next »

[flyingember]

I have had multiple times where someone has dropped files into my calendarscript directory, and used them to run services.
I have seen a cron job setup in the name of my http server account, and even some running processes.

I saved a copy of all the files one of the times. it's been the same files each time.  Sometimes more than one person drops in their files, into their own subdirectory.

I've had this happen 4 times.

Only in the calendar script folder structure.  I have more than one cgi-bin directory on the server and they haven't been touched.

now, calendarscript installation says to make -every- file and folder set to 777.  this gives anyone in the world the ability to drop files into that directory structure if they know someone is running the software.  it's an easy target.

I think I have the problem solved but want to be sure.

I changed the user and group of the files and folders to the same as my web server is on.  then changed permissions to 775.

calendarscript works 100%

is this a fix or is it still open?

[DanO]

Have you upgraded to CalendarScript version 3.21? That was released due to security concerns.

Dan O.

------------------

[flyingember]

yes.  I thought that already.  I had files uploaded after the upgrade.  I don't think they're even using calendarscript, but rather uploading to 777 directories.

------------------

[Zim]

How is somone "uploading" to any directory unless there is a form page somewhere that allows a file upload (and they are hacking that path) ?

Or are they ftp'ing into your server and going to the 777 directories from there?

Mike

------------------

[flyingember]

I'm not sure honestly. I uploaded the update again, made sure my files were running under the right user, and changed everything to 755.  It works, so I'm watching it.

------------------

[josefresco]

We too had an incident where someone installed Unreal 3.2 (http://www.unrealircd.com/) in the calendar script directory and was presumably going to exploit the server for something devious.  Our server admin's found it and disabled it.  Can't say for certain that it wasn't someone who got FTP access but I doubt it.

We're using version 3.1.

Has anyone else had any issues with this?

[DanO]

** We're using version 3.1 **

Than I would recommend you upgrade to the most current version 3.21

JMO

Dan O.

------------------

[SodaJim]

Hello,

It just happened today!
It had approx. 120+ processes executing on my server which affected all scripts on the server!
I guess I'll be upgrading...

Glad to see I wasn't loosing my mind!

------------------

[marijun]

i had the same exact thing happen!  unreal 3.2 irc program was uploaded into the calendarscript folder.  sounds like you were luckier than i though, when i deleted their little irc prog, they took their frustrations out on the calendar itself.  wiped out a whole year's worth of data and now the script is barely functioning at all. got a big mess over here!  ::grumble grumble::

[Stick]

A server I administer was also hacked via an older version of CalendarScript that was not being used. It was an easy fix for me, I just moved it out of the web server path (I wanted to inspect the files further).

I noticed because when I SSH'd into the machine and ran a ps aux I saw a process running as the apache user running from the calendarscript directory that had been running for a long time.

It turned out to be the same Unreal IRCd that others have mentioned.

[marijun]

ugh...i applied the upgrade patch a couple weeks ago, and the calendar was hacked again this week.  i give up!  switching calendars.

[drwxr]

hey, you got hacked? put here the logs, , because my website was hacked too, i was running the calendar script 3.2, but i?m not sure that the attacker upload file into my website...
who have the logs?
post here
please
[]?z

------------------

[Scott]

If anyone has security problems _after_ updating to 3.21, please email me any details you can.

------------------
Scott
CalendarScript.com

[DanO]

** my website was hacked too, i was running the calendar script 3.2 **

        Than you should upgrade to the current version 3.21

** who have the logs? **

Your host will. Whether you have access to them only your host's support can tell you (besides looking in their FAQ files for mention of log file access).

JMO

Dan O.

[This message has been edited by DanO (edited August 01, 2004).]

[jgold723]

What's the verdict here? I paid for this program, and I really like it and would certainly prefer to keep using it rather than buy another calendar, install it, etc.

But I am concerned about another attack, as is my client.

I have upgraded to 3.21.

John

------------------