The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#31
If you're looking for a very secure chat, check out www.flasherize.com... try the demo.
#32
Have any of you tried running chkrootkit or rkhunter to see if it finds the back door?
#33
Look for files with a creation or modified date of the day of the hack (or later). I found an IRC relay setup posted in an obscure directory that I had to remove - they had also placed an entry in the apache crontab to restart itself every 10 minutes that I had to remove.
Check your cron files; check your site directories for new files/directories; try something like: find . -type f -exec grep -l c99 {} \; to see if you get any files which have the c99 tag in them (the shell script they are installing).
#34
I was running flash chat and was not as lucky as most people when I was hit yesterday. The message board was the only thing left, the index file for that had been replaced with something to the effect HACKEYD BY STOUNE!!! and a link to http://stounee.ifrance.com/
I went to replace the index file and found every single other directory and file was gone! For some reason they left the board though. The web host did have a recent backup for me thankfully, but at a price of course. I ended up dumping my whole vB directory and upgrading to 3.6 and changed passwords on everything.
#35
Quote:
We at RonaldReagan.com use VPS hosting from KnownHost.com and they back up all our sites and subdomains daily with no extra charge for it or restore. I would have a serious problem with any web host trying to profit off a client's hour of need.
#36
Quote:
#37
Quote:
#38
Heh I wish my host was as friendly in a time of need like you are.
Since cleaning up, I have been checking the web site error logs and in the last six hours there have been 20 hits looking for aedatingCMS.php, all different IP addresses. I wonder how long before they realize it is gone and give up trying to find it.
#39
Quote:
Your host needs to check the contents of /tmp. Any of the following rogue files/directories needs to be removed from there. (Reference: RSTbackdoor technical details from Symantec) Probably how they got back in a second time.
/tmp/bdpl
/tmp/back
/tmp/bd
/tmp/bd.c
/tmp/dp
/tmp/dpc
/tmp/dpc.c
Also - make sure you reinstalled your flashchat with completely clean files. I thought replacing the index page would fix it - it didn't - when I downloaded the entire chat directory down to my drive for scanning it also found another trojan within those files called hacktool.flooder (Symantec related page)
And of course, after uploading all clean files - remove the cmses files that are not related to your current installation as Paul stated.
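The checks suggested in posts #33 and #39, collected into one script as an added example (not part of any post in this thread). The function names, the script name triage.sh and the date argument are assumptions, and -newermt needs GNU or BSD find.

```shell
#!/bin/sh
# Added example: post-compromise triage checks from posts #33 and #39.
# Assumes GNU or BSD find (for -newermt) and grep -r. Function names are hypothetical.

# List files under directory $1 modified after date $2 (YYYY-MM-DD).
files_changed_since() {
    find "$1" -type f -newermt "$2" -print 2>/dev/null | sort
}

# List files under directory $1 that contain marker $2 (default: c99).
files_with_marker() {
    grep -rl -- "${2:-c99}" "$1" 2>/dev/null | sort
}

# List which of the names from post #39 exist in directory $1 (default: /tmp).
rogue_tmp_files() {
    dir=${1:-/tmp}
    for name in bdpl back bd bd.c dp dpc dpc.c; do
        if [ -e "$dir/$name" ]; then printf '%s\n' "$dir/$name"; fi
    done
}

# Print the active (non-comment, non-blank) lines of crontab file $1 for review.
active_cron_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" 2>/dev/null || true
}

# Usage: triage.sh SITE_DIR SINCE_DATE [CRONTAB_FILE]
if [ "$#" -ge 2 ]; then
    echo "== Files changed since $2 =="; files_changed_since "$1" "$2"
    echo "== Files containing c99 =="; files_with_marker "$1"
    echo "== Known rogue names in /tmp =="; rogue_tmp_files /tmp
    if [ -n "${3:-}" ]; then
        echo "== Active cron lines in $3 =="; active_cron_lines "$3"
    fi
fi
```

A marker hit or a recent modification date only flags a file for review; restoring from clean files, as the posts advise, is still the fix.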
#40
Was hacked last Friday (thank you, FlashChat). Program removed and will never be reinstalled again. Still trying to do serious damage control after what the hackers put on my home page and emailed to my members.