Thread: Warning to FlashChat users - security hole
View Single Post
  #39  
Old 09-06-2006, 03:37 PM
belindaj belindaj is offline
 
Join Date: Sep 2002
Posts: 12
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by trilOByte
An update. The hackers came back tonight and somehow gained access again, even after uninstalling the flashchat plugin and all associated plugins, and totally removing all the flashchat files and deleting the chat dir. It seems they must have left some script behind to keep the door open. The first thing that happened was that my chat dir re-appeared and a new set of flashchat files dropped in from the ether.

If we can pin down this backdoor, script, pl file or whatever it is, I'll let you know.
FYI -

Your host needs to check the contents of /tmp. Any of the following rogue files/directories needs to be removed from there. (Reference: RSTbackdoor technical details from Symantec) Probably how they got back in a second time.

/tmp/bdpl
/tmp/back
/tmp/bd
/tmp/bd.c
/tmp/dp
/tmp/dpc
/tmp/dpc.c

Also - make sure you reinstalled your flashchat with completely clean files. I thought replacing the index page would fix it - it didn't - when I downloaded the entire chat directory down to my drive for scanning it also found another trojan within those files called hacktool.flooder (Symantec related page)

And of course, after uploading all clean files - remove the cmses files that are not related to your current installation as Paul stated.
Reply With Quote
 
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01099 seconds
  • Memory Usage 1,763KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD_SHOWPOST
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_quote
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_box
  • (1)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit_info
  • (1)postbit
  • (1)postbit_onlinestatus
  • (1)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • reputationlevel
  • showthread
Included Files:
  • ./showpost.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showpost_start
  • bbcode_fetch_tags
  • bbcode_create
  • postbit_factory
  • showpost_post
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • showpost_complete