Micro, also cleaned. But how can there be no virus? After I clicked the .jpg, a new IE popped up wif WMP

    how do i solve it now?
  • AznCoffeeBoi Join Date: 2003-11-17 Member: 23086 Members
    edited January 2004
    If I was completely up to date on my critical updates, would I still be affected after clicking on that link?
  • SDJason Join Date: 2003-05-29 Member: 16841 Members
    I clicked it, and the new screen came up with the dialog to run the javascript.... and I clicked yes, but it said page error....... am I still infected?? since it didn't run correctly??

    ~Jason
  • NeoQuaker Join Date: 2004-01-03 Member: 25018 Members
    edited January 2004
    Could someone please state the name of this virus so that I and others can be sure that we've terminated it, and not some other virus that could have already been on the PC. Thanks :)
  • Extreme Join Date: 2003-12-10 Member: 24225 Members
    Anyone using mozilla shouldn't have anything to worry about, but IE users (or anyone else that thinks they might have a virus) just click the link ph34r provided.
  • Cold_NiTe Join Date: 2003-09-15 Member: 20875 Members
    edited January 2004
    I clicked on it and the Windows Media Player bar on the left of the screen in Internet Explorer showed up. The picture however did not show up, it was a Red X. I closed the WM player bar and right-clicked the dead picture, copied and pasted the link and put it in to get the picture then went back to the original window. In the original window, the picture showed up this time and so did the WM player bar, which I closed again. I was in that window for about 5 seconds I'd say, then I went back.

    **EDIT**
    WM Player Vs. 7.01 in the c:/program files/ directory. OS = Win98
    Norton Systemworks V 5.0
    Norton Antivirus V 8.017 - No virus Detected.
    Trend Micro - 1 virus Detected. (Finished Scan; Virus type: "Non Cleanable" - I'll delete it now.)
  • S_Badguy Join Date: 2003-12-03 Member: 23925 Members
    edited January 2004
    okokok.. first off, since the other stuff I said isn't in here... that link is a vulnerability which allows people to assess if your computer is vulnerable to a specific type of attack, and most likely logs information saying yes or no.

    If you are vulnerable, malicious code is executed by the attacker on your system.

    This appears to only occur on people who are running windows media player 9 and have it installed to the c:\program files\windows media player\ directory.

    If norton and trend micro do not show you are infected.. then your system has not been compromised.
    There is a small possibility it could be in the near future though.

    Like I said earlier to prevent further use of this vulnerability..
    QUOTE
    > in IE.. Tools -> Internet Options... -> [TAB] Advanced -> [Multimedia] Don't display online media content in the media bar
    that is a workaround that prevents the automatic execution of files through the built in media player.

    Some people are immune to this sort of attack because of more complex router configurations, firewalls, proper patching, and or not running windows media player 9...

    windows media player 9.. to my knowledge is the pinnacle of the particular exploit you have seen.
  • S_Badguy Join Date: 2003-12-03 Member: 23925 Members
    QUOTE (NeoQuaker @ Jan 3 2004, 11:08 PM)
    > Could someone please state the name of this virus so that I and others can be sure that we've terminated it, and not some other virus that could have already been on the PC. Thanks :)
    This, like I have now said numerous times, assesses your system for vulnerabilities.. it does NOT execute the malicious code itself. The particular vulnerabilities it looks for though can allow the uploading of malware.. eg: virii, trojans... not one specific infection
  • Cold_NiTe Join Date: 2003-09-15 Member: 20875 Members
    edited January 2004
    **EDIT** Done Scanning.

    File Name: "JS PETCH.A" (Confirmed by Agent Orange to be The SPECIFIC virus.)
    Copies of File Found: 1
    Type: Non-Cleanable (Deleting now)

    If you see this PH34R, thanks majorly. I would not have caught it without you, and frankly I was kinda panicky. I owe you man.
    Good luck Agent Orange, I'm gonna scan again tomorrow and maybe if anything shows up; the day after that, I suggest you do too.
  • AgentOrange Join Date: 2002-11-18 Member: 9244 Members
    edited January 2004
    I have that as well. About 19 times :(

    scratch that. 138 times.
  • S_Badguy Join Date: 2003-12-03 Member: 23925 Members
    np.. sorry I couldn't help sooner =)
  • Cold_NiTe Join Date: 2003-09-15 Member: 20875 Members
    QUOTE (@gentOrange @ Jan 3 2004, 11:59 PM)
    > I have that as well. About 19 times :(
    >
    > scratch that. 138 times.
    Looking at what @gent Orange just put on his reply from his update, he might need any help you can give him...
  • AgentOrange Join Date: 2002-11-18 Member: 9244 Members
    edited January 2004
    It's actually over 200 now :p

    I searched google and found a jeefo.a remover. Running it as we speak.

    and I checked windows update to see if somehow I missed a critical security update but I'm runnin smooth on that :D
  • aonomus Dedicated NS Mastermind (no need for school) Join Date: 2003-11-26 Member: 23605 Members, Constellation
    God I got infected too.... someone get the guy's IP and hand it over to a hackers website please :)
  • Maveric Join Date: 2002-08-07 Member: 1101 Members
    bump just in case someone didn't see this that needed it.
  • devicenull Join Date: 2003-04-30 Member: 15967 Members, NS2 Playtester, Squad Five Blue
    Yay for Mozilla (http://mozilla.org)
    I hope that guy is banned from the forums
  • MrMojo Join Date: 2002-11-25 Member: 9882 Members, Constellation
    www.opera.com

    Another good browser, with a few more options than mozilla. Also mostly invulnerable to attacks like these.

    Also, guys, don't click on links people provide on irc, unless it's a link you know is fine, or if the link name matches what you're talking about. Beware of people who join, link that, and leave.
  • devicenull Join Date: 2003-04-30 Member: 15967 Members, NS2 Playtester, Squad Five Blue
    QUOTE (MrMojo @ Jan 4 2004, 06:09 PM)
    > www.opera.com
    >
    > Another good browser, with a few more options than mozilla. Also mostly invulnerable to attacks like these.
    >
    > Also, guys, don't click on links people provide on irc, unless it's a link you know is fine, or if the link name matches what you're talking about. Beware of people who join, link that, and leave.
    You neglect to mention built in ads :)

    Yea.. IE is a big security hole, any other browser is better
  • MrMojo Join Date: 2002-11-25 Member: 9882 Members, Constellation
    QUOTE (devicenull @ Jan 4 2004, 05:14 PM)
    > You neglect to mention built in ads :)
    >
    > Yea.. IE is a big security hole, any other browser is better
    One ad, and it's right next to your arrow keys so you don't notice it anyway ;D. I registered my Opera, it gives you a lot more options.
  • Epidemic Dark Force Gorge Join Date: 2003-06-29 Member: 17781 Members
    Like what more options?
  • Silicon Join Date: 2003-02-18 Member: 13683 Members
    I've also coded up an image virus detector here: http://imgvirus.silicon.wack.us/

    posted in this thread:
    http://www.unknownworlds.com/forums/index.php?s=&act=ST&f=10&t=58363
  • Epidemic Dark Force Gorge Join Date: 2003-06-29 Member: 17781 Members
    Like what more options?
  • MrMojo Join Date: 2002-11-25 Member: 9882 Members, Constellation
    Added to favorites, great link. Epidemic, check their website. I'm not sure how the options compare to Firebird.