ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Trojan on our forums .. how?

July 25, 2007 4:38pm

  • #1 / Jul 25, 2007 4:38pm

    EdwinK

    4 posts

    Somebody put a piece of code on our forums, which connects to a trojan. With IE you get a question to install something; with Firefox it just installs it. This is the code:

    
    
    

    When I check the templates of the forums I don’t see any code that resembles this. So maybe one of you guys has a clue how they did this?!

  • #2 / Jul 25, 2007 4:49pm

    Lisa Wess

    20502 posts

    Hello, Edwin!

    Thanks for reporting this. We take security very seriously and will do our best to work with you and your host on figuring out what’s going on and determining if ExpressionEngine has been compromised. To that end, we need some additional information from you…

    1. EE version and build (found at the bottom of your control panel)
    2. Web host contact information
    3. Other scripts on your account (phpBB, etc…)
    4. Any other relevant info… etc….

    Once we have the above information we can investigate what’s going on and give a report on what might be happening.

    I’d also recommend notifying your host immediately so that they can begin investigations on their end as those can be very useful.

  • #3 / Jul 25, 2007 5:30pm

    Lisa Wess

    20502 posts

    Hi, Edwin -

    While this is investigated, please check your path.php, index.php, and config.php for this code - you can remove it from there if you find it (though you may wish to keep a backup of the hacked file in case the host needs it) so that your site is running safely.

    Also - is this appearing on all EE pages, or just on your forums?

  • #4 / Jul 25, 2007 6:15pm

    EdwinK

    4 posts

    It’s on all the EE files Lisa, it has installed this trojan on my system -> JS/TrojanDownloader.psyme.cz.gen trojan.

    1) EE 1.6.0 Build 20070705, and forum 2.0.0

    2) [email address hidden] is probably the best way to contact the host.

    3) No extra software, next to EE

    Don’t know much more, I have made a ticket with the host, asking them to check their systems. As soon as I hear something from them I’ll post it here. Told them as well you might contact them.

    I’ll check those files as well…

    Thanks Lisa,

    Edwin

    P.S. just found out that the code was in the index.php

  • #5 / Jul 25, 2007 6:25pm

    Lisa Wess

    20502 posts

    Ok, it sounds like there was a file access and the code was added to index.php. You can go ahead and remove that, and I would recommend filing a ticket with your host so that they can help advise how this access was gained. If you can keep us updated, that would be fantastic.

    Thank you!
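An added example, not part of the original thread or of ExpressionEngine: one way to notice this kind of change is to hash every PHP file while the site is known to be clean and compare later, listing the entry points named above (index.php, path.php, config.php) first. The directory layout and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Entry-point files named in the thread; every other *.php is hashed as well.
ENTRY_POINTS = {"index.php", "path.php", "config.php"}

def snapshot(root):
    """Map each PHP file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*.php"))
    }

def compare(baseline, current):
    """Return {path: 'modified' | 'missing' | 'added'} for every difference."""
    changes = {}
    for path, digest in baseline.items():
        if path not in current:
            changes[path] = "missing"
        elif current[path] != digest:
            changes[path] = "modified"
    for path in current.keys() - baseline.keys():
        changes[path] = "added"
    return changes

def report(changes):
    """List changes with entry points first, since they run on every request."""
    ordered = sorted(changes, key=lambda p: (Path(p).name not in ENTRY_POINTS, p))
    return [f"{changes[p].upper():8} {p}" for p in ordered]

def demo():
    """Constructed site tree: take a baseline, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system").mkdir()
        for name in ("index.php", "path.php", "config.php", "system/core.php"):
            (root / name).write_text("<?php // constructed sample file\n")
        baseline = snapshot(root)
        # Constructed stand-in for a line appended by whoever had file access.
        with open(root / "index.php", "a") as fh:
            fh.write("<!-- constructed placeholder for injected markup -->\n")
        (root / "system" / "extra.php").write_text("<?php // unexpected new file\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print("\n".join(report(demo())))
```

Keep the baseline somewhere other than the web host, since anyone holding the same file access can rewrite a manifest stored next to the files it describes.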

  • #6 / Jul 27, 2007 11:17pm

    EdwinK

    4 posts

    Lisa, the host found information that they have used my FTP login info to get to the file. I asked them if they were able to give me secure FTP, and they can’t. So for a while, no more FTP. And in the end I’ll probably need to move to another host.

    Thanks for the quick responses,

    Greetings,
    Edwin

  • #7 / Jul 27, 2007 11:18pm

    Lisa Wess

    20502 posts

    That kind of begs the question as to how they got your FTP info in the first place, really.

    Thanks for updating us =)

  • #8 / Aug 21, 2007 2:09am

    OrganizedFellow

    435 posts

    @EdwinK

    I HIGHLY recommend using an UNMEMORIZABLE(?) string of random letters (capitals and lowercases), with numerals.
    Don’t use the same password for any other service you use.
    I use KeePass for my password management, then carry a plain text encrypted copy on my phone memory card 😊

  • #9 / Aug 21, 2007 2:58am

    Ingmar

    29245 posts

    Been using SSH certificates instead of passwords wherever I can for some time now. I keep them on my USB stick and carry them around, but logging in at the click of an icon sure has its merits…

  • #10 / Aug 21, 2007 10:32am

    Mark Bowen

    12637 posts

    Hi Ingmar,

    Just out of interest, and sorry for butting in on the end of this post, but I am wondering what you mean by using SSH certificates to log in to an FTP site and how you go about doing that. I currently use either Interarchy or Transmit to log in to my sites with FTP but was just curious as to what you meant and how you do it?

    Regards,

    Mark

  • #11 / Aug 21, 2007 10:43am

    Ingmar

    29245 posts

    Mark, I generally don’t use plain FTP. With SFTP (and SSH, of course) there is the option to use an automated login procedure. This is a bit elaborate to set up (you need to generate certificates, and store them both on the server and locally), but once that’s done it is very easy to use. There is a lot of information out there about that, here’s a good primer.

  • #12 / Aug 21, 2007 5:04pm

    Mark Bowen

    12637 posts

    Hi Ingmar,

    Thanks for the link, will take a look in a little while.

    Best wishes,

    Mark
