Website hacked - TrojanDownloader.Pegel.BN

Discuss the many weaknesses of browser security and ways to mitigate the threat

Website hacked - TrojanDownloader.Pegel.BN

Post by danfolt on Mon May 31, 2010 7:42 am
([msg=39333]see Website hacked - TrojanDownloader.Pegel.BN[/msg])

Hello , Can anybody help me with my problem ?
I have one week new website hosted on dreamhost , yesterday my website has been hacked by TrojanDownloader.Pegel.BN , I immediately deleted all the website from the server , because the website is new (Nucleus CMS and forum in subfolder punBBB) I'm almost sure that i was the only user using it at the moment , I got via firefox browser and NOD32 antivirus warning that I have a virus( TrojanDownloader.Pegel.BN), immediately after adding new Nucleus CMS plugin - email form . This virus started to spread all over all index.php etc files javascript code on the bottom of each file , it started after I submitted first email from my website to my another email account , so I'm sure that it is with this email form sender plugin related , I deleted all the website , changed all my ftp passwords (was very strong before) , I cleaned and reinstalled comp and uploaded clean files to the server without this email plugin and now for assure myself I used Free Acunetix Web Vurnelability scanner and it says:

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks
This vulnerability affects /index.php.

Attack details :
The POST variable memberid has been set to 1>"><ScRiPt%20%0d%0a>alert(41350)%3B</ScRiPt>.
When i opened the index.php in my root there's no javascript , there's nothing similar , scanner also shows me that it is connected with email:

<div class="content">
<div class="contenttitle">
<h2>Send message</h2>
<a id="nucleus_mf"></a>
<form method="post" action="#nucleus_mf">
<div class="mailform">
<input type="hidden" name="memberid" value="1>"><ScRiPt
>alert(43545);</ScRiPt>" />
<input type="hidden" name="action" value="sendmessage" />
<input type="hidden" name="url" value=";&quot;&gt;&lt;ScRiPt
&gt;alert(43545);&lt;/ScRiPt&gt;" />

Can you help me please ? where can I find this code ? This must the problem from the past which infected mostly all the index files with malicious javascript , pls. help me to find this code , as Im a laik I suppose that this code is a starter which will immdeiately after spread the code around the site , please help me I think that this is the best forum to ask ,
thank you Daniel . - my hacked website - reuploaded but there is somewhere this malicicious code -dont know where
New User
New User
Posts: 1
Joined: Mon May 31, 2010 7:26 am
Blog: View Blog (0)

Re: Website hacked - TrojanDownloader.Pegel.BN

Post by IncandescentLight on Fri Jun 18, 2010 4:42 am
([msg=40366]see Re: Website hacked - TrojanDownloader.Pegel.BN[/msg])

OK, first thing's first. What you should know is you got "hacked" by a Trojan- i.e. a hacker didn't actually root your server but you might have picked up that malicious program from surfing the internet. Firstly, download some AV software - remove the trojan. This is what is causing your problems. After that, surf through your website's HTML pages (I do hope you know HTML) and delete and JavaScript sections (unless it's meant to be there to serve some specific functions)

Oh, and yes about the Acunetix web scanner. Hackers can use XSS to upload code, such as cookie stealers, into your server. What you want to do is edit the code to nullify the XSS (Cross-site scripting) vulnerability. Just google for that / get a programmer to help you out. The web scanner detected it as it was a hole- meaning hackers can exploit it but it's not infected.
Speak softly and carry a big stick -Theodore Roosevelt
User avatar
Posts: 216
Joined: Sun Apr 27, 2008 3:16 am
Blog: View Blog (0)

Return to Web

Who is online

Users browsing this forum: No registered users and 0 guests