‘Troj/Unif-B’ trojan

anthonyd
(@anthonyd)

16 years, 5 months ago

I have just tried to access my wordpress site, ourshire.net from work, and the Sophos virus software detected and blocked the site because of ‘Troj/Unif-B’.

This seems to be related to a line of javascript which I discovered in a theme/template for bbPress, called bbPress-forum. This code results in the site calling x-victory.ru. I have written about this on the bbPress forum.

These are just a few quick notes – I will fill in more detail tonight after work – just wanted to get the word out. I can’t access the bbPress forum from work.

Anyone using the bbPress – forum theme: trentadams.com/2007/02/07/bbpress-support-forum-theme/ may be spreading this Trojan.

Viewing 10 replies - 1 through 10 (of 10 total)

Trent Adams
(@trent)

16 years, 5 months ago

Don’t know about that file, but I am taking a look at it for you now.

Trent

Trent Adams
(@trent)

16 years, 5 months ago

I have searched through the download file since it was re-uploaded after a server crash and the only thing that was in there was a javascript for the anarchy-media plugin that was left over from my own modifications to the original theme. I have got rid of that line and the download is clean and reloaded to the server. Could someone look it over as well and confirm what I am seeing.

http://onvertigo.com/downloads/bbpress-forum.zip

Thanks,

Trent

Trent Adams
(@trent)

16 years, 5 months ago

The discussion is also over at http://bbpress.org/forums/topic/x-victoryru-exploit?replies=10#post-11991 and it seems there might be an issue with the host and not theme.

Trent

moshu
(@moshu)

16 years, 5 months ago

Trent,
I downloaded that zip file you linked to – and couldn’t find anything in it. (I mean anything harmful)

Thread Starter anthonyd
(@anthonyd)

16 years, 5 months ago

It seems to be a case of MPack:
http://www.symantec.com/enterprise/security_response/weblog/2007/05/mpack_packed_full_of_badness.html

The host of this infested site is 3ix.

Trent Adams
(@trent)

16 years, 5 months ago

Thanks for the update anthonyd and thanks for checking that moshu!

Trent

afdenahy
(@afdenahy)

16 years, 5 months ago

My host has fixed the problem:
We have investigated the root cause of the issue and it is a type of iframe hacking from an Serbian IP which got into one of the customised php scripts of one of the clients and then got FTP access of domains and modified the pages.

We have removed that script and banned the IP and process of removing that hacked script . Your account has been cleaned.

Thanks for the beaut bbPress theme Trent.
Anthony

heriz
(@heriz)

16 years, 2 months ago

I have just been told that my blog holds the same virus, a malicious JavaScript that re-directs browsers to other malicious sites. It is hosted by 3iX, so I have notified them to see whether there has been a repeat.

Thought I’d let people know in case this is spreading.

zoom56ok
(@zoom56ok)

16 years, 2 months ago

Hi
I also had some kind of iframe script that actually turned my blog into a redirect page, and wrote a long piece about it here. And I was also hosted by 3ix, but left them last night. That dollar a month seems like a good deal but…

macsoft3
(@macsoft3)

16 years, 2 months ago

In reference to zoom56ok’s link, I saw that u0069 blah blah thing when I was examining the source of redirection 2 or 3 weeks ago. It could be 123Greetings.com. Anyway, I couldn’t figure out how it was related to involuntary redirection to another website.