is this the security problem(NOT A BUG)

somerfeld · July 10th, 2005, 12:10 PM

Quote:

PhotoPost 5.12 Security Update posted!

--------------------------------------------------------------------------------

==================
VERSION UPDATE: 5.12
==================

5.12 is a security update following a security audit by an independent third-party security company. Having checked virtually every line of code, the audit revealed some potentials for vulnerabilities which go back to the 4.8 release of PhotoPost. It is not our policy to detail these vulnerabilities as it can effect many users who are running older versions of the software and who need time to upgrade. Many of the issues were mitigated by the 5.11 release, but the 5.12 release is the official security update.

Anyone who is running a prior version of PhotoPost (especially anyone running 4.8 or later) is strongly encouraged to upgrade to 5.12.

If you are upgrading from 5.11, files changed from that version are:

/*.php (except config-inc.php, config-int.php, inc_features.php, inc_photopost.php, install.php and upgrade.php)

/templates/showgallery.tmpl

/forums/*.php (you only need your integration file)

languages/dutch.php (new language added)

You only need upload the updated scripts, there is no upgrade script required for this upgrade.

If you are upgrading from a version prior to 5.11, you will need to run the upgrade.php script and follow normal upgrade procedures.

is this what this is?

Quote:

Subject: your email spam?
Alex Status: Open - Sun Jul 10 - 8:15 AM
you guys sent me a email to take care of this? but how..? this is probably the same guy that was on my last server and you told me to get a new one to upgrade my software. I'll check my temp directory email programs and see if anything wired is going on. but your going to have to help me get ride of this person,.. I do not know how

This is a multi-part message in MIME format.
--------------030606000503070200030205
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit

From - Thu Jul 07 07:54:08 2005
X-Account-Key: account2
X-UIDL: ~g_!!5j]!!@6H"!oL("!
X-Mozilla-Status: 0001
X-Mozilla-Status2: 02000000
Return-Path: <SRS0+fEMy+11+server.djgateway.com=nobody@ciclope.unisys.com.br>
Delivered-To: rrbranco@unisys.com.br
Received: (qmail 11750 invoked from network); 7 Jul 2005 05:38:56 -0300
Received: from ciclope.unisys.com.br (200.220.64.26)
by unisys.com.br with SMTP; 7 Jul 2005 05:38:56 -0300
Received: from server.djgateway.com (unverified [69.50.194.12])
by ciclope.unisys.com.br (UNINet) with ESMTP id 8055850
for <rrbranco@unisys.com.br>; Thu, 07 Jul 2005 05:38:55 -0300
Return-Path: <nobody@server.djgateway.com>
Received: from nobody by server.djgateway.com with local (Exim 4.51)
id 1DqRuE-0005y3-9T
for rrbranco@unisys.com.br; Thu, 07 Jul 2005 01:38:50 -0700
To: rrbranco@unisys.com.br
Subject: [spam] Atualize seu Msn com as novas novidades! divirta -se FROM:msn@msn.com.br
content-type: text/html
X-priority: 1
Message-Id: <E1DqRuE-0005y3-9T@server.djgateway.com>
Date: Thu, 07 Jul 2005 01:38:50 -0700
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.djgateway.com
X-AntiAbuse: Original Domain - unisys.com.br
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - server.djgateway.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-SpamDetect: *****: 5.261000 High tags-to-text ratio=1.8,tenplus images=0.2,'Content-Type' found without required MIME headers=1.1,From: does not include a real name=0.3,Gifs in urls=0.8,Jpegs in urls=1.0
X-IP-stats: Incoming Last 0, First 6, in=23, out=0, spam=0
X-External-IP: 69.50.194.12
X-UIDL: ~g_!!5j]!!@6H"!oL("!
X-Text-Classification: spam

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Microsoft MSN MESSENGER PATCH PLUS. Download exclusivo para usuários registrados.</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style type="text/css">

</style>
<script language="JavaScript" type="text/JavaScript">


</script>
</head>

<body onLoad="MM_preloadImages('file:///C|/Documents%20and%20Settings/TEMP/Desktop/engenhary/images/imageover_11.jpg')">
<TABLE
style="BORDER-RIGHT: #d6d5d5 1px solid; BORDER-TOP: #d6d5d5 1px solid; BORDER-LEFT: #d6d5d5 1px solid; BORDER-BOTTOM: #d6d5d5 1px solid"
cellSpacing=0 cellPadding=0 width=419 align=center bgColor=#ffffff border=0>
<TBODY>
<TR>
<TD width="417">
<IMG height=251 alt=""
src="http://www.finta159753.oi.com.br/msn_plus.jpg"
width=417></TD>
</TR>
<TR>
<TD><div align="center">Microsoft MSN Messenger acaba de lançar um patch o MSN PATCH PLUS, que proporciona a você mais recursos exclusivos antes postos no msn com o uso de diversos ADDONS. 

