I recently installed version 1.0.2 on my site and I have been the victim of 3 phishing attacks in the last 4 days. I have set all of the permissions as per the installation instructions and removed the install directory.
The install is on an Apache server running suPHP.
The only other script I have running is 4Images Gallery and that has been running for some time with no problems.
Anyone have any ideas why I'm being hit or if there is a patch?
Thanks,
T.
Phishing attack
Last edited by TonyP on Tue Dec 19, 2006 9:18 pm, edited 1 time in total.
Re: Phishing attack
TonyP, how can you tell you are being hit? Is this injection of some sort?
I only ask because twice now I've had my site go down due to basic and obvious syntax errors in /lib files that I didn't make.
The last was the insertion of a ) before a } at the end of a function in mysql_driver.inc.
If this is related I hope someone can help shed some light on it.
Re: Phishing attack
Most of the security problems that I've read on the forum invariably had to do with having some other scripting/program such as Joomla or WordPress in another folder running on the site, not from CMSMS...
I got hit from looking at someone's site, trying to help with the layout, using IE not Firefox; they used a vulnerability in WordPress, not CMSMS, to do it...
Mark, when you said you got a trojan from my site, I was really bothered. It was freaking me out that that might have happened. Well, this morning I was working on my blog (WordPress) and noticed that the browser was trying to load a page located at ****.***
Seeing this sent a chill up my spine. I immediately checked the source code and sure enough, my site had been exploited and malicious code had been inserted into some of my files that were apparently in a world-writeable state. Apparently a malicious php script was used to insert the following code into my files, according to my webhost. The code that was inserted was as follows...
Code:
So it appears that my site was responsible for the badness inflicted upon you. Of course I had no idea this had occurred but as a result of your comment, and my further investigation, I was at least able to discover what had happened and was able to notify my webhost. I also made a post in the WordPress forums to alert others about this issue.
Re: Phishing attack
Insipid, it's not a matter of the site going down. Phishing files are being placed on the site in a different directory than the CMSMS root. The affected directory has no scripts in it.
Re: Phishing attack
Thanks Mark, the only other script I was running was 4Images Gallery and I have removed it. What about setting the file permissions to 775? Would this work with suPHP?
T.
Re: Phishing attack
With suPHP you can tighten things more: as suPHP runs PHP scripts with your own user rights (not as apache / www-user or something else), you don't need to give rights to other users to do stuff.
Images will still need to be world readable, but I think you can set PHP scripts to 700 and it will still work (maybe even 600, depending on how you are set up).
Permissions always depend on how the server is being set up, and the best way to find the tightest settings for your installation is to start with *tight* and then loosen it until it works.
Maybe this should be documented somewhere...
Re: Phishing attack
Thanks tsw, I'll try it. Should that be all php files or only those listed in the installation doc?
tsw wrote:
With suPHP you can tighten things more: as suPHP runs PHP scripts with your own user rights (not as apache / www-user or something else), you don't need to give rights to other users to do stuff.
Images will still need to be world readable, but I think you can set PHP scripts to 700 and it will still work (maybe even 600, depending on how you are set up).
Permissions always depend on how the server is being set up, and the best way to find the tightest settings for your installation is to start with *tight* and then loosen it until it works.
Maybe this should be documented somewhere...
Re: Phishing attack
You can do all, but if you haven't touched files other than those mentioned in the installer, the other files should be OK (but check those too).
hope this helps
Re: Phishing attack
Thanks again tsw, I'll try it over the next day or two and let you know how it went.
Re: Phishing attack
I ended up having to set the permissions to 755 to get the uploading to work.
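
The following shell functions are an added example, not code from this thread or from CMS Made Simple. They list group- or world-writable paths under a web root (the state the quoted WordPress report blames for the inserted code), list recently modified PHP files for review, and apply the tight-first modes discussed above. The function names, the sample tree and the use of 755 for directories are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a suPHP host where scripts run
# as the account owner; the tree built in demo() is constructed sample data.

# Print files and directories that group or other can write to. Under suPHP
# nothing in the web root needs those bits.
audit_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print | sort
}

# Print PHP/.inc files modified less than $2 days ago, to review for edits
# or new files the owner did not make.
recent_code() {
    find "$1" -type f \( -name '*.php' -o -name '*.inc' \) -mtime "-$2" -print | sort
}

# Tight baseline: code 600 (pass 700 as $2 if 600 fails), other files 644 so
# images stay world-readable, directories 755.
tighten() {
    code_mode=${2:-600}
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f \( -name '*.php' -o -name '*.inc' \) -exec chmod "$code_mode" {} +
    find "$1" -type f ! -name '*.php' ! -name '*.inc' -exec chmod 644 {} +
}

# Build a throwaway tree with loose modes, audit, tighten, audit again.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/lib" "$root/uploads"
    echo '<?php' > "$root/index.php"
    echo '<?php' > "$root/lib/mysql_driver.inc"
    : > "$root/uploads/photo.jpg"
    chmod 777 "$root/uploads"
    chmod 666 "$root/index.php"
    chmod 664 "$root/lib/mysql_driver.inc"
    echo "writable before:"; audit_writable "$root"
    tighten "$root"
    echo "writable after:";  audit_writable "$root"
    rm -rf "$root"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument `demo` to see the audit before and after; on a real site, run `audit_writable` and `recent_code` first and review their output before calling `tighten`.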