Bugtraq mailing list archives

Re: [Full-disclosure] e107 latest download link is backdoored

From: Gregor Schneider <rc46fi () googlemail com>
Date: Wed, 27 Jan 2010 08:51:04 +0100

2010/1/26 Fernando Augusto <fernando () gamecreator com br>:

Fun stuff...

From here (Brazil) neither me nor anyone I asked, even through different
carriers, are getting this kind of data while looking at
http://e107.org/news.php.... I am not someone that talks here, but I believe
that it should be looked with more care. I use Sophos here (up to date) and
no warning was sent, so it gave me something to wander...


well, well,

the link you provided above now gives a 404.

if you go to e107.org, you'll find the following message:

========= [ snip ] =========

 e107.org compromised

OK, here's what I know happened and what's been done:

* e107.org was hacked using the exact exploit we patched in .17, it
looks like we waited too long to fix e107.org. I have spent the past
day attempting to clean everything up and am relatively confident I've
cleaned it up, but you never know. If hacks persist, we'll have to
resort to more drastic measures.

* Yes, there was a zip file that was backdoored. This file was NOT the
officially released zip file and the source code was not compromised.
While the hackers had access to our server, they uploaded their own
version of the full zip file and re-pointed the download link to this
corrupt file. It was only the full install .zip file. If you upgraded
your version of e107 using files from the full install .zip file,
please download the one that is available from sourceforge and
re-upgrade.

* The current version (0.7.17) is safe (as far as I know) from further
attacks in this same manner, there will be a .18 release someday, but
there are no immediate plans for it's release.

* Yes .17 has a new favicon, this was a mistaken commit by one of the
devs and the current .17 package files have this file restored.

* When downloading e107 release files, please ensure they are coming
from sourceforge, we only release files from there. We have, in the
past, provided specific patch files from e107.org locally, but this
will stop. If you get a file from somewhere other than sourceforge,
don't trust it.

If anyone sees anything odd with their sites or with e107.org, or just
has specific question, please do not hesitate to contact me
personally. Please be patient, I will attempt to answer anything I
receive.
posted by McFly on Tuesday 26 January 2010 - 11:04:55
comments: 14

========= [ snap ] =========

besides, when in doubt wether a side was compromised or not, it's
useful having a look at the source-code... *cough*

cheers

gregor
-- 
just because your paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/
skype:rc46fi

Current thread:

e107 latest download link is backdoored Bogdan Calin (Jan 25)
- Re: e107 latest download link is backdoored Chris Travers (Jan 25)
- Re: e107 latest download link is backdoored Valery Marchuk (Jan 25)
- Re: e107 latest download link is backdoored Carsten Eilers (Jan 26)
  - Re: [Full-disclosure] e107 latest download link is backdoored David Sopas (Jan 26)
  - Re: [Full-disclosure] e107 latest download link is backdoored Gregor Schneider (Jan 26)
    - Re: [Full-disclosure] e107 latest download link is backdoored Fernando Augusto (Jan 26)
    - Re: [Full-disclosure] e107 latest download link is backdoored Gregor Schneider (Jan 27)
- <Possible follow-ups>
- Re: Re: e107 latest download link is backdoored track (Jan 26)