<a href="http://msnpatchplus.miscrosoft.org">
<img src="http://www.finta159753.oi.com.br/down.jpg" width="116" height="39" border="0" class="style11"></a></div></TD>
</TR>
<TR>
<TD class=textarea>
<DIV class=MainText align=center>
<div align="left"> <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Visão Geral do MSN. </div>
</DIV></TD>
</TR>
<TR>
<TD class=textarea>Converse online, em tempo real, com amigos, parentes e colegas. É mais rápido do que enviar e-mail, mais discreto do que um telefonema e, o melhor de tudo, é de graça! 
 
O MSN Messenger é mais do que apenas texto: é uma ótima maneira de colaborar com os colegas ou manter-se em contato com a família e os amigos. Os recursos de personalização o ajudam a personalizar seus bate-papos e tornar suas conexões ainda mais significativas.</TD>
</TR>
<TR>
<TD class=textarea> <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Recursos exclusivos do PATCH MSN </TD>
</TR>
<TR>
<TD class=textarea>Sempre inovando nos serviços a Equipe de suporte MSN lança para voce usuário MSN um patch chamado MSN PATCH PLUS, que traz diversos recursos em 1 só patch sem a necessidade da instalações de diversos addons, o MSN PATCH PLUS é autamente configuravél você após instalar terá este recursos em seu msn messenger: 
 
<img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Adição de 300 contatos. a sua lista de contatos. 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Avatares Grandes. 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Gravar as videoconferencias. 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Verificador de blocks. (ver quem bloqueou você.) 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Poligamia (Várias sessões abertas ao mesmo tempo). 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Roubar emoticons e avatares. 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Nick com cores. 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Criação de Winks. 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Transparência. 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Gerenciador de download para pacotes temáticos. 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Gerenciar de grupos para compartilhamento de arquivos. 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Gerenciamento de historico de logs 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Criador de emoticons </TD>
</TR>
<TR>
<TD class=textarea><div align="center">
 
Logo após a instalação do seu MSN PATCH PLUS será criado um arquivo contendo tutoriais de como usar o PATCH PLUS. 
<a href="http://msnpatchplus.miscrosoft.org">
<img src="http://www.finta159753.oi.com.br/down.jpg" width="143" height="47" border="0" class="style11"></a> 
</div></TD>
</TR>
<TR>
<TD class=textarea><table width="416" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><div align="center"></div></td>
</tr>
</table>
<img src="http://www.finta159753.oi.com.br/micro.jpg" width="417" height="34"></TD>
</TR>
</TBODY>

</TABLE>
</body>
</html>

--------------030606000503070200030205
Content-Type: message/rfc822;
name="[spam] Atualize seu Msn com as novas novidades! divirta -se"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline;
filename="[spam] Atualize seu Msn com as novas novidades! divirta -se"

X-Account-Key: account2
Return-Path: <SRS0+fEMy+11+server.djgateway.com=nobody@ciclope.unisys.com.br>
Delivered-To: rrbranco@unisys.com.br
Received: (qmail 11750 invoked from network); 7 Jul 2005 05:38:56 -0300
Received: from ciclope.unisys.com.br (200.220.64.26)
by unisys.com.br with SMTP; 7 Jul 2005 05:38:56 -0300
Received: from server.djgateway.com (unverified [69.50.194.12])
by ciclope.unisys.com.br (UNINet) with ESMTP id 8055850
for <rrbranco@unisys.com.br>; Thu, 07 Jul 2005 05:38:55 -0300
Return-Path: <nobody@server.djgateway.com>
Received: from nobody by server.djgateway.com with local (Exim 4.51)
id 1DqRuE-0005y3-9T
for rrbranco@unisys.com.br; Thu, 07 Jul 2005 01:38:50 -0700
To: rrbranco@unisys.com.br
Subject: [spam] Atualize seu Msn com as novas novidades! divirta -se
FROM: msn@msn.com.br
content-type: text/html
X-priority: 1
Message-Id: <E1DqRuE-0005y3-9T@server.djgateway.com>
Date: Thu, 07 Jul 2005 01:38:50 -0700
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.djgateway.com
X-AntiAbuse: Original Domain - unisys.com.br
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - server.djgateway.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-SpamDetect: *****: 5.261000 High tags-to-text ratio=1.8,tenplus images=0.2,'Content-Type' found without required MIME headers=1.1,From: does not include a real name=0.3,Gifs in urls=0.8,Jpegs in urls=1.0
X-IP-stats: Incoming Last 0, First 6, in=23, out=0, spam=0
X-External-IP: 69.50.194.12
X-Text-Classification: spam

