Matt Shaffer wrote:
> On Wed, Jan 27, 2010 at 10:37 AM, Marc Weustink <[email protected]> wrote:
>
> > The "infection" is removed. We're currently investigating where it
> > came from.
> >
> > The smf forum was up to date (1.1.11). Unfortunately when restoring
> > things, a previous index.php was used, which reports the older
> > version. (which is the only diff of the file)
> >
> > I fear the ease of the update process made it also possible to write
> > new contents.
> >
> > Marc
>
> I don't see how the ease of the update process would give hackers an
> advantage... after all, you still have to have an admin account to
> perform that activity.

It requires the smf dir and file to be writable for the user the forum
is running on. Which means that any leak can write to these files.

> Keep in mind:
> 1. An outdated index.php could be a possible culprit, if it had any
> security vulnerabilities with it (although I highly doubt this)

Is up to date

> 2. Any mods installed may have vulnerabilities

We don't have many mods

> 3. If the person updating the forum to 1.1.11 ignored warning messages
> about files not being writable, etc, there may still be an outdated file
> with a vulnerability from 1.1.10

We were up to date without any warning.

> 4. SMF doesn't necessarily have to be the culprit. Exploits in other
> software may have given the intruder file/ftp access, allowing him to
> change any files anywhere.

There is no public external access to that machine. No shell, no ftp.
Only web.

Marc
--
_______________________________________________
Lazarus mailing list
[email protected]
http://lists.lazarus.freepascal.org/mailman/listinfo/lazarus
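
The exposure Marc describes in the thread above (forum directory and files writable by the account the forum runs as) can be measured by walking the web root and listing what a given account may modify. This is an added example, not code from the thread or from SMF; the function names, the sample file layout and the modes are constructed for illustration.

```python
import os
import stat
import tempfile


def writable_by(st, uid, gids):
    """True if the mode bits in `st` grant write access to uid / gids."""
    if uid == 0:
        return True  # root is not limited by mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_webroot(root, uid, gids=()):
    """List (kind, relative path) entries under root that uid can modify."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a link's own mode bits are not meaningful
            if writable_by(st, uid, gids):
                kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
                findings.append((kind, os.path.relpath(path, root)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample layout; names and modes are illustrative only."""
    root = tempfile.mkdtemp()
    layout = {"index.php": 0o644, "Settings.php": 0o666,
              "Sources": 0o755, os.path.join("Sources", "Load.php"): 0o664,
              "attachments": 0o777}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        if rel in ("Sources", "attachments"):
            os.mkdir(path)
        else:
            with open(path, "w") as fh:
                fh.write("<?php // sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    owner = os.lstat(root).st_uid
    # Worst case from the thread: the forum runs as the owner of its own files.
    for kind, rel in audit_webroot(root, owner):
        print(kind, rel)
```

A writable directory is reported as well as writable files, because write access to a directory allows files inside it to be created or replaced even when the files themselves are read-only for that account.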