Back to the Vavoom Forum Archives


OH DEAR

Tue, 21 Dec 2004 02:26:01

CheapAlert

http://korax-heritage.com/ :((((((
Tue, 21 Dec 2004 08:34:27

Janis Legzdinsh

I'll contact RambOrc and ask him what's wrong.
Tue, 21 Dec 2004 09:07:13

DarkRaven

What's up? WebWorm generation 15 rulezZz !?! :o
Tue, 21 Dec 2004 12:12:01

moose

Oh I had a feeling I'd find us all congregated here, our home away from our home from home :? . I do seriously hope that the forums database is still fine and intact, we had a very active spree last night on the Dev forums.
Tue, 21 Dec 2004 13:40:41

Mago KH

Just got the error myself.... Hopefully it isn't that bad... :cry:
Tue, 21 Dec 2004 14:25:28

CheapAlert

Yeah, sites are getting hacked back and forth this week, it must be that time of year when sites get defaced like mad O_O It seems there's a new exploit in php prior to versions 4.3.10, so that could be it. UPGRADE D:
Tue, 21 Dec 2004 15:53:39

Janis Legzdinsh

Both, Vavoom and Korax' Heritage forums are upgraded to version 2.0.11 already some time ago.
Tue, 21 Dec 2004 15:58:45

Firebrand

Let's hope that Ramborc will have the site up and running soon. :)
Tue, 21 Dec 2004 16:03:00

moose

I hope so, it happened just after we'd started to pick up some good steam on KA as well, oh well Rambo is god, he'll fix it.
Tue, 21 Dec 2004 16:12:55

CheapAlert

[quote="Janis Legzdinsh"]Both, Vavoom and Korax' Heritage forums are upgraded to version 2.0.11 already some time ago.[/quote]
I meant the core php, not the phpbb. :P
Tue, 21 Dec 2004 16:30:36

Mago KH

Any news from Zoltan? Any update on the situation?
Tue, 21 Dec 2004 16:34:21

Janis Legzdinsh

Ouch! Vavoom site is running with PHP 4.3.9. No news yet.
Tue, 21 Dec 2004 20:01:25

RambOrc

It's rather lucky no other sites seem to be hacked yet, running Apache build process with PHP 4.3.10 right now. Hell some of those suckers are fast, 4.3.10 has been released 6 days ago and they already exploited it, before I even knew there was a new PHP release out... cPanel's security warning system is a bad joke, when I log in it says I run all the latest versions. :roll:
Tue, 21 Dec 2004 20:11:08

moose

Oh joy so the bit that tells you that you're safe lies to you, oh how I love technology. So is it easy to fix or not?
Tue, 21 Dec 2004 20:14:04

RambOrc

Well the automatic backup screwed me over nicely, the daily backup ran after the exploit happened and it was just this night that the weekly backup ran too, meaning to restore all those PHP and HTML files I need to go back to the Dec 3 monthly backup. OTOH it seems at first glance that this worm did nothing but change the content of all PHP and HTML files in the account to the defaced content, meaning the MySQL DB might be untouched, will check into it as soon as the Apache build is done.
Tue, 21 Dec 2004 20:16:42

moose

Woo, so our active spree last night may still be there, I can't remember much of it. I'll need to re-read.
Tue, 21 Dec 2004 20:19:11

RambOrc

Just finished checking, no other account seems to be exploited, only the one with orcishweb.com/korax-heritage.com.
Tue, 21 Dec 2004 20:22:15

moose

Christmas seems to be a bad time for us doesn't it, I mean wasn't it this time last year that your whole server got hacked and everything went down, some never to return.
Tue, 21 Dec 2004 20:33:37

RambOrc

That was around December 11 or so last year, and it was a complete server hack. This time it could've been a lot more damage too, it was big luck only one account got screwed. The only other cases this year were an account that was exploited badly and had to be deleted and recreated from scratch, not restoring any of the website files and another account where the PHP-Nuke webmail module was an old version and spammers abused it and the account owner asked me to rather delete the whole account.
Tue, 21 Dec 2004 20:54:00

RambOrc

Just finished it all, I'm actually quite proud of myself, with a little copying to and fro I managed to restore things without losing anything, not only the MySQL stuff but also uploaded pics from last night and Mago's newspost have been restored. :D 8)
Tue, 21 Dec 2004 20:57:01

moose

As I said before, Rambo is god.
Tue, 21 Dec 2004 21:03:13

CheapAlert

[img]http://www.planetgargoyle.com/fbc/files/yay.jpg[/img]
Tue, 21 Dec 2004 21:10:26

Firebrand

Wohoo! That's why you are our favorite leader Ramborc! We are back on the track! :D 8)
Tue, 21 Dec 2004 21:17:26

