
JS/Exploit-BO.gen?

This threat was proactively detected as JS/Exploit-BO.gen with the 4633 DAT files or newer. I've seen this type of attack before. It seems that everything works now.

root@server [~]# tcpdump -nAs 2048 src port 80|grep "[a-zA-Z]\{5\}\.js'"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 2048 bytes

Lastly, if none of that helps you might want to talk to Steven over at Rack911; he has had some experience with this exploit also and has probably seen it more.

The program will then begin downloading the latest definition files.

Exploit CVE-2006-1359 in Microsoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on

Actually, the pages that display the code have not been modified in any way. Apologies for the delay. Next thing to do if that is the case is to recompile apache with phpsuexec enabled and keep stopping and starting apache as I described above and watch the access_log file just in case McAfee "correct" the update again :-)

my personal experience
Jorge Campo commented January 3, 2008 at 12:24pm
I got just yesterday

We shall see

It appears to be triggering
nschindler commented January 2, 2008 at 8:07pm
It appears to be triggering on jquery.js, which is

Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Finally I decided to uninstall drupal and reinstall again.

The 4732 DAT files contain enhanced Exploit-BO.gen detection to cover these exploits.

We have phpsuexec enabled, firewalls, etc, however this seems like a major exploit to me. http://img440.imageshack.us/img440/8504/virusscriptkt3.jpg http://img46.imageshack.us/img46/9683/virusscript2fn1.jpg
mkatight, Aug 6, 2006 #1

mkatight (Thread Starter): I hope it is okay to bump this...

Two customers were talking about a JS/Exploit-BO.gen warning, another one about an A0059595.exe virus. It has a code in it that links to http:// 86.39.128.144/download/167212/bin.exe
#5 groefie, Apr 3, 2007 (Last edited by a moderator: Apr 3, 2007)

We recompiled apache, php and cpanel as well, the problem is still there. Thanks in advance.
#1 groefie, Apr 3, 2007

tAzMaNiAc: It is at the

  • Nothing on Firefox.
  • Even plain html pages are displaying the js, which means that they are somehow intercepting the output from apache.

To stop that particular issue, in case it's related, make sure you have the following set in /usr/local/lib/php.ini:

enable_dl = Off

Then restart httpd.

Jonathan Michaelson
cPanel Server Configuration, Security and Antivirus/AntiSpam Services
http://www.configserver.com
#3 chirpy, Apr 3, 2007 (Last edited: Apr 4, 2007)

This program is for XP and Windows 2000 only. Double-click ATF-Cleaner.exe to run the program.

Brenden
#2 tAzMaNiAc, Apr 3, 2007

chirpy: Most likely a

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Unlike viruses, Trojans do not self-replicate.

So it's not actually in the pages. It can allow an attacker to add a dynamically loadable apache module, meaning a custom hack that inserts code to the visitor, upon output. Is this a problem in the code or did the guys from McAfee screw up something?

Methods of Infection Trojans do not self-replicate. He might lead you to some better understanding of it also. Hope some of you guys have the same problem ...


What to do now: To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution.

Attached Files: strange.jpg
#4 groefie, Apr 3, 2007 (Last edited: Apr 3, 2007)

The hack has grown and they have modified it a bit since the original flame.so script. Some suggestions: stop cron in case they have a cron file running that starts the process.

See the attachment for a screenshot of the inserted code in a page (left top of the page). The folder 'trustm3now' or the file 'getpr0n.php' are not present on the server and never were as far as we know.

Jan 3, 2008, 05:15 #4 M-M-J: Lots of info on Google: http://google.com/search?q=js/exploit-bo.gen

The code is not in the source of the page on the server, I've checked that in the file manager, but you can see it (not always) in the source of

If both ScriptScan and Buffer Overflow Protection are disabled, the On Access Scanner will detect identifiable exploit code but not block execution.

phono 22:47 15 May 07: If McAfee picked it up then I wouldn't worry too much about it. Do a full virus and spyware/malware scan.

Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc. Everything seems to work fine after updating to this version.