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Microsoft MSN MESSENGER PATCH PLUS. Download exclusivo para usuários registrados.</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style type="text/css">

</style>
<script language="JavaScript" type="text/JavaScript">
 </script> </head>

<body onLoad="MM_preloadImages('file:///C|/Documents%20and%20Settings/TEMP/Desktop/engenhary/images/imageover_11.jpg')">
<TABLE
style="BORDER-RIGHT: #d6d5d5 1px solid; BORDER-TOP: #d6d5d5 1px solid; BORDER-LEFT: #d6d5d5 1px solid; BORDER-BOTTOM: #d6d5d5 1px solid"
cellSpacing=0 cellPadding=0 width=419 align=center bgColor=#ffffff border=0>
<TBODY>
<TR>
<TD width="417">
<IMG height=251 alt=""
src="http://www.finta159753.oi.com.br/msn_plus.jpg"
width=417></TD>
</TR>
<TR>
<TD><div align="center">Microsoft MSN Messenger acaba de lançar um patch o MSN PATCH PLUS, que proporciona a você mais recursos exclusivos antes postos no msn com o uso de diversos ADDONS. 

<a href="http://msnpatchplus.miscrosoft.org">
<img src="http://www.finta159753.oi.com.br/down.jpg" width="116" height="39" border="0" class="style11"></a></div></TD>
</TR>
<TR>
<TD class=textarea>
<DIV class=MainText align=center>
<div align="left"> <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Visão Geral do MSN. </div>
</DIV></TD>
</TR>
<TR>
<TD class=textarea>Converse online, em tempo real, com amigos, parentes e colegas. É mais rápido do que enviar e-mail, mais discreto do que um telefonema e, o melhor de tudo, é de graça! 
 
O MSN Messenger é mais do que apenas texto: é uma ótima maneira de colaborar com os colegas ou manter-se em contato com a família e os amigos. Os recursos de personalização o ajudam a personalizar seus bate-papos e tornar suas conexões ainda mais significativas.</TD>
</TR>
<TR>
<TD class=textarea> <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Recursos exclusivos do PATCH MSN </TD>
</TR>
<TR>
<TD class=textarea>Sempre inovando nos serviços a Equipe de suporte MSN lança para voce usuário MSN um patch chamado MSN PATCH PLUS, que traz diversos recursos em 1 só patch sem a necessidade da instalações de diversos addons, o MSN PATCH PLUS é autamente configuravél você após instalar terá este recursos em seu msn messenger: 
 
<img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Adição de 300 contatos. a sua lista de contatos. 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Avatares Grandes. 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Gravar as videoconferencias. 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Verificador de blocks. (ver quem bloqueou você.) 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Poligamia (Várias sessões abertas ao mesmo tempo). 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Roubar emoticons e avatares. 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Nick com cores. 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Criação de Winks. 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Transparência. 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Gerenciador de download para pacotes temáticos. 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Gerenciar de grupos para compartilhamento de arquivos. 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Gerenciamento de historico de logs 
 <img src="http://www.finta159753.oi.com.br/bullet.gif" width="5" height="5"> Criador de emoticons </TD>
</TR>
<TR>
<TD class=textarea><div align="center">
 
Logo após a instalação do seu MSN PATCH PLUS será criado um arquivo contendo tutoriais de como usar o PATCH PLUS. 
<a href="http://msnpatchplus.miscrosoft.org">
<img src="http://www.finta159753.oi.com.br/down.jpg" width="143" height="47" border="0" class="style11"></a> 
</div></TD>
</TR>
<TR>
<TD class=textarea><table width="416" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><div align="center"></div></td>
</tr>
</table>
<img src="http://www.finta159753.oi.com.br/micro.jpg" width="417" height="34"></TD>
</TR>
</TBODY>
</TABLE>
</body>
</html>

--------------030606000503070200030205--

Carmen
Level 1 Tech

Status: Tech Updated - Sun Jul 10 - 8:18 AM
Hi Alex,

We are going through the mail. We shall update you with our findings.

regards,
Atjeu

Alex Sommerfeld Status: Client Updated - Sun Jul 10 - 8:20 AM
This is the same guy as last time I do not know how to stop him

My email queue has

Exim Mail Queue

Main >> Email >> Manage Mail Queue
Delete all messages in Queue | Attempt to Deliver all messages in Queue
Loading.....
There are currently 67961 messages in the mail queue.

