This may not have anything to do with any weakness in Habari.  But it
did happen in the domain where I maintain my Habari installation.
(And I'm sending this email prematurely, I'm sure.)

My webserver is on a shared server at Dreamhost. I'm running Habari
0.7.1.

I have the domain http://david.dlma.com redirect to http://david.dlma.com/habari
in a plaintext PHP file.  Then today I noticed that, some days ago, my
simple redirect had turned into an eval( (gzinflate(base64_decode( ... ) ) )
string.

It looked like the contents of this file:
http://david.dlma.com/index.php_with_weird_eval_statement.txt, except
I replaced the eval with an echo statement.

Following the clues, I've got a subdirectory filled with a storefront
that sells cialis with malign php code all around.

$ ls -al
total 124
drwxr-xr-x 2 user pg844184 4096 2011-10-09 15:59 .
drwxr-xr-x 6 user pg844184 4096 2009-08-08 02:14 ..
-rw-r--r-- 1 user pg844184 8609 2011-09-27 21:19 345e2d4c5075dc599ad78c29682042f0
-rw-r--r-- 1 user pg844184 8119 2011-09-27 21:19 3ec3771ca32c4a6a5e040a4741016233
-rw-r--r-- 1 user pg844184 4456 2011-09-27 11:20 4evs8e3ear56e3f6ba4c5721d403e.php
... (some more, without the .php extension) ...
-rw-r--r-- 1 user pg844184  104 2009-08-08 02:14 index.php

It's probably just me, but you may want to check for eval calls where
you didn't expect them.

Luckily (or not), the storefront installed on my system was put into a
subdirectory that I protected with a .htaccess authentication.  So I
don't think anybody saw the fake drugstore anyway.

Sorry if this actually had nothing to do with Habari.  I don't know
enough about intrusions like this to be sure.  I'm off to delete
obviously infected files.

-- 
To post to this group, send email to habari-users@googlegroups.com
To unsubscribe from this group, send email to 
habari-users-unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/habari-users

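The poster's advice to "check for eval calls where you didn't expect them" can be turned into a repeatable triage step. The script below is an added example, not part of the original post and not Habari code: it walks a PHP tree looking for the eval( (gzinflate(base64_decode( ... ))) wrapper described above and for the 32-hex-character file names seen in the listing, and it unwraps the payload statically (the same idea as replacing eval with echo, but without ever handing the blob to the PHP interpreter). Everything it scans is a constructed fixture built inside a temporary directory; the stage-two body, the "clean" redirect file and the store/ subdirectory are invented for the demo, and one file name is copied from the ls output above. It assumes only Python 3 and the standard library.

```python
"""Static triage of a PHP tree for obfuscated eval() injections.

Added example, not part of the Habari project. Finds the
eval(gzinflate(base64_decode(...))) style wrapper from the post and the
32-hex-char file names from the listing, and decodes the payload without
executing it. All inputs are constructed fixtures.
"""
import base64
import os
import re
import tempfile
import zlib

DECODER_NAMES = r"gzinflate|gzuncompress|base64_decode|str_rot13|strrev"

# eval( followed by one or more nested decoder calls and a quoted literal.
EVAL_CHAIN = re.compile(
    r"\beval\s*\(\s*(?P<chain>(?:\(?\s*(?:" + DECODER_NAMES + r")\s*\(\s*)+)"
    r"['\"](?P<blob>[^'\"]+)['\"]",
    re.IGNORECASE | re.DOTALL,
)
CHAIN_FUNCS = re.compile(DECODER_NAMES, re.IGNORECASE)
HASH_NAME = re.compile(r"^[0-9a-f]{32}$")  # e.g. 345e2d4c5075dc599ad78c29682042f0
MAX_LAYERS = 8  # stop runaway nesting; attackers stack several wrappers


def _rot13(data: bytes) -> bytes:
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:
            out.append((b - 65 + 13) % 26 + 65)
        elif 97 <= b <= 122:
            out.append((b - 97 + 13) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


# Pure-Python equivalents of the PHP decoders; none of them run code.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda d: zlib.decompress(d, -15),  # raw DEFLATE, as in PHP
    "gzuncompress": zlib.decompress,                 # zlib-wrapped stream
    "str_rot13": _rot13,
    "strrev": lambda d: d[::-1],
}


def unwrap_payload(src: bytes, max_layers: int = MAX_LAYERS):
    """Return (decoded_bytes, layers). Each layer lists the decoder chain
    found, outermost first. Stops when no eval()/decoder wrapper remains."""
    layers = []
    current = src
    for _ in range(max_layers):
        m = EVAL_CHAIN.search(current.decode("latin-1"))
        if not m:
            break
        funcs = [f.lower() for f in CHAIN_FUNCS.findall(m.group("chain"))]
        data = m.group("blob").encode("latin-1")
        for name in reversed(funcs):  # innermost decoder runs first
            data = DECODERS[name](data)
        layers.append(funcs)
        current = data
    return current, layers


def scan_tree(root: str):
    """Return sorted (relative_path, reason) pairs for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if HASH_NAME.match(name):
                findings.append((rel, "32-hex-char filename"))
            with open(path, "rb") as fh:
                src = fh.read()
            if EVAL_CHAIN.search(src.decode("latin-1")):
                findings.append((rel, "eval() over decoder chain"))
    return sorted(findings)


def obfuscate(php_body: bytes) -> bytes:
    """Build the same wrapper seen in the post, to create a test fixture."""
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(php_body) + comp.flush()
    blob = base64.b64encode(deflated)
    return b"<?php eval( (gzinflate(base64_decode('" + blob + b"'))) ); ?>"


STAGE2 = b'<?php echo "stage2"; ?>'  # constructed stand-in for the real payload


def run_demo():
    """Build a constructed tree, scan it, and statically unwrap index.php."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "store"))
        with open(os.path.join(root, "index.php"), "wb") as fh:
            fh.write(obfuscate(obfuscate(STAGE2)))  # two stacked wrappers
        # File name taken from the ls listing; contents are constructed.
        with open(os.path.join(root, "store",
                               "345e2d4c5075dc599ad78c29682042f0"), "wb") as fh:
            fh.write(b"<?php echo 'cheap pills'; ?>")
        with open(os.path.join(root, "clean.php"), "wb") as fh:
            fh.write(b"<?php header('Location: /habari/'); ?>")
        findings = scan_tree(root)
        with open(os.path.join(root, "index.php"), "rb") as fh:
            decoded, layers = unwrap_payload(fh.read())
    return findings, decoded, layers


if __name__ == "__main__":
    for rel, why in run_demo()[0]:
        print(f"{why:28} {rel}")
```

On a shared host you would point scan_tree at the web root rather than at the fixture, and treat the decoded output as evidence to read, never as code to run; a match on the wrapper alone is enough reason to restore the file from a known-good copy and rotate the site's credentials.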