We are getting a message pop-up from McAfee sometimes when we visit our websites. The message says the site has a trojan "JS/Exploit-BO.gen". In FF it appears to have no effect, but in IE you get a yellow bar across the top of the page that says that the page is trying to run Microsoft Data Access Component. It also appears to attempt to load a QuickTime movie. If we view the source of the page when it appears, there is a piece of JS inserted into the page:
<script language='JavaScript' type='text/javascript' src='xfvqd.js'></script>
The name of the JS file changes each time it appears, the JS file doesn't exist anywhere on the server, and there is no mention of it being accessed in the httpd access log.
It is not restricted to a single file or files or even a single site; it appears to be affecting all the sites on the server. Also, it doesn't occur on every visit to the page; it appears to be random.
We have scanned the server several times for viruses with several different applications but found nothing. It is nothing to do with our PCs, as visitors to the site have emailed to complain as well.
Does anyone have any idea what this is, where it is, and how to get rid of it?
Is it even on our server, or is it somewhere else on my hosting company's network?
Thanks in advance for any help.
They announced that our site distributed a virus (which it did not) and were very unhelpful when we demanded they stopped libeling us.
I'd be very sceptical about anything a McAfee product says.
Matt
[edited by: Matt_Probert at 4:53 pm (utc) on Aug. 3, 2007]
The fact that this isn't happening with Firefox is a tell-all. Either Firefox has some super-advanced security procedure that runs before McAfee gets ahold of the site to protect your computer (unlikely) or McAfee just didn't want to pony up the time and effort to inject their false warnings into FF.
Try getting Opera and Safari, and see if the warnings pop up in them. Also, get a computer without McAfee (preferably a virtual machine), install IE6, Windows XP SP1, unpatched, no security features whatsoever enabled, NO MCAFEE, and then go directly to your site (and I do mean go DIRECTLY to your site--just type in your site's address directly so you can't pick anything up on the way there). Then, browse around for a while and see if you pick up anything nasty.
If you pick something up from browsing around only your site, yes, you should be concerned. Otherwise, you should simply give McAfee the boot and get a real antivirus program.
Edit: As your customers are complaining as well, if your site comes up clean I might suggest going to McAfee and telling them to stop injecting warnings about your site... or else. If you're losing revenue over this and you can prove you're not at fault, a lawsuit isn't out of the question.
[edited by: WesleyC at 7:04 pm (utc) on Aug. 3, 2007]
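One way to check for the intermittent script injection described in the first post, as an added example that is not part of the thread: compare the script tags in several saved copies of the same page against the scripts the site is known to use. The page snapshots, the allowlist, `/js/site.js` and the second file name `qplzk.js` are constructed for illustration; only `xfvqd.js` comes from the post.

```python
from collections import Counter
from html.parser import HTMLParser


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def script_sources(html):
    """Return the script src values found in one HTML document."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return parser.sources


def unexpected_scripts(snapshots, allowlist):
    """Map each script src outside the allowlist to the number of snapshots containing it."""
    seen = Counter()
    for html in snapshots:
        for src in set(script_sources(html)):
            if src not in allowlist:
                seen[src] += 1
    return dict(seen)


# Constructed sample: three fetches of the same page, two of them carrying an
# inserted tag whose file name differs each time, as the post describes.
BASE = "<html><head><script src='/js/site.js'></script></head><body>{}</body></html>"
TAG = "<script language='JavaScript' type='text/javascript' src='{}'></script>"
SNAPSHOTS = [
    BASE.format(""),
    BASE.format(TAG.format("xfvqd.js")),   # name taken from the post
    BASE.format(TAG.format("qplzk.js")),   # constructed second name
]
ALLOWLIST = {"/js/site.js"}  # assumed: the only script the site itself ships

if __name__ == "__main__":
    for src, hits in unexpected_scripts(SNAPSHOTS, ALLOWLIST).items():
        print(f"unexpected script {src!r} in {hits}/{len(SNAPSHOTS)} fetches")
```

Running it over copies fetched on the server itself and copies fetched from an outside network shows whether the tag is already present when the response leaves the web server.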