e107.org :: Forums :: Miscellaneous :: General Discussion
UDP Attack
pete c
Mon Jun 28 2010, 05:52PM
Registered Member #55831
Joined: Mon May 03 2010, 03:58PM
Location:
Posts: 7
Hi,

After several weeks' hard work, I finally completed my website today (although it has been published for some time), but this evening I got the following mail from my web hosts, and I'm stuffed, as, to be honest, I'm not that hot on the technicalities.

I've looked through the various threads in this forum, and to be honest they mean absolutely nothing to me.

Before I ditch my whole site, is there an easy way to explain the problem and how to rectify it ? I'm using the latest version of e107 by the way.

Any help would be greatly appreciated

regards,

Pete

Account suspended for high load caused by a UDP attack on a foreign server. We have investigated and found that your account has been compromised by an attacker who has placed malware in your account.
This malware has then been used to attack a foreign server. Please make a full audit of all scripts you have installed to find out which have been compromised, and reinstall those from a clean, known source. Please also keep in mind to always keep 3rd-party software up to date to minimize the risk of security issues as much as possible.
Hint: We have recently seen many compromised e107 installations, so if you do have this software installed this should be the first place to look.

39329 32157 0.0 0.0 27088 292 ? S 12:41 0:00 /usr/local/apache/bin/httpd -DSSL
39329 32194 0.0 0.0 27084 856 ? S 12:41 0:07 /usr/local/apache/bin/httpd -DSSL

Brad R
Mon Jun 28 2010, 07:08PM
Registered Member #18939
Joined: Tue Jun 28 2005, 05:48PM
Location: Ontario, Canada
Posts: 197
UDP is a kind of request that's sent over the Internet. Basically they're saying that your website is being used to launch something like a denial-of-service attack, by sending large numbers of UDP packets from your account.

This means that someone nasty has managed to install a script (e.g. a PHP file) on your account. That script runs on your web server, the same as e107 does, but instead of generating web pages it is sending UDP packets.

The connection to e107 is that e107 versions prior to 0.7.22 have a security flaw, which will let someone plant a PHP file on your account. And once they can do that, they can run their own scripts to let them add more files to your account, and basically do anything they want with your account.

There are no known security holes in 0.7.22. But there are other ways that baddies can sneak their scripts into your account. What you need to do first is to find and remove the foreign scripts. If your account weren't suspended, you could use e107's file inspector to find corrupted or suspicious files. Since that's probably not an option, I'd suggest using whatever tool your host provides to back up your MySQL database. Then delete all the files from your host account, and reinstall e107 and any custom files. (You do have a backup, right?) Then restore the database.

You might be able to simply reinstall the e107 files without needing to restore the database. But be sure you back up the database first, whatever you do.
pete c
Mon Jun 28 2010, 11:07PM
Registered Member #55831
Joined: Mon May 03 2010, 03:58PM
Location:
Posts: 7
Brad,

Thx very much mate, that explains things fairly straightforwardly. At least I have some idea where to start.
Nowwhat
Tue Jun 29 2010, 01:33AM

Registered Member #38024
Joined: Thu Jul 05 2007, 02:08PM
Location: Lost in the south of France
Posts: 1208
Member Of The e107 Support Team
"pete c", as Brad R said, your server has received some code from 'strangers' that can be used to attack other servers (like the DoS attacks many e107 sites have received over the last several days).

Getting back your site as Brad R said is one thing, finding and learning to read your server logs (web access and error logs) is another.

They will show you when someone tries to upload a file (php or other script) that will be used to control your server: it will become a Zombie with this code.

As a webadmin you should harden your code so that you really control who can put what file on your server.
Just assuming that a BMP file is a BMP image file because the extension is BMP isn't enough. (Same goes for ZIP, JPG, PNG, PDF, etc.)
Never ever let people upload PHP or other script files to your site.
NEVER.

You'll find many examples on the net about how to control this.

The processes that your host showed you were active attacks to other sites.




Knowing where you are helps if you want to know where to go.
str82u
Tue Jun 29 2010, 02:44AM

Registered Member #55555
Joined: Fri Apr 09 2010, 08:47PM
Location:
Posts: 116
My 0.7.19 got hit up with "mama casper" and don't know much more than someone out there is still trying to hit my contact.php file that doesn't exist anymore. The tech at Hostgator saw it happen and said "Neat". It happened (ok, being honest) 4 times before step 2.

Step 2. I "updated" the backup files and left out contact of course.
Step 3. Deleted the entire account from WHM, then added it back as a new account.
Step 4. Uploaded files, did the dBase and everything from a little stale backup; a hassle.

That site doesn't even use the file!

So all my other e107s ditched it now. That's all I have to say about that.

I hate doing it but banning IPs is a little excessive to me, is it?

Stop me if you've heard this one...please.
nlstart
Tue Jun 29 2010, 03:20AM

Registered Member #29855
Joined: Fri Aug 18 2006, 03:12AM
Location:
Posts: 4239
The e107 developers do their utmost to keep the e107 core programs as safe as possible. However, third-party plugins might not be as safe; hence it is possible to open 'the back door' by installing third-party plugins.
Unfortunately, here at e107 we do not have a mechanism to indicate whether a plugin is safe or not; that requires a manual code review by somebody with knowledge of that. Bottom line: only use third-party plugins you trust.

nlstart plugins: YourFirstPlugin | EasyShop | Locator | ShowMyIP | Poker | FlickrFeed | EasyBackup | EasyDBtool | e107_Quiz | News scroller | Slideshow | BanHelper | EasyGallery | EasyHours
Nowwhat
Tue Jun 29 2010, 03:26AM

Registered Member #38024
Joined: Thu Jul 05 2007, 02:08PM
Location: Lost in the south of France
Posts: 1208
Member Of The e107 Support Team
Euh,
Who is WHM ?
What is a "mama casper" ?

I presume, when you talk about "uploaded files" that you updated to 0.7.22.

Your site doesn't use what file ?

IP banning isn't excessive - sometimes it's that or your host will put your site to a halt because it consumes too many CPU cycles.

Don't use the e107 'ban IP' function to do so - you should deal with IPs elsewhere, like in the .htaccess file, or, if you have access to it, the Apache settings, or, better yet, the firewall.


edit: Humm, reading nlstart's message gives me some indications

[ Edited Tue Jun 29 2010, 03:29AM ]

str82u
Tue Jun 29 2010, 01:24PM

Registered Member #55555
Joined: Fri Apr 09 2010, 08:47PM
Location:
Posts: 116
Nowwhat wrote ...

Who is WHM ?

WHM is Web Host Manager that comes with reseller hosting. It creates the accounts with cPanels. I manage a lot of domains and each has an IP address and cPanel account of its own. So to make sure no files were left behind I deleted the entire hosting account and re-added it (like moving from one host to another), then attached my dedicated IP address for that site.
Nowwhat wrote ...

Your site doesn't use what file ?

That site doesn't use the contact.php file, that is the file that is being attacked by "Mama Casper".
Nowwhat wrote ...

What is a "mama casper" ?

"Casper" is the name of (one of?) the bot/virus/hack that is attacking the vulnerability in older e107 versions. Right now I'm blocking 24 IP addresses since that last post. They show up now as "client denied by server configuration: /home/faldn/public_html/contact.php" but my decision is based on: anything that is trying to load the same file 6 times in a second is bad. If it comes back again it's really bad. All the IPs I banned are outside the U.S.
Nowwhat wrote ...

IP banning isn't excessive - sometimes it's that or your host will put your site to a halt because it consumes too many CPU cycles.

Don't use the e107 'ban IP' function to do so - you should deal with IPs elsewhere, like in the .htaccess file, or, if you have access to it, the Apache settings, or, better yet, the firewall.

My ip bans are through cPanel. You're right, I don't want to take any chances.
Nowwhat wrote ...

I presume, when you talk about "uploaded files" that you updated to 0.7.22.


My fix meant not uploading the file being attacked. I also wanted to ensure I got the new files in place before more attempts were made, you could tell it wasn't going to stop right away. This procedure is no different than updating the files on the server, I simply merged the update with the site backup (extracted) and manually uploaded through FTP.

Sorry these were long winded but if someone else puts it off and needs a solution, there might be an answer in here. I was putting it off because of SERPs.

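The two pieces of advice above, as one added example (not code from either poster): Nowwhat's point that the logs show when someone is trying to plant or use a file, and that blocking belongs in .htaccess or the firewall rather than in e107's own ban list; and str82u's rule that the same file fetched six times in a second from one address is a scanner. The script parses Apache combined-format log lines, finds addresses that exceed a hit count within a sliding window, separately lists successful requests for scripts under directories that should only hold uploads, and emits Apache 2.2 .htaccess and iptables rules. The log lines are constructed, and the thresholds and the list of upload directories are assumptions, not e107 defaults.

```python
"""Read an Apache access log for scanner bursts and for scripts executed from
upload directories, and emit block rules for .htaccess and the firewall.

Added example; the log lines are constructed, and the thresholds and the
upload-directory list are assumptions, not e107 defaults.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format: ip ident user [time] "method path proto" status size "ref" "ua"
LOG_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one address hammers contact.php six times in one second and
# later POSTs to a script sitting in the image cache; two others browse normally.
_BURST = '203.0.113.7 - - [29/Jun/2010:02:44:01 +0200] "GET /contact.php HTTP/1.1" 200 4211 "-" "Mozilla/4.0"'
SAMPLE_LOG = [_BURST] * 6 + [
    '198.51.100.4 - - [29/Jun/2010:02:44:03 +0200] "GET /contact.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [29/Jun/2010:02:44:07 +0200] "GET /contact.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [29/Jun/2010:02:44:09 +0200] "GET /news.php HTTP/1.1" 200 9812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [29/Jun/2010:02:44:15 +0200] "POST /e107_images/cache/.x.php HTTP/1.1" 200 18 "-" "Mozilla/4.0"',
]


def parse(lines):
    """Yield (ip, timestamp, method, path, status); lines that do not parse are skipped."""
    for line in lines:
        m = LOG_RX.match(line)
        if m:
            yield (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
                   m.group("method"), m.group("path"), int(m.group("status")))


def find_bursts(lines, path_pattern, max_hits, window_seconds):
    """IP -> peak number of requests for paths matching path_pattern inside any
    window of window_seconds, for the IPs whose peak exceeds max_hits."""
    rx = re.compile(path_pattern)
    stamps = defaultdict(list)
    for ip, ts, _method, path, _status in parse(lines):
        if rx.search(path):
            stamps[ip].append(ts)
    offenders = {}
    for ip, times in stamps.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_hits:
            offenders[ip] = peak
    return offenders


def script_hits_in_upload_dirs(lines, upload_dirs):
    """(ip, path) for successful requests that ran a script under a directory
    meant only for uploaded content, i.e. a dropped file being used.
    upload_dirs is an assumed list for this example, not e107's own."""
    prefixes = tuple(d.lower() for d in upload_dirs)
    hits = []
    for ip, _ts, _method, path, status in parse(lines):
        base = path.split("?", 1)[0].lower()
        if status == 200 and base.startswith(prefixes) and base.rsplit(".", 1)[-1] in ("php", "phtml"):
            hits.append((ip, base))
    return hits


def htaccess_rules(ips):
    """Apache 2.2 mod_authz_host syntax, the form used in a .htaccess of this era."""
    lines = ["Order Allow,Deny", "Allow from all"] + ["Deny from " + ip for ip in sorted(ips)]
    return "\n".join(lines) + "\n"


def iptables_rules(ips):
    """Host firewall drop; needs root, so only where you own the box."""
    return "".join("iptables -I INPUT -s %s -j DROP\n" % ip for ip in sorted(ips))


if __name__ == "__main__":
    bad = set(find_bursts(SAMPLE_LOG, r"^/contact\.php", max_hits=5, window_seconds=1.0))
    bad |= {ip for ip, _ in script_hits_in_upload_dirs(SAMPLE_LOG, ("/e107_images/", "/e107_files/public/"))}
    print(htaccess_rules(bad))
    print(iptables_rules(bad))
```

On Apache 2.4 the .htaccess form becomes a Require block (Require all granted followed by Require not ip for each address). Whichever layer you block at, the log check is the part worth keeping: a POST to a script in an image cache that returns 200 is the host's "malware placed in your account" seen from your side.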
C6Dave
Tue Jun 29 2010, 04:58PM
AKA 2dopey

Registered Member #9506
Joined: Sat Jul 31 2004, 02:57AM
Location: North East UK
Posts: 9298
Have a read through of this thread [link] and block the search in .htaccess

"The irony of the Information Age is that it has given new respectability to uninformed opinion" - John Lawton 1995
pete c
Wed Jun 30 2010, 08:18AM
Registered Member #55831
Joined: Mon May 03 2010, 03:58PM
Location:
Posts: 7
Well, this topic brought a lot of replies, and there's loads of other similar threads, which means I'm just as confused as ever.

However, they all seem to point to other people/bots having access to the site, which I suppose is what a CMS is intended for.

I Suppose I could go back to using a grotty html web builder, but I like e107.

So............would continuing to use e107, but not using plugins such as guestbook, not allowing member registrations, deleting contact.php (ie: not allowing anything which requires input) stop the possibility of these attacks ?

C6Dave
Thu Jul 01 2010, 06:48AM
AKA 2dopey

Registered Member #9506
Joined: Sat Jul 31 2004, 02:57AM
Location: North East UK
Posts: 9298
Most of the problems come from a limited area, so update your site's .htaccess file as per the wiki [link].

Most sites BTW are still alive and kicking using plugins, with members including new ones; you just need to think about making your site as secure as possible [link].

Brad R
Thu Jul 01 2010, 07:08AM
Registered Member #18939
Joined: Tue Jun 28 2005, 05:48PM
Location: Ontario, Canada
Posts: 197
No, a CMS is not intended to let crackers or bots have access to your site.

For perspective: I've been using e107 about 5 years. During that time we've been "successfully" attacked three times. Two of those attacks were SQL injection attacks, which meant they could add stuff to the database -- and all they did with that power was to hijack the front page of the site to inject their own content. Cleaning up was as simple as closing the hole (in both cases, an outdated third-party plugin) and deleting their content from the database.

The third attack resulted from the 0.7.20 vulnerability, and we were lucky because the amateur who cracked it left obvious traces (like deleting our main page) and we were able to remove the files he added quickly, then upgrade to 0.7.21 (and then 0.7.22).

So if you want to keep using e107, here's what I'd suggest:
1. You MUST keep your e107 up to date with the latest version. Subscribe to the notification mailing list.
2. Core plugins are safe to use as long as you're up to date.
3. Third-party plugins may not get security fixes as quickly, and may not have notification lists. If you're going to use them, visit regularly to see if an update has been released, and install promptly.
4. In my experience, member registrations are not a problem as long as you place some restriction on them -- either email verification or admin approval.
5. Follow the instructions in the wiki for hardening your site [link].
6. Use the file inspector regularly (say, weekly) to check for corrupted core files and for non-core files.

BTW, someone has posted instructions about how to rebuild e107 from scratch while keeping your existing database [link]. Again I advise, before doing this take a complete backup of your database.