[Lilug Planning] [matnew 83875513] DreamHost Security Alert - Site Compromised (fwd)

odinson odinson at warcloud.net
Tue Dec 31 15:20:39 PST 2013


Hi Matt

 	Thanks!  I know how thankless patching can be!!  :)

Matt

On Tue, 31 Dec 2013, Matt Surico wrote:

> On 12/26/2013 11:42 AM, odinson wrote:
>> Hi Matt
>>
>> Thanks!  Let me know if I can help.
>
> Hello all
>
> So I recently checked things out and there were some modified files
> (what Dreamhost found) but nothing else that I can see. Looks like
> this happened on 8 Dec.  Dreamhost did de-activate the files, and many
> of them are either in the dev space, or don't directly affect the
> functionality of the current live wiki.
>
> Still, we need to upgrade the wiki to the latest 1.19.x version of
> MediaWiki.  We are currently at 1.19.6, and the latest is 1.19.7 (and
> includes security fixes).
>
> Patching to .7 is pretty easy.  I'll test it out on the dev site, then
> will upgrade the live site.
>
> I plan to do this in the next couple of days and will keep you posted.
>
> Cheers,
> Matt S.
>
>
>>
>> Matt
>>
>> On Thu, 26 Dec 2013, Matt Surico wrote:
>>
>> On 12/26/2013 01:28 AM, odinson wrote:
>>>>> Hi
>>>>>
>>>>> This is a stupid question, but who's our webmaster at the
>>>>> moment? Looks like lilug.org got popped again.
>>
>> Hi Matt - it's me.
>>
>> I will follow up on this.
>>
>> Thanks and regards, Matt S.
>>
>>
>>>>>
>>>>> Matt
>>>>> -------------------------------------------------------------------------------
>>>>> Matthew Newhall, M.A.Newhall at warcloud.net
>>>>> A.S. in Computer Science, SUNY Farmingdale
>>>>> President of LILUG; president at lilug.org, http://www.lilug.org
>>>>> My blog "The Civilization Gene" http://civgene.matthewnewhall.com
>>>>> Author; "Thicker Than Blood" http://www.thickerthanbloodthebook.com
>>>>> Giselle's husband, Sebastian and Maxximus's father.
>>>>> http://www.warcloud.net/~odinson/us/
>>>>> "When a well-packaged web of lies has been sold gradually to the
>>>>> masses over the generations, the truth will seem utterly
>>>>> preposterous...and its speaker a raving lunatic."
>>>>> -- Dresden James, author
>>>>> -------------------------------------------------------------------------------
>>>>>
>>>>> ---------- Forwarded message ----------
>>>>> Date: Wed, 25 Dec 2013 13:39:41 -0800 (PST)
>>>>> From: DreamHost Security Bot <secalerts at dreamhost.com>
>>>>> To: odinson at warcloud.net
>>>>> Subject: [matnew 83875513] DreamHost Security Alert - Site Compromised
>>>>>
>>>>>
>>>>> Hello,
>>>>>
>>>>> During a recent security scan we have identified that one or
>>>>> more of your hosted sites show signs of being compromised as
>>>>> they are hosting known, malicious web-based backdoors.
>>>>> Specifically, the following file(s) have been accessed by
>>>>> intruders and have been associated with unsolicited bulk
>>>>> email, denial of service or other abusive activity:
>>>>>
>>>>> We have identified the following known backdoors under your
>>>>> account:
>>>>> /home/lilug/dev.lilug.org/w-v1.12/config/wp-ecyv.php
>>>>> /home/lilug/dev.lilug.org/w/images/.inc.php
>>>>> /home/lilug/dev.lilug.org/w.20130519.backup/images/.inc.php
>>>>> /home/lilug/www.lilug.org/w-v1.12/images/.inc.php
>>>>> /home/lilug/www.lilug.org/w/images/help.php
>>>>> /home/lilug/www.lilug.org/w/images/wptheme.php
>>>>> /home/lilug/www.lilug.org/w-20130627.backup/images/.inc.php
>>>>>
>>>>>
>>>>> We have disabled the page(s) in question (via adjusting
>>>>> permissions on the files, e.g. chmod, or backing up the file
>>>>> first renaming it to "filename.INFECTED" and cleaning up the
>>>>> injected code) until you are able to address this matter.
>>>>>
>>>>> The existence of these pages on your website(s) is likely a
>>>>> sign you have been compromised. We completely empathize with
>>>>> your problem -- having a site hacked can be a frustrating and
>>>>> stressful experience but we hope that this notification helps
>>>>> prevent this matter from being a serious one. We're here to
>>>>> help but we need your assistance first as there are some
>>>>> actions we're not able to take on your behalf as they involve
>>>>> changes to software versions and files under your account. To
>>>>> that end, we highly recommend that you take the following
>>>>> steps:
>>>>>
>>>>> - Update any 3rd party software under the account, including
>>>>>   content management systems, gallery software, weblogging
>>>>>   tools, etc. Be sure to use current, secure versions and keep
>>>>>   them up-to-date.
>>>>> - Update any plugins and/or themes on your sites (Recent attacks
>>>>>   against websites have targeted vulnerable software such as
>>>>>   timthumb.php which is included in some wordpress themes,
>>>>>   separate from the core files)
>>>>> - Check your website(s) files for any signs of tampering (file
>>>>>   timestamps show recent editing) or files you did not upload
>>>>>   yourself and remove them. Looking at the reported files above
>>>>>   should give you a good starting point.
>>>>> - Check your website(s) files for any 777 directories, (e.g. a
>>>>>   directory that allows anyone on the server to write or edit the
>>>>>   files in the directory; these permissions will look like
>>>>>   rwxrwxrwx via the command line)
>>>>> - Change your FTP password(s). Be sure they are at least 8
>>>>>   characters in length and do not contain English words. Random
>>>>>   numbers and letters work best.
>>>>> - Consider enabling the StopTheHacker service in your panel.
>>>>>   Specifically consider signing up for StopTheHacker's
>>>>>   Comprehensive Malware Scanning. More info:
>>>>>   http://wiki.dreamhost.com/StopTheHacker
>>>>>
>>>>> If you have any questions, please feel free to reply to this
>>>>> email and we will be more than happy to assist you with
>>>>> securing your sites.
>>>>>
>>>>> Sincerely, The DreamHost Security team
>>>>>
>
>


-------------------------------------------------------------------------------
Matthew Newhall, M.A.Newhall at warcloud.net
A.S. in Computer Science, SUNY Farmingdale
President of LILUG;  president at lilug.org, http://www.lilug.org
My blog "The Civilization Gene" http://civgene.matthewnewhall.com
Author; "Thicker Than Blood" http://www.thickerthanbloodthebook.com
Giselle's husband, Sebastian and Maxximus's father.
http://www.warcloud.net/~odinson/us/
"If you infantilize people, you can't profess astonishment when you see
infantile behavior."
 	-- John McCardell, on age 21 drinking laws.
-------------------------------------------------------------------------------
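
The file checks recommended in the forwarded DreamHost alert (script files in the wiki's images directories, 777 directories, recently edited files, files renamed to .INFECTED), as an added example that is not part of the original thread and is not DreamHost's own tooling. WEBROOT, DAYS and the function names are assumptions; the script only reads the tree and changes nothing.

```shell
#!/bin/sh
# Added example: read-only triage for the file checks listed in the alert.
# WEBROOT, DAYS and all function names are assumptions, not DreamHost tooling.

# Script files inside any "images" directory. A wiki upload directory should
# hold media only; find's -name also matches dot-files such as .inc.php.
php_in_images() {
    find "$1" -type f -path '*/images/*' \
        \( -iname '*.php' -o -iname '*.phtml' \) 2>/dev/null | sort
}

# Directories any local user can write to (includes mode 777, "rwxrwxrwx").
world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# Files whose modification time falls within the last $2 days.
recently_modified() {
    find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# Files the host already disabled by renaming them to "filename.INFECTED".
quarantined_files() {
    find "$1" -type f -name '*.INFECTED' 2>/dev/null | sort
}

# Print every finding under a heading so the output can be reviewed or diffed.
triage() {
    root=$1
    days=${2:-30}
    echo "== PHP files under images/ =="
    php_in_images "$root"
    echo "== World-writable directories =="
    world_writable_dirs "$root"
    echo "== Files modified in the last $days days =="
    recently_modified "$root" "$days"
    echo "== Files quarantined by the host =="
    quarantined_files "$root"
}

# Run only when a web root is supplied, e.g. WEBROOT=/path/to/site sh triage.sh
if [ -n "${WEBROOT:-}" ]; then
    triage "$WEBROOT" "${DAYS:-30}"
fi
```

Modification times can be reset by whoever wrote the file, so an empty recent-files list does not clear a site; compare the tree against a clean copy of the same MediaWiki release as well.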


