Nabeel (Administrators), posted September 30, 2013

Changed Files: Patch for php-ofc-library exploit
View complete changes
Download from here

miniarma, posted September 30, 2013

So we overwrite our current phpvms or reinstall fresh with this patch?

ARV187, posted September 30, 2013

Then, the only file necessary to update is this?
core/lib/php-ofc-library/ofc_upload_image.php

ARV187, posted October 1, 2013

Then...
1. Only overwrite ofc_upload_image.php?
2. Overwrite our actual phpvms via FTP?
3. Reinstall with this patch?
I have a heavily customized page.

simpilot (Administrators), posted October 1, 2013

If your site has not been compromised then the only thing you need to do is replace the "ofc_upload_image.php" file with the patched version. If you have been compromised you need to go through the entire site and remove all the malicious files in addition to replacing the "ofc_upload_image.php" file. If you are not sure what files have been altered and added, see if your host will help you. If you do not get them all there is a good chance that you will be victimized again. As a last resort, yes, a complete new install is an option.

ARV187, posted October 1, 2013

The page was hacked. I deleted all files with data from 09/30/2013, afterwards restored a backup from 09/13/2013, and patched it with Nabeel's updated file. I think that is all. Thanks guys for the support.

Txmmy83, posted October 1, 2013

Still looks like we have someone sniffing phpvms sites:

61.135.189.69 - - [01/Oct/2013:08:10:11 -0400] "GET /index.php/profile/view/5 HTTP/1.1" 200 23812 "-" "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
118.139.163.141 - - [01/Oct/2013:08:13:35 -0400] "GET /index.php/registration//core/lib/php-ofc-library/ofc_upload_image.php HTTP/1.1" 200 23199 "-" "Mozilla/4.0 (compatible; MSIE 7.0; America Online Browser 1.1; Windows NT 5.1; (R1 1.5); .NET CLR 2.0.50727; InfoPath.1)"
118.139.163.141 - - [01/Oct/2013:08:13:35 -0400] "GET //core/lib/php-ofc-library/ofc_upload_image.php HTTP/1.1" 200 11882 "-" "Mozilla/4.0 (compatible; MSIE 7.0; America Online Browser 1.1; Windows NT 5.1; (R1 1.5); .NET CLR 2.0.50727; InfoPath.1)"
118.139.163.141 - - [01/Oct/2013:08:13:35 -0400] "GET /index.php//core/lib/php-ofc-library/ofc_upload_image.php HTTP/1.1" 200 11878 "-" "Mozilla/4.0 (compatible; MSIE 7.0; America Online Browser 1.1; Windows NT 5.1; (R1 1.5); .NET CLR 2.0.50727; InfoPath.1)"
208.115.113.87 - - [01/Oct/2013:08:14:54 -0400] "GET /index.php/pireps/view/161 HTTP/1.1" 200 16811 "-" "Mozilla/5.0 (compatible; Ezooms/1.0; ezooms.bot@gmail.com)"
208.115.113.87 - - [01/Oct/2013:08:14:55 -0400] "GET /index.php/schedules/brief/3434 HTTP/1.1" 200 15334 "-" "Mozilla/5.0 (compatible; Ezooms/1.0; ezooms.bot@gmail.com)"
208.115.113.87 - - [01/Oct/2013:08:14:57 -0400] "GET /index.php/schedules/brief/3537 HTTP/1.1" 200 15328 "-" "Mozilla/5.0 (compatible; Ezooms/1.0; ezooms.bot@gmail.com)"
208.115.113.87 - - [01/Oct/2013:08:14:58 -0400] "GET /index.php/schedules/details/3473 HTTP/1.1" 200 14100 "-" "Mozilla/5.0 (compatible; Ezooms/1.0; ezooms.bot@gmail.com)"
208.115.113.87 - - [01/Oct/2013:08:14:59 -0400] "GET /index.php/schedules/details/3519 HTTP/1.1" 200 14098 "-" "Mozilla/5.0 (compatible; Ezooms/1.0; ezooms.bot@gmail.com)"

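A way to pull requests like the ones in the log excerpt above out of a full access log, as an added example that is not part of the original thread: a Python scan of combined-format lines for any request that reaches ofc_upload_image.php, whatever prefix, doubled slash, letter case or query string it arrives with. The sample lines and their addresses are constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Script named in this thread; looked for anywhere in the normalized path.
TARGET = "core/lib/php-ofc-library/ofc_upload_image.php"

# Apache/Nginx "combined" log format, the format of the lines quoted above.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def normalize(uri):
    """Drop the query string, decode %-escapes, collapse repeated slashes."""
    # Split by hand: urlsplit() would read a leading "//core" as a hostname.
    path = unquote(uri.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()

def find_probes(lines):
    """Return {client_ip: [(timestamp, method, status, raw_uri), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        if "/" + TARGET in normalize(m["uri"]):
            hits[m["ip"]].append(
                (m["ts"], m["method"], int(m["status"]), m["uri"]))
    return dict(hits)

# Constructed sample lines (documentation address ranges, made-up agents).
SAMPLE = [
    '192.0.2.10 - - [01/Oct/2013:08:10:11 -0400] "GET /index.php/profile/view/5 HTTP/1.1" 200 23812 "-" "ExampleBot/1.0"',
    '198.51.100.7 - - [01/Oct/2013:08:13:35 -0400] "GET /index.php/registration//core/lib/php-ofc-library/ofc_upload_image.php HTTP/1.1" 200 23199 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [01/Oct/2013:08:13:35 -0400] "GET //core/lib/php-ofc-library/ofc_upload_image.php HTTP/1.1" 200 11882 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [01/Oct/2013:08:13:36 -0400] "GET /core/lib/PHP-OFC-Library/ofc_upload_image.php?x=1 HTTP/1.1" 404 512 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [01/Oct/2013:08:14:54 -0400] "GET /index.php/pireps/view/161 HTTP/1.1" 200 16811 "-" "ExampleBot/1.0"',
]

if __name__ == "__main__":
    for ip, reqs in find_probes(SAMPLE).items():
        print(f"{ip}: {len(reqs)} request(s) for {TARGET}")
        for ts, method, status, uri in reqs:
            print(f"  [{ts}] {method} {status} {uri}")
```

The method and status are kept in each hit so that requests can be compared against the date the patched file was put in place.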