Author Topic: Urgent Security Patch for album.pl  (Read 14400 times)

Offline Andrew

  • album.pl Hacker
  • ****
  • Posts: 114
  • Karma: +0/-0
  • I love YaBB 1G - SP1!
    • WHITEWATER!
Re:Urgent Security Patch for album.pl
« Reply #15 on: June 24, 2003, 23:37:01 »
Well, I just got hit... Lord's Prayer on my site's index page. That'll teach me to not pay attention!

Should have been checking back here more often.  I don't really know whether they got in via album.pl or my yabb though.

Looks like they infected the server with linux.Osf.8759 (named on server: b.1, kik, y2) a signatured telnet server, a file called inul.htm, password.txt, a log of some sort, a file called ucing txt. which lists some album pl permissions, an un-tgz'd telnet server named 'book' and a replacement of my index page.

Hope I managed to get everything.  I have made the change to the script, as described above.  

Maybe I better take you up on your offer Mike.  Which I apologize for not responding to.  Had a death in the family recently and have been sort of diverted.

Thankfully the little turds didn't screw anything up too bad... at least not that I can see.

211.9.194.185 is where the original attack came from, I believe... though it appears that several other IPs accessed the girsang.pl (telnet server) on my host.

Andrew



« Last Edit: June 25, 2003, 00:11:29 by Andrew »

Offline Mike Bobbitt

  • album.pl Author
  • Administrator
  • I Spend Too Much Time Here
  • *****
  • Posts: 3381
  • Karma: +35/-2
    • Mike's Development Archive
Re:Urgent Security Patch for album.pl
« Reply #16 on: June 25, 2003, 19:00:21 »
Man, I'm sorry to hear about both the hack and the loss. Thanks for the info, that'll help a lot when both tracking these guys down, and cleaning up for those unfortunate enough to be hit.

Looks like these guys hit a *lot* of album sites, but for the most part, were just an annoyance, not a real threat per se...

Let me know if you want a hand bringing your album up to 6.2, instead of applying the patch... I just got back from a trip, and will be out again in a couple of days, but should have some time next week...

Offline immaturity

  • album.pl User
  • *
  • Posts: 1
  • Karma: +0/-0
  • I forgot to change the default text.
Re:Urgent Security Patch for album.pl
« Reply #17 on: November 04, 2003, 16:08:14 »
Obviously, I should have been coming here to get updates so it's my own fault my old version of album.pl was hacked. I just wanted to add more information on this problem. On two of my sites album.pl was used to install psyBNC, which caused outages on the server I am on. One of my sites was suspended and I lost all of my files, the other left me with a warning that I would be denied service from that company completely if they found it again. They replaced my index file once with information on how to download the bouncer. Usually, though, I found it hidden in my tmp directory or in its own directory under various names. Once it was "Daniel" and I forget the other times. It would have a gibberish directory inside of it as well as pupet.tar.gz - I'll be updating to the newest version of album.pl right away.

Offline Mike Bobbitt

  • album.pl Author
  • Administrator
  • I Spend Too Much Time Here
  • *****
  • Posts: 3381
  • Karma: +35/-2
    • Mike's Development Archive
Re:Urgent Security Patch for album.pl
« Reply #18 on: November 06, 2003, 00:12:14 »
Damn. Sorry to hear that man... Thanks for the extra info though, I hope you didn't lose too much... :(

Offline mmedley

  • album.pl User
  • *
  • Posts: 3
  • Karma: +0/-0
  • Press what key?
Re:Urgent Security Patch for album.pl
« Reply #19 on: November 17, 2003, 08:52:07 »
Go ahead and chalk up another victim.

Fortunately my site is being hosted by a provider and they've been able to catch the malicious file before any real damage had been done.

Great tool nonetheless, just gotta keep those haXor's at bay.

Offline Mike Bobbitt

  • album.pl Author
  • Administrator
  • I Spend Too Much Time Here
  • *****
  • Posts: 3381
  • Karma: +35/-2
    • Mike's Development Archive
Re:Urgent Security Patch for album.pl
« Reply #20 on: November 17, 2003, 09:34:07 »
Yeah, they got the drop on me once, but I'm going to be much more cautious now... (Unfortunately that slows me down and takes more time to get releases out, but what can you do... :()

Sorry to hear you got hit...

Offline ljweb

  • album.pl User
  • *
  • Posts: 4
  • Karma: +0/-0
  • I didnt forget to change the default text.
    • Contemporary Music Centre
Re:Urgent Security Patch for album.pl
« Reply #21 on: January 01, 2004, 18:04:49 »

Bugger, thought my album.pl was hacked! I run the album at cmcaustralia.com (one of those listed on your home page) and discovered that bnc had found its way into my cgi-bin. The IP address that did it was 202.95.133.50.

I had to pull it down as it was the quickest thing I could do. There had already been over 200 requests for test.pl and book.pl and I caught it a couple of hours after it was done.

I'll install the latest version ASAP!

Thanks!
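Added example, not part of any post in this thread: one way a site owner could check a web server access log for requests to the dropped script names the posters report (test.pl, book.pl, girsang.pl). The Apache-style log layout, the sample lines and their documentation-range addresses are constructed assumptions.

```python
import re
from collections import Counter

# Script names reported in this thread as dropped into cgi-bin or requested.
SUSPECT_SCRIPTS = {"test.pl", "book.pl", "girsang.pl"}

# Assumed Apache common/combined layout: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines; addresses come from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2004:10:00:01 +1100] "GET /cgi-bin/album.pl?album=bands HTTP/1.0" 200 5120
198.51.100.7 - - [01/Jan/2004:10:02:13 +1100] "GET /cgi-bin/test.pl HTTP/1.0" 200 312
198.51.100.7 - - [01/Jan/2004:10:02:40 +1100] "GET /cgi-bin/book.pl?x=1 HTTP/1.0" 200 0
203.0.113.44 - - [01/Jan/2004:10:05:09 +1100] "GET /cgi-bin/Book.PL HTTP/1.0" 404 210
192.0.2.10 - - [01/Jan/2004:10:06:00 +1100] "GET /docs/notebook.pl.txt HTTP/1.0" 200 900
garbage line that does not parse
"""

def suspect_hits(lines):
    """Yield (ip, script, status) for requests whose path ends in a suspect script."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, _method, target, status = m.groups()
        path = target.split("?", 1)[0]             # drop the query string
        name = path.rsplit("/", 1)[-1].lower()     # compare the file name only
        if name in SUSPECT_SCRIPTS:
            yield ip, name, int(status)

def summarize(lines):
    """Return per-IP hit counts and the scripts answered with HTTP 200."""
    per_ip = Counter()
    served = set()
    for ip, name, status in suspect_hits(lines):
        per_ip[ip] += 1
        if status == 200:
            served.add(name)  # heuristic: a 200 suggests the file exists on disk
    return per_ip, served

if __name__ == "__main__":
    per_ip, served = summarize(SAMPLE_LOG.splitlines())
    for ip, n in per_ip.most_common():
        print(f"{ip}\t{n} request(s) for suspect scripts")
    print("answered with 200:", sorted(served))
```

A script name that appears in the 200 set is worth looking for on disk; requests that only ever return 404 indicate probing rather than a file that is present.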

Offline Mike Bobbitt

  • album.pl Author
  • Administrator
  • I Spend Too Much Time Here
  • *****
  • Posts: 3381
  • Karma: +35/-2
    • Mike's Development Archive
Re:Urgent Security Patch for album.pl
« Reply #22 on: January 02, 2004, 10:38:39 »
Sorry to hear that... I know SecurityFocus has now posted exploit code with the listing, so any script kiddie can start hacking around... :(

Offline ljweb

  • album.pl User
  • *
  • Posts: 4
  • Karma: +0/-0
  • I didnt forget to change the default text.
    • Contemporary Music Centre
Re:Urgent Security Patch for album.pl
« Reply #23 on: January 14, 2004, 04:54:42 »

So far, blacklisted IPs are:


Please feel free to add to this list.

Here's another one to add: 65.214.36.57. They've tried a couple of times to get test.pl and book.pl.