
FTR possibly has a problem?

  1. #1

    Hi Moderators,

    I haven't been around here in a long time and I happened to log in today and found a problem that I am sure you will want to take care of for your community. Hopefully it is not a big deal to run down and fix.

    It looks like you might have a trojan on your site. I'm not an expert on this but I do work in IT and one of the guys I work with deals with this sort of thing all the time.

    The way he explained it to me was that one of your advertisement links may have been hijacked and is trying to download a trojan onto the unlucky viewer's computer.

    Luckily I am protected from this particular one by Trend OfficeScan.

    Anyway, I thought you might want to know. I only had this problem when I clicked on a post by Fnord in the Live Poker forum. So I assume it may be one of the advertisements there that has been compromised.

    Here is the link but beware if you don't have reasonably up to date AV signatures.

    http://www.flopturnriver.com/phpBB2/...ot-t80731.html

    Trend is labeling this as: TROJ_IFRAME.CP

    Here is the link to the trojan information on their website:

    http://www.trendmicro.com/vinfo/viru...TROJ_IFRAME.CP
  2. #2
    Unfortunately, if this is true, the links alternate every time you click on a page, so none of those links could be the one. I will tell Xianti to look into it now.
  3. #3
    Xianti (Join Date: Dec 2003; Posts: 9,246; Location: facebook.com/mediacookery)
    Thanks. I am alerting the other Admins now.
  4. #4
    No problem, I hope no damage was caused to anyone.
  5. #5
    Stacks (Join Date: Jan 2008; Posts: 4,015; Location: Im opedipus bitch, the original balla.)
    oh dat fnord!!!!
  6. #6
    Xianti
    There's a possibility it may be nothing:
    http://www.phpbb.com/community/viewt...p?f=1&t=797915
    Also be aware that some AV software will report a link as a trojan.
    If the link is to a known source of malware a lot of AV software is set to 'know' those links and report it.
    It would not mean that your site is infected, only that someone has posted a link to a place that is.
    As an anti-malware fighter (and forum owner) I come across this sort of thing a lot.
    But we're looking into our banner ads now.
  7. #7
    bigred (Join Date: Sep 2004; Posts: 15,437; Location: Nest of Douchebags)
    Let's replace all advertisements with pictures and banners of how awesome I am. Problem solved. I won't give you diseases...hmmm...on second thought...
    LOL OPERATIONS
  8. #8
    Update, we've hired a specialist to look at our site and he said the following:
    I've checked your site, but I am not detecting any virus, trojan or anything by my software. I also was unable to find usual code that they use to stay on websites, like on other client sites that were infected.
    We're also now having a 2nd specialist look into this for us.
  9. #9
    Hmm, this is very strange then.

    Since you said nothing was found I went back and checked it again. I got the same alert from Trend that there was a Trojan found. I went to multiple machines, all running Trend, and they all find the same supposed Trojan.

    I am not going to bother checking it on a non-protected system at work which is where I am checking it now. When I go home I will try with other systems using other non-Trend AV and see the results.

    It could be a false positive but what gets me is it only happens on that one post I linked to. It happens every single time and I cannot find one other post that makes this happen. Since the ads are rotating I am not sure what to say other than false positive or very sneaky Trojan.

    If you wanted to see it in action I figure you can probably download a trial of Trend and see it for yourself.

    I am running Trend Micro's Office Scan v.8.
  10. #10
    Well, I tried with McAfee and it didn't detect anything. That doesn't mean there is nothing there, McAfee sucks, but it could certainly be and probably is a false alarm at this point. There is just something on that thread that Trend absolutely does not like.

    If the pros say your site is clean then I guess it is.

    Still, it would be nice if one of you also tried Trend and see if you get the same results so you know I wasn't mouthing off about it for no reason. :P
  11. #11
    mariano57 Guest
    Quote Originally Posted by jyms
    Unfortunately, if this is true, the links alternate every time you click on a page, so none of those links could be the one. I will tell Xianti to look into it now.
    I'm a newbie here and it's going to take me a year to get around the site and understand where everything is.
  12. #12
    Thanks for bringing this to our attention, booradly07. We appreciate the feedback, we definitely do not think you were just mouthing off!
  13. #13
    Xianti, I just sent you an e-mail about this. I get the same message. I have Trend Micro PC-cillin 14. I think the problem is with an avatar. It's one of those animated avatars.
  14. #14
    Xianti
    Yes, booradly and tpb. We are taking this very seriously. tpb, thanks for the tip. We'll be looking into the avatar.
  15. #15
    Xianti
    It has been confirmed that member pokerfan had an avatar that was infected with a Trojan Horse. We have learned that malicious code can be embedded within animated GIF images.

    The image has been removed and pokerfan has been alerted.
  16. #16
    no animated gifs policy coming soon?
  17. #17
    Xianti
    Quote Originally Posted by Warpe
    no animated gifs policy coming soon?
    We're considering it. Thoughts?
  18. #18
    What does it mean for us? As far as having that image in any thread we opened?
  19. #19
    Quote Originally Posted by jyms
    What does it mean for us? As far as having that image in any thread we opened?
    I'm pretty sure just viewing the picture in the forum would have been fine. To be safe I asked our specialist and will let you know what he says.
  20. #20
    lolzzz_321 (Join Date: Oct 2004; Posts: 7,476; Location: My ice is polarized)
    I'd be sad
  21. #21
    Quote Originally Posted by Xianti
    Quote Originally Posted by Warpe
    no animated gifs policy coming soon?
    We're considering it. Thoughts?
    Only allow uploaded pics for avatars, no URLs, and scan the shit out of them when they're uploaded. Still leaves FTR vulnerable to any other infected gifs that get posted elsewhere, I guess. Dunno enough about it to know how you can make FTR completely bulletproof without disallowing pics altogether. What do the experts say?
  22. #22
    Xianti
    The trojan horse is within the animation code for the GIF, regardless of whether it's uploaded or linked to an outside source. I've always had remote linking disabled. Here's what the code looks like in pokerfan's former animated avatar:




    The specialist suggested we disable avatars completely if we want this to be foolproof (as far as image viruses go). But that's a bit extreme. We're considering the possibility of having all avatar uploads screened before the images are saved. That may be the best option, if it's possible to do without slowing down the server.
  23. #23
    Xianti
    Warning for stupid people:

    DO NOT go to the URLs in the circled area!
  24. #24
    Quote Originally Posted by Xianti
    Warning for stupid people:

    DO NOT go to the URLs in the circled area!
    This made me LoL.

    Dunno about anyone else, but FTR w/o avatars would REALLY suck imo. Don't really care about animations, tho.
  25. #25
    Lynch iopq
  26. #26
    swiggidy (Join Date: Sep 2005; Posts: 7,876; Location: Waiting in the shadows ...)
    Quote Originally Posted by Robb
    Quote Originally Posted by Xianti
    Warning for stupid people:

    DO NOT go to the URLs in the circled area!
    This made me LoL.
    I tried to click it after X posted this but nothing happened
    (\__/)
    (='.'=)
    (")_(")
  27. #27
    Hey, glad to hear you figured it out and glad to have helped find the problem.
  28. #28
    AlKo4g7iC (Join Date: Mar 2009; Posts: 33; Location: Toronto, Ontario, Canada)
    just commenting on the possible trojan, is it fixed?
  29. #29
    I wonder to myself: is it not illegal to send out trojans?
    Don't the police get involved and arrest people that run the site that is circled in red?
  30. #30
    Xianti
    Quote Originally Posted by AlKo4g7iC
    just commenting on the possible trojan, is it fixed?
    Yes. The problem has been corrected. We have modified the avatar upload module to check for malware before allowing any images to be used as an avatar.
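Posts #22 and #30 describe screening avatar uploads before they are saved. The Python below is an added illustration of that kind of check, not FTR's upload module and not code from this thread: it walks a GIF's block structure and flags markup or URLs inside extension blocks, bytes after the trailer, and malformed files. The function names, the patterns and the constructed 1x1 sample GIF (with the reserved `malware.example` host) are assumptions made for the example.

```python
import re
import struct
# Assumed, illustrative patterns: markup or URLs have no place in an avatar image.
SUSPICIOUS = re.compile(rb"<\s*(iframe|script)|https?://", re.IGNORECASE)

def _sub_blocks(data, pos):
    """Concatenate length-prefixed GIF sub-blocks; return (payload, next_pos)."""
    out = bytearray()
    while data[pos]:                       # a zero-length block terminates the run
        out += data[pos + 1:pos + 1 + data[pos]]
        pos += 1 + data[pos]
    return bytes(out), pos + 1

def _table_len(packed):
    """Byte length of the colour table described by a packed-flags byte."""
    return 3 * 2 ** ((packed & 7) + 1) if packed & 0x80 else 0

def scan_gif(data):
    """Walk the GIF block structure; return findings (empty list = accept)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return ["not a GIF"]
    findings = []
    try:
        pos = 13 + _table_len(data[10])    # header + screen descriptor + global table
        while data[pos] != 0x3B:           # 0x3B is the trailer
            if data[pos] == 0x21:          # extension: label byte, then sub-blocks
                label = data[pos + 1]
                payload, pos = _sub_blocks(data, pos + 2)
                if SUSPICIOUS.search(payload):
                    findings.append(f"markup or URL in extension 0x{label:02x}")
            elif data[pos] == 0x2C:        # image descriptor, then LZW pixel data
                pos += 10 + _table_len(data[pos + 9]) + 1
                _, pos = _sub_blocks(data, pos)
            else:
                return findings + ["unknown block type"]
        if data[pos + 1:]:                 # nothing may follow the trailer
            findings.append("data after trailer")
    except IndexError:                     # ran off the end of the file
        findings.append("truncated or malformed")
    return findings

def sample_gif(comment=b"", trailing=b""):
    """Constructed 1x1 GIF; optional comment extension and trailing bytes."""
    ext = b"\x21\xfe" + bytes([len(comment)]) + comment + b"\x00" if comment else b""
    return (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + bytes(6) + ext
            + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
            + b"\x02\x02\x44\x01\x00" + b"\x3b" + trailing)

print(scan_gif(sample_gif(comment=b'<iframe src="http://malware.example/x">')))
```

A structural check like this complements an AV scan of the upload; re-encoding the accepted image server-side additionally discards any extension blocks and trailing bytes.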
  31. #31
    SO NOW I CAN UPLOAD MY ANI,GIF IMAGE?
    <<<<<<JUST A TROLL LOOKING FOR A FREE BRIDGE TO CROSS>>>>>>
  32. #32
    DON'T WORRY ABOUT IT STILL TRYING TO GET MY SIGNATURE TO SHOW UP ....lol THIS WILL TAKE A MONTH TO UPLOAD PIC.....
    BACK TO MY PROFILE...........RUFF START
    <<<<<<JUST A TROLL LOOKING FOR A FREE BRIDGE TO CROSS>>>>>>
  33. #33
    I'm using a PC that has AVG
    and it detects the trojan from the main page too
  34. #34
    I got this detected on 3rd June

    img514.imageshack.us/my.php?image=70405878.jpg

    P.S. Sorry for the double post. I can't PM because I don't have enough posts, and I can't attach a link to the picture either.
  35. #35
    Thanks, we're looking at removing this.
  36. #36
    LYNCH POKERFAN

    I'm not averse to an avatar free ftr, but I think I'm in the minority.
    Congratulations, you've won your dick's weight in sweets! Decode the message in the above post to find out how to claim your tic-tac
  37. #37
    It's probably a variant of the GDI+ GIF processing vulnerability:
    http://www.checkpoint.com/defense/ad...i-02-Sepa.html

    I'm new to poker, but do any of the sites use 2 factor authentication? Instead of just username/password.