RambOrc

In the meantime I read that through the exploit someone might have been able to read the DB connection info from config.php in phpBB so I've changed the password for the user and updated the phpBB config file, also made a backup of the latest state of the whole public_html dir and of all MySQL DBs as of now, both offline backups.
Tue, 21 Dec 2004 21:21:42

Firebrand

Well, that's a good way to make sure that this won't happen again at least until the next year, it seems :lol: .
Tue, 21 Dec 2004 21:30:11

CheapAlert

http://www.ravenforums.com/viewtopic.php?p=59941#59941 :P
Tue, 21 Dec 2004 21:30:22

Mago KH

Wow, incredible work RambOrc, it's a great thing you are such a cautious and clever guy! I've already looked briefly and everything seems pretty much untouched, as you mentioned. Thanks a lot for the effort, we were almost caught off guard on this one. :)
Wed, 22 Dec 2004 00:00:34

CheapAlert

http://it.slashdot.org/it/04/12/21/2135235.shtml?tid=220&tid=217&tid=169
Wed, 22 Dec 2004 02:23:55

CheapAlert

OH, not again :(
Wed, 22 Dec 2004 08:00:48

RambOrc

This is actually very strange, since the phpBB security hole this exploit is using has been theoretically patched on the Korax forums weeks ago. Either there is another security hole in phpBB that causes this problem now, or this particular phpBB install is screwed up (or the patch process did). Either way, since the exploit is coming in through Google, moving the board to a new, non-indexed URL should solve the prob at least for the moment. At the same time, I'm going to single it out from the current multi-domain account so that if the leak is still somewhere else, at least only the board is going to be affected. Thanks to yesterday's offline backup of the whole public_html dir, this time all I need to do is upload that .tar.gz and extract it over the current files and everything'll be up and running (upload currently in process). Once that's done, I'll move the forum files to another account, I'll post the new link once I'm done. Also no need to worry, just as yesterday this time the DB wasn't affected either, i.e. once again no posts have been lost.
Wed, 22 Dec 2004 09:03:59

RambOrc

OK I'm all done, new URL is kforumsDOTorcishwebDOTcom, please don't post the URL in the real form anywhere, if it's really a Google prob that should take care of it.
Wed, 22 Dec 2004 09:05:30

RambOrc

Shit, I just saw Googlebot crawling the new location. :roll: Well gotta go right now, we'll see what happens next.
Wed, 22 Dec 2004 15:24:25

CheapAlert

Isn't there a way to block them, i.e. robots.txt or ip deny?
Wed, 22 Dec 2004 15:26:57

RambOrc

Yep, that's all possible, I also have some more ideas myself for the case the infection happens again, for the moment I'll rather just wait and see, after all there is no other risk than a couple of hours of forum downtime involved now.
Wed, 22 Dec 2004 16:02:37

Janis Legzdinsh

:!: :!: :!: :!: After you updated PHP the Wiki is not working anymore.
Wed, 22 Dec 2004 16:12:54

CheapAlert

http://it.slashdot.org/it/04/12/21/2135235.shtml?tid=220&tid=217&tid=169 An update, Google's working on squashing the worm as well
Wed, 22 Dec 2004 16:13:38

RambOrc

If you installed it from Fantastico, check there whether a new or a fixed version is available, PHP updates sometimes break this or that script.
Wed, 22 Dec 2004 16:31:48

Janis Legzdinsh

No, it's MediaWiki from wikipedia.sourceforge.net, I even updated to version 1.3.9, but the result is the same. I'll try to track down the problem.
Wed, 22 Dec 2004 17:12:25

Janis Legzdinsh

I found out that it's a bug in foreach statement (they backported some patch for version 5). In PHP bugs reports someone else already reported this bug. Luckily phpBB itself doesn't use this statement, only attachment mod uses it in one of the functions.
Thu, 23 Dec 2004 08:56:00

Janis Legzdinsh

Here's what they say:
The foreach bug is ONLY caused due to an old Zend Optimizer. Upgrading to a newer version fixes the problem, this is NOT a PHP bug.
Can you check this out.
Thu, 23 Dec 2004 12:41:52

RambOrc

Could well be, I installed Zend some months back and never thought about checking for updates. That's one bad thing on a cPanel server with custom-installed Apache/PHP modules, they are not upgraded next time I install an Apache build.
Fri, 24 Dec 2004 12:18:42

RambOrc

Just installed Zend Optimizer 2.5.7 (old version was 2.5.3), they themselves write on their site that older versions aren't compatible with PHP 4.3.10. Your WiKi seems to be fine now.
Fri, 24 Dec 2004 19:15:53

CheapAlert

That's odd, the vavoom forums now have a high number of guests?
Tue, 28 Dec 2004 07:12:20

CheapAlert

Well, it's safe to say the webworm pretty much died out now :D