[UPDATE] Security Alert 1.2.6 CVS
Posted: Mon 1. May 2006, 12:18
Although I removed the code_snippets folder immediately on all my sites, my VP server (Red Hat) was hacked and 7 sites have been down now for 5 days (hope I get them back today).
In the web root directory, there are 2 files:
scan.php
sh.php
The sh.php has the following comment in it:
<!--
Defacing Tool 2.0 by r3v3ng4ns
revengans@gmail.com
if you modify the code, please keep the names of its original authors
and please get in touch with me...
hey folks, seriously, there are a lot of SOBs who simply use it, don't be just a sucker of the script,
don't be an imbecile lamer, don't be a shitty script kiddie, don't be a jerk, help improve it too!!
-->
I don't know everything the programme is doing; the result was the following:
Still working: SSH access, apache web server
Not working anymore: FTP, POP, IMAP, SMTP, MySQL
Be careful and remove the indicated code parts immediately to avoid the problem and potentially losing data or at least a LOT OF TIME re-installing and restoring everything. Since FTP was not working anymore, I was using WinSCP, which allows you to download data from the affected server - very helpful.