[XHP-users] XHP exploit in the wild
From: Laurentiu M. <lau...@ta...> - 2006-03-23 09:34:47
Bad news... it seems we have some attention. I have reports of an XHP exploit in the wild. I will detail below so you can protect yourselves.

The exploit is actually using a hole in the HTMLArea Filemanager plugin to write malicious files in the /filemanager directory. They first search Google for "Powered by XHP CMS" (consider removing that) to spot victims. Then they attack HTMLArea (which is included in XHP > v0.4), upload malicious files to the disk and use them to execute whatever the apache user has the right to execute.

You can see that you were attacked if you find in your /filemanager folder files like suntzu*.php.

Quick fix:
1. Remove the directory inc/htmlarea
2. Remove all files in the /filemanager directory (if you think you can see what are the malicious files and what are the files uploaded by you, you can delete only bad files).

This will of course leave XHP crippled. We are working on a new release to fix this issue. We expect to have it ready this week-end.

Lars
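
The checks described in the message above, collected into one shell function. This is an added example, not part of the original post or of the XHP project; the layout (inc/htmlarea and filemanager directly under the web root) and the extra check for any other .php file in the upload directory are assumptions.

```shell
#!/bin/sh
# Added example: audit one XHP web root for the conditions named in the message.
# Assumed layout: inc/htmlarea and filemanager sit directly under the web root.
# Usage: sh xhp_audit.sh /path/to/webroot   (exit status = number of findings)

xhp_audit() {
    root=$1
    findings=0
    fm="$root/filemanager"

    # The component being attacked is still installed.
    if [ -d "$root/inc/htmlarea" ]; then
        echo "[!] $root/inc/htmlarea still present (quick fix step 1 not applied)"
        findings=$((findings + 1))
    fi

    if [ -d "$fm" ]; then
        # File names matching the pattern reported in the message.
        hits=$(find "$fm" -type f -iname 'suntzu*.php')
        if [ -n "$hits" ]; then
            echo "[!] files matching suntzu*.php:"
            echo "$hits" | sed 's/^/      /'
            findings=$((findings + 1))
        fi

        # Assumption: no other PHP file belongs in the upload directory either,
        # so list them for manual review before deleting anything.
        other=$(find "$fm" -type f -iname '*.php' ! -iname 'suntzu*.php')
        if [ -n "$other" ]; then
            echo "[?] other PHP files in $fm, review by hand:"
            echo "$other" | sed 's/^/      /'
            findings=$((findings + 1))
        fi
    fi

    # The banner string the message says is used to locate sites.
    banner=$(grep -rlF 'Powered by XHP CMS' "$root" 2>/dev/null || true)
    if [ -n "$banner" ]; then
        echo "[i] banner text 'Powered by XHP CMS' found in:"
        echo "$banner" | sed 's/^/      /'
        findings=$((findings + 1))
    fi

    return "$findings"
}

if [ "$#" -gt 0 ]; then xhp_audit "$1"; fi
```

A file name match only shows where to look; copy anything listed aside with its timestamps before deleting, so the web server access logs can be correlated with the upload time.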