e107 sites under attack

Over the past couple of days a lot of e107-based sites (including e107.org) have been under attack from two angles:

1. Repeated accesses of contact.php. The objective of these attacks is to compromise sites via a vulnerability which existed in older e107 versions.

This vulnerability is fixed (as far as we know) in 0.7.22, so if you haven't already upgraded, do it yesterday!

If you already have 0.7.22 installed, the requests cannot exploit anything; the attack simply loads up the server and becomes a DDoS. It shouldn't be able to gain access to your site, but it will slow it down (or seize it up).

If you are running an earlier version of e107, the attackers will most likely have gained access and uploaded various files. These include a Perl script which does all sorts of nasty things. So upgrade your site, and check carefully for strange files: delete any which shouldn't be there. An upgrade on its own replaces the core files but does not remove files that were dropped before it. This thread lists the files one user found. File Inspector will also help here.


2. Repeated accesses of the file 'help_us.php' (which the attackers expect to have been uploaded by the previous attack). On a site that was not compromised this triggers a 'page not found' error. Typically that is the standard e107 error page, which does some database access, again slowing down the server. Thus this is also a DDoS. A request for help_us.php that returns a page instead of a 404 means the file is present, and the site was compromised.


In most cases (assuming you are running 0.7.22) your host is the best person to help with these attacks, by putting in server-level blocks on the relevant IP addresses. (There are a large number of addresses involved, most likely a botnet of some sort, so blocking a handful by hand will not achieve much.)

There are a number of forum threads on this topic; things you can do to reduce the effect of the attacks (but not stop them) include:

1. If you're not using the contact form, delete contact.php.
2. If you are using the contact form, rename it, and update the link.
3. Put in a 'pure HTML' error page for '404' (page not found) errors, so that each request for a missing file no longer costs database queries.


While we believe that 0.7.22 blocked these attacks, we are aware of a few 0.7.22 sites that have been compromised. It seems likely that a different attack vector was used in these cases, most likely via a plugin, or possibly via other means, such as a compromised FTP password. So please check server logs etc. to try and identify how access was gained.

posted by steved on Tuesday 08 June 2010 - 00:32:07
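Added example, not code from the post or from e107: a small triage script for the two floods described above and for the "check server logs" advice at the end of the post. It parses Apache/nginx combined-format access log lines, reports which IPs are hammering contact.php and help_us.php, which user agents they send, and whether help_us.php ever answered 200 (meaning the file exists and the earlier contact.php abuse succeeded). The log lines are constructed for the example; the threshold of 20 hits and the Apache 2.2 `deny from` output are choices made here, not anything e107 ships.

```python
"""Triage a web server access log for the contact.php / help_us.php flood.

Added example, not e107 code. Log lines below are constructed; the flood
threshold and the .htaccess output format are assumptions of the example.
"""
import re
from collections import Counter

# Apache "combined" log format (nginx's default 'combined' is the same).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The two request paths the post describes: the exploit target and the
# file the bots expect a successful exploit to have left behind.
ATTACK_PATHS = ("/contact.php", "/help_us.php")


def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines, flood_threshold=20):
    """Summarise attack-path traffic in an iterable of log lines."""
    hits = Counter()       # ip -> requests for ATTACK_PATHS
    agents = Counter()     # user agent -> requests for ATTACK_PATHS
    compromised = []       # (ip, timestamp) where help_us.php returned 200
    unparsed = 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed += 1
            continue
        path = rec["path"].split("?", 1)[0]
        if not path.endswith(ATTACK_PATHS):
            continue
        hits[rec["ip"]] += 1
        agents[rec["ua"]] += 1
        # A 200 for help_us.php means the file is on disk: the site was compromised.
        if path.endswith("/help_us.php") and rec["status"] == "200":
            compromised.append((rec["ip"], rec["ts"]))
    return {
        "flood_ips": {ip: n for ip, n in hits.items() if n >= flood_threshold},
        "agents": agents,
        "compromised": compromised,
        "unparsed": unparsed,
    }


def deny_rules(flood_ips):
    """Apache 2.2 .htaccess lines, one per flooding IP."""
    return "\n".join(f"deny from {ip}" for ip in sorted(flood_ips))


# Constructed sample: one bot flooding contact.php, a second host probing
# help_us.php until it gets a 200, a normal visitor, and a junk line.
SAMPLE_LOG = (
    [f'203.0.113.5 - - [08/Jun/2010:00:{i:02d}:00 +0000] '
     f'"GET /contact.php HTTP/1.1" 200 512 "-" "Casper Bot Search"'
     for i in range(25)]
    + [f'198.51.100.9 - - [08/Jun/2010:00:{i:02d}:30 +0000] '
       f'"GET /help_us.php HTTP/1.1" 404 1024 "-" "libwww-perl/5.836"'
       for i in range(3)]
    + ['192.0.2.77 - - [08/Jun/2010:01:00:00 +0000] '
       '"GET /news.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
       '198.51.100.9 - - [08/Jun/2010:01:05:00 +0000] '
       '"GET /help_us.php HTTP/1.1" 200 96 "-" "libwww-perl/5.836"',
       'this line is not in combined format']
)

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("flooding IPs:", report["flood_ips"])
    print("agents on attack paths:", dict(report["agents"]))
    print("help_us.php served (site compromised):", report["compromised"])
    print(deny_rules(report["flood_ips"]))
```

Feed it `sys.stdin` or an open log file instead of `SAMPLE_LOG` on a real server. The `compromised` list is the finding that matters most: a flood from a botnet is a nuisance, but a help_us.php that is served rather than missing means the earlier exploit worked and the file-cleanup advice in the post applies. Per-IP deny lines are only a stopgap given the number of addresses involved.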


Comments

VR6Pete on 08 Jun : 00:59

If you are able to post some details on how users can clean up from this attack, it may be useful....

Pete

C6Dave on 08 Jun : 02:28

First thing to do Pete is run File inspector and enable the "Show Non Core Files" section in 'list' mode

Any files that you know you didn't add, delete.

roofdog on 08 Jun : 02:43

Well done for posting this so quickly guys.... hopefully we can get on top of it before it gets out of hand!!

NCH Gaming on 08 Jun : 03:39

Our site was one of them. I'm going through files now... (as if I'll catch any), but thanks a million to the guys at x10hosting for "suspending" our account immediately when they discovered our site had been exploited. We're currently working with an older version because our last attempt at an update went horribly bad. Many files have been updated manually, which makes the file inspector act like a brat! "Here, you figure it out..."
We were super fortunate that our host renamed the affected files and disabled contact.php for 'us'.
The timing couldn't have been better... I've got a very controversial article about the "Gulf situation" in an unlinked custom page (with the intent of search bots finding it) and at first thought the site had been shut down because of it. lol Five minutes later, I had a reply from x10hosting, with an explanation of what had happened, some suggestions, and the info on the compromised files. (I kept copies of them.) I'm keeping posted for other files to examine... or edit.

Fanat1k on 08 Jun : 07:56

lol, kids
As I said before (link), there is a simple way to avoid the file-upload attacks (if you are using Linux hosting, of course):


1. Run PHP (if using php-cgi) or Apache (if using PHP as a module) under user user1.
2. Set the owner of all executable core files (*.php, *.sc, *.bb and so on) to user user2 and set permissions 644.
3. Set 755 on all dirs.
4. Set owner user2 on all dirs.
5. Set owner user1 on dirs like /e107_files/public/avatars and so on (to allow PHP to write to these directories).
6. Write rules in Apache's config to deny execution of PHP files in directories like /e107_files/public/avatars.
In nginx (a powerful HTTP server, link) this rule looks like
    rewrite ^\/e107_files\/public\/(.*)\.php /null.php last;
(null.php is an empty file)
If you are using other interpreters on your server, like Perl and so on, write a more complicated rule:
    rewrite ^\/e107_files\/public\/(.*)\.(php|pl|...) /fuck_you_evil_hackers.txt last;


I hope you get the idea: nobody can change your executable core files and nobody can upload new executable files.


About 'ddos': again, as I said before, e107 uses too many SQL queries (link) and does not cache data when it should.

e107.org - Render time: 0.3293 sec, 0.2766 of that for queries.
fanat1k.ru (after many patches to the e107 core) - link - only 0.0006 for queries.
So reduce render time and avoid such 'ddos' (actually in your case it's not ddos, lol).

[ edited 08 Jun : 07:59 ]
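Added example, not e107's File Inspector and not Fanat1k's configuration. It combines the two cleanup checks discussed in the comments above: C6Dave's "show non-core files" listing (here done against a manifest of file hashes taken at install time) and Fanat1k's rule that nothing executable should live in the directories PHP is allowed to write to, plus a check for world-writable entries. The directory layout, the extension list, the manifest approach and the temporary web root it builds are assumptions made for the example.

```python
"""Audit an e107 web root for files that should not be there.

Added example, not e107's File Inspector and not Fanat1k's setup. The web
root it audits is constructed in a temporary directory so it runs offline.
"""
import hashlib
import os
import shutil
import stat
import tempfile

# Extensions the web server would execute if a bot dropped them into a
# writable directory. Fanat1k's rule names .php and .pl; the rest are an
# assumption about common Apache handler setups.
EXEC_EXT = {".php", ".phtml", ".php5", ".pl", ".cgi"}

# Directories e107 must be able to write to (uploads, avatars), relative
# to the web root. Assumed layout for the example.
WRITABLE_DIRS = ("e107_files/public",)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every file under root.
    Take it right after a clean install or upgrade and keep it off the
    server, otherwise an intruder can rewrite it along with the code."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def in_writable_dir(rel):
    return any(rel.startswith(d + "/") for d in WRITABLE_DIRS)


def audit(root, manifest):
    """Return sorted lists of findings keyed by category."""
    findings = {"unknown": [], "modified": [], "exec_in_upload": [],
                "world_writable": []}
    for dirpath, dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            expected = manifest.get(rel)
            if expected is None:
                findings["unknown"].append(rel)          # not in the manifest
            elif sha256_file(full) != expected:
                findings["modified"].append(rel)         # core file changed
            if os.path.splitext(name)[1].lower() in EXEC_EXT and in_writable_dir(rel):
                findings["exec_in_upload"].append(rel)   # script where PHP can write
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mode & stat.S_IWOTH:
                findings["world_writable"].append(
                    os.path.relpath(full, root).replace(os.sep, "/"))
    for key in findings:
        findings[key].sort()
    return findings


def write(root, rel, body):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(body)


def build_demo_root():
    """Constructed web root: a tiny 'clean install', a manifest of it,
    then the kind of tampering the thread describes."""
    root = tempfile.mkdtemp(prefix="e107-audit-")
    for rel, body in {
        "index.php": "<?php echo 'home';",
        "class2.php": "<?php /* core */",
        "e107_files/public/avatars/me.png": "PNG",
    }.items():
        write(root, rel, body)
    manifest = build_manifest(root)
    # Tampering after the manifest was taken:
    write(root, "help_us.php", "<?php /* dropped by a bot */")             # unknown file in root
    write(root, "e107_files/public/avatars/x.php", "<?php /* upload */")   # script in upload dir
    write(root, "class2.php", "<?php /* core, altered */")                 # core file changed
    return root, manifest


def cleanup(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root, manifest = build_demo_root()
    for category, paths in audit(root, manifest).items():
        print(f"{category}: {paths}")
    cleanup(root)
```

Point `audit()` at the real document root with a manifest taken from a known-good install. Unknown files are the "strange files" the post tells you to delete, modified core files are the ones an upgrade will overwrite, and anything under `exec_in_upload` should be removed and then prevented by the web-server rule Fanat1k describes.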

Wahooney on 08 Jun : 12:11

What are the chances of 0.8 getting automatic update support? For both plugins and core files, preferably. I'm sure that could curb a lot of this kind of thing.

mecrox on 08 Jun : 14:13

I've had a lot of trouble with this one. FWIW, the attacks are very interested in the calendar and events plugin though whether to DDOS or because of a vulnerability in an old version I don't know. My webhoster also kindly disconnected contact.php. To reassure them I wiped and reinstalled from a clean backup. It's not good and my logs show the attacks are continuing. I am thinking of a move, perhaps to Drupal.

Binaries on 08 Jun : 14:24

Checkout my cleanup script: http://ohai.name/fix i suggest only using it if you have knowledge of the exploit as well as general php knowledge. My site was infected, it hit the whole box and did a nice bit of damage, nothing a php file couldn't fix. I'm happy to answer questions regarding the script.

Snailman on 08 Jun : 14:33

contact.php was renamed and helped 0.7.22. Thanks.

Mojo Will on 08 Jun : 16:22

God Bless open source

Donny on 08 Jun : 17:31

My site got attacked, I want my money back.

EdizonTN on 08 Jun : 17:47

hmm, attacked also my e107 v08 test site.....

NCH Gaming on 09 Jun : 03:22

I concur on the event calendar, I've seen a lot of hits there as well. This looks like a "become part of the exploit botnet, or become the target of it."

dolphin713 on 09 Jun : 12:52

e107 should have a way to change the default folder names (e107_plugins, e107_handlers, etc.).
This way security would improve. I have done this.

As I've informed the e107 security team, I have mod_security in Apache, and it prevented some of the attacks, which were logged.

Some of the files were
/e107_handlers/secure_img_render.php
/fpw.php
/e107_plugins/content/handlers/content_class.php
/e107_plugins/content/handlers/content_convert_class.php

Alll from the ip 78.46.72.235

Block this ip !!



dolphin713 on 09 Jun : 12:56

argh... Can't comment... maybe because I'm giving some of the files they tried to hack? Anyway... I'm looking for the forum post...

Nowwhat on 09 Jun : 14:11 Member Of The e107 Support Team

@dolphin713
You posted 4 times now

SecretR on 09 Jun : 15:33

e107 do have a way to rename default folders.

Moc on 09 Jun : 18:19

wiki page for changing folder names (link)
[ edited 09 Jun : 18:20 ]

nagnal on 10 Jun : 00:31

Think it's time to move on from e107, too much drama.
We are stuck on v0.7 with 22 updates. Where's v0.8?

Brad R on 10 Jun : 23:00

You might want to mention that if you rename contact.php, you'll also need to rename e107_languages/English/contact.php to match. At least, I did.

nlstart on 11 Jun : 12:29

@Brad R: no, that is an incorrect assumption.
@nagnal: security will also be an issue with a newer version. It will take some (more) time to create a newer version that is even more secure than 0.7.x. The latest vulnerabilities prove that even more enhancements can be done on that part. It is better to wait for a well designed and well programmed secure CMS, than to hurry up and crank out a new version that is not as safe.
[ edited 11 Jun : 12:33 ]

Ramses_CIA on 16 Jun : 19:30

OMG, I'm so happy I left e107 to WordPress months ago ...

Mojo Will on 16 Jun : 21:35

@Ramses_CIA - Wordpress had a rootkit problem a couple of months ago that affected many more users than the e107 bug did! No Open Source CMS is 100% safe!

Duce on 17 Jun : 11:14

You cannot compare Wordpress to e107 actually. I use both as both are needed for different functionality.
And like Mojo says, they also had their issues... Any open-source project does, because the code is readily available to anyone to find exploits. It is how the developers handle the situation when an exploit is found that determines how good it is.
The dev team here has been doing a great job so far as to fixing and plugging holes. The only disadvantage to e107 is that you do not receive security notifications. Everything else is quite extraordinarily brilliant.

eortega on 20 Jun : 05:39

Any chance of being vulnerable to identity theft from this? I was just a victim of ID theft and I'm curious if this might have been the open gate.

MacGyver on 21 Jun : 17:44

3 years and still only minor changes. OMG ...

Harriet on 21 Jun : 18:08

I was hit too, but not so badly as some. I think it helped that I renamed most of the root folders. Also the attack seemed to be limited to e107 installations in the root - anything a layer down was ok, however today I noticed the start of an attack on a site 2 layers down (on an add-on domain).

The following is a list of IPs that need banning ASAP; some from my own logs and some collected from other people's logs who are posting here ...

82.80.230.228
95.108.157.252
213.17.153.11
75.125.205.82
195.199.243.114
204.10.38.244
193.226.30.130
91.199.120.11
212.227.118.21
195.249.40.23
78.138.88.234
79.14.43.2
84.247.49.62
87.229.24.67
206.174.210.10
85.94.197.34
87.210.197.1
195.42.102.25
212.227.136.205
85.17.211.164
85.25.124.132
89.188.136.25
217.23.14.79

Please add to this list if you can

I have removed contact.php from ALL instances of e107 (from what I can gather even 0.7.22 is not guaranteed safe so just get rid of it completely). Will now be replacing all contact forms with the plugin here ...
http://plugins.e107.org/e107_plugins/psilo/psilo.php?artifact.148

Nowwhat on 21 Jun : 20:08 Member Of The e107 Support Team

@harriet:
I have an e107 site installed in domain/forum/... and it was also attacked (well, I saw 150 - 250 hits at the same time for hours ...).
These bots open /contact.php, but nothing can be done about that; removing it is a solution, but not a good one.
BTW: NOTHING is wrong with that file.
The only bug is that most of our hosts don't like SERVING your pages with a HUGE frequency, so your host stops you. This is what DoS is all about.
BUT: what about that security bug that COULD be found tomorrow in class2.php? Do we all remove that file also to "stop the attacks"?? Don't think so; this would stop your entire site.

I didn't remove my contact.php file. I redirect requests for that page to "somewhere else" just by toying with my .htaccess file.
I used my firewall for redirecting some IP to a null route (some of your IP's are on my list )

After 10 minutes all my e107 sites were 'ok' again.

Spud on 24 Jun : 12:59

@Nowwhat

Like you I observed a great deal of activity directed at contact.php, so I just made a pure HTML page and fed them a fancy 404 to look at.

I thought about doing a redirect to the FBI web site, but I thought they might get upset at all the additional traffic

pankaj on 24 Jun : 23:38

This is the reply I got for reporting the attack with domain name associated.

Dear sir/madam,

Thanks for your email. Your message was forwarded to the registrar
Directi for his consideration.

We noticed that no website is linked to the domain name you reported.
Perhaps this is a temporary situation, that is the reason why we
forwarded you email to the registrar.

Please be informed that we initiated a verification procedure regarding
the validity of the registration of the domain name sabotaj.eu.
Depending on the outcome of our investigation, we will make a decision as to
the status of the said domain name.


Kind regards,

Vanessa Cogorno
Legal Department

EURid
Woluwelaan 150
B-1831 Diegem, Belgium
Phone: +32 (0)2 401 27 50
Fax: +32 (0)2 401 27 51

Duce on 25 Jun : 00:21

Just redirect contact.php and help_us.php elsewhere bypassing SQL calls and you will be okay.
Now is a good time to grab the attention of search engines for instance with so many referrals.

ratattat on 25 Jun : 00:59

Can anyone tell me how to redirect, or how to put in a 'pure HTML' error page for '404' (page not found) errors... an easy "how to"?

C6Dave on 25 Jun : 01:37

@ratattat this is not the place for support. That kind of question need to go into the forums

ratattat on 25 Jun : 11:11

Well, it was relevant to attack prevention, but OK, I will post in the "forums" lol

Cleo the Muse on 26 Jun : 01:30

I noticed in looking at my access logs that I was getting 404 returns for someone looking for "/e107_plugins/kroozearcade_menu/kroozearcade.php". For anyone still experiencing attacks even after implementing the "fixes" above, is it possible you have this plugin installed and it is being exploited?

Tgtje on 26 Jun : 15:04 Member Of The e107 Support Team

@ Cleo the Muse: most likely it was someone looking at how a setup or similar was done, or looking for games.

Seen many logs already, but this is the first one regarding a non-core plugin.

So I wouldn't really worry; the 404 is merely what the browser reports if something isn't there or is 'closed' for view.
The normal URL like the above should show the starting page of the kroozearcade, IF present.
No kroozearcade installed, then someone's looking... (act accordingly > ban IP? or was it a search bot?) IMO hardly anything to do with all the above mentioned.

HoriZon on 28 Jun : 12:08

I haven't been attacked yet, but I am getting lots of IPs looking for "contact.php" in my error logs (I have removed the page for now); I have HTML 404/403 pages set up. Also a lot of IPs are looking for "forum_index.php" (which isn't a core file) in the forum plugin folder.

Should i be worried ?

JonR on 28 Jun : 12:57

It would be good if someone on the team could post an updated synopsis on this issue. Whilst I have upgraded my sites to .22 and removed contact.php etc... my ISP is still very twitchy about possible weaknesses in the script. It would be helpful to have something to reassure them that the problem is understood by the e107 community and that adequate fixes/work arounds have been identified.

I'm concerned that unless they get this reassurance they may refuse to mount e107 sites.

nlstart on 28 Jun : 15:49

Removing or renaming contact.php was only advised to prevent sites under attack from collapsing under the requests. The 0.7.22 version of contact.php is safe. If there are concerns about it, please read the directions in this forum post: (link)

pankaj on 28 Jun : 21:36

The web-access for the account has been disabled in TID ****** due to CMS e107 exploit. Please follow up in that ticket so that we shall proceed further.


This is the message I got from my host. Have updated to Ver 0.7.22. Some russian server trying to access contact.php

Notified Host. Lets see the response.
After a long time issues are cropping up.

[ edited 28 Jun : 21:37 ]

scrambler on 28 Jun : 21:47

I am running 0.7.22 but I have had a lot of bans on that page, so I have now renamed the page and installed a different contact script to hopefully cause them a bit more trouble in trying these attacks, at least on my main sites. If they go looking for the contact page now without following the link to the new script they will just get a 404 error.

Not an ideal fix but that's what I have done for the time being. I'm sure that contact.php is safe; I just wanted to knock out all the requests for that page.

pankaj on 28 Jun : 23:28

Sorted out. They wanted me to upgrade to ver 0.7.22. It was already upgraded. This fact has been informed. As of now website is loading. As added precaution, contact.php is redirected to an error page. That's a good host, except that they should have alerted me by mail
Host is Jaguarpc , been with them for long time.

C6Dave on 28 Jun : 23:30

Nothing much you can do about file 'fishing', but if the file is safe or not on the site, they're wasting their time.

Follow the links in the forum posts on the issue and block the script via the .htaccess file; that is the answer.

Nowwhat on 29 Jun : 01:48 Member Of The e107 Support Team

Like this:
.htaccess =
    ## according to http://e107.org/comment.php?comment.news.868
    RewriteEngine On
    RewriteCond %{REQUEST_URI} help_us.php
    RewriteRule ^(.*) http://www.google.com
    ## Another temporary rule ...
    RewriteCond %{REQUEST_URI} contact.php
    RewriteRule ^(.*) http://www.google.com


Of course, Google gets smacked here

[ edited 29 Jun : 01:50 ]

Yakumo on 29 Jun : 06:51

looks like e107 is popular enough for these bots to waste their time poking e107 sites lol

Cory Booth on 29 Jun : 07:20

Well....
I lost everything....
They couldn't do much on my site since I have all "non-US" IPs blocked via htaccess....

So it appears they said F-it and deleted the entire root directory (including all my client websites and my vBulletin instance)...

So...

Safe to say, I'm out of the e107 realm...
Was nice, but I don't need the pain...

Yakumo on 29 Jun : 09:54

^ you did not upgrade to the latest version?

Nowwhat on 29 Jun : 10:11 Member Of The e107 Support Team

And lol again: the only thing that can be blown out of the water is your host's server, because recent issues are nothing more than a huge DoS attack.
The code will execute, your server can't follow, and your shared host will pull the plug. That's more a commercial bug, not a technical one.

Needless to say: before pointing your finger at a CMS or any part of the code on your site, better produce logs so we all can see what really happened on your site.

Btw: IPs: we are all scanned by zombie PCs, and believe me, zombies also live in the States.
Blacklisting a couple (of thousand) IPs won't help much.

Duce on 29 Jun : 12:53

Nowwhat, I would never do that to Big Brother... I went for Yahoo.
Just now Big Brother decides to block my domains and that would be a tragedy.

Gary S on 29 Jun : 17:50

e107 coders now reporting failure to connect to database.

meSavage on 29 Jun : 18:32

Chalk one up to experience, happened to me yesterday on the one site.

They accessed one of my folders and setup a phishing scam site for iTDCanada, lol.

Anyway, removed all the e107 files, gonna replace it with joomla for now, my other large site still has e107 but i don't use the contact.php so that was deleted ages ago

gefy2 on 30 Jun : 01:27

I've had attacks from all over the world, from Japan to Russia and the US and so on. This time I noticed it and locked the site.
The only thing they looked for was *.contact.php

VTWebSites on 30 Jun : 05:34

We have quite a few hosting clients who have been hit with this attack over the last few days.

Here is a list of attack ip's we've compiled for those that need them.

109.169.46.7
122.252.1.33
173.192.14.195
174.121.91.236
178.150.132.242
178.218.218.31
180.151.249.166
184.107.41.155
187.45.193.218
188.40.70.247
193.200.173.7
193.6.244.125
194.109.22.112
194.109.22.66
194.126.234.29
194.50.101.248
195.5.163.206
195.56.111.226
200.234.200.15
200.73.80.59
203.82.214.245
204.10.38.244
207.210.80.242
208.85.6.42
208.87.242.130
209.151.164.22
212.213.216.218
213.163.84.4
213.189.27.130
213.232.94.135
213.239.212.231
216.229.46.44
217.112.84.13
217.73.227.30
62.141.52.11
62.149.233.199
66.165.35.16
66.34.240.177
66.7.192.235
67.159.44.97
67.18.221.58
67.205.102.122
67.215.230.121
67.230.163.10
69.13.221.10
70.38.12.110
70.38.38.87
70.86.117.42
70.86.235.162
72.1.240.89
72.52.117.2
72.55.156.70
72.9.245.82
76.163.252.93
77.221.130.42
78.129.180.149
81.176.226.100
81.176.226.194
82.188.100.195
83.169.7.85
83.81.53.246
84.45.45.135
85.214.124.153
85.214.143.124
85.214.77.132
85.92.68.2
86.58.133.100
87.229.45.142
87.238.162.146
88.198.19.38
88.198.48.10
88.84.155.122
89.212.6.4
91.198.130.4
91.199.120.82
91.213.117.235
92.50.238.233
92.51.134.76
93.187.141.50
93.187.141.58
94.142.240.30
94.23.24.13
94.24.74.2
99.21.54.97


The user agent is Casper Bot Search in most cases.

krissy on 30 Jun : 10:57

my site was completely destroyed. We are now having to completely rebuild. I was getting hit hundreds of times a minute until the whole thing crashed and nothing was accessible. I'm a computer idiot. Truly. I called host tech support 3 days in a row and the hack wasn't detected until the whole thing blew up.
[ edited 30 Jun : 10:58 ]

nlstart on 30 Jun : 11:05

@krissy; the very first comment of a e107 member is blocked until admin approval.

Hobbz on 01 Jul : 01:53

Add my site to the list of victims. I narrowed it down to a newly registered user. It seems he put a file named "version.php" in my root. Not sure how he managed to pull that off.

I don't have the "contact us" enabled or any of the other items people pointed out.

I read the code and it's only a few lines but one looks rather bizarre. I'll gladly send it to an admin if needed.
[ edited 01 Jul : 01:56 ]

VTWebSites on 01 Jul : 07:06

This will help quite a bit on most sites. If you have access to your .htaccess file add the following..

    #Deny access to contact.php
    <Files contact.php>
    order allow,deny
    deny from all
    </Files>
    #Deny access to help_us.php
    <Files help_us.php>
    order allow,deny
    deny from all
    </Files>
    #Redirect attack bot to nowhere
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} ^Casper\ Bot\ Search [OR]
    RewriteCond %{HTTP_USER_AGENT} ^dex\ Bot\ Search
    RewriteRule ^(.*)$ http://go.away/

Duce on 01 Jul : 10:23

@ VTWebSites - You might be redirecting the attacks but at the same time placing extra strain on e107.org calling that image.

This should solve most of it: (link)

I would however suggest everyone keeps on monitoring their log files and lets us know if they are using any new type of script. You can also safely firewall the IPs you receive these types of hits from, as it is all servers that have been infected. Servers don't browse the web.

I am also requesting the development team urgently looking at a security notification system for users so we can be informed of these events should they happen in future.

The impact of this event could have been minimized if people knew about it before it hit them.
[ edited 01 Jul : 10:42 ]

Nowwhat on 01 Jul : 10:48 Member Of The e107 Support Team

@Duce : what VTWebSites said was mangled up by the bbcode that e107 uses.
The part stating <a href="....."><img src='http://e107.org/e107 .... wasn't included by VTWebSites but a result of bbcode handling that messed up things.

edited: For the rest, see the Wiki pages that explain how to protect yourself: (link)

(updated 07/03/10)

[ edited 04 Jul : 20:32 ]

nlstart on 01 Jul : 11:15

Even better to use as last line to revert them to their own localhost:
RewriteRule ^(.*)$ http://127.0.0.1

See also: http://wiki.e107.org/?title=Htaccessexample

[ edited 01 Jul : 11:17 ]

Duce on 01 Jul : 11:21

@ Nowwhat - Makes sense as it happened to me too and that is why I pasted the Wiki link after a few edit attempts at fixing my own version.

Sorry @ VTWebSites

SMITHEREENZ on 01 Jul : 11:43

One of my clients didn't upgrade and got hit last night and with some research I think I narrowed it down

All e107 files were deleted and replaced by rogue files...I have these zipped and it shows the full script used... drop me an email if you want to check them out, maybe they'll help...

Hopefully the database will be intact and it will be a case of uploading and connecting the config file... time will tell.


[ edited 01 Jul : 11:54 ]

Duce on 01 Jul : 12:19

I have one problem with the link you pasted @ SMITHEREENZ
BitDefender reports it to have: Backdoor.PHP.ALI

Father Barry on 01 Jul : 15:51

@ SMITHEREENZ f-secure blocks it for me

crospyder on 01 Jul : 21:07

I saw it; there are a lot of examples of injected code on that page. It's not that all of them were used during the injection, they are just examples?
[ edited 01 Jul : 21:46 ]

crospyder on 01 Jul : 21:45

A mod_security rule through your server host is a very good way to block all of this. My webspace provider did this automatically after the first flood, and since then I am pretty fine; there were no overloads or so. PS: I kept 1 site on the older version just to see whether it works, and it seems like it does.

VTWebSites on 02 Jul : 04:37

Thanks nlstart for correcting the code, no biggie SMITHEREENZ. I didn't notice the "extra" stuff at the end until today. Had to post and run the other day.

Now as for mod_security that will work fine as long as there are only 1 or 2 e107 sites under attack on a given server. Any more than that and the server will eventually puke. I know from experience.

Super on 02 Jul : 18:46

I found new attacks with this user agents:

libwww-perl
Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)
Casper Bot Search
dex Bot Search
sledink Bot Search
rk q kangen
kmccrew Bot Search

mygoggie on 03 Jul : 10:18

There is a COMPLETE thread discussion here (link) and a .htaccess block of code (I wrote the second version with help from the users in the thread, so that runs on all our servers) here (link) that you as a matter of course MUST add to your site's root (the public_html or www directory).
[ edited 03 Jul : 10:19 ]

ChicksHateMe on 03 Jul : 20:14

After all this, we're going to have to consolidate the consolidating threads. It should make for a good Wiki section, some great plugins, and some good security.

SO many links I don't want to duplicate, but there are some good links, from sites explaining the botnets' uses to sites where you can create IP lists to ban by country, so if your site is regional or targeted, and you don't care about SEO, it could be really useful.

Lots more reading to do...

A lot of positives out of a tough situation!

Dobbelsoft on 04 Jul : 01:20

Is the developers blog hacked?

ToddyL on 04 Jul : 02:19

Hi, I am being attacked by the bot you just said and another one, the "Casper Search Bot."

The attacker is named Mama Casper.

My site was down for 3 days and my friend who was to help me with this was unable to assist, so I just deleted the files in index and copied over my older version of e107.

I left the robots.txt file as it was in the original e107, and so far they seem to be locked out.

I've been banning the IPs through cPanel for the last hour as they continue to try to bring the site down again.

Rashan on 04 Jul : 06:07

@Dobbelsoft: Yah, looks like it...

It's probably best not to go to the page with javascript enabled until someone gets a chance to fix it.

Might be a good time for people to install the NoScript addon for Firefox... it's a dangerous web out there these days.

diamond-optic on 04 Jul : 08:14

Removing contact.php seems to have solved the issue for me, but I'm still blocking all IPs I find that keep trying to access the file anyway.

I also am seeing these same IPs trying to access comment.php too, so I removed that to be safe, as I don't use comments on my site.

Tgtje on 04 Jul : 13:06 Member Of The e107 Support Team

As Dobbelsoft mentioned, and posted by ToddyL.

m c hack and C search bot are NOT restricted to e107 only. (Multiple systems have similar threads and attacks!)

(transl: Indo-Malayan)

It has to be looked at as a general hack.

NaNaSh on 04 Jul : 16:53

e107 blog hacked !
oh no !

see please: (link)

Martinj on 04 Jul : 16:58

@Rashan: Silly me, I clicked it. Had to stop Firefox. I always use NoScript but e107.org is an allowed website for me and most others, I presume!

Doh!

Duce on 04 Jul : 17:34

Only almost a month later this poor guy realised there is an issue: (link)

We need security notifications of posts such as this.

Dobbelsoft on 04 Jul : 18:20

Has anyone looked for automated URL based IP ban using PHP and htaccess?

(link)

Nowwhat on 04 Jul : 20:38 Member Of The e107 Support Team

Hey guys, just a reminder:
For support, please post in the forum.

If you are ready to have those bots eating dust, go visit our Wiki pages : http://wiki.e107.org/?title=Htaccessexample for a clear how-to.

For general info and question: post here: e107.org :: Forums :: e107 Support :: Core Support and have a look at the first sticky thread called Consolidated Flood Attack Information - read it FIRST - all the pages.

If you have a question, the answer is there already.
If not, post, and be clear.

Please, DO NOT ask questions here.
[ edited 04 Jul : 20:44 ]


Comments are locked



