Simiens Crew


#1

This group hacked into the zuma server on Jan. 28/29. This same group has taken down phpbb.com as well as other websites. I was curious whether Dreamhost has identified how these hackers got into the server and whether the vulnerability has been addressed.


#2

See my other post, but it’s usually through a script on your site. Note that it’s unlikely that they “hacked” the server - more likely they just compromised an out of date script on your site and gained access to your user / your files.

Please read my notes on the other recent thread about this - it’s really important that you get (and read) our announcements, and also sign up for announcements from vendors of any third party software you use.


#3

It was my understanding that, after Dreamhost updated the version of php running on the server, as long as I am running the newest version of phpbb (2.0.11), the vulnerability would be eliminated. At the time my site was hacked, I did have the latest version of phpbb installed. I do not have awstats. Is there something else that is a known vulnerability?

p.s. I had assumed Zuma was hacked because all the other people affected on Jan. 28 seemed to be on that server.


#4

a note from Graham at phpbb…“Our system was compromised Sunday evening by a group of hackers/crackers who (based on available information apparently corroborated by said hackers/crackers) used an exploit in awstats to gain entry. I’ll repeat this very clearly since some people and worse some hosting providers are not listening to what is being said. Based on said information we do not believe, nor do we have any reason to believe, that our system was compromised due to any fault in phpBB 2.0.11.”

They had not updated their AWStats. It looks as if it had nothing to do with php or phpbb.

My question is…if someone on a shared server is using awstats, am I at risk on that same shared server?

As for your 2.0.11 phpbb, you may want to wait until phpbb is back up and running but read the ‘Anty-Santy’ thread. If my memory serves me (it’s early here) there were a few users, who, after upgrading to 2.0.11, had problems. This was due (my memory is bad) to them getting hacked prior to updating to 2.0.11, which left some vulnerabilities in the viewtopic.php and something else…


#5

Here is what I got from dh when I asked about this:

The hack was a combination of two exploits, both of which were pretty new.

First the attacker got local non-root access to the machine through a compromised awstats script (which we had announced about two days prior).

Gaining local non-root access isn’t all that big a deal in general (since anybody can get it if they pay us $10 a month).

However, there was a kernel exploit that had been discovered only a few hours earlier that allowed any local user to gain root access. We had to upgrade the kernels on a few hundred of our machines in a really big hurry (it was also complicated by the fact that there was not yet a current patch for the kernel version (2.4) that a majority of our machines were running).

The kernel problem is patched and we’re working with users to patch all exploitable scripts they may have installed.

Thanks!
Nathaniel