
Trojan from blivvsen com


    My Kaspersky is detecting and blocking repeated attempts to download a trojan from http:// blivvsen.com /shuffle/tmp/des.jar/dev/s/AdgredY.class.

    (The software automatically converted that to a link; but in the circs it might be better not to try clicking it!)

    As I was surfing CUK at the time, it seems likely it was something here, perhaps a rogue or misinterpreted ad, although this URL didn't show up in a "view source".

    Anyone else seen this?

    P.S. Google returns zero results for a search on "Trojan blivvsen.com".
    Last edited by administrator; 20 September 2010, 22:13. Reason: Link removed
    Work in the public sector? Read the IR35 FAQ here

    #2
    This kind of thing makes me a bit jumpy as OpenX (the banner software we use) has had some exploits. I have checked the source of a few pages and can't see anything but had a random Firefox reboot when looking at the site just now. Let me know if you work out what is trying to download the Trojan at your end.

    Meant to say, upgraded OpenX on here last night so should be all patched up. Exploit was announced Friday and I upgraded on the sites I work on last night but was too late for one of them. Looked like Chinese hackers. I hate the interweb sometimes...
    Last edited by administrator; 20 September 2010, 22:12. Reason: Adding we are patched!



      #3
      I just noticed this whilst browsing CUK.
      My AV didn't catch it though (Microsoft Security Essentials).

      I noticed Java fire up on my main PC, so I checked task manager and saw randomly changing process names (e.g. not actual but something like "erSFG34s.exe", description "tcp/udp ports monitor" or similar).
      The HDD was going crazy too, so I first disabled my NIC in case somebody was uploading from my PC, then rebooted since the processes were still running and constantly changing name.
      So far it hasn't started up again, but I'm uninstalling Java and going to do a full sweep.



        #4
        While browsing CUK just now, my Java kicked in too and all I noticed before the popup disappeared was it was trying to download some file called sex.avi.

        I am pretty sure it is an advert that has been infected.
        Vote Corbyn ! Save this country !



          #5
          Originally posted by CheeseSlice:
          I just noticed this whilst browsing CUK.
          My AV didn't catch it though (Microsoft Security Essentials).

          I noticed Java fire up on my main PC, so I checked task manager and saw randomly changing process names (e.g. not actual but something like "erSFG34s.exe", description "tcp/udp ports monitor" or similar).
          The HDD was going crazy too, so I first disabled my NIC in case somebody was uploading from my PC, then rebooted since the processes were still running and constantly changing name.
          So far it hasn't started up again, but I'm uninstalling Java and going to do a full sweep.
          Just to give credibility to my link to owlhoot's trojan, I found the cached files for Java, opened the most recent file (from this evening) in Notepad and saw the same URL (http://blivvsen/etc/etc).



            #6
            + 1 More.

            Definitely CUK as it's the only thing I'm doing...

            My AV detected it (Avast) just as the ClearSky advert at the top left began to load, and the advert stopped loading until I had cleared the alert, so it looks like a likely suspect...
            Still Invoicing



              #7
              Been through the DB for the adserver and the forum and can't find anything. Have seen a good few injection attacks over the last few years and none of the usual signs are there. No appended code to the adserver, and as I said I upgraded that last night so there shouldn't be any problems with that. And I know how OpenX exploits look, appended code on the ad code and that all looks as it should so am 99.9% certain that is all OK.

              Dug around VBulletin exploits and I missed a VBSEO exploit from a week or so ago:
              Security Bulletin - vBSEO 3.5.2 Released - vBulletin SEO Forums

              So have patched that and rebooted the server to try and clean out any temp files and the vBulletin data store which is mentioned in one of the links on the above post.

              Cannot find any mentions of base64 or other usual oddities in the DB or any odd php files so am at a loss.

              As I said, I had a random browser reboot when I came on here and I have seen browsers fall over like this when hit with a trojan before so that has made me suspicious. Have done full Kaspersky scan and nothing odd showing up. Done Malware Bytes scan, nothing there either.

              Been really foolish and browsed the site in IE as well. Nothing.

              Use the contact form, this thread, or PM if you can think of anything else or if any more of you notice anything odd when browsing the forum.



                #8
                Originally posted by blacjac:
                + 1 More.

                Definitely CUK as it's the only thing I'm doing...

                My AV detected it (Avast) just as the ClearSky advert at the top left began to load, and the advert stopped loading until I had cleared the alert, so it looks like a likely suspect...
                When did this happen? Since the site came back up?

                Here is the banner being served:

                Code:
                <div id="ad_global_header1"><iframe id="a3f206c8" name="a3f206c8" src="http://www.contractoruk.com/adserver/www/delivery/afr.php?n=a3f206c8&amp;zoneid=3&amp;cb=INSERT_RANDOM_NUMBER_HERE" framespacing="0" scrolling="no" frameborder="no" height="60" width="468">&lt;a href='http://www.contractoruk.com/adserver/www/delivery/ck.php?n=a2f27b58&amp;amp;cb=INSERT_RANDOM_NUMBER_HERE' target='_blank'&gt;&lt;img src='http://www.contractoruk.com/adserver/www/delivery/avw.php?zoneid=3&amp;amp;cb=INSERT_RANDOM_NUMBER_HERE&amp;amp;n=a2f27b58' border='0' alt='' /&gt;&lt;/a&gt;</iframe> <script type="text/javascript" src="http://www.contractoruk.com/adserver/www/delivery/ag.php"></script></div>
                Nothing there that looks suspect.

                Will check the adserver again.

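One way to do the check the admin describes above (looking for code appended to the served ad markup) in a repeatable way: an added example, not the forum's or OpenX's own code. It assumes the banner should only ever reference the forum's own adserver host (www.contractoruk.com, taken from the banner posted above) and uses a constructed injected variant of that banner, with a script tag appended, to show what an injection would look like to the check.

```python
import html
import re
from urllib.parse import urlparse

# Assumption: the forum's banner markup should only ever reference its own
# adserver host, the one seen in the banner pasted above.
ALLOWED_HOSTS = {"www.contractoruk.com"}

# src=... / href=... attribute values, single- or double-quoted.
URL_ATTR_RE = re.compile(r"""(?:src|href)\s*=\s*['"]([^'"]+)['"]""", re.I)

def extract_urls(markup):
    """Every src/href URL in the markup.  The iframe's fallback content is
    entity-escaped (&lt;a href=...&gt;), so the text is unescaped round by
    round and rescanned each time so those URLs are collected as well."""
    urls, text = [], markup
    for _ in range(3):
        for u in URL_ATTR_RE.findall(text):
            if u not in urls:
                urls.append(u)
        decoded = html.unescape(text)
        if decoded == text:
            break
        text = decoded
    return urls

def suspicious_hosts(markup):
    """Hosts referenced by the markup that are not on the allow list."""
    bad = []
    for u in extract_urls(markup):
        host = (urlparse(u).hostname or "").lower()
        if host and host not in ALLOWED_HOSTS and host not in bad:
            bad.append(host)
    return bad

# The banner exactly as posted above, only re-wrapped across lines.
CLEAN_BANNER = """<div id="ad_global_header1"><iframe id="a3f206c8" name="a3f206c8"
src="http://www.contractoruk.com/adserver/www/delivery/afr.php?n=a3f206c8&amp;zoneid=3&amp;cb=INSERT_RANDOM_NUMBER_HERE"
framespacing="0" scrolling="no" frameborder="no" height="60" width="468">&lt;a
href='http://www.contractoruk.com/adserver/www/delivery/ck.php?n=a2f27b58&amp;amp;cb=INSERT_RANDOM_NUMBER_HERE'
target='_blank'&gt;&lt;img
src='http://www.contractoruk.com/adserver/www/delivery/avw.php?zoneid=3&amp;amp;cb=INSERT_RANDOM_NUMBER_HERE&amp;amp;n=a2f27b58'
border='0' alt='' /&gt;&lt;/a&gt;</iframe> <script type="text/javascript"
src="http://www.contractoruk.com/adserver/www/delivery/ag.php"></script></div>"""

# Constructed sample: the same banner with a script tag appended, the
# "appended code on the ad code" pattern the admin describes for OpenX.
INJECTED_BANNER = CLEAN_BANNER + '<script src="http://blivvsen.com/shuffle/index.php"></script>'
```

Run `suspicious_hosts()` over what the adserver actually delivers (fetch it or paste it from view-source); the clean banner yields an empty list, while the injected variant reports the off-domain host.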


                  #9
                  Originally posted by administrator:
                  When did this happen? Since the site came back up?
                  No more than a couple of minutes before I posted. Avast webshield shows the below. I had literally just booted the laptop, left it to boot while making a cuppa, opened Firefox and typed forums.contractoruk.com into the address bar.

                  *
                  * avast! Real-time Shield Scan Report
                  * This file is generated automatically
                  *
                  * Started on: Tuesday, September 21, 2010 12:28:39 AM
                  *

                  21/09/2010 00:37:00 http://blivvsen.com/shuffle/index.php?s=IBB@G|>{gzip} [L] JSownloader-AEH [Trj] (0)
                  Still Invoicing



                    #10
                    Definitely still there.

                    Just fired up Chrome, typed forums.contractoruk.com into the address bar and lo and behold...

                    If I can find a free image host I'll upload the screenshot that shows the advert half loaded (or possibly hidden behind something).


                    Edit: found one.

                    Last edited by blacjac; 21 September 2010, 00:19.
                    Still Invoicing
