Webmastersite.net
Register Log In

Critical Update Email
not received

Comments on Critical Update Email

babrees
Expert

Usergroup: Customer
Joined: Aug 19, 2005
Location: England

Total Topics: 391
Total Comments: 1303
babrees
Posted Jun 25, 2008 - 4:06 AM:

When upgrading a site to 4.1.49 it stated "Critical update (see email notice), however I have never received such an email.

Did it have something in that I must see, other than telling me I must do an upgrade?
david
Forum Regular

Usergroup: Customer
Joined: Jun 22, 2005

Total Topics: 91
Total Comments: 305
david
Posted Jun 25, 2008 - 5:03 AM:

Hi babrees,

It was related to a security issue in the latest version, where somebody could malicious code via an avatar. I suggest you upgrade. wink

David
babrees
Expert

Usergroup: Customer
Joined: Aug 19, 2005
Location: England

Total Topics: 391
Total Comments: 1303
babrees
Posted Jun 25, 2008 - 6:26 AM:

Thanks David - I did upgrade smiling face Just wondered if there was anything else I should know.
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7868
Paul
Posted Jun 25, 2008 - 6:35 AM:

I believe it's still going out, there are so many people and so few page views that it takes a long time. Text:

There's a new and already widespread exploit in WSN. It's a bit clever, but
basically it involves uploading an avatar which contains text and then using
the custom templates system to load and execute that avatar's text as PHP to
download a shell with which they can take full control. All they *appear* to
be doing with that full control is editing wrapper templates to insert
javascript just below the body tag.

This javascript infects your visitors who use certain vulnerable web
browsers, of which Internet Explorer 6 is confirmed to be one.

To de-infect, please follow these steps for each WSN installation you have:
1) Remove the above javascript from your wrapper template.
2) Check for a file named threaduser.php (in the base WSN directory) and
delete it. This isn't a WSN file, it's created by the hacker.
3) Upgrade to the latest release.

You may want to run a virus scan on your computer in case you've used a
vulnerable browser.

To prevent this from happening again, custom templates are no longer allowed
to specify directory paths and avatar file names are no longer visible. As a
preemptive precaution, since so many exploits for so many scripts rely on
variations of the tactic, URLs can no longer be embedded within query
strings.


Further update: one infected person has said she doesn't have a threaduser.php, which unfortunately must mean the hacker uses different file names on different sites in order to make it impossible to give generic deinfection instructions. If you find the javascript in the wrapper then they must have a file somewhere on your site from which they control your site, but they've given it some other name, and you'll need to find it -- the easy way being to ask your host to help. They encrypted the file to make it hard to search for text from too, but you could search for base64_decode if you can figure out how to search text across the site... I suppose it'd be a recursive grep in a shell.

Edit: Actually she doesn't seem to have any newish members with avatars, so it's possible they found some completely different vector of attack.
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7868
Paul
Posted Jun 25, 2008 - 4:34 PM:

They've named it settings.php (in the base directory, not /classes/) in at least one case now. They've also moved the javascript to the bottom of the wrapper in order to evade the instructions.

The only way to find it is to search the text of your entire site for "D0X.de ...PHP-Script Encoder".
Search thread for
Download thread as
  • 0/5
  • 1
  • 2
  • 3
  • 4
  • 5



Sorry, you don't have permission to post posts. Log in, or register if you haven't yet.