He is running scripts on my site again

You told me a new server would help get rid of this person... but he is still on what do I do now?

Alex Sommerfeld Status: Client Updated - Sun Jul 10 - 8:22 AM
I just delete my queue cpanel had a option for it but i assume it will re load with a script this guy is running shortly

I'm going to check my temp directory now

Alex Sommerfeld Status: Client Updated - Sun Jul 10 - 8:32 AM
top - 08:32:01 up 32 days, 9:50, 2 users, load average: 4.17, 4.05, 3.46
Tasks: 126 total, 5 running, 115 sleeping, 4 stopped, 2 zombie
Cpu(s): 21.7% us, 78.3% sy, 0.0% ni, 0.0% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 1027736k total, 879112k used, 148624k free, 182728k buffers
Swap: 2048276k total, 142404k used, 1905872k free, 243444k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
16117 nobody 25 0 1604 600 520 R 27.6 0.1 1410:20 bot
13818 nobody 25 0 1604 600 520 R 26.6 0.1 1410:20 bot
30448 mailnull 17 0 9688 2192 1272 R 9.0 0.2 0:00.27 exim
29944 mailnull 16 0 10496 3140 1264 S 5.7 0.3 0:02.46 exim
22574 root 15 0 8596 2324 1808 S 2.7 0.2 0:00.92 sshd
7089 mailnull 17 0 8056 1180 576 S 2.0 0.1 2:38.72 eximstats
12744 root 25 0 18708 16m 8040 S 1.0 1.7 0:10.73 whostmgr2
12745 mailnull 16 0 9632 3660 1260 S 0.3 0.4 0:01.82 exim
1 root 16 0 3012 412 384 S 0.0 0.0 1:07.48 init
2 root 34 19 0 0 0 S 0.0 0.0 0:04.02 ksoftirqd/0
3 root 5 -10 0 0 0 S 0.0 0.0 0:00.01 events/0
4 root 6 -10 0 0 0 S 0.0 0.0 0:00.00 khelper
5 root 15 -10 0 0 0 S 0.0 0.0 0:00.00 kacpid
22 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 kblockd/0
35 root 12 -10 0 0 0 S 0.0 0.0 0:00.00 aio/0
23 root 15 0 0 0 0 S 0.0 0.0 0:00.00 khubd
34 root 16 0 0 0 0 S 0.0 0.0 3:02.92 kswapd0

Carmen
Level 1 Tech

Status: Tech Updated - Sun Jul 10 - 8:33 AM
Hi Alex,

We found few ips on the mail and it has been blocked from the server now. We are also checking for any loop holes on the server. You can add eximmailtrap and webspam from the whm to deny the spamming from the scripts hosted on your server and also from the nobody user. I'm adding these files to /etc now. This could reduce the amount of spam mails which you are getting as they are being sent from nobody user.

Regards,
Atjeu

Alex Sommerfeld Status: Client Updated - Sun Jul 10 - 8:33 AM
check root tmp didnt find anything but i noticed these which i think are causing the problem

16117 nobody 25 0 1604 600 520 R 27.6 0.1 1410:20 bot
13818 nobody 25 0 1604 600 520 R 26.6 0.1 1410:20 bot

Carmen
Level 1 Tech

Status: Tech Updated - Sun Jul 10 - 8:36 AM
Ř

Carmen
Level 1 Tech

Status: Tech Updated - Sun Jul 10 - 8:37 AM
Hi Alex,

The account djgatewa is having the scritp which is sending spam mails.

/home/djgatewa/public_html/v5/bin/gallery/templates/alternate/.j

Here is the proof for the two processes mentioned.

