Well, there doesn't have to be shell/ftp for the person to have access to
files ;) As long as they're able to upload their own file manager through an
exploit...

Anyway, I can't think of any other possibilities. But wouldn't it be
possible to change the permissions of SMF's files when an update is needed,
and then change the permissions back to read-only? Granted, this could be
limiting and is certainly annoying, but it's better than having the forums
hacked to pieces.

On Wed, Jan 27, 2010 at 5:04 PM, Marc Weustink <m...@dommelstein.net> wrote:

> Matt Shaffer wrote:
>
>> On Wed, Jan 27, 2010 at 10:37 AM, Marc Weustink <marc.weust...@cuperus.nl> wrote:
>>
>>    The "infection" is removed. We're currently investigating where it
>>    came from.
>>    The smf forum was up to date (1.1.11). Unfortunately when restoring
>>    things, a previous index.php was used, which reports the older
>>    version. (which is the only diff of the file)
>>
>>    I fear the ease of the update process made it also possible to write
>>    new contents.
>>
>>    Marc
>>
>>  I don't see how the ease of the update process would give hackers an
>> advantage... after all, you still have to have an admin account to perform
>> that activity.
>>
>
> It requires the smf dir and file to be writable for the user the forum is
> running on. Which means that any leak can write to these files.
>
>
>  Keep in mind:
>> 1. An outdated index.php could be a possible culprit, if it had any
>> security vulnerabilities with it (although I highly doubt this)
>>
>
> Is up to date
>
>
>  2. Any mods installed may have vulnerabilities
>>
>
> We don't have many mods
>
>
>  3. If the person updating the forum to 1.1.11 ignored warning messages
>> about files not being writable, etc, there may still be an outdated file
>> with a vulnerability from 1.1.10
>>
>
> We were up to date without any warning.
>
>
>  4. SMF doesn't necessarily have to be the culprit. Exploits in other
>> software may have given the intruder file/ftp access, allowing him to change
>> any files anywhere.
>>
>
> There is no public external access to that machine. No shell, no ftp. Only
> web.
>
>
> Marc
>
> --
> _______________________________________________
> Lazarus mailing list
> Lazarus@lists.lazarus.freepascal.org
> http://lists.lazarus.freepascal.org/mailman/listinfo/lazarus
>
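
The read-only-except-during-updates idea from the top of this message, as an added sketch that is not code from the thread or from SMF. The function names and the default directory are hypothetical, and it assumes the tree is owned by the account that runs the update.

```shell
#!/bin/sh
# Added example: keep a web application tree read-only and open it
# only while an update command runs.
# FORUM_DIR is a placeholder path, not taken from the thread.
FORUM_DIR=${FORUM_DIR:-/var/www/forum}

# Print every file or directory under $1 that still has a write bit set
# for owner, group or other. Symlinks are skipped because their mode
# bits are not meaningful. Empty output means nothing is writable.
list_writable() {
    find "$1" ! -type l \( -perm -200 -o -perm -020 -o -perm -002 \) -print
}

# Remove all write bits, directories included, so existing files cannot
# be modified and new files cannot be created in the tree.
lock_tree() {
    chmod -R a-w "$1"
}

# Give the owner write access back for the duration of an update.
unlock_tree() {
    chmod -R u+w "$1"
}

# Run an update command with the tree unlocked and relock afterwards,
# even when the command fails. Returns the command's exit status.
# Usage: with_unlocked DIR COMMAND [ARGS...]
with_unlocked() {
    dir=$1
    shift
    unlock_tree "$dir"
    "$@" && rc=0 || rc=$?
    lock_tree "$dir"
    return "$rc"
}
```

Running `list_writable "$FORUM_DIR"` from cron and alerting on any output catches a tree that was left unlocked after an update.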