Critical Update Email
not received

Version: 4.1.49
Critical Update Email
babrees
Expert

Usergroup: Customer
Joined: Aug 19, 2005
Location: England
Total Topics: 312
Total Posts: 1032
Posted 06/25/08 - 01:06 AM:
#1
When upgrading a site to 4.1.49 it stated "Critical update (see email notice)", however I have never received such an email.

Did it have something in that I must see, other than telling me I must do an upgrade?
david
Forum Regular

Usergroup: Customer
Joined: Jun 22, 2005
Total Topics: 88
Total Posts: 304
Posted 06/25/08 - 02:03 AM:
#2
Hi babrees,

It was related to a security issue in the latest version, where somebody could upload malicious code via an avatar. I suggest you upgrade.

David
babrees
Expert

Usergroup: Customer
Joined: Aug 19, 2005
Location: England
Total Topics: 312
Total Posts: 1032
Posted 06/25/08 - 03:26 AM:
#3
Thanks David - I did upgrade. Just wondered if there was anything else I should know.
Paul
Administrator

Usergroup: Administrator
Joined: Dec 21, 2001
Location: Northern California
Total Topics: 57
Total Posts: 6312
Posted 06/25/08 - 03:35 AM:
#4
I believe it's still going out; there are so many people and so few page views that it takes a long time. Text:

There's a new and already widespread exploit in WSN. It's a bit clever, but basically it involves uploading an avatar which contains text and then using the custom templates system to load and execute that avatar's text as PHP to download a shell with which they can take full control. All they *appear* to be doing with that full control is editing wrapper templates to insert javascript just below the body tag.

This javascript infects your visitors who use certain vulnerable web browsers, of which Internet Explorer 6 is confirmed to be one.

To de-infect, please follow these steps for each WSN installation you have:
1) Remove the above javascript from your wrapper template.
2) Check for a file named threaduser.php (in the base WSN directory) and delete it. This isn't a WSN file, it's created by the hacker.
3) Upgrade to the latest release.

You may want to run a virus scan on your computer in case you've used a vulnerable browser.

To prevent this from happening again, custom templates are no longer allowed to specify directory paths and avatar file names are no longer visible. As a preemptive precaution, since so many exploits for so many scripts rely on variations of the tactic, URLs can no longer be embedded within query strings.


Further update: one infected person has said she doesn't have a threaduser.php, which unfortunately must mean the hacker uses different file names on different sites in order to make it impossible to give generic deinfection instructions. If you find the javascript in the wrapper then they must have a file somewhere on your site from which they control your site, but they've given it some other name, and you'll need to find it -- the easy way being to ask your host to help. They encrypted the file to make it hard to search for text from too, but you could search for base64_decode if you can figure out how to search text across the site... I suppose it'd be a recursive grep in a shell.

Edit: Actually she doesn't seem to have any newish members with avatars, so it's possible they found some completely different vector of attack.

Edited by Paul on 06/25/08 - 03:50 AM

"Do things you love doing, because then it ain't work. Don't do something you don't really enjoy, because you're never going to work hard enough at it." - Bob Young, founder of Red Hat
Paul
Administrator

Usergroup: Administrator
Joined: Dec 21, 2001
Location: Northern California
Total Topics: 57
Total Posts: 6312
Posted 06/25/08 - 01:34 PM:
#5
They've named it settings.php (in the base directory, not /classes/) in at least one case now. They've also moved the javascript to the bottom of the wrapper in order to evade the instructions.

The only way to find it is to search the text of your entire site for "D0X.de ...PHP-Script Encoder".

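The de-infection steps in post #4 and the "search the text of your entire site" advice in post #5 amount to a sweep of the web root for a few indicators. The script below is an added example written for this thread, not WSN's own code: it checks for the dropped file names Paul mentions (threaduser.php, and settings.php in the base directory rather than /classes/), greps every file for the "D0X.de ...PHP-Script Encoder" string, and lists PHP files that call base64_decode for manual review. It assumes a POSIX shell with grep, find and mktemp; the demo tree it builds is constructed sample data.

```shell
#!/bin/sh
# wsn_scan WEBROOT
# Prints one "<kind>: <path>" line per indicator found in a WSN web root:
#   dropped-file       threaduser.php or settings.php in the base directory
#                      (settings.php legitimately lives under classes/ only)
#   encoder-signature  the "D0X.de ...PHP-Script Encoder" string from post #5
#   base64-decode      PHP files calling base64_decode (review by hand; the
#                      function is also used by legitimate code)
wsn_scan() {
    root="$1"
    for name in threaduser.php settings.php; do
        if [ -f "$root/$name" ]; then
            echo "dropped-file: $root/$name"
        fi
    done
    grep -rlF 'D0X.de ...PHP-Script Encoder' "$root" 2>/dev/null \
        | sed 's/^/encoder-signature: /'
    find "$root" -name '*.php' -exec grep -lF 'base64_decode' {} + 2>/dev/null \
        | sed 's/^/base64-decode: /'
}

# wsn_hit_count WEBROOT -> number of indicator lines (0 on a clean site)
wsn_hit_count() {
    wsn_scan "$1" | grep -c . || true
}

# make_demo_root -> path of a constructed sample tree (not a real site):
# one clean file, a legitimate classes/settings.php, a stand-in dropped
# file, and a wrapper template carrying the encoder signature.
make_demo_root() {
    d=$(mktemp -d)
    mkdir -p "$d/classes" "$d/templates"
    echo '<?php $x = 1; ?>' > "$d/index.php"
    echo '<?php $cfg = array(); ?>' > "$d/classes/settings.php"
    echo '<?php eval(base64_decode($payload)); ?>' > "$d/threaduser.php"
    echo '<?php /* D0X.de ...PHP-Script Encoder */ ?>' > "$d/templates/wrapper.php"
    echo "$d"
}

# Usage: wsn_scan /path/to/wsn  (exit cleanly; review each hit by hand)
```

On a real installation only the dropped-file and encoder-signature hits are conclusive; base64-decode hits need a look at the surrounding code before deleting anything.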
© 2008 Paul Knierim. All rights reserved.