Possible Exploit?
Oct 12 2008, 05:21 PM
Post #1
Newbie Group: Members Posts: 6 Joined: 12-September 08 Member No.: 87
My server has been under attack lately. A file that the hackers are using is /cowadmin/cowedit/cowedit/class.cowedit.php
Has anyone else had problems with that?

Oct 12 2008, 06:36 PM
Post #2
Advanced Member Group: Members Posts: 100 Joined: 7-July 08 From: Athens, Greece Member No.: 41
Nothing wrong with any of my servers that use that file... can you give us any report from your server?

Oct 13 2008, 12:01 AM
Post #3
Newbie Group: Members Posts: 6 Joined: 12-September 08 Member No.: 87
There are hundreds of requests to the file with a lot of different IP addresses..
I renamed that file so it couldn't be accessed and the attacks have quit.. I submitted a ticket, but they said there were no problems with the script. I don't know if they even checked it.
Here's a line from my error log:
[Sun Oct 12 10:03:15 2008] [error] [client 60.49.71.24] script '/home/*USERNAME*/public_html/cowadmin/cowedit/cowedit/class.cowedit.php' not found or unable to stat
When they were running attacks, I saw in the current running process they were running the script and adding something like:
?todo=insertfunc
to the end of "class.cowedit.php"
If the file wasn't encrypted, I could check it myself...
All I know is that file was directly accessed by a wide range of IPs around the world that shouldn't have any business visiting this LOCAL news website. And when I renamed the file, the attacks stopped.
My dedicated server was crashed multiple times because of the attack. It's located at The Planet.
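
The pattern described in the post above (one script requested from many unrelated addresses) can be pulled out of an Apache error log as follows. This is an added example, not part of the original thread: the sample lines are constructed, use documentation-range IP addresses and the placeholder username USERNAME, and the `min_clients` threshold is an assumption.

```python
import re
from collections import defaultdict

# Apache error-log entry for a request to a missing script, in the
# format of the line quoted in the post above.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] "
    r"script '(?P<path>[^']+)' not found or unable to stat"
)

# Constructed sample input: documentation-range IPs, placeholder username.
COWEDIT = "/home/USERNAME/public_html/cowadmin/cowedit/cowedit/class.cowedit.php"
SAMPLE_LOG = "\n".join([
    f"[Sun Oct 12 10:03:15 2008] [error] [client 192.0.2.10] script '{COWEDIT}' not found or unable to stat",
    f"[Sun Oct 12 10:03:16 2008] [error] [client 198.51.100.7] script '{COWEDIT}' not found or unable to stat",
    f"[Sun Oct 12 10:03:16 2008] [error] [client 203.0.113.45] script '{COWEDIT}' not found or unable to stat",
    f"[Sun Oct 12 10:03:19 2008] [error] [client 192.0.2.10] script '{COWEDIT}' not found or unable to stat",
    "[Sun Oct 12 10:04:02 2008] [error] [client 192.0.2.99] script '/home/USERNAME/public_html/old.php' not found or unable to stat",
    "[Sun Oct 12 10:04:05 2008] [error] [client 192.0.2.99] File does not exist: /home/USERNAME/public_html/favicon.ico",
])


def summarize(log_text):
    """Map each missing script path to its hit count and set of client IPs."""
    stats = defaultdict(lambda: {"hits": 0, "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # other error types are out of scope here
        entry = stats[m.group("path")]
        entry["hits"] += 1
        entry["clients"].add(m.group("ip"))
    return dict(stats)


def widely_probed(stats, min_clients=3):
    """Return (path, hits, distinct_clients) rows for scripts requested by
    at least min_clients different addresses, most widely probed first."""
    rows = [(path, s["hits"], len(s["clients"]))
            for path, s in stats.items() if len(s["clients"]) >= min_clients]
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for path, hits, clients in widely_probed(summarize(SAMPLE_LOG)):
        print(f"{clients} distinct clients, {hits} requests: {path}")
```

The "not found or unable to stat" entries only appear once the script has been renamed or removed, as in the post; before that, the same requests show up in the access log instead.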

Oct 13 2008, 09:49 PM
Post #4
Advanced Member Group: Root Admin Posts: 107 Joined: 29-May 08 From: Planet Earth :-) Member No.: 3
Secure your box with mod_sec
Disable a few dangerous functions in php.ini
In extreme case let a firewall block IP on failed mod_sec errors (406)
All these are same old fellas trying to upload php shell scripts (c99 or its variants) by renaming to id.txt or some other random name
--------------------
Cheers
Carl Rawlins

Oct 14 2008, 01:03 AM
Post #5
Advanced Member Group: Members Posts: 100 Joined: 7-July 08 From: Athens, Greece Member No.: 41
phpcow released today an important update...
I think I should thank you personally for spotting and speaking out about it Aaron.

Oct 14 2008, 01:24 AM
Post #6
Newbie Group: Members Posts: 6 Joined: 12-September 08 Member No.: 87
Thanks for the tip Carl, I'll try that.
How do you know there is an update? When I check for updates, I get this error:
Warning: fsockopen() [function.fsockopen]: unable to connect to 66.45.232.62:80 (Connection timed out) in /home/*user*/public_html/cowadmin/lib/googlemanager.class.php on line 1352

Oct 14 2008, 11:12 AM
Post #7
Advanced Member Group: Members Posts: 100 Joined: 7-July 08 From: Athens, Greece Member No.: 41
In some websites that I have it used to bring that up... now it doesn't.
There is an update that changes that. Wait for a day, as I was told, there is going to be a release of big support updates. Check your mail...

Oct 14 2008, 07:39 PM
Post #8
Newbie Group: Members Posts: 6 Joined: 12-September 08 Member No.: 87
Okay, I'm thinking the email that was used to purchase phpcow may have changed.. I can't remember.. So hopefully they'll fix the "check updates" thing.
Thanks.

Nov 20 2008, 09:06 AM
Post #9
Advanced Member Group: Administrators Posts: 42 Joined: 4-June 08 Member No.: 4
cowedit/class.cowedit.php file is over 2 years old. It should not be there if you're using PHPCow Version2 with patch of at least 2006 August date.
All of you with legal license are safe.