next »

[reager]

Has ssi.pl ever been part of the calendarscript distribution?  We have been using calendarscript for some time and have upgraded along the way several times.

Our website has been the target of hackers and the target seems to be the file ssi.pl in

cgi-bin/calendarscript/templates/calendars/default/ssi.pl which seems to be a version of cgi-telnet that is apparently quite easily compromised.  

Is this a file that has ever been part of calendarscript or did we acquire this file from some other method?

This is a Redhat Linux server if that makes a difference

[DanO]

** Has ssi.pl ever been part of the calendarscript distribution? **

I've never seen it included.

** We have been using calendarscript for some time and have upgraded along the way several times. **

If the version in use now is not 3.21 I STRONGLY suggest you upgrade it to the current version.

JMO

Dan O.

[This message has been edited by DanO (edited May 13, 2005).]

[DanO]

** cgi-bin/calendarscript/templates/calendars/default/ssi.pl **

PS. I would suggest you do NOT give execute permissions to any directories besides the one with calendar.pl and calendar_admin.pl files in it. At most the other directories should only need to be chmod to 666 or in some (rare) cases 766.

777 is NOT a good idea and isn't even allowed on some server setups.

JMO

Dan O.

[This message has been edited by DanO (edited May 13, 2005).]

[celinahex]

I had the same file, in the same location in my install.
and also many, many hacker problems.

and yes, i've upgraded to 3.2.1

now i've gone and disabled that ssi.pl. we'll see if everything keeps working.

------------------

[DanO]

** and yes, i've upgraded to 3.2.1 **

After you found the intrusions or they occurred even with version 3.21 already installed??

Your message sounds a little ambiguous to me and was hopping you could clarify it.

Dan O.

------------------

[reager]

I believe now that when we were hacked and exploited prior to upgrading to 3.21 our intruder left a vulnerable program on our system disguised as part of calendarscript.

The program CGI-Telnet is discussed in other forums as having a root exploit.  I found it on our system called ssi.pl. From log entries I can tell that it is what our most recent intruder used to get on our system.

Doing a Google search for "Powered by CalendarScript" I located at least one other user with that in the same location.  I thought maybe it was somehow part of the CalendarScript install.  (But it is not!)

Since then, I have used grep to find any other copies in var/www/cgi-bin.  The CGI-Telnet program is written in plaintext Perl.  I found a rather unique looking function name and serched for it this way:
   cd /var/www/cgi-bin
   grep -r PrintLoginFailedMessage *
I found another copy called calendar.cgi. This would have still been available for the next intruder.

Now I'm wondering why I had a folder named config under the CalendarScript folder that contained a lot of UnrealIRCd stuff?

------------------

[celinahex]

oh yes, i think this may be it. i found all kinds of naughty things in my directory, dated from back before we upgraded to 3.2.1 (I think). I've disabled them, and disabled the latest hacking directories, and we'll seee if they can still come back.

------------------

[celinahex]

oh yeah, just for reference:

in addition to the naughty, naughty ssi.pl , i also found:
postmaster.cgi
and
protect.cgi

i was able to find the naughty bits by looking at files that had more recent creation dates than the files of the program (of course, i know there are sessions created constantly and stuff).

------------------