
Posted By

JamesD
on 2010-08-10
17:50:30
 Trojan Horse Detected

I'm getting a warning of a trojan horse when I access PLUS/4 World.
Someone hack the site?

Posted By

Thomas
on 2010-08-10
19:58:04
 Re: Trojan Horse Detected

Me, too, using Avast Antivirus.
It says "HTML:IFrame-OM [Trj]".

Posted By

Csabo
on 2010-08-10
21:58:07
 Re: Trojan Horse Detected

Huh, you guys are right. The front page (index.php) somehow got 4 KB bigger, a very strange function got added as the first line... I have no idea how. The copy of that file on my machine was clean, I just FTP'd that up and now it's gone.

Posted By

monoceros
on 2010-08-11
12:02:30
 Re: Trojan Horse Detected

I got something like this. First a trojan sent the FTP pass; when the program has it, it installs some java or other lines into the HTML code. If you erase it without changing the pass, it will copy it again. So it is recommended to change the password and erase the code afterwards (usually index / home / with php and htm extensions).
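
The check described in the two posts above (a front page that grew by about 4 KB with a function added as its first line, while the local copy stayed clean), as an added example that is not part of the original thread: it compares a clean copy of the site with a copy pulled back from the server. The directory layout, file contents and the `compare_trees` and `demo` names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

WEB_EXTS = {".php", ".htm", ".html"}   # extensions named in the thread
ENTRY_STEMS = {"index", "home"}        # page names named in the thread


def first_line(path: Path) -> bytes:
    return (path.read_bytes().splitlines() or [b""])[0]


def compare_trees(clean_root: Path, deployed_root: Path) -> list:
    """List web files in the server copy that differ from the clean copy."""
    findings = []
    for deployed in sorted(deployed_root.rglob("*")):
        if not deployed.is_file() or deployed.suffix.lower() not in WEB_EXTS:
            continue
        rel = deployed.relative_to(deployed_root)
        clean = clean_root / rel
        if not clean.is_file():
            status, delta, line1 = "unexpected", deployed.stat().st_size, False
        else:
            a, b = clean.read_bytes(), deployed.read_bytes()
            if hashlib.sha256(a).digest() == hashlib.sha256(b).digest():
                continue
            status, delta = "modified", len(b) - len(a)
            line1 = first_line(clean) != first_line(deployed)
        findings.append({"path": rel.as_posix(), "status": status,
                         "size_delta": delta, "first_line_changed": line1,
                         "entry_page": deployed.stem.lower() in ENTRY_STEMS})
    return findings


def demo() -> list:
    """Build two constructed trees: a clean copy and a tampered server copy."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            root.mkdir()
            (root / "index.php").write_bytes(b"<?php\necho 'front page';\n")
            (root / "about.htm").write_bytes(b"<html>about</html>\n")
        # Constructed 4096-byte stand-in for the function prepended as line 1.
        marker = b"<?php /* constructed placeholder */ ?>".ljust(4095) + b"\n"
        (live / "index.php").write_bytes(marker + (clean / "index.php").read_bytes())
        (live / "home.html").write_bytes(b"<html>not in clean copy</html>\n")
        return compare_trees(clean, live)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run against a real site, `clean_root` would be the local working copy and `deployed_root` a fresh download of the web root, taken after the FTP password has been changed.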

Posted By

Gaia
on 2010-08-11
12:12:44
 Re: Trojan Horse Detected

I think this exploit could have been injected by the weird commenter in the XBOX thread. Is our PHP fully patched?

Posted By

JamesD
on 2010-08-11
12:52:12
 Re: Trojan Horse Detected

I doubt your PHP is up to date if this happened and I'm sure the site will continue to get hit if it's not up to date.

Posted By

Csabo
on 2010-08-11
13:47:53
 Re: Trojan Horse Detected

From what I read the initial attack vector is FTP. MikeD is changing the FTP passwords.

Looks like powweb is running 5.2.12. I don't think we have anything open for a MySQL injection, and we don't have anything that accesses the file system (not even sure we're allowed). Though if you guys see something let me know.

The forum submission is especially restrictive, all tags are stripped. By all means - if you have time to help out and test - go at it, and see if you can "break" it.





Copyright © Plus/4 World Team, 2001-2024