[Lilug Planning] [matnew 83875513] DreamHost Security Alert - Site Compromised (fwd)

Matt Surico surico at mail.buoy.com
Sat Jan 18 09:59:44 PST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 12/31/2013 06:20 PM, odinson wrote:
> Hi Matt
> 
> Thanks!  I know how thankless patching can be!!  :)

Hi Matt N/all

Here is an update on the patching for lilug.org.

I found that the most recent version of mediawiki was actually 1.22.x.
I looked at the requirements, and found DreamHost met them all except
for PHP5 (needs to be PHP 5.3).  As it turns out, DreamHost gives us
the opportunity to easily migrate from 5.2 to 5.3.

So I did that PHP update for the dev site, then I did the upgrade from
1.19.6 -> 1.22.1.  That worked fine.  Let that run for several days.
No issues.

I have just upgraded lilug.org ("production") to PHP 5.3 and mediawiki
1.22.1.  All seems fine there too.

I think we're good for a while :-)

Cheers,
Matt S.


> 
> Matt
> 
> On Tue, 31 Dec 2013, Matt Surico wrote:
> 
> On 12/26/2013 11:42 AM, odinson wrote:
>>>> Hi Matt
>>>> 
>>>> Thanks!  Let me know if I can help.
> 
> Hello all
> 
> So I recently checked things out and there were some modified
> files (what Dreamhost found) but nothing else that I can see. Looks
> like this happened on 8 Dec.  Dreamhost did de-activate the files,
> and many of them are either in the dev space, or don't directly
> affect the functionality of the current live wiki.
> 
> Still, we need to upgrade the wiki to the latest 1.19.x version of 
> MediaWiki.  We are currently at 1.19.6, and the latest is 1.19.7
> (and includes security fixes).
> 
> Patching to .7 is pretty easy.  I'll test it out on the dev site,
> then will upgrade the live site.
> 
> I plan to do this in the next couple of days and will keep you
> posted.
> 
> Cheers, Matt S.
> 
> 
>>>> 
>>>> Matt
>>>> 
>>>> On Thu, 26 Dec 2013, Matt Surico wrote:
>>>> 
>>>> On 12/26/2013 01:28 AM, odinson wrote:
>>>>>>> Hi
>>>>>>> 
>>>>>>> This is a stupid question, but who's our webmaster at
>>>>>>> the moment? Looks like lilug.org got popped again.
>>>> 
>>>> Hi Matt - it's me.
>>>> 
>>>> I will follow up on this.
>>>> 
>>>> Thanks and regards, Matt S.
>>>> 
>>>> 
>>>>>>> 
>>>>>>> Matt
>>>>>>> -------------------------------------------------------------------------------
>>>>>>> Matthew Newhall, M.A.Newhall at warcloud.net A.S. in Computer
>>>>>>> Science, SUNY Farmingdale President of LILUG;
>>>>>>> president at lilug.org, http://www.lilug.org My blog "The
>>>>>>> Civilization Gene" http://civgene.matthewnewhall.com
>>>>>>> Author; "Thicker Than Blood"
>>>>>>> http://www.thickerthanbloodthebook.com Giselle's
>>>>>>> husband, Sebastian and Maxximus's father.
>>>>>>> http://www.warcloud.net/~odinson/us/ "When a
>>>>>>> well-packaged web of lies has been sold gradually to
>>>>>>> the masses over the generations, the truth will seem
>>>>>>> utterly preposterous...and its speaker a raving
>>>>>>> lunatic." -- Dresden James, author
>>>>>>> -------------------------------------------------------------------------------
>>>>>>> 
>>>>>>> ---------- Forwarded message ----------
>>>>>>> Date: Wed, 25 Dec 2013 13:39:41 -0800 (PST)
>>>>>>> From: DreamHost Security Bot <secalerts at dreamhost.com>
>>>>>>> To: odinson at warcloud.net
>>>>>>> Subject: [matnew 83875513] DreamHost Security Alert - Site Compromised
>>>>>>> 
>>>>>>> 
>>>>>>> Hello,
>>>>>>> 
>>>>>>> During a recent security scan we have identified that
>>>>>>> one or more of your hosted sites show signs of being
>>>>>>> compromised as they are hosting known, malicious
>>>>>>> web-based backdoors. Specifically, the following
>>>>>>> file(s) have been accessed by intruders and have been
>>>>>>> associated with unsolicited bulk email, denial of
>>>>>>> service or other abusive activity:
>>>>>>> 
>>>>>>> We have identified the following known backdoors under
>>>>>>> your account: 
>>>>>>> /home/lilug/dev.lilug.org/w-v1.12/config/wp-ecyv.php
>>>>>>> /home/lilug/dev.lilug.org/w/images/.inc.php
>>>>>>> /home/lilug/dev.lilug.org/w.20130519.backup/images/.inc.php
>>>>>>> /home/lilug/www.lilug.org/w-v1.12/images/.inc.php
>>>>>>> /home/lilug/www.lilug.org/w/images/help.php
>>>>>>> /home/lilug/www.lilug.org/w/images/wptheme.php
>>>>>>> /home/lilug/www.lilug.org/w-20130627.backup/images/.inc.php
>>>>>>> 
>>>>>>> We have disabled the page(s) in question (via adjusting
>>>>>>> permissions on the files, e.g. chmod, or backing up the
>>>>>>> file first renaming it to "filename.INFECTED" and
>>>>>>> cleaning up the injected code) until you are able to
>>>>>>> address this matter.
>>>>>>> 
>>>>>>> The existence of these pages on your website(s) is
>>>>>>> likely a sign you have been compromised. We completely
>>>>>>> empathize with your problem -- having a site hacked can
>>>>>>> be a frustrating and stressful experience but we hope
>>>>>>> that this notification helps prevent this matter from
>>>>>>> being a serious one. We're here to help but we need
>>>>>>> your assistance first as there are some actions we're
>>>>>>> not able to take on your behalf as they involve changes
>>>>>>> to software versions and files under your account. To 
>>>>>>> that end, we highly recommend that you take the
>>>>>>> following steps:
>>>>>>> 
>>>>>>> - Update any 3rd party software under the account,
>>>>>>>   including content management systems, gallery software,
>>>>>>>   weblogging tools, etc. Be sure to use current, secure
>>>>>>>   versions and keep them up-to-date.
>>>>>>> - Update any plugins and/or themes on your sites (Recent
>>>>>>>   attacks against websites have targeted vulnerable software
>>>>>>>   such as timthumb.php which is included in some wordpress
>>>>>>>   themes, separate from the core files)
>>>>>>> - Check your website(s) files for any signs of tampering
>>>>>>>   (file timestamps show recent editing) or files you did
>>>>>>>   not upload yourself and remove them. Looking at the
>>>>>>>   reported files above should give you a good starting point.
>>>>>>> - Check your website(s) files for any 777 directories (e.g.
>>>>>>>   a directory that allows anyone on the server to write or
>>>>>>>   edit the files in the directory; these permissions will
>>>>>>>   look like rwxrwxrwx via the command line)
>>>>>>> - Change your FTP password(s). Be sure they are at least 8
>>>>>>>   characters in length and do not contain English words.
>>>>>>>   Random numbers and letters work best.
>>>>>>> - Consider enabling the StopTheHacker service in your panel.
>>>>>>>   Specifically consider signing up for StopTheHacker's
>>>>>>>   Comprehensive Malware Scanning. More info:
>>>>>>>   http://wiki.dreamhost.com/StopTheHacker
>>>>>>> 
>>>>>>> If you have any questions, please feel free to reply to
>>>>>>> this email and we will be more than happy to assist you
>>>>>>> with securing your sites.
>>>>>>> 
>>>>>>> Sincerely, The DreamHost Security team
>>>>>>> 
> 
> 
>> _______________________________________________ Planning mailing
>> list Planning at lists.lilug.org 
>> http://lists.lilug.org/listinfo.cgi/planning-lilug.org
>> 
> 
> 
> -------------------------------------------------------------------------------
>
>  Matthew Newhall, M.A.Newhall at warcloud.net A.S. in Computer
> Science, SUNY Farmingdale President of LILUG;  president at lilug.org,
> http://www.lilug.org My blog "The Civilization Gene"
> http://civgene.matthewnewhall.com Author; "Thicker Than Blood"
> http://www.thickerthanbloodthebook.com Giselle's husband, Sebastian
> and Maxximus's father. http://www.warcloud.net/~odinson/us/ "If you
> infantilize people, you can't profess astonishment when you see 
> infantile behavior." -- John McCardell, on age 21 drinking laws. 
> -------------------------------------------------------------------------------
>
>  _______________________________________________ Planning mailing
> list Planning at lists.lilug.org 
> http://lists.lilug.org/listinfo.cgi/planning-lilug.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iF4EAREIAAYFAlLawQsACgkQQOgC01ICatDrMQD/Qg5dWKVrCLMIpMFY0J2LCX5E
mp2JVzTY3srx84Cq350A/2/2D2XwvzQVQEhkT4bbWjlC2HtEcIVi/qa2Be2y+dG0
=m91T
-----END PGP SIGNATURE-----
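As an added example that is not part of this thread, of the lilug.org site or of DreamHost's scanner: a read-only sh audit that applies the three file-level checks the forwarded alert recommends (world-writable directories, PHP scripts sitting in an images/ upload directory, and files modified after a cutoff date) to a web root. The directory tree it builds is constructed for the demonstration; its file names only mirror the alert's images/.inc.php pattern, and the function names audit_webroot, count_findings and make_sample_tree are chosen here. It uses only POSIX find(1) and touch(1), so the cutoff is given in touch -t form (YYYYMMDDhhmm) rather than GNU find's -newermt.

```shell
#!/bin/sh
# Added example, not part of the original thread or of DreamHost's scanner.
# Read-only audit of a web root for the indicators named in the alert:
# world-writable directories, PHP scripts under an images/ upload directory,
# and files modified after a cutoff given as touch(1) -t time (YYYYMMDDhhmm).

# audit_webroot ROOT CUTOFF: print one "<TAG> <path>" line per finding.
audit_webroot() {
    root="$1"
    cutoff="$2"
    ref=$(mktemp)                # reference file carrying the cutoff mtime
    touch -t "$cutoff" "$ref"

    # 1. Directories anyone on the server can write to (rwxrwxrwx in ls -l).
    find "$root" -type d -perm -002 | sed 's/^/WORLD-WRITABLE-DIR /'

    # 2. Server-side scripts where only uploads belong; -name '*.php' also
    #    matches hidden names such as .inc.php.
    find "$root" -path '*/images/*' -type f -name '*.php' | sed 's/^/PHP-IN-UPLOADS /'

    # 3. The "recent editing" check: any file modified after the cutoff.
    find "$root" -type f -newer "$ref" | sed 's/^/MODIFIED-SINCE /'

    rm -f "$ref"
}

# count_findings ROOT CUTOFF: number of finding lines, handy for alerting.
count_findings() {
    audit_webroot "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_tree BASE: constructed demo tree, not a real host's layout:
# a wiki entry point and an image dated 2013-11-01, one planted script in
# images/ dated 2013-12-08, and one world-writable cache directory.
make_sample_tree() {
    base="$1"
    mkdir -p "$base/w/images" "$base/w/cache"
    printf '<?php /* wiki entry point */\n' > "$base/w/index.php"
    printf 'GIF89a\n' > "$base/w/images/logo.gif"
    printf '<?php /* placeholder standing in for a planted file */\n' > "$base/w/images/.inc.php"
    touch -t 201311010000 "$base/w/index.php" "$base/w/images/logo.gif"
    touch -t 201312080000 "$base/w/images/.inc.php"
    chmod 777 "$base/w/cache"
}

# Stand-alone run: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_sample_tree "$demo"
    audit_webroot "$demo" 201312010000
    rm -rf "$demo"
fi
```

Against the constructed tree with a 2013-12-01 cutoff the audit reports three lines: the cache directory, the hidden .inc.php under images/, and that same file again as modified after the cutoff. The mtime check is only a starting point, since an intruder who can write files can also set their timestamps, which is why the alert pairs it with the "files you did not upload yourself" review and with comparing against a known-good copy of the wiki release.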


