Trojan attack on phpwcms pages

Get help with installation and running phpwcms here. Please do not post bug reports or feature requests here.
zuker
Posts: 80
Joined: Fri 18. May 2007, 17:13
Location: Lithuania

Trojan attack on phpwcms pages

Post by zuker »

I have a big problem

A few days ago I visited a website created using phpwcms and my computer was infected by the Seres.exe trojan virus downloader, which downloaded the malware Antivirus Pro 2010, a false antivirus software program.

Later on I realized that one of the web pages that I created and administer (created with phpwcms) was damaged and had become a link page to the trojan server.

I found that links to the trojan server were inserted in these phpwcms files:

index.php
include/inc_lib/default.inc.php
include/inc_lib/default.backend.inc.php

I cleaned the trojan from my computer and removed the trojan links from the phpwcms files on the web server. I thought that I had solved the problem, but unfortunately after a few hours I noticed that the problem with my website still persists: the php files on the web server were damaged again.

I ask you for help. :(
٩(͡๏̯͡๏)۶
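
The re-infection described in the post above (cleaned files altered again a few hours later) is the kind of change a hash baseline of the site's PHP files reports. This is an added example, not part of the thread and not phpwcms code; the function names, the manifest file and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: SHA-256 baseline for the PHP files of a web root.
# Function names and paths are assumptions, not phpwcms tooling.
# Usage (example paths):
#   make_baseline /var/www/site /root/site.sha256    # on a known-clean copy
#   changed_files /var/www/site /root/site.sha256    # afterwards, e.g. from cron

# make_baseline <webroot> <manifest>: hash every .php file under <webroot>.
# Keep the manifest outside the web root so whoever alters the site cannot
# rewrite it as well.
make_baseline() {
    ( cd "$1" && find . -type f -name '*.php' -exec sha256sum {} + |
        LC_ALL=C sort -k 2 ) > "$2"
}

# changed_files <webroot> <manifest>: print one line per deviation:
#   MODIFIED <path>   content differs from the baseline
#   MISSING <path>    file from the baseline is gone
#   NEW <path>        .php file that was not in the baseline
changed_files() {
    current=$(mktemp) || return 2
    make_baseline "$1" "$current"
    # sha256sum lines are: 64 hex chars, 2 separator chars, then the path.
    awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { old[path] = hash; next }
        { seen[path] = 1
          if (!(path in old))          print "NEW " path
          else if (old[path] != hash)  print "MODIFIED " path }
        END { for (p in old) if (!(p in seen)) print "MISSING " p }
    ' "$2" "$current" | LC_ALL=C sort
    rm -f "$current"
}
```

The modification time of a reported file can then be compared with the FTP and web server logs to see which account or request wrote it.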
Heiko H.
Posts: 868
Joined: Thu 27. Oct 2005, 11:41
Location: Dresden

Re: Trojan attack on phpwcms pages

Post by Heiko H. »

Hi,

Which version of phpwcms are you running?
Are you using any modules, self-made scripts, and stuff?

Heiko...
Not longer here - sorry...

Haubner-IT GbR Dresden
zuker
Posts: 80
Joined: Fri 18. May 2007, 17:13
Location: Lithuania

Re: Trojan attack on phpwcms pages

Post by zuker »

My web page was installed in August 2008. It may be r257; I don’t remember exactly which version it is.
I don’t use self-made scripts and don’t use modules, just a few frontend render scripts written by well-known guys:
Gallery, random cp, pepes nav_list
Everything was OK for a year and a half.
Here is the message I get when I try to load the page:

Image
٩(͡๏̯͡๏)۶
flip-flop
Moderator
Posts: 8178
Joined: Sat 21. May 2005, 21:25
Location: HAMM (Germany)

Re: Trojan attack on phpwcms pages

Post by flip-flop »

Please be careful with such a title. At this time you are the only one with trojan problems in phpwcms.

In over 90% of the cases it is a stolen password or a badly configured server.

Have a look into the log files if possible.

- All account, FTP and system passwords changed?
- register_globals = Off?
- safe_mode = On?
>> HowTo | DOCU | FAQ | TEMPLATES/DOCS << ( SITE )
juergen
Moderator
Posts: 4556
Joined: Mon 10. Jan 2005, 18:10
Location: Weinheim

Re: Trojan attack on phpwcms pages

Post by juergen »

Just redo the allowance for internal PHP ... and the site might come up again.

In conf.inc.php:

Code:

$phpwcms['allow_cntPHP_rt']   = 0;

hehe, probably you have a backend hacker ... :lol:
Oliver Georgi
Site Admin
Posts: 9892
Joined: Fri 3. Oct 2003, 22:22

Re: Trojan attack on phpwcms pages

Post by Oliver Georgi »

Think about whether you use custom PHP or any module that might have problems with SQL injections.

I always see that people do not check incoming vars, which then might allow SQL injections with custom code.

If you do not use them, delete all SPAW editors in include/inc_ext. But it might also be any other third party script that you are using.

[UPDATE]Sorry Breitsch, I was too sloppy with my reply[/UPDATE]
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
zuker
Posts: 80
Joined: Fri 18. May 2007, 17:13
Location: Lithuania

Re: Trojan attack on phpwcms pages

Post by zuker »

Thank you all.

I will try all the suggested variants. But at first glance it seems that my passwords were stolen with the help of the trojan.
By the way, I’m not the only one who has faced this kind of problem. I suspect at least two websites created using phpwcms that spread the trojan.
٩(͡๏̯͡๏)۶
flip-flop
Moderator
Posts: 8178
Joined: Sat 21. May 2005, 21:25
Location: HAMM (Germany)

Re: Trojan attack on phpwcms pages

Post by flip-flop »

..... and I suspect at least 20 web sites created using j-o-o-m-l-a and 50 web sites created using t-y-p-o-3, and 70 web sites crea ........., that spread the trojan.

I think that isn't a superficial phpwcms problem if passwords are stolen.

By the way, please update to a new version and rename the login to your needs.

Knut
>> HowTo | DOCU | FAQ | TEMPLATES/DOCS << ( SITE )
juergen
Moderator
Posts: 4556
Joined: Mon 10. Jan 2005, 18:10
Location: Weinheim

Re: Trojan attack on phpwcms pages

Post by juergen »

There is no need of a password for a webmaster ... with database entry ... tzzzz