
Trojan horse

Posted by Josee 
As of March 14, 2011, this forum has been replaced and is permanently set to read-only mode. This means you can view any existing post but cannot open new posts or reply to existing ones. The new forum is located at http://www.larryullman.com/forums/ If you need to post a message, you'll need to register there. If you have to post in order to follow up on a thread started here, well, that's going to be a bit of a pain. I would recommend just posting the appropriate information, or copying the original text from here, or linking to your thread here. I apologize for the inconvenience but this purge will make for better forums in the long run. Thanks.
Trojan horse
February 27, 2010 09:31PM
Hello,

I'm sorry to bother you with something that has nothing to do with Larry Ullman's books, but there's a Trojan horse attack on another forum of which I'm a member and administrator, and I would like to know if there is anything we can do to neutralize this attack (apart from contacting phpBB and the web host, which we've already done). According to the "Kaspersky Internet Security" software, this is a Trojan downloader:
HEUR:Trojan-Downloader.Script.Generic	[19lou-com.sweetim.com.avaxhome-ws.allmyguide.ru]

We can see their script in the browser, in the source code window, together with "headers already sent" warnings:

<b>[phpBB Debug] PHP Notice</b>: in file <b>/includes/session.php</b> on line <b>1007</b>: <b>Cannot modify header information - headers already sent by (output started at /includes/hooks/index.php:251)</b><br />
<b>[phpBB Debug] PHP Notice</b>: in file <b>/includes/session.php</b> on line <b>1007</b>: <b>Cannot modify header information - headers already sent by (output started at /includes/hooks/index.php:251)</b><br />
<b>[phpBB Debug] PHP Notice</b>: in file <b>/includes/session.php</b> on line <b>1007</b>: <b>Cannot modify header information - headers already sent by (output started at /includes/hooks/index.php:251)</b><br />
<b>[phpBB Debug] PHP Notice</b>: in file <b>/includes/functions.php</b> on line <b>4183</b>: <b>Cannot modify header information - headers already sent by (output started at /includes/hooks/index.php:251)</b><br />
<b>[phpBB Debug] PHP Notice</b>: in file <b>/includes/functions.php</b> on line <b>4185</b>: <b>Cannot modify header information - headers already sent by (output started at /includes/hooks/index.php:251)</b><br />
<b>[phpBB Debug] PHP Notice</b>: in file <b>/includes/functions.php</b> on line <b>4186</b>: <b>Cannot modify header information - headers already sent by (output started at /includes/hooks/index.php:251)</b><br />
<b>[phpBB Debug] PHP Notice</b>: in file <b>/includes/functions.php</b> on line <b>4187</b>: <b>Cannot modify header information - headers already sent by (output started at /includes/hooks/index.php:251)</b><br />

I can post a copy of their script if needs be, but I don't want to cause a security problem to this forum!

From what I saw on the phpBB forum, ours is not the only forum that was attacked today (at least one other forum had the exact same "headers already sent" warnings), but when I last visited the phpBB forum, there was no warning about this security problem.

Can anyone tell me if there's anything we can do? We've warned other members not to use the forum, and advised them to empty the browser cache together with the list of websites they visited today (sorry, I don't remember the name in English!), but can we / should we try and erase the script in the php or html files, wherever they put it?

With thanks for your help,

Josee
Local server: MAMP version 1.8.4
PHP Version 5.2.11
MySQL version: 5.1.37 Source distribution
phpMyAdmin - 2.11.9.5 & phpMyAdmin 3.2.0.1
Apache 2.0.63
Workstation OS: Apple 10.6.2 on Intel Mac
Re: Trojan horse
March 01, 2010 02:01PM
Well, the heavy-handed but reliable approach would be to replace all the files with new phpBB files. However, my forum once got infected and somehow they managed to add malicious code to a value in the database so that the page's TITLE tag got messed up. So you may want to also dump out the database, open the SQL in a text editor, and search for the same malicious code there. Good luck!

Best Wishes,
Larry

Writer/Web Developer/Instructor
Forum Moderator
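One way to carry out the two checks Larry describes (compare the live tree against a fresh phpBB release, then grep the database dump), written as an added example for this thread rather than code from the forum or from phpBB. It assumes a pristine copy of the same phpBB release is unpacked beside the live tree and that the dump is plain SQL text; the file contents, the injected markup and the `injected.example` host are constructed.

```python
import hashlib, os, re, tempfile

# Markup that should never appear in phpBB PHP files or config rows (assumed heuristics)
SUSPECT_RE = re.compile(r"<script[^>]*src=|<iframe|eval\s*\(\s*base64_decode", re.I)
IGNORE = {"config.php"}  # differs legitimately from the release; review it by hand instead

def sha256_tree(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_trees(clean_root, live_root):
    """Return (modified, added): live files whose digest differs from the release, and files the release never shipped."""
    clean, live = sha256_tree(clean_root), sha256_tree(live_root)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p] and p not in IGNORE)
    added = sorted(p for p in live if p not in clean)
    return modified, added

def scan_dump(sql_text):
    """Return the 1-based line numbers of dump lines that carry suspect markup."""
    return [n for n, line in enumerate(sql_text.splitlines(), 1) if SUSPECT_RE.search(line)]

def write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Constructed clean release vs. constructed infected copy, plus a constructed dump row."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        for root in (clean, live):
            write(root, "includes/hooks/index.php", "<?php\n// hook loader\n")
            write(root, "config.php", "<?php\n")
        write(live, "config.php", "<?php\n$dbhost = 'localhost';\n")  # expected local difference
        # Markup appended after the PHP block: output starts here, so later header() calls fail
        write(live, "includes/hooks/index.php",
              "<?php\n// hook loader\n?>\n<script src=\"http://injected.example/x.js\"></script>\n")
        write(live, "cache/.dropper.php", "<?php eval(base64_decode('...')); ?>")
        modified, added = compare_trees(clean, live)
    dump = ("INSERT INTO phpbb_config VALUES ('sitename', 'My Forum');\n"
            "INSERT INTO phpbb_config VALUES ('site_desc', 'Chat<script src=\"http://injected.example/t.js\"></script>');\n")
    return modified, added, scan_dump(dump)
```

Run `compare_trees` against a real extracted release and `scan_dump` over the output of `mysqldump` to get the list of files to replace and the rows to clean.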
Re: Trojan horse
March 01, 2010 02:52PM
Thanks for your answer, Larry.

Josee