GoFuckYourself.com - Adult Webmaster Forum

- Fucking Around & Business Discussion (https://gfy.com/forumdisplay.php?f=26)

- - This is a virus ? webair (https://gfy.com/showthread.php?t=1000498)

This is a virus ? webair

i was uploading some stuff today for site and suddenly the ftp connection was closed and i couldnt login.

Turns out the host ( webair ) has a security feature that scans uploaded files for a virus and if found it closes the connection and changes the ftp password for you. Kind of a neat feature i suppose , but i went to isolate the file it was finding and it was a variation of this

Code:

<?php

$out = "http://yahoo.com";

?>



<html>

<head>

<script>

function xtb(){

top.location.href="<?php echo $out; ?>";

}

</script>

</head>

<body>

hello<br>



<iframe id=xnsi onload="xtb();" src=http://google.com width=1 height=1></iframe>



</body>

</html>

although the code could be used to initiate a virus , it isn't malicious or a virus on its own.

interesting to note although they change your ftp password for you they dont delete the file that was found to be a virus.

try it out if you want , save code and upload to webair , it will log you off and change your pass.

curious , where does webair get its virii defs from

Quote:

Originally Posted by SmokeyTheBear (Post 17749653)

Code:

<?php

$out = "http://yahoo.com";

?>



<html>

<head>

<script>

function xtb(){

top.location.href="<?php echo $out; ?>";

}

</script>

</head>

<body>

hello<br>



<iframe id=xnsi onload="xtb();" src=http://google.com width=1 height=1></iframe>



</body>

</html>

So it's redirecting to Yahoo and loading Google in a somewhat hidden iframe? I take it you just changed the URL's so you could post it?

Anyhow, if a host deleted files suspected to contain malicious code they would quickly be in deep shit when peoples index files and other important pages come up missing, which is where most malicious code is planted.

Quote:

Originally Posted by Jakez (Post 17749709)

So it's redirecting to Yahoo and loading Google in a somewhat hidden iframe? I take it you just changed the URL's so you could post it?.

the real code was simply for converting a video, so the hidden frame loaded the video conversion and when complete it loaded the "conversion complete" page.

Quote:

Originally Posted by Jakez (Post 17749709)

Anyhow, if a host deleted files suspected to contain malicious code they would quickly be in deep shit when peoples index files and other important pages come up missing, which is where most malicious code is planted.

if file exists dont overwrite would do the same function

ie delete file if its a new file , dont overwrite if its an existing file.

nice of them to be pro active. I am sure if cuts down on customer service for the techs and sites being banned from google

Quote:

Originally Posted by BareBacked (Post 17749747)

nice of them to be pro active. I am sure if cuts down on customer service for the techs and sites being banned from google

def a cool feature, but if it creates alot of false positives , maybe not

This is our Automatic FTP Virus Scanning Security Feature.

It is something you can easily enable or disable via our Webair control panel in the ftp manager section. This scan only happens AT THE TIME OF FTP UPLOAD, it doesn't go in and scan existing files.

In the event a virus is detected, the file is automatically cleaned, and the FTP password is reset and an email is sent to you with the details and the new password.

The virus definitions come from multiple sources as well as internal. Smokey I will check to why that was blocked and get back to you regarding that.

This security feature has helped GREATLY in protecting clients. As new threats emerge our signature database will evolve proactively. The FTP Security Feature is is available to all Webair hosting accounts and is FREE of charge. :thumbsup