[UCIMC-Tech] [urbnde 100897400] URGENT: Account Exploit...

arthousefarm at gmail.com arthousefarm at gmail.com
Mon Mar 2 07:26:45 EST 2015


Hi all,

Appears we have security issues on our site. Can anyone inspect and see if we can resolve without taking the site down?

Either way, Jay and the membership committee are working on plans for a new site and we should connect about it.

Danielle 


> On Mar 1, 2015, at 11:24 PM, DreamHost Customer Support Team <support at dreamhost.com> wrote:
> 
> ------------------------------------------------------------------------
> - After reading this response, please consider visiting
> - the survey below to comment on its quality. Thanks!
> - http://www.dreamhost.com/survey.cgi?n=100897400&m=5888648
> -
> - If the service you received from us was exceptional, please consider
> - tweeting your love for @dreamhost.  It'll warm our hearts, soothe
> - our souls, and get you good karma at some point down the road.
> ------------------------------------------------------------------------
> 
> Hello,
> 
> In light of the issues recently reported on the account, we've completed
> a summary security scan in order to assist you in securing it. Going
> forward, we need you to take care of some basic site maintenance steps to
> ensure that your account has been secured.  To get started, please read
> and act on all of the information in the email below.  Since it involves
> editing and potentially deleting data under your users we are not able to
> complete all tasks for you.  If you have questions about the noted items
> please provide as much information and detail as possible about where you
> are getting stuck and we will do our best to assist you.
> 
> Here's another area where we're able to help -- if you would like us to
> scan your account again for vulnerabilities after you have completed some
> or all of the steps below, please reply to this email and request a
> rescan and we can then verify your progress or if there are any lingering
> issues.
> 
> Most commonly, hacking exploits occur through known vulnerabilities in
> outdated copies of web software (blogs, galleries, carts, wikis, forums,
> CMS scripts, etc.) running under your domains.  To secure your sites you
> should:
> 
> 1) Update all pre-packaged web software to the most recent versions
> available from the vendor.  The following site can help you determine if
> you're running a vulnerable version:
> http://secunia.com/advisories/search/
> 
> Joomla (v2.5.14) :
> /home/ucimc/ucimc.dreamhosters.com/cijwj.old/libraries/cms/version/version.php
> (OUTDATED!)
> Drupal (vQueue1.12010-05-04) :
> /home/imctech/ucimc.org/sites/all/modules/drupal_queue/ (OUTDATED!)
> Drupal (vQueue1.12010-05-04) :
> /home/imctech/civicrm.ucimc.org/ucimc.org/sites/all/modules/drupal_queue/
> (OUTDATED!)
> Drupal (vQueue1.12010-05-04) :
> /home/imctech/old.ucimc.org/sites/all/modules/drupal_queue/ (OUTDATED!)
> WordPress (v3.5.1) : /home/imctech/ucmakerfaire.com/ (OUTDATED!)
> Joomla (v2.5.7) :
> /home/cijwj/centraliljwj.org/libraries/cms/version/version.php
> (OUTDATED!)
> Joomla (v2.5.7) :
> /home/cijwj/cijwj.ucimc.org/libraries/cms/version/version.php (OUTDATED!)
> MediaWiki (v1.19.2) : /home/makerspaceu/wiki.makerspaceurbana.org.old/
> (OUTDATED!)
> WordPress (v3.9.2) : /home/makerspaceu/makerspaceurbana.org.old/
> (OUTDATED!)
> Drupal (v6.20) : /home/ucimc/grassrootsradioconference.org/ (OUTDATED!)
> Joomla (v2.5.17) :
> /home/ucimc/ucimc.dreamhosters.com/cijwj/libraries/cms/version/version.php
> (OUTDATED!)
> Drupal (v6.31) : /home/imctech/ucimc.org/ (OUTDATED!)
> Drupal (v7.20) : /home/imctech/wrfu.net/ (OUTDATED!)
> Drupal (v6.26) : /home/imctech/civicrm.ucimc.org/ucimc.org/ (OUTDATED!)
> Drupal (v6.26) : /home/imctech/old.ucimc.org/ (OUTDATED!)
> Drupal (v7.26) :
> /home/imctech/drupal7.ucimc.org_DISABLED_FOR_SPAM_tn/dru7/ (OUTDATED!)
> MediaWiki (v1.19.11) : /home/makerspaceu/wiki.makerspaceurbana.org/
> (OUTDATED!)
> TimThumb (v2.8.11) :
> /home/makerspaceu/makerspaceurbana.org/wp-content/plugins/events-manager/includes/thumbnails/timthumb.php
> (OUTDATED!)
> TimThumb (v2.8.11) :
> /home/makerspaceu/makerspaceurbana.org.old/wp-content/plugins/events-manager/includes/thumbnails/timthumb.php
> (OUTDATED!)
> 
> 
> - WordPress installations need to be updated to version 3.8.
> - Joomla installations need to be updated to version 3.3.6.  Note that
> 1.5.x and 2.5.x are no longer supported by Joomla! so migrating to a
> current branch before further issues arise is important.
> - MediaWiki installations should be updated to version 1.24.1.
> - Drupal installations should be updated to version 7.32 or higher.
> - TimThumb has been discontinued by its author, is unsupported, and all
> versions are known to be insecure. Recommendations on how to remove and
> replace TimThumb from the author are available here:
> 
> http://www.binarymoon.co.uk/2014/09/timthumb-end-life/
> 
> http://www.binarymoon.co.uk/2014/07/dont-use-timthumb-instead/
> 
> - Any old/outdated/archive installations that you do not intend to
> maintain need to be deleted from the server.
> 
> You should check any other domains (if applicable) for vulnerable
> software as well, as one domain being exploited could result in all
> domains under that user being exploited due to the shared permissions and
> home directory.
> 
> The following software is likely fine, but you should still perform the
> remaining items on it just in case:
> 
> WordPress (v4.1.1) : /home/imctech/midwestzinefest.ucimc.org/
> (Up-to-date.)
> WordPress (v4.0.1) : /home/imctech/midwestzinefest.ucimc.org.old/
> (Up-to-date.)
> WordPress (v4.1.1) : /home/cijwj/catch.ucimc.org/ (Up-to-date.)
> WordPress (v4.0.1) : /home/cijwj/catch.ucimc.org.old/ (Up-to-date.)
> WordPress (v4.0.1) : /home/makerspaceu/makerspaceurbana.org/
> (Up-to-date.)
> WordPress (v4.1) : /home/makerspaceu/ucmakerfaire.com/ (Up-to-date.)
> WordPress (v4.0) : /home/makerspaceu/ucmakerfaire.com.old/ (Up-to-date.)
> 
> 
> 2) Remove ALL third-party plugins/themes/templates/components after
> upgrading your software installations, and from those that are already
> upgraded under an infected user.  After everything is removed, reinstall
> only the ones you need from fresh/clean downloads via a trusted source.
> These files typically persist through a version upgrade and can carry
> hacked code with them.  Also, many software packages come with loads of
> extra content you don't actually use and make searching for malicious
> content even harder.
> 
> 3) Review other suspicious files under affected users/domains for
> potential malicious injections or hacker shells.  Eyeballing your
> directories for strangely named files, and reviewing recently-modified
> files can help.  The following shell command will search for files
> modified within the last 3 days, except for files within your Maildir and
> logs directories.  You can change the number to change the number of
> days, and add additional grep exception pipes as well to fine-tune your
> search (for example if you're getting a lot of CMS cache results that are
> cluttering the output).
> find . -type f -mtime -3 | grep -v "/Maildir/" | grep -v "/logs/"
> 
> Likely hacked code / hacker shells that we could not automatically clean
> were found under imctech here:
> /home/imctech/bkup/containers/mail0/var/lib/mailman/archives/private/chambana-rooters/2010-July.txt
> /home/imctech/bkup/containers/mail0/var/lib/mailman/archives/private/chambana-rooters/2010-March.txt
> /home/imctech/bkup/containers/mail0/var/lib/mailman/archives/private/chambana-rooters/2010-September.txt
> /home/imctech/bkup/containers/mail0/var/lib/mailman/archives/private/imc-fundraising/2006-June.txt
> /home/imctech/wrfu.net/modules/simpletest/tests/upgrade/drupal-6.bare.database.php
> /home/imctech/civicrm.ucimc.org/ucimc.org/sites/all/modules/civicrm/packages/IDS/tmp/phpids_log.txt
> /home/imctech/old.ucimc.org/sites/all/modules/civicrm/packages/IDS/tmp/phpids_log.txt
> /home/imctech/drupal7.ucimc.org_DISABLED_FOR_SPAM_tn/dru7/includes/cron.php
> /home/imctech/drupal7.ucimc.org_DISABLED_FOR_SPAM_tn/dru7/includes/mysqlcore.php
> /home/imctech/drupal7.ucimc.org_DISABLED_FOR_SPAM_tn/dru7/modules/simpletest/tests/upgrade/drupal-6.bare.database.php
> /home/imctech/drupal7.ucimc.org_DISABLED_FOR_SPAM_tn/dru7/dump.php
> /home/imctech/drupal7.ucimc.org_DISABLED_FOR_SPAM_tn/drupal-7.20/modules/simpletest/tests/upgrade/drupal-6.bare.database.php
> 
> For information specific to WordPress hacks please see:
> http://wiki.dreamhost.com/My_Wordpress_site_was_hacked
> More information on this topic is available at the following URL under
> the "CGI Hack" and "Cleaning Up" sections:
> http://wiki.dreamhost.com/Troubleshooting_Hacked_Sites
> 
> Brandon E
> 
> ---- DreamHost Abuse/Security Team
> - Terms of Service: http://www.dreamhost.com/legal/terms-of-service/
> - Acceptable Use Policy:
> http://www.dreamhost.com/legal/acceptable-use-policy/
> - Anti-Spam Policy: https://www.dreamhost.com/legal/anti-spam-policy/
> - Abuse Center: http://abuse.dreamhost.com/
> 
> 
> 
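The recently-modified-files search from step 3 of the quoted DreamHost reply, wrapped as an added example (not part of the email) so the day window and the extra exclusion patterns the reply mentions can be passed as arguments; the `/home/imctech` path in the usage comment is one of the users named in the scan, and the cache fragments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the DreamHost email: step 3's find/grep pipeline as a
# reusable function. Arguments: scan root, day window, then any number of extra
# path fragments to exclude (the email suggests adding these to cut CMS cache
# noise). /Maildir/ and /logs/ are always excluded, as in the original command.
# Assumes only POSIX find and grep -E; both of the first two arguments are required.

recent_files() {
    root=$1
    days=$2
    shift 2
    # Build an alternation of path fragments to drop from the results. The
    # fragments are treated as extended regexes, so escape regex metacharacters.
    excl='/Maildir/|/logs/'
    for frag in "$@"; do
        excl="$excl|$frag"
    done
    # -mtime -N: modified less than N*24h ago. Sorted so repeated runs diff cleanly
    # and new entries stand out while the cleanup is in progress.
    find "$root" -type f -mtime "-$days" | grep -E -v "$excl" | sort
}

# Usage (cache fragments are constructed placeholders; adjust to the CMS in use):
#   recent_files /home/imctech 3 /cache/ /files/tmp/
```

Run it from a shell on the host as the affected user; widening the day window to cover the time since the first reported symptom gives a fuller picture than the default three days.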