WoW Raid Manager :: Forums :: Announcements
Website Down/Slow/Issues: 6/6/2010 - 6/7/2010

Illydth
Mon Jun 07 2010, 03:48PM
SysOp

Joined: Mon Sep 24 2007, 02:51PM
Posts: 1886
If you are an e107 administrator or run your own version of e107 for ANY reason, READ THIS POST END TO END!  There is some VERY important information in here regarding e107.

It is unclear to me if this website was offline for the last two days or not; if not, note that another website on this same host was.  Information below.

So as of about 9:00 am Sunday morning (the 6th), a rash of attacks on e107 websites seems to have started.  As far as I can tell, these attacks are still ongoing, or were as of around 2:00 pm this afternoon.

The root of the attack is the contact.php file in e107.  An external perl script running at a remote location can access this contact.php file due to a "bad variable" (bad variable, no biscuit!) and use it to generate a shell session that calls itself "rocknrollaaaa".

The shell session's job is to make a connection to an IRC channel and wait.  Presumably this is basically a botnet attack that sets the webserver up as a bot accessible through the botnet, generally used for e-mail spamming, denial of service attacks and other fun things.

As of yesterday, the webhost (whether randomly or through some kind of system monitor) recognized the existence of this rocknrollaaaa process on the system and automatically shut down at least one of the websites on this host to prevent both botnet usage and additional security breaches.

There are a few bits of information out there regarding this; you can search for "rocknrollaaaa e107" if you're interested, but the reports and suggestions started rolling in on this e107 board thread:

http://e107.org/e107_plugins/forum/forum_viewtopic.php?198144.0

If anyone sees any connections (in any of the "who's online" lists) to contact.php from IP addresses or odd sites, please report them to me IMMEDIATELY. 

It is unclear how affected we were.  The script/bot does not seem to be going for any database information, so I do not believe any accounts/files/etc. are affected on the website.  That said, changing passwords after something like this is always advisable...sort of up to you; I'd call the risk of account compromise "very low" however.

Unfortunately, when I looked at the account I could find absolutely NOTHING wrong with it.  There were no affected files, no changes made, nothing out of the ordinary.  Because of this, I cannot guarantee that we are truly "fixed" so to speak.  If the site manages to go down again in the next week or two it's likely that the problem occurred a second time...hopefully that won't be the case however.

In the process of fixing this exploit (and attempting to prevent other e107 exploits running around) I have updated our code base to the most recent 0.7.22.  NOTE: the issue that shut at least one of the websites hosted here down is NOT fixed by the most recent version of the e107 code!!!!  The only known way to handle this exploit is to remove / rename the contact.php file in the e107 root directory.

Otherwise, the site SHOULD be up and running without too many difficulties.  As always please let me know if there are problems or issues and I will look into them.

- Douglas Wagner -
Site Admin
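The post above asks readers to watch the "who's online" lists for odd connections to contact.php, and notes that the host noticed the incident only because a process named rocknrollaaaa showed up. The following is an added triage helper for doing both checks from the server side; it is example code written for this page, not part of the original post or of e107. It assumes the web host writes Apache-style "combined" access logs and that process information is available as `ps` text. The log lines, the `www.example.org` hostname, the IP addresses, the user-agent strings and the process listing are all constructed for the example.

```python
"""Triage helper for the e107 contact.php incident described above.

Added example, not part of the original post or of e107. Assumes the web
host writes Apache "combined" format access logs and that `ps` output is
available as text. All sample data below is constructed.
"""
import re
from collections import defaultdict

# Apache "combined" log format. Assumption: the host logs in this format;
# adjust the pattern if yours differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hostname of the site being checked (assumption), used to tell a
# same-site referer from an external one.
OUR_HOST = "www.example.org"

# User-agent substrings typical of scripted clients rather than browsers.
SCRIPT_UAS = ("libwww-perl", "curl", "wget", "python")

# Constructed sample log: one ordinary visitor (203.0.113.5) filling in the
# contact form, and one host (198.51.100.77) driving contact.php with a
# Perl client and no referer at all.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Jun/2010:08:41:02 -0500] "GET /contact.php HTTP/1.1" 200 5120 "http://www.example.org/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6.3"
203.0.113.5 - - [06/Jun/2010:08:42:10 -0500] "POST /contact.php HTTP/1.1" 200 4870 "http://www.example.org/contact.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6.3"
198.51.100.77 - - [06/Jun/2010:09:02:33 -0500] "POST /contact.php HTTP/1.0" 200 612 "-" "libwww-perl/5.834"
198.51.100.77 - - [06/Jun/2010:09:02:35 -0500] "POST /contact.php HTTP/1.0" 200 612 "-" "libwww-perl/5.834"
192.0.2.9 - - [06/Jun/2010:09:05:12 -0500] "GET /e107_plugins/forum/forum_viewtopic.php?198144.0 HTTP/1.1" 200 9931 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/3.6.3"
"""

# Constructed `ps -eo pid,user,args` output containing the bot process
# named in the post.
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     /sbin/init
 2210 www-data /usr/sbin/apache2 -k start
 4521 www-data rocknrollaaaa
 4533 www-data /usr/sbin/apache2 -k start
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def contact_hits(lines, script="contact.php"):
    """Every parsed request whose path (query string ignored) ends in /contact.php."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].split("?", 1)[0].endswith("/" + script):
            hits.append(rec)
    return hits


def suspicious_ips(hits, our_host=OUR_HOST):
    """Map source IP -> sorted reasons, for hits that do not look like a browser
    submitting the site's own contact form. Referer is client-controlled, so
    treat these as leads to investigate, not proof of compromise."""
    reasons = defaultdict(set)
    for rec in hits:
        if rec["method"] == "POST" and our_host not in rec["referer"]:
            reasons[rec["ip"]].add("POST to contact.php without a same-site referer")
        if any(s in rec["ua"].lower() for s in SCRIPT_UAS):
            reasons[rec["ip"]].add("scripted client user-agent: " + rec["ua"])
    return {ip: sorted(r) for ip, r in reasons.items()}


def bot_processes(ps_text, name="rocknrollaaaa"):
    """Return (pid, user, command) for each process whose command line contains name.
    Expects the header line first, as `ps -eo pid,user,args` prints it."""
    found = []
    for line in ps_text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3 and name in parts[2]:
            found.append((parts[0], parts[1], parts[2]))
    return found


if __name__ == "__main__":
    hits = contact_hits(SAMPLE_LOG.splitlines())
    print(f"{len(hits)} request(s) to contact.php")
    for ip, why in suspicious_ips(hits).items():
        print(ip, "->", "; ".join(why))
    for pid, user, cmd in bot_processes(SAMPLE_PS):
        print(f"bot-like process: pid={pid} user={user} cmd={cmd}")
```

On a real host, feed the script the access log and `ps -eo pid,user,args` output instead of the constructed samples. The referer and user-agent checks are heuristics: both headers are set by the client, so a quiet attacker can blend in, which is why the post's advice to rename or remove contact.php outright, rather than rely on spotting the traffic, is the safer control.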