E107 sites under attack
Over the past couple of days a lot of e107-based sites (including e107.org) have been under attack from two angles:
1. Repeated accesses of contact.php. The objective of these attacks was to compromise sites via a vulnerability which existed in older e107 versions.
This vulnerability is fixed (as far as we know) in 0.7.22 - so if you haven't already upgraded, do it yesterday!
If you already have 0.7.22 installed, the attack has nothing to exploit, but the flood of requests simply loads up the server and becomes a DDoS. It shouldn't be able to gain access to your site, but it will slow it down (or seize it up).
If you are running an earlier version of e107, the attackers will most likely have gained access and uploaded various files. These include a Perl script which does all sorts of nasty things. So upgrade your site, and check carefully for files you didn't put there (modification times that don't match your own uploads are a good tell) - delete any which shouldn't be there.
This thread lists the files one user found. File Inspector will also help here.
2. Repeated accesses of the file 'help_us.php' (which they expect to have been uploaded by the previous attack). On a clean site this triggers a 'page not found' error. By default that is the standard e107 error page, which starts up e107 and does some database access on every request, again slowing down the server. Thus this is also a DDoS attack. Note that if your access log ever shows help_us.php being served with a 200 status rather than a 404, the file exists on your server and you should assume the first attack succeeded.
In most cases (assuming you are running 0.7.22) your host is the best person to help with these attacks, by putting in server-level blocks on the relevant IP addresses. (There are a large number of addresses involved - most likely a botnet of some sort - so expect to be blocking a list rather than one or two hosts.)
There are a number of forum threads on this topic; things you can do to reduce the effect of the attacks (but not stop them) include:
1. If you're not using the contact form, delete contact.php.
2. If you are using the contact form, rename it to something the attackers can't guess, and update the link to it.
3. Put in a 'pure HTML' error page for '404' (page not found) errors, so the web server answers those requests itself without starting PHP or touching the database. On Apache this is an ErrorDocument directive in .htaccess pointing at a static HTML file.
While we believe that 0.7.22 blocked these attacks, we are aware of a few 0.7.22 sites that have been compromised. It seems likely that a different attack vector was used in these cases - most likely via a plugin. Or possibly via other means, such as a compromised FTP password. So please check your server logs (web access logs and FTP logs) to try and identify how access was gained.
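Whether you are compiling a block list for your host or going through the logs of a compromised site, the first step is the same: find out which addresses are hammering contact.php and help_us.php, and whether help_us.php was ever actually served. The script below is an added example written for this page, not code from the e107 project or the announcement. It assumes Apache "combined" log format; the log lines are constructed sample data, the threshold of 3 hits is a placeholder for the sample, and the `Deny from` output assumes an Apache 2.2-style .htaccess.

```python
"""Added example (not part of e107): tally attack traffic against contact.php and
help_us.php from Apache combined-format access logs, and emit deny rules."""
import re
from collections import Counter, defaultdict

# Apache "combined" log format. Only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)

# The two files the announcement says are being hammered.
ATTACK_FILES = {"contact.php", "help_us.php"}

# Constructed sample log lines (documentation IP ranges, not real attackers).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2009:12:00:01 +0000] "POST /contact.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Jul/2009:12:00:02 +0000] "POST /contact.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Jul/2009:12:00:03 +0000] "GET /help_us.php HTTP/1.1" 404 2210 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Jul/2009:12:00:09 +0000] "GET /help_us.php HTTP/1.1" 200 311 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Jul/2009:12:00:04 +0000] "GET /help_us.php HTTP/1.1" 404 2210 "-" "libwww-perl/5.8"
198.51.100.7 - - [10/Jul/2009:12:00:05 +0000] "GET /help_us.php HTTP/1.1" 404 2210 "-" "libwww-perl/5.8"
198.51.100.7 - - [10/Jul/2009:12:00:06 +0000] "GET /e107/help_us.php?x=1 HTTP/1.1" 404 2210 "-" "libwww-perl/5.8"
192.0.2.9 - - [10/Jul/2009:12:00:07 +0000] "GET /contact.php HTTP/1.1" 200 1532 "http://example.org/" "Mozilla/5.0"
192.0.2.9 - - [10/Jul/2009:12:00:08 +0000] "GET /news.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
garbage line that does not parse
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Strip the query string and directories so /e107/help_us.php?x=1 -> help_us.php.
    rec["file"] = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1]
    return rec


def tally(lines):
    """Count hits on the attack files per client IP: {ip: Counter({file: n})}."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["file"] in ATTACK_FILES:
            hits[rec["ip"]][rec["file"]] += 1
    return hits


def suspects(lines, threshold=3):
    """IPs with at least `threshold` hits on the attack files (threshold is a placeholder;
    pick one that a human filling in the contact form will never reach)."""
    return {ip for ip, c in tally(lines).items() if sum(c.values()) >= threshold}


def served_help_us(lines):
    """Records where help_us.php was actually served (2xx) instead of 404: the file exists,
    so the first-stage attack most likely succeeded on this server."""
    return [rec for rec in map(parse_line, lines)
            if rec and rec["file"] == "help_us.php" and 200 <= rec["status"] < 300]


def deny_rules(ips):
    """Apache 2.2-style .htaccess lines to hand to your host or drop into .htaccess."""
    return "\n".join(f"Deny from {ip}" for ip in sorted(ips))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, counts in sorted(tally(lines).items()):
        print(ip, dict(counts))
    print(deny_rules(suspects(lines)))
    for rec in served_help_us(lines):
        print("help_us.php SERVED to", rec["ip"], "at", rec["ts"], "- check for uploaded files")
```

Run it against your real log with `lines = open("access.log")` in place of the sample, and raise the threshold well above anything a genuine contact-form user produces. The 192.0.2.9 client in the sample (one contact.php hit plus normal browsing) is what a real user looks like and is correctly not listed. Any output from the last loop means help_us.php existed at some point, which is the strongest indicator in the log that you need to go hunting for uploaded files.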