ha.ckers sla.cking
Q and A for any cross site scripting information. Feel free to ask away. 
Nucleus CMS Website has been infected with TrojanDownloader.Pegel.BN
Posted by: daniel69
Date: May 31, 2010 07:06AM

Hello, can anybody help me with my problem?
I have a one-week-old website hosted on Dreamhost. Yesterday my website was hacked by TrojanDownloader.Pegel.BN. I immediately deleted the whole website. Because the website is new (Nucleus CMS and a forum in the subfolder punBBB), I'm almost sure that I was the only user using it. At the moment I got the warning from the Firefox browser and NOD32 antivirus that I have a virus (TrojanDownloader.Pegel.BN), I was adding a new plugin, an email form. This virus started immediately after I submitted the first email from my website, so I'm sure that it is related to this email form sender plugin. I deleted the whole site, changed all FTP passwords (they were very strong before), cleaned and reinstalled my computer, and uploaded clean files to the server without the email plugin. Now, to reassure myself, I used the free Acunetix Web Vulnerability Scanner, and it says:
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks
This vulnerability affects /index.php.
Attack details :
The POST variable memberid has been set to 1>"><ScRiPt%20%0d%0a>alert(41350)%3B</ScRiPt>.
When I opened the index.php in my root, there's no JavaScript, there's nothing similar. The scanner also shows me that it is connected with email:

<input type="hidden" name="memberid" value="1>"><ScRiPt
>alert(43545);</ScRiPt>" />
<input type="hidden" name="action" value="sendmessage" />
<input type="hidden" name="url" value=";&quot;&gt;&lt;ScRiPt
&gt;alert(43545);&lt;/ScRiPt&gt;" />

Can you help me please? Where can I find it? This must be the problem from the past which infected almost all the index files with malicious JavaScript. Please help me to find this code. Thank you, Daniel.

Edited 1 time(s). Last edit at 05/31/2010 07:10AM by daniel69.
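
The scanner output in the post shows `memberid` echoed into the hidden field unencoded while `url` comes back entity-encoded, which is the signature of a reflected value in the response rather than script stored in index.php. The following is an added example, not part of the original post and not Nucleus CMS code, showing that pattern beside a hardened form. The function names and sample values are hypothetical, and it assumes `memberid` is meant to be a positive integer.

```php
<?php
// Added example: not Nucleus CMS source. render_hidden_* / parse_member_id
// are hypothetical helpers; the field names mirror the scanner output above.

// Vulnerable pattern: request value copied into the attribute unencoded,
// as the memberid field in the scanner output appears to be.
function render_hidden_unsafe(string $name, string $value): string
{
    return '<input type="hidden" name="' . $name . '" value="' . $value . '" />';
}

// Hardened pattern: encode for an HTML attribute context (both quote types).
function render_hidden_safe(string $name, string $value): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<input type="hidden" name="' . htmlspecialchars($name, $flags, 'UTF-8')
         . '" value="' . htmlspecialchars($value, $flags, 'UTF-8') . '" />';
}

// Assumption: memberid is a positive integer. Anything else is rejected
// before it reaches a template or a query.
function parse_member_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed sample input modelled on the scanner's test string.
$probe = "1>\"><ScRiPt\r\n>alert(41350);</ScRiPt>";

echo render_hidden_unsafe('memberid', $probe), "\n"; // markup escapes value=""
echo render_hidden_safe('memberid', $probe), "\n";   // stays inside the attribute

$id = parse_member_id($probe);
if ($id === null) {
    echo "memberid rejected\n";                      // taken for the probe string
} else {
    echo render_hidden_safe('memberid', (string) $id), "\n";
}

// A well-formed id passes validation and is still encoded on output.
echo render_hidden_safe('memberid', (string) parse_member_id('42')), "\n";
```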
