The third-party Open Flash Chart script that is used within phpVMS has an exploit that has been used recently and often to deface and/or alter sites using the phpVMS software. I have cleaned 11 of my client's sites in the last 36 hours. Although some sites have been obviously defaced with homepages replaced, some have had advertising scripts uploaded to redirect users to various companies.

An example of a defacement today -> http://hack-db.com/787962.html

The exploit is explained here -> http://www.exploit-d...exploits/10532/

WHAT TO LOOK FOR

If you have a folder in /core/lib/ that is called "tmp-upload-images", your site has been compromised. Inside that folder can be a number of files, but the one that gets everything started is .wp-moon.php

I have also found these in that folder:

1.php
e.php
er.php
tb.php

If this folder is present, start looking in the root of your site for files possibly called:

0zie.html
index.html - if you had one previously, check the date of the last change; it may have been overwritten
agg.html - an advertising script for ugg boots.....
cst.html
sto.html
unc.html

What do I do now?

Delete the entire folder "tmp-upload-images" and remove any other suspicious files from the root of your site. Review ANY file that you do not recognize or that has a last changed date similar to those in the "tmp-upload-images" file.

Delete or rename the folder /core/lib/php-ofc-library. The script(s) that are being used in this exploit are within this folder. This will cause all of the flash charts on the site to no longer function, but all other functionality should remain as it was.

NOTE: There is a school of thought that the only file that is being exploited is the "ofc_upload_image.php" file within the "php-ofc-library" folder. You can try to delete just this file and your charts will still function, but there may still be a vulnerability and I would watch your directory tree for a while.

In all the sites I have cleaned today I have not found any evidence of any database intrusion or data loss. I would still HIGHLY recommend that if you have found any of these items on your site, you change all your passwords associated with the site as soon as possible. This includes the database password that phpVMS uses, emails use, and web panel admin access passwords.

Nabeel has been made aware of this and is researching a patch at this time.

Update 1 - http://forum.phpvms.net/topic/16288-notice-open-flash-chart-exploit/#entry82657

Update 2 - http://forum.phpvms....__20#entry82672
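The checks described in the post above can be run as one read-only scan of a phpVMS web root. This is an added example, not part of the original post and not phpVMS code: the folder and file names come from the post, while the function name `scan_phpvms`, the category labels and the 24-hour "similar date" window are assumptions.

```python
import os
import sys

# Names below come from the post; the 24-hour window is an assumption.
DROP_DIR = os.path.join("core", "lib", "tmp-upload-images")
OFC_SCRIPT = os.path.join("core", "lib", "php-ofc-library", "ofc_upload_image.php")
ROOT_NAMES = ["0zie.html", "index.html", "agg.html", "cst.html", "sto.html", "unc.html"]
WINDOW_SECONDS = 24 * 3600


def mtime(path):
    # lstat so a dangling symlink does not abort the scan
    return os.lstat(path).st_mtime


def scan_phpvms(root, window=WINDOW_SECONDS):
    """Return (category, relative_path) findings for a phpVMS web root."""
    findings = []
    if os.path.isfile(os.path.join(root, OFC_SCRIPT)):
        findings.append(("upload-script-present", OFC_SCRIPT))
    drop = os.path.join(root, DROP_DIR)
    if not os.path.isdir(drop):
        return findings
    findings.append(("upload-folder", DROP_DIR))
    drop_times = []
    for name in sorted(os.listdir(drop)):
        findings.append(("dropped-file", os.path.join(DROP_DIR, name)))
        drop_times.append(mtime(os.path.join(drop, name)))
    # The post says to check the site root once the folder is present.
    for name in ROOT_NAMES:
        if os.path.isfile(os.path.join(root, name)):
            findings.append(("root-file-to-review", name))
    if not drop_times:
        return findings
    # Flag files elsewhere whose last-changed time is close to the dropped files.
    lo, hi = min(drop_times) - window, max(drop_times) + window
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.samefile(dirpath, drop):
            dirnames[:] = []  # dropped files are already reported above
            continue
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if lo <= mtime(path) <= hi:
                findings.append(("modified-near-upload", os.path.relpath(path, root)))
    return findings


if __name__ == "__main__":
    for category, rel in scan_phpvms(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{category}\t{rel}")
```

Run it with the site root as the only argument. It changes nothing on disk, so any deletion is still a manual decision after reviewing the output.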