From: Jim Hu <ji...@ta...> - 2006-04-29 01:07:21
BTW, in case anyone is wondering: The site has been down for the past couple of weeks because our computer security people found the server on a bbs for script kiddies. This led us to discover that there was a process we didn't recognize sending a lot of outbound packets. Further investigation revealed three intrusions on the server... it's not clear if they were independent. These included a one-line backdoor in a calendars directory, another more complex one in a cache directory, and an IRC relayer in a wiki config directory that I should have deleted. The common feature is that they exploited places that were writeable that were also under mod_php. I don't think they came in through either phpicalendar or phpBB2. I've also been running a blogging package called Simplog (I'm on that dev team too), and there was an unsanitized include that was the exploit listed in four posts on the bbs. We might be paranoid, but it looked like the hackers got shell access, which means that the possibility of a rootkit is there. The first attempt to get back up failed a security scan in a way that confirmed paranoia - the scan found a vuln in something we a) never installed and b) could not find on the server's hard disk! The reinstall had wiped one but not both disks on the server. As I write this, I'm backing up everything to a new external drive in preparation for wiping everything on all disks. We'll be putting things back gradually, and the server has to pass the university's security scan before we can open port 80 through the firewall again. So... I hope we'll be back online next week... but that's what I thought last week.

Jim
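Added example (not part of the original post, and not Jim's or the Simplog project's code): a small scanner for the two patterns the message describes, PHP files dropped into directories that are writable but still executed by mod_php, and an include whose path comes straight from request input. It builds a throwaway web root with constructed sample files whose directory names loosely follow the ones mentioned above (calendars, cache, config); the file contents, the list of execution sinks and the "writable" test (group- or world-writable mode bits) are all assumptions of this example, not facts from the post.

```python
"""Hunt for PHP backdoors and unsanitized includes under a web root.

Constructed example. It builds a sample tree, then flags:
  * "backdoor": a code/command-execution sink fed from request superglobals,
  * "unsanitized include": include/require whose argument uses request input,
and records whether the file's directory is writable by group or others.
"""
import os
import re
import stat
import tempfile

PHP_EXTENSIONS = (".php", ".phtml", ".inc")

# Execution sinks (assumed list) and the request superglobals that commonly feed them.
SINK_RE = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I)
INPUT_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b|\$HTTP_(GET|POST)_VARS\b")
# include/require statement whose argument, up to the ';', mentions request input.
INCLUDE_RE = re.compile(r"\b(include|require)(_once)?\b[^;]*\$_(GET|POST|REQUEST|COOKIE)\b")


def dir_is_writable(path):
    """Group- or world-writable by mode bits, so the answer does not depend on the caller's uid."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def classify(text):
    """Return the finding kinds for one file's contents (whole-file match, so it can over-report)."""
    kinds = []
    if SINK_RE.search(text) and INPUT_RE.search(text):
        kinds.append("backdoor")
    if INCLUDE_RE.search(text):
        kinds.append("unsanitized include")
    return kinds


def scan(webroot):
    """Walk the web root and return findings, writable directories first."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        writable = dir_is_writable(dirpath)
        for name in filenames:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", errors="replace") as fh:
                text = fh.read()
            for kind in classify(text):
                findings.append({"path": os.path.relpath(full, webroot),
                                 "kind": kind, "writable_dir": writable})
    return sorted(findings, key=lambda f: (not f["writable_dir"], f["path"]))


def build_sample_webroot(root):
    """Constructed sample files; directory names only loosely mirror the post."""
    files = {
        # Benign: include path is a hard-coded literal plus basename().
        "index.php": "<?php\n$page = 'home';\ninclude 'pages/' . basename($page) . '.php';\n",
        # One-line backdoor dropped into a writable directory.
        "calendars/.cache.php": "<?php eval($_POST['c']); ?>",
        # More complex backdoor: decodes a request parameter and runs it.
        "cache/x.php": "<?php\n$f = $_GET['f'];\n$p = base64_decode($f);\npassthru($p);\n",
        # Unsanitized include: request input chooses the file.
        "config/footer.inc": "<?php include($_GET['page'] . '.php'); ?>",
        # Benign use of eval with no request input: must not be flagged.
        "lib/safe.php": "<?php\neval('return 1+1;');\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    for sub, mode in (("calendars", 0o777), ("cache", 0o777), ("config", 0o755), ("lib", 0o755)):
        os.chmod(os.path.join(root, sub), mode)


def run_demo():
    """Build the sample tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    build_sample_webroot(root)
    return scan(root)


if __name__ == "__main__":
    for f in run_demo():
        flag = "WRITABLE DIR" if f["writable_dir"] else "readonly dir"
        print(f"{f['kind']:20} {flag:13} {f['path']}")
```

On a real host you would point `scan()` at the document root and treat every hit in a writable directory as a priority; the regexes are deliberately simple and will miss obfuscated payloads, so they complement, rather than replace, checks against known-good file hashes and a list of unexpected listening or outbound-connecting processes.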