[UCIMC-Tech] [urbnde 100897400] URGENT: Account Exploit...

Chris Ritzo critzo at chambana.net
Mon Mar 2 08:00:07 EST 2015


I'm on it, but happy to coordinate with someone local.

ucimc.org is ok now and the other items relate mostly to some inactive
sites.

On 03/02/2015 07:26 AM, arthousefarm at gmail.com wrote:
> Hi all,
> 
> Appears we have security issues on our site. Can anyone inspect and see if we can resolve without taking the site down?
> 
> Either way Jay and the membership committee is working on plans for a new site and we should connect about it.
> 
> Danielle 
> 
> 
>> On Mar 1, 2015, at 11:24 PM, DreamHost Customer Support Team <support at dreamhost.com> wrote:
>>
>> ------------------------------------------------------------------------
>> - After reading this response, please consider visiting
>> - the survey below to comment on its quality. Thanks!
>> - http://www.dreamhost.com/survey.cgi?n=100897400&m=5888648
>> -
>> - If the service you received from us was exceptional, please consider
>> - tweeting your love for @dreamhost.  It'll warm our hearts, soothe
>> - our souls, and get you good karma at some point down the road.
>> ------------------------------------------------------------------------
>>
>> Hello,
>>
>> In light of the issues recently reported on the account, we've completed
>> a summary security scan in order to assist you in securing it. Going
>> forward, we need you to take care of some basic site maintenance steps to
>> ensure that your account has been secured.  To get started, please read
>> and act on all of the information in the email below.  Since it involves
>> editing and potentially deleting data under your users we are not able to
>> complete all tasks for you.  If you have questions about the noted items
>> please provide as much information and detail as possible about where you
>> are getting stuck and we will do our best to assist you.
>>
>> Here's another area where we're able to help -- if you would like us to
>> scan your account again for vulnerabilities after you have completed some
>> or all of the steps below, please reply to this email and request a
>> rescan and we can then verify your progress or if there are any lingering
>> issues.
>> Most commonly, hacking exploits occur through known vulnerabilities in
>> outdated copies of web software (blogs, galleries, carts, wikis, forums,
>> CMS scripts, etc.) running under your domains.  To secure your sites you
>> should:
>>
>> 1) Update all pre-packaged web software to the most recent versions
>> available from the vendor.  The following site can help you determine if
>> you're running a vulnerable version:
>> http://secunia.com/advisories/search/
>>
>> Joomla (v2.5.14) :
>> /home/ucimc/ucimc.dreamhosters.com/cijwj.old/libraries/cms/version/version.php
>> (OUTDATED!)
>> Drupal (vQueue1.12010-05-04) :
>> /home/imctech/ucimc.org/sites/all/modules/drupal_queue/ (OUTDATED!)
>> Drupal (vQueue1.12010-05-04) :
>> /home/imctech/civicrm.ucimc.org/ucimc.org/sites/all/modules/drupal_queue/
>> (OUTDATED!)
>> Drupal (vQueue1.12010-05-04) :
>> /home/imctech/old.ucimc.org/sites/all/modules/drupal_queue/ (OUTDATED!)
>> WordPress (v3.5.1) : /home/imctech/ucmakerfaire.com/ (OUTDATED!)
>> Joomla (v2.5.7) :
>> /home/cijwj/centraliljwj.org/libraries/cms/version/version.php
>> (OUTDATED!)
>> Joomla (v2.5.7) :
>> /home/cijwj/cijwj.ucimc.org/libraries/cms/version/version.php (OUTDATED!)
>> MediaWiki (v1.19.2) : /home/makerspaceu/wiki.makerspaceurbana.org.old/
>> (OUTDATED!)
>> WordPress (v3.9.2) : /home/makerspaceu/makerspaceurbana.org.old/
>> (OUTDATED!)
>> Drupal (v6.20) : /home/ucimc/grassrootsradioconference.org/ (OUTDATED!)
>> Joomla (v2.5.17) :
>> /home/ucimc/ucimc.dreamhosters.com/cijwj/libraries/cms/version/version.php
>> (OUTDATED!)
>> Drupal (v6.31) : /home/imctech/ucimc.org/ (OUTDATED!)
>> Drupal (v7.20) : /home/imctech/wrfu.net/ (OUTDATED!)
>> Drupal (v6.26) : /home/imctech/civicrm.ucimc.org/ucimc.org/ (OUTDATED!)
>> Drupal (v6.26) : /home/imctech/old.ucimc.org/ (OUTDATED!)
>> Drupal (v7.26) :
>> /home/imctech/drupal7.ucimc.org_DISABLED_FOR_SPAM_tn/dru7/ (OUTDATED!)
>> MediaWiki (v1.19.11) : /home/makerspaceu/wiki.makerspaceurbana.org/
>> (OUTDATED!)
>> TimThumb (v2.8.11) :
>> /home/makerspaceu/makerspaceurbana.org/wp-content/plugins/events-manager/includes/thumbnails/timthumb.php
>> (OUTDATED!)
>> TimThumb (v2.8.11) :
>> /home/makerspaceu/makerspaceurbana.org.old/wp-content/plugins/events-manager/includes/thumbnails/timthumb.php
>> (OUTDATED!)
>>
>>
>> - WordPress installations need to be updated to version 3.8.
>> - Joomla installations need to be updated to version 3.3.6.  Note that
>> 1.5.x and 2.5.x are no longer supported by Joomla! so migrating to a
