Rev - Patch for php-ofc-library exploit


Posted

Then...

1. Only overwrite ofc_upload_image.php?

2. Overwrite our actual phpvms via ftp?

3. Reinstall with this patch?

I have a heavily customized page.

  • Administrators
Posted

If your site has not been compromised then the only thing you need to do is replace the "ofc_upload_image.php" file with the patched version.

If you have been compromised you need to go through the entire site and remove all the malicious files in addition to replacing the "ofc_upload_image.php" file.

If you are not sure what files have been altered and added, see if your host will help you. If you do not get them all, there is a good chance that you will be victimized again.

As a last resort, yes, a complete new install is an option.

  • Like 1
Posted

The page was hacked. I deleted all files dated 09/30/2013, then restored a backup from 09/13/2013 and patched it with Nabeel's updated file. I think that is all. Thanks, guys, for the support.

Posted

Still seeing that we have someone sniffing phpVMS sites:

61.135.189.69 - - [01/Oct/2013:08:10:11 -0400] "GET /index.php/profile/view/5 HTTP/1.1" 200 23812 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"

118.139.163.141 - - [01/Oct/2013:08:13:35 -0400] "GET /index.php/registration//core/lib/php-ofc-library/ofc_upload_image.php HTTP/1.1" 200 23199 "-" "Mozilla/4.0 (compatible; MSIE 7.0; America Online Browser 1.1; Windows NT 5.1; (R1 1.5); .NET CLR 2.0.50727; InfoPath.1)"

118.139.163.141 - - [01/Oct/2013:08:13:35 -0400] "GET //core/lib/php-ofc-library/ofc_upload_image.php HTTP/1.1" 200 11882 "-" "Mozilla/4.0 (compatible; MSIE 7.0; America Online Browser 1.1; Windows NT 5.1; (R1 1.5); .NET CLR 2.0.50727; InfoPath.1)"

118.139.163.141 - - [01/Oct/2013:08:13:35 -0400] "GET /index.php//core/lib/php-ofc-library/ofc_upload_image.php HTTP/1.1" 200 11878 "-" "Mozilla/4.0 (compatible; MSIE 7.0; America Online Browser 1.1; Windows NT 5.1; (R1 1.5); .NET CLR 2.0.50727; InfoPath.1)"

208.115.113.87 - - [01/Oct/2013:08:14:54 -0400] "GET /index.php/pireps/view/161 HTTP/1.1" 200 16811 "-" "Mozilla/5.0 (compatible; Ezooms/1.0; ezooms.bot@gmail.com)"

208.115.113.87 - - [01/Oct/2013:08:14:55 -0400] "GET /index.php/schedules/brief/3434 HTTP/1.1" 200 15334 "-" "Mozilla/5.0 (compatible; Ezooms/1.0; ezooms.bot@gmail.com)"

208.115.113.87 - - [01/Oct/2013:08:14:57 -0400] "GET /index.php/schedules/brief/3537 HTTP/1.1" 200 15328 "-" "Mozilla/5.0 (compatible; Ezooms/1.0; ezooms.bot@gmail.com)"

208.115.113.87 - - [01/Oct/2013:08:14:58 -0400] "GET /index.php/schedules/details/3473 HTTP/1.1" 200 14100 "-" "Mozilla/5.0 (compatible; Ezooms/1.0; ezooms.bot@gmail.com)"

208.115.113.87 - - [01/Oct/2013:08:14:59 -0400] "GET /index.php/schedules/details/3519 HTTP/1.1" 200 14098 "-" "Mozilla/5.0 (compatible; Ezooms/1.0; ezooms.bot@gmail.com)"

  • Like 1
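One way to pull probes like these out of an access log, as an added example that is not part of the original posts: it collapses the doubled slashes seen above, matches any request naming ofc_upload_image.php, and groups the hits per client IP. The "direct"/"routed" split assumes a stock Apache setup where anything after `/index.php/` is handed to index.php as PATH_INFO; the function names are hypothetical and the sample lines are constructed from the paths in the thread with documentation-range IPs.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache combined log format: ip ident user [time] "METHOD target PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TARGET = "/php-ofc-library/ofc_upload_image.php"

def classify(target):
    """Return None if the request does not name the upload script, else 'direct' or 'routed'."""
    path = unquote(target.split("?", 1)[0]).lower()  # drop query, decode %xx, match case-insensitively
    path = re.sub(r"/{2,}", "/", path)               # the probes in the thread use doubled slashes
    if not path.endswith(TARGET):
        return None
    # Assumption: an earlier *.php segment (e.g. /index.php/) receives the rest as PATH_INFO,
    # so the request is answered by that script and not by ofc_upload_image.php itself.
    prefix = path[: -len(TARGET)] + "/"
    return "routed" if ".php/" in prefix else "direct"

def find_probes(lines):
    """Group requests that name the upload script by client IP."""
    report = defaultdict(lambda: {"direct": 0, "routed": 0, "methods": set(), "statuses": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        kind = classify(m["target"])
        if kind:
            entry = report[m["ip"]]
            entry[kind] += 1
            entry["methods"].add(m["method"])
            entry["statuses"].add(int(m["status"]))
    return dict(report)

SAMPLE = [  # constructed lines: paths as in the thread, IPs from documentation ranges
    '192.0.2.10 - - [01/Oct/2013:08:13:35 -0400] "GET /index.php/registration//core/lib/php-ofc-library/ofc_upload_image.php HTTP/1.1" 200 23199 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [01/Oct/2013:08:13:35 -0400] "GET //core/lib/php-ofc-library/ofc_upload_image.php HTTP/1.1" 200 11882 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [01/Oct/2013:08:13:35 -0400] "GET /index.php//core/lib/php-ofc-library/ofc_upload_image.php HTTP/1.1" 200 11878 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [01/Oct/2013:08:14:54 -0400] "GET /index.php/pireps/view/161 HTTP/1.1" 200 16811 "-" "ExampleBot/1.0"',
]

if __name__ == "__main__":
    for ip, info in find_probes(SAMPLE).items():
        print(ip, info)
```

To scan a real log, pass the open file object to `find_probes` in place of `SAMPLE`.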