25.12.2004, 03:01   #1 (permalink)
CCamacho
Baby Mamber
Join Date: Dec 2004
Posts: 9
spykids ownz your server -- help

Today, my two Mambo sites had their index.php re-written with the words "spykids ownz your server". I only run Mambo on one site 4.5.1a with vBulletin, and Mambo 4.5 on the other. I DO NOT run PhpBB.

I'm running on a Virtual Host, and the server uses Plesk (latest). It's a Linux box.


I'm trying to figure out how the crackers got in. I'm nervous that this could be a Mambo hole since that is the only PHP that is running.

Running php 4.3.10.

Any ideas?

Cheers,

Carlos
p.s. please contact me at idg|atmark|mxi.netwave.or.jp if you know the security hole.
25.12.2004, 03:19   #2 (permalink)
CCamacho
Baby Mamber
Join Date: Dec 2004
Posts: 9
Re: spykids ownz your server -- help

Here is a follow up...

No other sites on the server I am on got defaced. The main index.php file and index2.php in the Mambo folder were fine. What was altered was the index.php and index.html inside the template I was using. Very odd!

Other index.php/index.html files on my machine were fine.

So, is this a Mambo hole?

Cheers,
25.12.2004, 03:53   #3 (permalink)
CCamacho
Baby Mamber
Join Date: Dec 2004
Posts: 9
Re: spykids ownz your server -- help

Yet more news...

I had my system admin search for /mambots on the server to see if there were more installs of Mambo. He found two, and sure enough... both were hit.

He mentioned files with permissions of 707.

That isn't odd because the install docs in fact say....

Quote:
chmod -R 707 images
chmod -R 707 media
chmod -R 707 uploadfiles
chmod -R 707 components
chmod -R 707 language
chmod -R 707 modules
chmod -R 707 templates
chmod -R 707 administrator/backups
chmod -R 707 administrator/components
chmod 644 configuration.php
So, I'm wondering.... should I and others follow such instructions?

Hmm.. still not sure how they were able to deface, but considering templates/ content is usually set so Mambo can delete files in there... I'm not surprised.

25.12.2004, 08:58   #4 (permalink)
sacr0
Mamber
Join Date: Jul 2004
Posts: 57
Re: spykids ownz your server -- help

What is your page that got hacked? Do you have a link to your site?

These defacement guys have a list of servers/sites they have done and I don't see any close to your email domain (guessing your domain or host).
In the lists from spykids I see so far, there are only phpNuke and phpBB.

Without more specific information about the 'attack' it's hard to work with.

If you want real help, what do the logs say?
__________________
Imagination seeds the focus of reality
25.12.2004, 09:03   #5 (permalink)
CCamacho
Baby Mamber
Join Date: Dec 2004
Posts: 9
Re: spykids ownz your server -- help

Well, after a few hours... More info has been learned.

At first, I only found the changed files in /templates

Then I found them in all directories with index.html

Then, by pointing things out to my system admin (hosting co), we were able to find more cases of bad index.html.

So, now we are confident to say that users with PhpBB on the same server caused this mess. Seems as though many of them did not patch their forums. Ahhh!!!!! To think I thought it was me...and Mambo... errrrrr!!!

Sorry for the false alarm!

Cheers,

Carlos
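An added example (not part of any post in this thread): a shell audit for the two things the thread turns on, paths left world-writable by the quoted `chmod -R 707` instructions and index files carrying the defacement text. The function names, the `mytpl` template name and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Mambo docroot on a shared Linux host.
# Function names and the sample tree are constructed for illustration.

# Files and directories writable by "other" (the last 7 in 707): any local
# account outside the owner and group, including a shared web-server user.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# index.php / index.html files under $1 whose content contains marker $2.
defaced_index_files() {
    find "$1" -type f \( -name 'index.php' -o -name 'index.html' \) \
        -exec grep -l -i -F -e "$2" {} + | sort
}

# Build a small constructed tree: a clean site root plus a templates/
# directory set up the way the quoted install instructions describe.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/templates/mytpl" "$root/images"
    printf '<?php /* front controller */ ?>\n' > "$root/index.php"
    printf '<html></html>\n' > "$root/images/index.html"
    printf 'spykids ownz your server\n' > "$root/templates/mytpl/index.php"
    printf 'spykids ownz your server\n' > "$root/templates/mytpl/index.html"
    chmod 755 "$root" "$root/images"
    chmod 644 "$root/index.php" "$root/images/index.html"
    chmod -R 707 "$root/templates"   # same mode as the quoted instructions
    printf '%s\n' "$root"
}

# Demo run on the constructed tree.
demo_root=$(make_sample_tree)
echo "World-writable paths:"
world_writable "$demo_root"
echo "Index files containing the defacement text:"
defaced_index_files "$demo_root" "spykids ownz your server"
```

Pointed at a real docroot, a hit from `defaced_index_files` that sits inside a path listed by `world_writable` is a file that accounts other than the site owner were allowed to write.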
20.08.2005, 14:47   #6 (permalink)
alexpons
Baby Mamber
Join Date: Sep 2004
Location: Mallorca (Spain)
Posts: 7
Re: spykids ownz your server -- help

Hello Carlos, I have the same problem with spykids. The page I administrate (www.euroreptiles.com) has some index files changed. I could change them with the backup files, but I'm worried they can do it again.
So, did you find a solution to keep your Mambo sites free of this kind of attack?
Thanks
All times are GMT +2. The time now is 18:11.