>> current branch before further issues arise is important.
>> - MediaWiki installations should be updated to version 1.24.1.
>> - Drupal installations should be updated to version 7.32 or higher.
>> - TimThumb has been discontinued by its author, is unsupported, and all
>> versions are known to be insecure. Recommendations on how to remove and
>> replace TimThumb from the author are available here:
>>
>> http://www.binarymoon.co.uk/2014/09/timthumb-end-life/
>>
>> http://www.binarymoon.co.uk/2014/07/dont-use-timthumb-instead/
>>
>> - Any old/outdated/archive installations that you do not intend to
>> maintain need to be deleted from the server.
>>
>> You should check any other domains (if applicable) for vulnerable
>> software as well, as one domain being exploited could result in all
>> domains under that user being exploited due to the shared permissions and
>> home directory.
>>
>> The following software installations are likely fine, but you should still
>> perform the remaining items on them just in case:
>>
>> WordPress (v4.1.1) : /home/imctech/midwestzinefest.ucimc.org/
>> (Up-to-date.)
>> WordPress (v4.0.1) : /home/imctech/midwestzinefest.ucimc.org.old/
>> (Up-to-date.)
>> WordPress (v4.1.1) : /home/cijwj/catch.ucimc.org/ (Up-to-date.)
>> WordPress (v4.0.1) : /home/cijwj/catch.ucimc.org.old/ (Up-to-date.)
>> WordPress (v4.0.1) : /home/makerspaceu/makerspaceurbana.org/
>> (Up-to-date.)
>> WordPress (v4.1) : /home/makerspaceu/ucmakerfaire.com/ (Up-to-date.)
>> WordPress (v4.0) : /home/makerspaceu/ucmakerfaire.com.old/ (Up-to-date.)
>>
>>
>> 2) Remove ALL third-party plugins/themes/templates/components after
>> upgrading your software installations, and from those that are already
>> upgraded under an infected user.  After everything is removed, reinstall
>> only the ones you need from fresh/clean downloads via a trusted source.
>> These files typically persist through a version upgrade and can carry
>> hacked code with them.  Also, many software packages come with loads of
>> extra content you don't actually use, which makes searching for malicious
>> content even harder.
>>
>> 3) Review other suspicious files under affected users/domains for
>> potential malicious injections or hacker shells.  Eyeballing your
>> directories for strangely named files, and reviewing recently-modified
>> files can help.  The following shell command will search for files
>> modified within the last 3 days, except for files within your Maildir and
>> logs directories.  You can change the number to change the number of
>> days, and add additional grep exception pipes as well to fine-tune your
>> search (for example if you're getting a lot of CMS cache results that are
>> cluttering the output).
>> find . -type f -mtime -3 | grep -v "/Maildir/" | grep -v "/logs/"
>>
>> Likely hacked code / hacker shells that we could not automatically clean
>> were found under imctech here:
>> /home/imctech/bkup/containers/mail0/var/lib/mailman/archives/private/chambana-rooters/2010-July.txt
>> /home/imctech/bkup/containers/mail0/var/lib/mailman/archives/private/chambana-rooters/2010-March.txt
>> /home/imctech/bkup/containers/mail0/var/lib/mailman/archives/private/chambana-rooters/2010-September.txt
>> /home/imctech/bkup/containers/mail0/var/lib/mailman/archives/private/imc-fundraising/2006-June.txt
>> /home/imctech/wrfu.net/modules/simpletest/tests/upgrade/drupal-6.bare.database.php
>> /home/imctech/civicrm.ucimc.org/ucimc.org/sites/all/modules/civicrm/packages/IDS/tmp/phpids_log.txt
>> /home/imctech/old.ucimc.org/sites/all/modules/civicrm/packages/IDS/tmp/phpids_log.txt
>> /home/imctech/drupal7.ucimc.org_DISABLED_FOR_SPAM_tn/dru7/includes/cron.php
>> /home/imctech/drupal7.ucimc.org_DISABLED_FOR_SPAM_tn/dru7/includes/mysqlcore.php
>> /home/imctech/drupal7.ucimc.org_DISABLED_FOR_SPAM_tn/dru7/modules/simpletest/tests/upgrade/drupal-6.bare.database.php
>> /home/imctech/drupal7.ucimc.org_DISABLED_FOR_SPAM_tn/dru7/dump.php
>> /home/imctech/drupal7.ucimc.org_DISABLED_FOR_SPAM_tn/drupal-7.20/modules/simpletest/tests/upgrade/drupal-6.bare.database.php
>>
>> For information specific to WordPress hacks please see:
>> http://wiki.dreamhost.com/My_Wordpress_site_was_hacked
>> More information on this topic is available at the following URL under
>> the "CGI Hack" and "Cleaning Up" sections:
>> http://wiki.dreamhost.com/Troubleshooting_Hacked_Sites
>>
>> Brandon E
>>
>> ---- DreamHost Abuse/Security Team
>> - Terms of Service: http://www.dreamhost.com/legal/terms-of-service/
>> - Acceptable Use Policy:
>> http://www.dreamhost.com/legal/acceptable-use-policy/
>> - Anti-Spam Policy: https://www.dreamhost.com/legal/anti-spam-policy/
>> - Abuse Center: http://abuse.dreamhost.com/
>>
>>
>>


