Author Topic: Auto User Config. Vulnerable to HACKERS  (Read 3421 times)

Offline firemail

  • Newbie
  • *
  • Posts: 9
Auto User Config. Vulnerable to HACKERS
« on: May 13, 2008, 02:13:02 PM »
WARNING -- IF you use Auto User Config by Tuney

Somehow, hackers were able to gain access to the /config/db.inc.php file to gain access to the MySQL db (passwords are in clear text), where they were able to capture my cpanel id and password...

They then opened cpanel, changed the cpanel password, deleted my site and replaced it with a "hacked by..." page.

Needless to say I am concerned, MY directory is protected by .htaccess so...

I am working to encrypt the cpanel password [(encrypt_pass($cppassword))] and will post the mod.

I was able to detect the intrusion and IP w/ FTP/HTTP logs, and have blocked all access from that IP range (all of AFRICA; I'm in Canada) to my site.

TEMPORARY FIX -  You all need to put an .htaccess file in the /config dir. A good one, with strict rules. Include IP filtering if you can. (249.*.*.* blocks out AFRICA)

DENY ALL is a good one.
 
Alex
« Last Edit: May 13, 2008, 02:17:39 PM by firemail »

Offline Nemesis02

  • Jr. Member
  • **
  • Posts: 30
Auto User Config. Vulnerable to HACKERS
« Reply #1 on: May 13, 2008, 03:16:06 PM »
Quote from: firemail;11993
WARNING -- IF you use Auto User Config by Tuney

Somehow, hackers were able to gain access to the /config/db.inc.php file to gain access to the MySQL db (passwords are in clear text), where they were able to capture my cpanel id and password...

They then opened cpanel, changed the cpanel password, deleted my site and replaced it with a "hacked by..." page.

Needless to say I am concerned, MY directory is protected by .htaccess so...

I am working to encrypt the cpanel password [(encrypt_pass($cppassword))] and will post the mod.

I was able to detect the intrusion and IP w/ FTP/HTTP logs, and have blocked all access from that IP range (all of AFRICA; I'm in Canada) to my site.

TEMPORARY FIX -  You all need to put an .htaccess file in the /config dir. A good one, with strict rules. Include IP filtering if you can. (249.*.*.* blocks out AFRICA)

DENY ALL is a good one.
 
Alex


Please post your access logs and error logs during that time period for all access from that IP; that'll help with identifying the exploit.

Offline firemail

  • Newbie
  • *
  • Posts: 9
Vulnerability known.
« Reply #2 on: May 13, 2008, 08:46:55 PM »
As stated, the /config dir, as presented by Tuney, does not have an .htaccess file.
You should put one.

As for the hack used to get around .htaccess, it is well known to Apache programmers and PHP programmers and is way beyond the scope of the RoundCube forum.

I just want to warn all the users of tuney's script to put an .htaccess file in the /config dir.
I had one and they still got me, if you don't put one they are SURE to get you.

"emsignup.php" is one of the TOP 10 Search Result Hits for my site, you don't think people are looking for emsignup.php by name because they want to "sign-up", huh? Obviously they are looking for DB's to crack...

Renaming the emsignup.php file, RC folder and emsu folder to 16 char. ASCII helps to limit the results from emsignup.php searches on Google, Yahoo and .......

Be warned, be careful.

Alex
« Last Edit: May 13, 2008, 08:50:54 PM by firemail »
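
The log review mentioned in this thread, as an added example (not code from either poster or from the Auto User Config script): a Python sketch that scans Apache combined-format access logs for requests to /config/ or any *.inc.php file and separates the ones the server answered from the ones it refused, which also shows whether a deny rule in /config is actually taking effect. The log lines and IP addresses are constructed samples, and the function name `triage` is hypothetical.

```python
import re
from collections import defaultdict

# Apache "combined" log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Paths a browser should never be served: anything under a config/
# directory, or any *.inc.php include file (case-insensitive).
SENSITIVE = re.compile(r'(^|/)config/|\.inc\.php$', re.IGNORECASE)

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [13/May/2008:10:01:02 -0400] "GET /emsignup.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [13/May/2008:10:05:41 -0400] "GET /config/ HTTP/1.1" 200 812 "-" "Mozilla/4.0"
198.51.100.7 - - [13/May/2008:10:05:44 -0400] "GET /config/db.inc.php HTTP/1.1" 200 0 "-" "Mozilla/4.0"
203.0.113.99 - - [13/May/2008:11:20:00 -0400] "GET /CONFIG/db.inc.php?x=1 HTTP/1.1" 403 199 "-" "Mozilla/4.0"
this line is malformed and is skipped
"""


def triage(log_text):
    """Return {ip: {"served": [...], "blocked": [...]}} for sensitive paths."""
    report = defaultdict(lambda: {"served": [], "blocked": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if not SENSITIVE.search(path):
            continue
        status = int(m["status"])
        # 2xx/3xx: the server answered, so no deny rule applied to this path.
        # 4xx/5xx: the request was refused or failed.
        bucket = "served" if status < 400 else "blocked"
        report[m["ip"]][bucket].append((m["time"], path, status))
    return dict(report)


if __name__ == "__main__":
    for ip, hits in sorted(triage(SAMPLE_LOG).items()):
        print(ip, "served:", len(hits["served"]), "blocked:", len(hits["blocked"]))
        for when, path, status in hits["served"]:
            print("   NOT BLOCKED", when, path, status)
```

Any entry in the "served" list after an .htaccess has been placed in /config means the rule is not being applied to that path and the server configuration needs checking.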