[UPDATE] Security Alert 1.2.6 CVS

[pierre.meli]

Altough I removed the code_snippets folder immediatley on all my site, my VP server (red hat) was hacked and 7 site are down now for 5 days (hope I get them back today).

In the web root directory, there are 2 files:
scan.php
sh.php

The sh.php has the following comment in it:

<!--
Defacing Tool 2.0 by r3v3ng4ns
revengans@gmail.com
se for modificar o codigo, por favor, mantenha o nome de seus autores originais
e por favor, entre em contato comigo...

ae galera, serio, tem mta gente fdp q simplismente usa, nao seja soh um sucker do script,
n seja um lammer imbecil, n seja o merda dum script kiddie, n seja um babaca, ajude a melhora-lo tambem!!
-->

I don't know all the programme is doing, the result was the following:
Still working: SSH access, apache web server
Not working anymore: FTP, POP, IMAP, SMTP, MySQL

Be careful and remove the indicated code parts immediatley to avoid the problem and potentially loosing data or at least a LOT OF TIME re-installing and restoing everything. Since ftp was not working anymore, I was using WinSCP that allows you downloads of data from the affected sever - very helpful.

[Oliver Georgi]

Sorry I don't think that the problem has to do with phpwcms!
http://www.heise.de/newsticker/meldung/69855
http://www.hardened-php.net/advisory_142005.66.html

Seems there are multiple different possible php projects having that problem. And phpwcms does not use this package.


But still - upgrade your system!!!

Oliver

[pierre.meli]

Oliver, I'll do the update by reinstalling all sites. Concerning the way of introduction into the server, I'm not expert enough to understand how all that works. phpWCMS is the only package I use this server.

[Kosse]

Hi Pierre,

did u solve your problem?
Cheers