OH DEAR
Tue, 21 Dec 2004 02:26:01
http://korax-heritage.com/
:((((((
Tue, 21 Dec 2004 08:34:27
I'll contact RambOrc and ask him what's wrong.
Tue, 21 Dec 2004 09:07:13
What's up? WebWorm generation 15 rulezZz !?! :o
Tue, 21 Dec 2004 12:12:01
Oh I had a feeling I'd find us all congregated here, our home away from our home from home :?
I do seriously hope that the forums database is still fine and intact; we had a very active spree last night on the Dev forums.
Tue, 21 Dec 2004 13:40:41
Just got the error myself.... Hopefully it isn't that bad... :cry:
Tue, 21 Dec 2004 14:25:28
Yeah, sites are getting hacked back and forth this week, it must be that time of year when sites get defaced like mad O_O
It seems there's a new exploit in php prior to version 4.3.10, so that could be it. UPGRADE D:
Tue, 21 Dec 2004 15:53:39
Both, Vavoom and Korax' Heritage forums are upgraded to version 2.0.11 already some time ago.
Tue, 21 Dec 2004 15:58:45
Let's hope that Ramborc will have the site up and running soon. :)
Tue, 21 Dec 2004 16:03:00
I hope so, it happened just after we'd started to pick up some good steam on KA as well, oh well Rambo is god, he'll fix it.
Tue, 21 Dec 2004 16:12:55
Janis Legzdinsh wrote: "Both, Vavoom and Korax' Heritage forums are upgraded to version 2.0.11 already some time ago."
I meant the core php, not the phpbb. :P
Tue, 21 Dec 2004 16:30:36
Any news from Zoltan? Any update on the situation?
Tue, 21 Dec 2004 16:34:21
Ouch! Vavoom site is running with PHP 4.3.9.
No news yet.
Tue, 21 Dec 2004 20:01:25
It's rather lucky no other sites seem to be hacked yet, running Apache build process with PHP 4.3.10 right now. Hell some of those suckers are fast, 4.3.10 has been released 6 days ago and they already exploited it, before I even knew there was a new PHP release out... cPanel's security warning system is a bad joke, when I log in it says I run all the latest versions. :roll:
Tue, 21 Dec 2004 20:11:08
Oh joy, so the bit that tells you that you're safe lies to you, oh how I love technology.
So is it easy to fix or not?
Tue, 21 Dec 2004 20:14:04
Well the automatic backup screwed me over nicely, the daily backup ran after the exploit happened and it was just this night that the weekly backup ran too, meaning to restore all those PHP and HTML files I need to go back to the Dec 3 monthly backup. OTOH it seems at first glance that this worm did nothing but change the content of all PHP and HTML files in the account to the defaced content, meaning the MySQL DB might be untouched, will check into it as soon as the Apache build is done.
Tue, 21 Dec 2004 20:16:42
Woo, so our active spree last night may still be there, I can't remember much of it. I'll need to re-read.
Tue, 21 Dec 2004 20:19:11
Just finished checking, no other account seems to be exploited, only the one with orcishweb.com/korax-heritage.com.
Tue, 21 Dec 2004 20:22:15
Christmas seems to be a bad time for us, doesn't it? I mean, wasn't it this time last year that your whole server got hacked and everything went down, some never to return.
Tue, 21 Dec 2004 20:33:37
That was around December 11 or so last year, and it was a complete server hack. This time it could've been a lot more damage too, it was big luck only one account got screwed. The only other cases this year were an account that was exploited badly and had to be deleted and recreated from scratch, not restoring any of the website files and another account where the PHP-Nuke webmail module was an old version and spammers abused it and the account owner asked me to rather delete the whole account.
Tue, 21 Dec 2004 20:54:00
Just finished it all, I'm actually quite proud of myself, with a little copying to and fro I managed to restore things without losing anything, not only the MySQL stuff but also uploaded pics from last night and Mago's newspost have been restored. :D 8)
Tue, 21 Dec 2004 20:57:01
As I said before, Rambo is god.
Tue, 21 Dec 2004 21:03:13
http://www.planetgargoyle.com/fbc/files/yay.jpg
Tue, 21 Dec 2004 21:10:26
Wohoo! That's why you are our favorite leader Ramborc! We are back on the track! :D 8)
Tue, 21 Dec 2004 21:17:26
In the meantime I read that through the exploit someone might have been able to read the DB connection info from config.php in phpBB so I've changed the password for the user and updated the phpBB config file, also made a backup of the latest state of the whole public_html dir and of all MySQL DBs as of now, both offline backups.
