
[NOTICE] - Open Flash Chart Exploit


simpilot    2128

Sorry, I guess looking quickly I did not differentiate the two usernames between vcal and vicar.

My comments as far as what could be happening are still the same though. If you are completely deleting the entire contents of your website and reinstalling a clean version of the application and being hacked minutes later, there are not too many things that can be happening.

1 - You are not using the patched version of the ofc_upload_image.php file. - Which I just tried to call on your site and got a not found error, so it is clear that the file is not there.

So I would say it is:

2 - There is another site on the server that is compromised that has access to your directory, possibly through the links created by a symlink attack. I know you say it is your own paid server but by the looks of it, with the correct IP address, it has approx. 800 other sites hosted on it as well. -> http://whois.domaint.../89.146.199.179

or

3 - You have not changed passwords (FTP, cPanel, email) that were exposed in the original compromise.

vcal    8

I got the host to try a couple of things and then he wiped the webspace. There is nothing in it until I upload. VMS was failing every time I installed and ran it, even with the patched version. The hackers were doing more than what has been said on this forum.

They had created a directory that once I got into it, I couldn't get out of. I have had no direct reply to my posts about the problems on this forum, which left me no choice but to have my webspace wiped, which was suggested and I agreed. I don't know exactly what these hackers have done, but it is a lot more than just defacing and adding files and folders.

vcal    8

Downloaded it again, unzipped, uploaded and ran the installer.

Fatal error: Class 'DB' not found in /home/vcalorgu/public_html/core/common/SettingsData.class.php on line 28

EricNguyen    0

Hello,

Our VA got hacked too, they installed a massmailer and file controller. Fortunately I have an older version of the site and did a check using MD5deep (a tool to compute md5 hashes) between the 2 versions. Hence I could find out which files were added or modified.

To generate signatures from an old copy of phpvms:

md5deep -l -r phpvms > old.txt

To generate a report on the hacked version:

md5deep -l -r -x old.txt phpvms_hacked

Quick, and it will compare file content. Now I would like to use the new ofc_upload_image.php. Is the correct version dated 30-09-2013?

I can find it in http://downloads.phpvms.net/phpvms.update.zip

Right ?

Thanks

Eric

Air Inter VA

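The baseline comparison Eric describes above, as an added example that is not part of the thread: a Python equivalent of hashing a known-clean copy and a suspect copy and listing what differs (sha256 instead of md5; the sample trees and file paths are constructed inline for the demo).

```python
# Added example, not from the thread: the md5deep baseline comparison in Python.
# Hashes every file under a clean copy and a suspect copy, then reports added,
# modified and removed paths (sha256 here instead of md5).
import hashlib
import os
import tempfile

def hash_tree(root):
    """Return {relative_path: sha256 hex} for each regular file under root
    (relative paths as with md5deep -l, recursion as with -r)."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):  # skip sockets, dangling links, etc.
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return digests

def compare_trees(baseline, suspect):
    """Like md5deep -x old.txt: suspect files whose hash is not in the baseline,
    split into added (new path) and modified (known path, different content).
    Removed files are listed too, which md5deep -x alone does not show."""
    added = sorted(p for p in suspect if p not in baseline)
    modified = sorted(p for p in suspect if p in baseline and suspect[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in suspect)
    return {"added": added, "modified": modified, "removed": removed}

def demo():
    """Constructed sample trees: a clean copy and a copy with one file tampered
    and one file planted (paths are illustrative only)."""
    def write(root, rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as hacked:
        for root in (clean, hacked):
            write(root, "index.php", b"<?php echo 'home';\n")
            write(root, "core/common/SettingsData.class.php", b"<?php class SettingsData {}\n")
        write(hacked, "index.php", b"<?php echo 'home'; // tampered\n")
        write(hacked, "lib/upload/mailer.php", b"<?php // planted file\n")
        return compare_trees(hash_tree(clean), hash_tree(hacked))

if __name__ == "__main__":
    print(demo())
```

Run the baseline from a pristine download rather than from a backup taken after the first intrusion, otherwise a planted file present in both copies will not show up.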
EricNguyen    0

Hello all,

Just to inform, we found our PHPVMS hacked again today, despite removing the chart php script. We are investigating what was changed in our scripts.

Eric

simpilot    2128

Any updates on this?

There is no real update to be had; if you replace or patch the one affected file as it is spelled out here -> http://forum.phpvms.net/topic/16598-21936-security-patch/ <- there is not really anything else to be updated. If you were hacked, you will need to clean your site. There is no absolute set of directions to do that, every one is different.
