Wow - the merge topic function did its job! I've never tried it before.
Moved the last few posts from another thread to keep things orderly.
It's probably unrelated but thought I'd mention it. Around the same time you noticed these attempts started, I've also noticed an increase in spam on 3 e-mail addresses, and all three addresses are never published anywhere. They always proclaim to be MSN, CNN and MSNBC.
One of them is only used for the form on BassmanThemes.
Like I said, probably not related, but it seemed to happen a lot around the same time.
Hello !!
Yes, apparently it uses a SQL Server issue in unpatched servers.
I have the w.js script file and I investigated it, and found an iframe injection. This file calls another file located on a compromised server, and shows an HTML page with 4 iframes, and tries to download & execute a virus trojan from four different locations in the iframes...
I am still investigating it; if anyone would like to contribute any data, please let me know at Lostmon@gmail.com
Thnx
reported here before :)
http://community.impresscms.org/modules/newbb/viewtopic.php?topic_id=2155&forum=13
but thanks for the heads up nonetheless :) (i'd rather have 10 people report it than none at all, although i'd go mad if we ended up with 10 or 20 people all reporting the same thing in separate topics lol)
I just read this excellent post http://community.impresscms.org/modules/newbb/viewtopic.php?topic_id=2220&forum=13&post_id=21120#forumpost21120 by McDonald regarding SQL Injections and it prompted me to write this follow on.
For those who may not be aware, probably the largest coordinated upgrade effort on the Internet took place earlier this year regarding a weakness in the DNS system that involves resolvers, and for which the details to exploit the weakness have now been made common knowledge. There are known exploits taking advantage of this weakness out there in the wild now.
Information on this can be found here:
http://www.us-cert.gov/cas/techalerts/TA08-190B.html
A tool for checking your own client DNS servers is found here:
http://www.doxpara.com/
A tool for checking the DNS of domain names you may control is here:
http://recursive.iana.org/
So, if you (or your ISP) have not yet upgraded DNS servers under your control, you should do so as soon as possible.
-Commerce
Since the start of this month I've noted a lot of SQL injection attempts in the logs of my site.
A quick search with Google showed me I'm not the only one.
For some more info see here:
- http://isc.sans.org/diary.html?storyid=4844
- http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html
- http://www.wetwired.org/2008/08/06/technical-post-about-new-sql-injection/
- http://www.lockergnome.com/it/2008/08/13/sql-injection-attacks-in-the-wild-why-theyre-working-and-what-to-do/
I've noted that these injection attempts happen mostly during the weekends, but it can happen at any time of course.
So far none of the attacks was successful.
Keep an eye on your logs, make backups more frequently, make sure you have the latest version of modules installed and that you have Protector installed!
yep.. ur right trabis
Not sure this is correct:
Thank you very much for all the help!!!
#############################
fix $id variable in down.php
#############################
open modules/down.php and around line 38 find this code line:
RMSOFT XSS Vulnerability
report: http://lostmon.blogspot.com/2008/08/rmsoft-downloads-plus-two-scripts-two.html
###################
FIX $key variable
###################
open modules/rmdp/include/rmdp_functions.php
around line 314 find function rmdp_make_searchnav()
find this code:
#####################
Yesterday I had the opportunity to speak with the author. Marcello has no time for the moment, and no time in future either, to take the project further. He has given me administration access on SourceForge. The data in the CVS on SourceForge is the last and most current from Marcello.
We can work here quite unabashed and improve the code. Marcello even wishes that somebody continues his work.
My plan: The module remains here. Code improvements are collected. And added there. @Alfred looks for better code too. I think this sounds good. But above all it will please the users.
Quote:
Sounds good to me ... other possibility might be, I add my improvement for easy renaming in the module?
then users can rename it to whatever they want ...
fans.php is also affected too.
example:
http://localhost/impresscms/modules/yogurt/fans.php?uid=1">[XSS-CODE]
I am working on a fix for RMSOFT Downloads Plus now...
Quote:
thomas wrote:
cbb4 is still a beta afaik. Xforum i have not installed yet but will try right now and start a new topic.
Quote:
stranger wrote:
unfortunately I still have not worked with xforum .. how is it? is it better than newbb? and what do you think about newbb 4?
Quote:
stranger wrote:
Why removing it? By fixing I meant sorting this out
I'm not the person in charge for this, I think it's better if you talk with sato and Vaughan .... I was just giving a suggestion in my earlier post ... Vaughan is working on that area I think.