hxxp://free.hostpinoy.info/f.js
hxxp://xprmn4u.info/f.js
The 2 urls point to a javascript redirect script that automatically redirect visitors to a fake codec download site. These fake codecs are known as DNSChanger. Anyone running phpbb should check out their servers.
At the time of this writing over 400,000 hits are shown in Google when you search for the urls.
If anyone has any information as to how the scripts are being injected or which exploit is being used please contact me at dnelson(shift+2)uploadmalware.com
Antivirus Version Last Update Result
AntiVir 7.8.0.17 2008.05.11 DR/Dldr.DNSChanger.Gen
AVG 7.5.0.516 2008.05.11 DNSChanger.AE
ClamAV 0.92.1 2008.05.11 Trojan.Dropper-6806
F-Secure 6.70.13260.0 2008.05.12
Trojan.Win32.DNSChanger.clm
Ikarus T3.1.1.26.0 2008.05.12
Virus.Trojan.Win32.DNSChanger.chg
Kaspersky 7.0.0.125 2008.05.12
Trojan.Win32.DNSChanger.clm
Norman 5.80.02 2008.05.09 Vundo.gen171.dropper
Prevx1 V2 2008.05.12 Cloaked Malware
Sophos 4.29.0 2008.05.11 Troj/Zlobar-Fam
TheHacker 6.2.92.307 2008.05.11 Trojan/DNSChanger.chg
Webwasher-Gateway 6.6.2 2008.05.11
Trojan.Dropper.Dldr.DNSChanger.Gen
3 comments:
It’s important to note that currently only phpBB2 installations have been affected. The newest version of phpBB (v3.0.1) has not been affected.
If someone has had their phpBB2 board hacked, they should report it to the phpBB.com Incident Tracker
The way they try to distribute the binaries is pretty well made this time ...
I wrote some summary at:
http://d0mber.blogspot.com/2008/05/mass-phpbb-download-infection.html
Thanks for your posting!
Domber
Who knows where to download XRumer 5.0 Palladium?
Help, please. All recommend this program to effectively advertise on the Internet, this is the best program!
Post a Comment