Are Estonians Robbing Your Bank Account?

The Mambo section of DocMartin and a related site that also runs Mambo were recently hacked. The main thing seems to be that some JavaScript code was inserted into the template used to create each page, and this can apparently lead to people running (unprotected) Windows maybe inadvertently downloading a trojan.
I learned of this after a few users emailed, saying that when trying to visit my site they had Norton report an attempt to download a trojan.

This functions as spyware; it can send information from the infected computer that could include passwords, maybe even for bank accounts accessed online (phishing). Via a Google search, I've learned this code has evidently been used by people in Estonia (!): an Estonian phisher was arrested in April for using just this technique.
The sites are now cleaned, I think, and the webhost is helping watch for any more rogue activity.

Happily, there are counter-measures. Read on for a bit of info on these, and for a little more on the hack on the Mambo site(s).

Counter-Measures

One way of guarding against such attacks is not to store passwords on your computer, and not to allow sites to remember login IDs and passwords, which are stored in cookies that others might be able to read. (This advice is from my webhost.)
Also, if you may have been infected: change your passwords.

There's plenty of software for scanning for and removing trojans, which regular virus software might not find, even though Norton can warn if there's an attempt to download a trojan.

Microsoft can help scan for and remove malicious software, and has a new program for combating spyware.

Anti-Trojan Software Reviews covers some of the best software, though it may be a little dated.

a-squared is among the software reviewed; there’s a free version (linked to here).

TrojanScan enables a free online scan. [The link may have stopped working, though.]

SpywareBlaster is freeware.

SpySweeper costs around US$30, but claims to be the most comprehensive spyware protection available.

Mambo (and Joomla?) and this JavaScript code insertion

In googling for info, I found a forum post on Mambers.com, now Joombers.com, describing just such a hack on a Mambo site.

The guy reporting it had many new PHP files in his folders. I too had new PHP files added: two or four per folder, with a variety of names (over 20 names in all), all apparently empty. There were also related new .htaccess files, apparently geared towards running the PHP files when an attempt to visit the website would generate an error code.

The main thing was evidently the JavaScript added at the end of the templates' index.php files; on the other site, I couldn't see this new code with Dreamweaver.
This code needs removing.
The extra files should also be removed; a real pain, taking time.
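The three indicators described above (empty PHP files dropped into folders, .htaccess files routing error pages to a PHP script, and a script tag appended after the end of a template's index.php) can be checked for with a simple sweep of the web root that reads raw file contents rather than relying on an editor view. The script below is an added example, not code from the original post or from Mambo/Joomla; the directory layout, file names and contents it builds are constructed for the demonstration, and it assumes the injected JavaScript sits after the closing `</html>` tag, which is one reading of "added at end of templates' index.php files".

```python
"""Integrity sweep for a Mambo/Joomla-style PHP web root (added example)."""
import os
import re
import tempfile

# .htaccess directive that routes an HTTP error to a PHP script, e.g.
# "ErrorDocument 404 /images/stories/dfgh.php" (constructed sample form)
ERRORDOC_RE = re.compile(r"^\s*ErrorDocument\s+\d{3}\s+(\S*\.php\S*)", re.I | re.M)
SCRIPT_RE = re.compile(r"<script\b", re.I)


def trailing_script(text):
    """True if a <script> tag sits after the last </html> in a template.

    Legitimate templates carry scripts inside <head>, so only the tail of
    the file is checked (assumption: the injected code is appended at the end).
    """
    idx = text.lower().rfind("</html>")
    if idx < 0:
        return False
    return bool(SCRIPT_RE.search(text[idx:]))


def sweep(root):
    """Walk a web root and return sorted (indicator, detail) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower().endswith(".php") and os.path.getsize(path) == 0:
                # Dropped, apparently empty .php files
                findings.append(("empty_php", rel))
            elif name == ".htaccess":
                # Error pages redirected into a PHP script
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for m in ERRORDOC_RE.finditer(fh.read()):
                        findings.append(("errordoc_php", rel + " -> " + m.group(1)))
            elif name == "index.php" and "templates" in rel.split(os.sep):
                # Template index.php with script appended after </html>
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if trailing_script(fh.read()):
                        findings.append(("trailing_script", rel))
    return sorted(findings)


def build_sample():
    """Create a constructed web root reproducing the indicators from the post."""
    root = tempfile.mkdtemp(prefix="mambo_sweep_")
    files = {
        "templates/mysite/index.php":
            "<?php defined('_VALID_MOS') or die(); ?>\n"
            "<html><head><script>/* legitimate */</script></head>"
            "<body>...</body></html>\n"
            "<script src=\"http://example.invalid/x.js\"></script>\n",
        "components/com_content/content.php": "<?php echo 'legitimate'; ?>\n",
        "images/stories/dfgh.php": "",   # constructed empty dropped file
        "images/stories/.htaccess":
            "ErrorDocument 404 /images/stories/dfgh.php\nOptions -Indexes\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for kind, detail in sweep(build_sample()):
        print(kind, detail)
```

Run it against a real site by calling `sweep("/path/to/webroot")`; every hit should be compared against a known-good copy of the site before deletion, since a non-empty template that legitimately places a script after `</html>` would also be reported.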

I also found some Mambo components/mambots were corrupted; it seems all were second-party, including mamboxplorer and TMEdit. I had to remove and reinstall them.
The reinstalled mamboxplorer then reported a second user with privileges for all my files on the server; I reported this to the webhost, and it has since been removed.

After seeing another forum post from a Mambo user with a site that had been "cracked", I emailed him and received a couple of very useful replies.
It was only the second reply that prompted me to search beyond the extra PHP files (which my webhost company suggested might be from Mambo somehow going a bit odd) and eventually find the JavaScript.
But his problem seemed to involve his files being sent elsewhere.

This is not a specific Mambo (or Joomla) problem; by googling, I found it has affected several sites running PHP, including forums. It seems to have started around spring 2005.
