Web virus hitting MySpace, RottenTomatoes, and many other sites

flavio

This thing hit our webservers at work and I've been cleaning it out of the database every couple hours. It's spreading pretty fast and looks like it's hit MySpace and other large sites now.

Seems to be related to this...Text
 

Jeff7

Could it possibly wipe out all of the hard drives on Myspace's servers? That'd just be too bad. Really, it would. I don't think I'd ever get over it.
 
Whoozyerdaddy
From your link...

Threat Assessment
Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Low
Distribution
Distribution Level: Low
Is it that big a deal? < 49 known infections...
 

flavio

Originally posted by: Whoozyerdaddy
From your link...

Threat Assessment
Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Low
Distribution
Distribution Level: Low
Is it that big a deal? < 49 known infections...

Yeah, you wouldn't think from that link you'd have to start freaking out. On our forums a member posted that he got a Norton warning about that virus and that he got prompted to install a Chinese language pack when he went to a particular thread.

Then within an hour or two almost all the posts had this embed code for a Flash file which just displayed a white square, then immediately embed code and script tags are all through the database.

I've totally cleaned them out of our db 3 times today and it keeps coming back.

I'm going to write a MySQL / PHP script this weekend to clean our database and have it run every 30 minutes. If anyone wants to help I have the info on what needs cleaned and MySpace and Rottentomatoes could maybe buy it.

That'd be cool.


 

ViRGE

I'm still not sure I'm getting this. It's a remote code execution exploit, but what does it have to do with your site? Do infected machines keep trying to create posts with the exploit code embedded or something? And if that's the case, why are you allowing people to use HTML in their posts?
 

Mardeth

I was using rottentomatoes yesterday when it suddenly didn't work at all anymore. I wonder if it had anything to do with this.
 

flavio

Originally posted by: ViRGE
I'm still not sure I'm getting this. It's a remote code execution exploit, but what does it have to do with your site?

Only because the site I work for was where I found out about it.

Do infected machines keep trying to create posts with the exploit code embedded or something?

Maybe. What is it doing with the Flash file? It's called nice.swf. I don't know. It's inserting code into a database in the middle of words even.

And if that's the case, why are you allowing people to use HTML in their posts?

My company has people posting member reviews, blogs, FAQ/Walkthroughs, etc. but submissions only allow very specific HTML tags. Embed was allowed in the forums to post videos.
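
An added example, not part of the thread and not the poster's script: one way to do the allowlist-based cleanup discussed above in Python, parsing each stored post instead of pattern-matching so that tags injected in the middle of a word are removed cleanly. The allowlist, `clean_post`, `scan` and the sample rows are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for illustration; the thread does not list the site's real one.
ALLOWED_TAGS = {"a", "b", "i", "u", "p"}
ALLOWED_ATTRS = {"a": {"href"}}
DROP_WITH_BODY = {"script", "style"}  # element content is discarded too

class PostCleaner(HTMLParser):
    def __init__(self):
        super().__init__()  # default convert_charrefs=True: text arrives decoded
        self.out, self.removed, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_BODY:
            self._skip += 1
        if tag not in ALLOWED_TAGS:
            self.removed.append(tag)  # embed, script, object, iframe, ...
            return
        if self._skip:
            return
        # Keep only allowlisted attributes whose value is an http(s) URL.
        kept = "".join(
            ' %s="%s"' % (k, escape(v)) for k, v in attrs
            if k in ALLOWED_ATTRS.get(tag, ()) and v
            and v.lower().startswith(("http://", "https://")))
        self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_BODY:
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED_TAGS and not self._skip:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))  # re-encode text

def clean_post(body):
    """Return (sanitized_body, list_of_removed_tag_names)."""
    parser = PostCleaner()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.removed

# Constructed sample rows (post id -> stored body), not data from the thread.
ROWS = {
    101: 'Great wal<embed src="http://injected.example/nice.swf" width="1" height="1">kthrough, thanks!',
    102: 'See <a href="http://example.com/faq" onclick="x()">the FAQ</a><script src="http://injected.example/a.js"></script>',
    103: 'Plain post with <b>bold</b> text & nothing else.',
}

def scan(rows):
    """Map post id -> removed tags, for the rows that need rewriting."""
    found = {pid: clean_post(body)[1] for pid, body in rows.items()}
    return {pid: tags for pid, tags in found.items() if tags}
```

Running the same `clean_post` when a post is submitted and when it is rendered, not only as a periodic database job, keeps a re-injected tag from being served between cleanups.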

 

Shadowknight

Originally posted by: Jeff7
Could it possibly wipe out all of the hard drives on Myspace's servers? That'd just be too bad. Really, it would. I don't think I'd ever get over it.
I know, I mean, wouldn't you immediately feel an urge to whine about it by posting on your MySpace pa-

Nevermind.

:p