"Padonak./fa/hta.php/object.cfm"

Anyone else heard of this "object" or been attacked while on a forums website?

This hit a game website I help admin December 22nd. I have tried looking up any information about who or where it came from but to no avail.

One of the moderators found out this was a malicious program that uses a redirect exploit through IFRAME. Tries to open a couple of .htm files from "padonak.info" (IP 211.115.110.230)
it uses IFRAME again to download the "proc.jarjava, archive and run MainApp.class. This in turns loads other classes which contain JavaByteVerify exploit.

It will also allow a Bloodworm exploit.6 installed through "padonak.info/fa/hta.php/object.cfm object". Anytime anyone goes there, this gets installed and appears on the taskbar. If clicked on, it disables the ActivX so the pages will not appear properly. Those with good anti virus programs can get rid of it easily enough. However, it seems to be able to get around routers and even firewalls like Black Ice.

With me, this "object" allowed a suspicious "ANYUMR.DLL" to be installed in my Windows System folder. I ran an online Malware scan and it was a Trojan.Proxy.69 (Dr. Web) or a Trojan.Win32.Pakes ( Kaspersky Anti-Virus) depending on which program named it. The packer is UPX. Some kind of backdoor Trojan. And because it is a trojan, why virus scanners may not pick it up.

I am sure it is "very helpful" installing/allowing other junk in as well if you are not behind a good firewall/anti virus program to catch and quarantine it.

I was able to get rid of it after scanning with HijackThis, renaming it while in SafeMode, deleting all files in my TEMP folder (it installs alot of malware junk there) and so on. Easy enough but annoying as my AVG Free 7 did not see it and some game community members even had problems with theirs. If you are not using Internet Explorer browser, the object will not install on the taskbar.

Now it has changed where it will appear if so many "GETs" are done on the website forums before appearing. Usually after 6 or 10. As admin of that site, this is extremely annoying while running the forums.

I have contacted the company that controls the website as soon as it happened December 22. But being Christmass Holidays, I expect nothing will be done until this coming week after everyone gets back.

 

Update

One of my moderators identified what the hackers used to attack our forums website. It was done by "Xpire/SplitInfinity Exploit" using "Suckit toolkit" Information can be found Vital Security.Org

As for the Padonak.info:


CAUTION!!! Only click the following links if you are NOT using Internet Explorer

Check out http://[I]<remove>[/I]/x.htm and http://[I]<remove>x1.htm[/I]

These are the *.htm files using the IFRAME exploit. The trojan/virus that has infected the website is changing the "GET" requests after clicking anywhere from five to ten links that use PHP. This includes the main page and our editing website
----------------------------

No links to malware please Laurie--Ron

 

My apologies for overstepping, Ron.

 

That's ok Laurie, we just want to keep everyone safe

Cheers

 

Update

A few days ago, our problem was finally solved by our new server hosts techsupport. New and updated forums were installed as well. Still some tweaking needs to be done but at least the "padonak.info" is gone finally.

All those who sent out those sneaky worms, over the holidays, really need to be drawn and quartered.