---------
HOSTNAME=server.djgateway.com^@TERM=xterm^@SHELL=/bin/bash^@HISTSIZE=1000^@SSH_CLIENT=::ffff:202.56.253.42 38054 22^@SSH_TTY=/dev/pts/1^@USER=root^@LS_COLORS=no=00:fi=00:di=01;34:ln=01;36

i=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01

r=40;31;01:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.avi=01;35:*.fli=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.ogg=01;35:*.mp3=01;35:*.wav=01;35:^@KDEDIR=/usr^@MAIL=/var/spool/mail/root^@PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin^@_=./bot^@INPUTRC=/etc/inputrc^@PWD=/home/djgatewa/public_html/v5/bin/gallery/templates/alternate/.j^@JAVA_HOME=/usr/local/jdk^@EDITOR=pico^@LANG=en_US.UTF-8^@SHLVL=3^@HOME=/root^@LS_OPTIONS=--color=tty -F -a -b -T 0^@LOGNAME=root^@VISUAL=pico^@CLASSPATH=.:/usr/local/jdk/lib/classes.zip^@SSH_CONNECTION=::ffff:202.56.253.42 38054 ::ffff:69.50.194.12 22^@LESSOPEN=|/usr/bin/lesspipe.sh %s^@RESTARTSRV=1^@DISPLAY=localhost:10.0^@G_BROKEN_FILENAMES=1^@

-------
HOSTNAME=server.djgateway.com^@SHELL=/bin/bash^@TERM=xterm^@HISTSIZE=1000^@SSH_CLIENT=::ffff:202.56.253.42 38054 22^@SSH_TTY=/dev/pts/1^@USER=root^@LS_COLORS=no=00:fi=00:di=01;34:ln=01;36

i=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01

r=40;31;01:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.avi=01;35:*.fli=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.ogg=01;35:*.mp3=01;35:*.wav=01;35:^@KDEDIR=/usr^@PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin^@MAIL=/var/spool/mail/root^@PWD=/home/djgatewa/public_html/v5/bin/gallery/templates/alternate/.j^@INPUTRC=/etc/inputrc^@JAVA_HOME=/usr/local/jdk^@EDITOR=pico^@LANG=en_US.UTF-8^@HOME=/root^@SHLVL=4^@LS_OPTIONS=--color=tty -F -a -b -T 0^@LOGNAME=root^@VISUAL=pico^@SSH_CONNECTION=::ffff:202.56.253.42 38054 ::ffff:69.50.194.12 22^@CLASSPATH=.:/usr/local/jdk/lib/classes.zip^@LESSOPEN=|/usr/bin/lesspipe.sh %s^@RESTARTSRV=1^@DISPLAY=localhost:10.0^@G_BROKEN_FILENAMES=1^@_=./bot^@

--------

Please suspend this account at the earliest.

Regards,
Atjeu

Alex Sommerfeld Status: Client Updated - Sun Jul 10 - 8:50 AM
looks like you just changed the permissions of the folder alternate
now i have to log in in root and delete them

can you fix what ever item this guy is taking advantage of? or can i pay someone to make this guy stop!

Carmen
Level 1 Tech

Status: Tech Updated - Sun Jul 10 - 8:51 AM
Hi Alex,
Some suspicious files found under

/home/djgatewa/public_html/v5/bin/gallery/templates/alternate

We have chmodded them to 000 and chowned to root.

And killed all the processes which were causing problems.

Take the required action on this account.

Regards,
Atjeu

Carmen
Level 1 Tech

Status: Tech Updated - Sun Jul 10 - 8:52 AM
Hi Alex,

You can remove the gallery of this customer and advise him not use that and if possible upgrade it to the new version as I think the current version is compromized.

Regards,
Atjeu

Chuck S · July 10th, 2005, 12:26 PM

I dont know what your asking?

I dont quite follow this long email.

5.12 is just the official announcement of code that was introduced and refined in 5.1 as we officially had our product security branded meaning that its one of a kind meaning it has been checked top to bottom for any security issues and we are AOKAY.

Its always best whatever version of any software your running to upgrade. Case in point. I had a customer not too long ago was running VB 3.03 and our latest 5.1. The hacker got into her VB and trashed her VB files and database yet could not gain entry to Photopost so I had to reinstall VB for her and was able to salvage her users table but pretty much the rest of her forum was toast. Now had she been running VB 3.07 would the hacker have been able to get in I dont think so but it goes to show if your running software that is known to have holes always upgrade. Dont put it off.

somerfeld · July 10th, 2005, 05:02 PM

is this the security problem ?

Chuck S · July 10th, 2005, 05:18 PM

Is what the security problem??

There are no security issues with our program and mail if thats what your asking as any mail issues would be server side not Photopost as all we use is the php mail string.

Second I notice this in your email

/home/djgatewa/public_html/v5/bin/gallery/templates/alternate/.j

we dont have a .j file