Topic: PHP Bulk Emailer in my userpic directory (Read 26617 times)

Kursk · « **on:** December 25, 2006, 04:15:27 am »

Got notified today that my account was suspended. After some investigation, it happens that someone had upload a PHP bulk e-mailer into my userpic directory and started sending out ebay phishing scam.

PHP Bulk Emailer
From NukedWeb
http://www.nukedweb.com/
tim@nukedweb.com

How this happened I still can't figure out.
Any thoughts (besides the fact that it is an old cpg 1.3.1)?

Tarique Sani · « **Reply #1 on:** December 25, 2006, 09:53:50 am »

Quote from: Kursk on December 25, 2006, 04:15:27 am

Any thoughts (besides the fact that it is an old cpg 1.3.1)?

None needed what so ever

Kursk · « **Reply #2 on:** December 25, 2006, 07:21:20 pm »

Quote from: Tarique Sani on December 25, 2006, 09:53:50 am

None needed what so ever

Thanks. I take it to mean once it's updated to cpg1.4.10 (which I did last night) I don't need to be worried anymore?

Joachim Müller · « **Reply #3 on:** December 25, 2006, 08:04:17 pm »

Check for existing backdoors. Upgrading doesn't remove existing backdoors, it just protects you from falling victim to new ones.

Kursk · « **Reply #4 on:** December 25, 2006, 08:17:58 pm »

albums/userpics is the only directory I was able to find that contained a php mailer. Any other possible locations?

Joachim Müller · « **Reply #5 on:** December 26, 2006, 02:36:59 am »

If the attacker managed to place any PHP script on your server he might have infected your entire webspace. Therefor, possible locations are: the entire webspace.
Please keep in mind that cpg1.3.x goes unsupported. Your issue comes from failing to upgrade in time (while there still was support).

Kursk · « **Reply #6 on:** December 26, 2006, 03:57:18 am »

I see your point. CPG has been updated to 1.4.10 as soon as I've discovered the hole. The rest of the webspace besides CPG is the latest Joomla! release (no bridge.)

Userpics seems logical at it allows for a user upload. My fault not keeping up-to-date on the CPG and doing something that allowed for the upload of files other than what should have been uploaded. My question was more along the lines of any similarity to userpics apparent vulnerability (in my case of course, as I'm not generalizing here.)

Stramm · « **Reply #7 on:** December 26, 2006, 07:34:40 am »

as already said... if an attacker was able to upload a malicious script, then he's able to place it everywhere in your webspace. He can use this script to load other scripts ... do not only search in the albums dir.

Joachim Müller · « **Reply #8 on:** December 26, 2006, 10:09:10 am »

This is what you need to do: download all files that reside on your webspace to a folder on your hard-drive. Then use a diff viewer like WinMerge to compare all files, making sure that all code files do not differ between the forensic backup folder you just downloaded and the original sources you uploaded in the the first place. Using the diff viewer, make sure that there are no surplus executable scripts on the forensic backup folder.

Kursk · « **Reply #9 on:** December 26, 2006, 09:16:12 pm »

Thank you all.

News:

Author Topic: PHP Bulk Emailer in my userpic directory (Read 26617 times)

Kursk

PHP Bulk Emailer in my userpic directory

Tarique Sani

Re: PHP Bulk Emailer in my userpic directory

Kursk

Re: PHP Bulk Emailer in my userpic directory

Joachim Müller

Re: PHP Bulk Emailer in my userpic directory

Kursk

Re: PHP Bulk Emailer in my userpic directory

Joachim Müller

Re: PHP Bulk Emailer in my userpic directory

Kursk

Re: PHP Bulk Emailer in my userpic directory

Stramm

Re: PHP Bulk Emailer in my userpic directory

Joachim Müller

Re: PHP Bulk Emailer in my userpic directory

Kursk

Re: PHP Bulk Emailer in my userpic directory