Tue, 21 Dec 2004 21:21:42
Well, that's a good way to make sure that this won't happen again at least until the next year, it seems :lol:
Tue, 21 Dec 2004 21:30:11
http://www.ravenforums.com/viewtopic.php?p=59941#59941
:P
Tue, 21 Dec 2004 21:30:22
Wow, incredible work RambOrc, it's a great thing you are such a cautious and clever guy! I've already looked briefly and everything seems pretty much untouched, as you mentioned. Thanks a lot for the effort, we were almost caught off guard on this one. :)
Wed, 22 Dec 2004 00:00:34
http://it.slashdot.org/it/04/12/21/2135235.shtml?tid=220&tid=217&tid=169
Wed, 22 Dec 2004 02:23:55
OH, not again :(
Wed, 22 Dec 2004 08:00:48
This is actually very strange, since the phpBB security hole this exploit is using has been theoretically patched on the Korax forums weeks ago. Either there is another security hole in phpBB that causes this problem now, or this particular phpBB install is screwed up (or the patch process did). Either way, since the exploit is coming in through Google, moving the board to a new, non-indexed URL should solve the prob at least for the moment. At the same time, I'm going to single it out from the current multi-domain account so that if the leak is still somewhere else, at least only the board is going to be affected.
Thanks to yesterday's offline backup of the whole public_html dir, this time all I need to do is upload that .tar.gz and extract it over the current files and everything'll be up and running (upload currently in process). Once that's done, I'll move the forum files to another account, I'll post the new link once I'm done.
Also no need to worry, just as yesterday this time the DB wasn't affected either, i.e. once again no posts have been lost.
Wed, 22 Dec 2004 09:03:59
OK I'm all done, new URL is kforumsDOTorcishwebDOTcom, please don't post the URL in the real form anywhere, if it's really a Google prob that should take care of it.
Wed, 22 Dec 2004 09:05:30
Shit, I just saw Googlebot crawling the new location. :roll: Well gotta go right now, we'll see what happens next.
Wed, 22 Dec 2004 15:24:25
Isn't there a way to block them, i.e. robots.txt or ip deny?
Wed, 22 Dec 2004 15:26:57
Yep, that's all possible, I also have some more ideas myself for the case the infection happens again, for the moment I'll rather just wait and see, after all there is no other risk than a couple of hours of forum downtime involved now.
Wed, 22 Dec 2004 16:02:37
:!: :!: :!: :!: After you updated PHP the Wiki is not working anymore.
Wed, 22 Dec 2004 16:12:54
http://it.slashdot.org/it/04/12/21/2135235.shtml?tid=220&tid=217&tid=169
An update, Google's working on squashing the worm as well
Wed, 22 Dec 2004 16:13:38
If you installed it from Fantastico, check there whether a new or a fixed version is available, PHP updates sometimes break this or that script.
Wed, 22 Dec 2004 16:31:48
No, it's MediaWiki from wikipedia.sourceforge.net, I even updated to version 1.3.9, but the result is the same. I'll try to track down the problem.
Wed, 22 Dec 2004 17:12:25
I found out that it's a bug in the foreach statement (they backported some patch for version 5). In the PHP bug reports someone else already reported this bug.
Luckily phpBB itself doesn't use this statement, only the attachment mod uses it in one of the functions.
Thu, 23 Dec 2004 08:56:00
Here's what they say:
The foreach bug is ONLY caused due to an old Zend Optimizer. Upgrading to a newer version fixes the problem, this is NOT a PHP bug.
Can you check this out?
Thu, 23 Dec 2004 12:41:52
Could well be, I installed Zend some months back and never thought about checking for updates. That's one bad thing on a cPanel server with custom-installed Apache/PHP modules, they are not upgraded next time I install an Apache build.
Fri, 24 Dec 2004 12:18:42
Just installed Zend Optimizer 2.5.7 (old version was 2.5.3), they themselves write on their site that older versions aren't compatible with PHP 4.3.10. Your Wiki seems to be fine now.
Fri, 24 Dec 2004 19:15:53
That's odd, the vavoom forums now have a high number of guests?
Tue, 28 Dec 2004 07:12:20
Well, it's safe to say the webworm pretty much died out now :D