[Lilug Planning] [matnew 83875513] DreamHost Security Alert - Site Compromised (fwd)

Matt Surico surico at mail.buoy.com
Tue Dec 31 06:02:09 PST 2013


On 12/26/2013 11:42 AM, odinson wrote:
> Hi Matt
> 
> Thanks!  Let me know if I can help.

Hello all

So I recently checked things out and there were some modified files
(what Dreamhost found) but nothing else that I can see. Looks like
this happened on 8 Dec.  Dreamhost did de-activate the files, and many
of them are either in the dev space, or don't directly affect the
functionality of the current live wiki.

Still, we need to upgrade the wiki to the latest 1.19.x version of
MediaWiki.  We are currently at 1.19.6, and the latest is 1.19.7 (and
includes security fixes).

Patching to .7 is pretty easy.  I'll test it out on the dev site, then
will upgrade the live site.

I plan to do this in the next couple of days and will keep you posted.

Cheers,
Matt S.


> 
> Matt
> 
> On Thu, 26 Dec 2013, Matt Surico wrote:
> 
> On 12/26/2013 01:28 AM, odinson wrote:
>>>> Hi
>>>> 
>>>> This is a stupid question, but who's our webmaster at the
>>>> moment? Looks like lilug.org got popped again.
> 
> Hi Matt - it's me.
> 
> I will follow up on this.
> 
> Thanks and regards, Matt S.
> 
> 
>>>> 
>>>> Matt
>>>> -------------------------------------------------------------------------------
>>>> Matthew Newhall, M.A.Newhall at warcloud.net
>>>> A.S. in Computer Science, SUNY Farmingdale
>>>> President of LILUG; president at lilug.org, http://www.lilug.org
>>>> My blog "The Civilization Gene" http://civgene.matthewnewhall.com
>>>> Author; "Thicker Than Blood" http://www.thickerthanbloodthebook.com
>>>> Giselle's husband, Sebastian and Maxximus's father.
>>>> http://www.warcloud.net/~odinson/us/
>>>> "When a well-packaged web of lies has been sold gradually to the masses
>>>> over the generations, the truth will seem utterly preposterous...and its
>>>> speaker a raving lunatic." -- Dresden James, author
>>>> -------------------------------------------------------------------------------
>>>> 
>>>> ---------- Forwarded message ----------
>>>> Date: Wed, 25 Dec 2013 13:39:41 -0800 (PST)
>>>> From: DreamHost Security Bot <secalerts at dreamhost.com>
>>>> To: odinson at warcloud.net
>>>> Subject: [matnew 83875513] DreamHost Security Alert - Site Compromised
>>>> 
>>>> 
>>>> Hello,
>>>> 
>>>> During a recent security scan we have identified that one or
>>>> more of your hosted sites show signs of being compromised as
>>>> they are hosting known, malicious web-based backdoors.
>>>> Specifically, the following file(s) have been accessed by
>>>> intruders and have been associated with unsolicited bulk
>>>> email, denial of service or other abusive activity:
>>>> 
>>>> We have identified the following known backdoors under your 
>>>> account:
>>>> /home/lilug/dev.lilug.org/w-v1.12/config/wp-ecyv.php 
>>>> /home/lilug/dev.lilug.org/w/images/.inc.php 
>>>> /home/lilug/dev.lilug.org/w.20130519.backup/images/.inc.php 
>>>> /home/lilug/www.lilug.org/w-v1.12/images/.inc.php 
>>>> /home/lilug/www.lilug.org/w/images/help.php 
>>>> /home/lilug/www.lilug.org/w/images/wptheme.php 
>>>> /home/lilug/www.lilug.org/w-20130627.backup/images/.inc.php
>>>> 
>>>> 
>>>> We have disabled the page(s) in question (via adjusting
>>>> permissions on the files, e.g. chmod, or backing up the file
>>>> first renaming it to "filename.INFECTED" and cleaning up the
>>>> injected code) until you are able to address this matter.
>>>> 
>>>> The existence of these pages on your website(s) is likely a
>>>> sign you have been compromised. We completely empathize with
>>>> your problem -- having a site hacked can be a frustrating and
>>>> stressful experience but we hope that this notification helps
>>>> prevent this matter from being a serious one. We're here to
>>>> help but we need your assistance first as there are some
>>>> actions we're not able to take on your behalf as they involve
>>>> changes to software versions and files under your account. To
>>>> that end, we highly recommend that you take the following
>>>> steps:
>>>> 
>>>> - Update any 3rd party software under the account, including
>>>>   content management systems, gallery software, weblogging
>>>>   tools, etc. Be sure to use current, secure versions and keep
>>>>   them up-to-date.
>>>> - Update any plugins and/or themes on your sites (Recent attacks
>>>>   against websites have targeted vulnerable software such as
>>>>   timthumb.php which is included in some WordPress themes,
>>>>   separate from the core files)
>>>> - Check your website(s) files for any signs of tampering (file
>>>>   timestamps show recent editing) or files you did not upload
>>>>   yourself and remove them. Looking at the reported files above
>>>>   should give you a good starting point.
>>>> - Check your website(s) files for any 777 directories (e.g. a
>>>>   directory that allows anyone on the server to write or edit the
>>>>   files in the directory; these permissions will look like
>>>>   rwxrwxrwx via the command line)
>>>> - Change your FTP password(s). Be sure they are at least 8
>>>>   characters in length and do not contain English words. Random
>>>>   numbers and letters work best.
>>>> - Consider enabling the StopTheHacker service in your panel.
>>>>   Specifically consider signing up for StopTheHacker's
>>>>   Comprehensive Malware Scanning. More info:
>>>>   http://wiki.dreamhost.com/StopTheHacker
>>>> 
>>>> If you have any questions, please feel free to reply to this
>>>> email and we will be more than happy to assist you with
>>>> securing your sites.
>>>> 
>>>> Sincerely, The DreamHost Security team
>>>> 

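The checklist in the forwarded alert (PHP dropped into an upload directory such as the wiki's images/, world-writable directories, recently edited files) can be turned into a read-only audit of a web root. The script below is an added example, not DreamHost's or the list's own code; the sample tree it builds is constructed for an offline run, and WEBROOT is an assumed variable you would point at the real site.

```shell
#!/bin/sh
# Added example: report-only checks for the indicators named in the alert.
# Nothing is deleted or renamed; review each hit against your own change log.

# PHP files under an images/ or uploads/ tree. A wiki's images/ directory
# holds uploads, so any PHP there (including dot-files like .inc.php) is suspect.
find_php_in_upload_dirs() {
    find "$1" -type f \( -path '*/images/*' -o -path '*/uploads/*' \) \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null | sort
}

# Directories anyone on the server can write to (the alert's "777" case;
# -0002 also catches 757, 767 and similar modes).
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# Files modified within the last N days.
find_recently_modified() {
    find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# Constructed sample tree so the checks can be exercised offline. File names
# mirror the kinds of paths the alert reported; contents are inert placeholders.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/w/images" "$root/w/config" "$root/w/skins"
    echo 'placeholder' > "$root/w/images/.inc.php"    # hidden PHP in uploads
    echo 'placeholder' > "$root/w/images/logo.png"    # legitimate upload
    echo 'placeholder' > "$root/w/config/wp-ecyv.php" # odd name outside images/
    echo 'placeholder' > "$root/w/index.php"          # normal wiki entry point
    chmod 777 "$root/w/images"                        # world-writable upload dir
    chmod 755 "$root/w/skins"
    printf '%s\n' "$root"
}

audit_webroot() {
    echo "== PHP files under images/ or uploads/ =="; find_php_in_upload_dirs "$1"
    echo "== World-writable directories =="; find_world_writable_dirs "$1"
    echo "== Files modified in the last $2 days =="; find_recently_modified "$1" "$2"
}

# Demo run on the constructed tree; set WEBROOT to the real document root to use it.
WEBROOT="${WEBROOT:-$(build_sample_tree)}"
audit_webroot "$WEBROOT" 7
```

Note that config/wp-ecyv.php only shows up in the recent-modification list, not the upload-directory check, which is why the alert's timestamp check matters alongside the path-based one.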
