Home »
FUDforum Development »
FUDforum 3.0+ »
Mass cracking of FUDForum sites
Mass cracking of FUDForum sites [message #27994] |
Tue, 04 October 2005 15:55 |
heron
Messages: 10 Registered: May 2005
Karma: 0
|
Junior Member |
|
|
Hi,
I'm watching my log for referrer URL quite closely. Recently I noticed a strange looking Google query with the exclusion keyword ihackstuff.
"http://www.google.com/search?num=100&hl=en&lr=&safe=off&c2coff=1&q=%22Powered+by+FUDForum+2.6%22+-site%3Afudforum.org+-johnny.ihackstuff&btnG=Search"
I traced this back to a Google hack database listing the following entry
http://johnny.ihackstuff.com/index.php?module=prodreviews&func=showcont ent&id=1410
This produces a list of sites still running FUDForum 2.6.
I looked for further traces from the same IP and saw an attempt to exploit the avatar upload bug. The guy had created an account named 'bonjour' with a yahoo email address. The attack came from a Taiwanese IP (211.76.97.246).
I then checked other sites on that list and sure enough they all had an account 'bonjour' created some time in September. If you are still running 2.6 and have avatar uploads enabled, it's time to check your box.
Heron
|
|
|
Re: Mass cracking of FUDForum sites [message #27995 is a reply to message #27994] |
Tue, 04 October 2005 16:06 |
Ilia
Messages: 13241 Registered: January 2002
Karma: 0
|
Senior Member Administrator Core Developer |
|
|
Good catch, yet another reason to upgrade your forums to 2.7.X series if you have not done so already.
Another security tip is to go through your avatars directory and see if you have any files with a non image extension.
FUDforum Core Developer
|
|
|
Goto Forum:
Current Time: Wed Nov 27 00:39:53 GMT 2024
Total time taken to generate the page: 0.05435 seconds