Security alert - please read
I am working on a site today that got hacked BAD through comments that were not filtered through the admin approval process. DO NOT ALLOW COMMENTS to be posted until you have viewed them. This guy also got hit through Shoutbox Pro. PLEASE apply all the security fixes I posted at http://secure.agaresmedia.com/vbulletin.
Look in your root for a file called inc.php. In that file about the second line below <?PHP you will see a line that starts with WSO. This file is a trojan that outputs all your website information INCLUDING SECURITY PARAMETERS directly to the hacker. Your password, server configs, everything is compromised with this file.
If you have this problem, go to secure.agaresmedia.com/vbulletin and PM me NOW. This is major work to clean up.
This problem is happening to sites with MODIFIED script and those who use forms without sanitized validation. All this was patched in v2.7 so the vulnerability is not in vanilla AP installs. You only have a problem if you do any of the following:
- "Approve" comments that have links in them without knowing what they are (on games and articles)
- Use mods with unsanitized form validation (never, ever, ever, ever, trust user input in forms - validate it with script that removes slashes, tags, XSS, etc). Don't allow a coder to modify your script without insisting form and URL input be sanitized. (Ask lfhost :-) he remembers the pre-2.7 problems.)
- Forms that allow javascript tags (strip tags doesn't always take them out, in various forms of these tags, i.e., "onclick="history.go()"). Most vanilla forms of strip tags are not recursive. However, strip slashes, which is used in the default version of AM_injection, removes the slashes. It works most of the time, but code I posted on the new Agares Media forum goes further.



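The check described in the post (a line starting with WSO near the top of inc.php), as an added example that is not part of the original post: it goes beyond the single inc.php in the root and inspects every *.php file under a given web root. The five-line window, the function names and the demo tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag PHP files whose first lines carry the marker the post describes.
# Assumptions (not from the post): only the first HEAD_LINES lines are inspected,
# and leading whitespace before "WSO" is tolerated.
HEAD_LINES=5

# has_wso_marker FILE -> exit 0 if one of the first HEAD_LINES lines starts with "WSO"
has_wso_marker() {
    head -n "$HEAD_LINES" "$1" 2>/dev/null | grep -Eq '^[[:space:]]*WSO'
}

# scan_webroot DIR -> print the path of each matching *.php file, one per line
scan_webroot() {
    find "$1" -type f -name '*.php' 2>/dev/null | sort | while IFS= read -r f; do
        if has_wso_marker "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# make_demo_tree -> build a constructed sample web root and print its path.
# The file contents are harmless placeholders, not real malware.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    # Matches: marker at line start, a couple of lines below the opening tag.
    printf '<?PHP\n\nWSO placeholder marker line (constructed)\n' > "$d/inc.php"
    # No match: "WSO" appears, but not at the start of a line.
    printf '<?php\n// mentions WSO only in a comment\necho "ok";\n' > "$d/index.php"
    # No match: marker sits below the inspected window.
    mkdir "$d/games"
    printf '<?php\n$a = 1;\n$b = 2;\n$c = 3;\n$d = 4;\n$e = 5;\nWSO too deep\n' \
        > "$d/games/play.php"
    printf '%s\n' "$d"
}

# Scan the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    scan_webroot "$1"
fi
```

A hit means the file needs manual review and a comparison against a clean copy of the script; an empty result does not show the site is clean.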
