Posts: 4,392 | Threads: 63 | Joined: Nov 2008 | Reputation: 263
2014-11-17, 05:38 PM
(This post was last modified: 2014-11-17, 05:38 PM by frostschutz.)
This user has been denied support.
Quote: (they set it to 1803 so right now, unless people rebuild their cache, it won't update until 1804 gets released)
In that case you should crank it up, so it gets updated anyway.
Remove the condition of it only updating when newer in the next version so things can go back to normal...
I didn't know about this task, haven't had the time to update to 1.8 yet. I also log into the ACP only rarely, did so because of the announcements... With 1.8 it probably would have hit me too... careless.
Anyone who hasn't checked for this issue yet, should also disable JavaScript in their browser before checking, just in case...
Posts: 101 | Threads: 7 | Joined: Jan 2010 | Reputation: 3
2014-11-17, 05:38 PM
(This post was last modified: 2014-11-17, 05:45 PM by Maechlis.)
(2014-11-17, 05:31 PM)Darth Apple Wrote: You can delete /admin/modules/tools/backupdb.php just to be on the safe side. I've already done this on my forum.
I can do nothing already. Why, I can, but that would be to no avail.
Rather please add that recommendation to the blog post so that others don't share my fate.
From the malicious code I understand that not the entire database was being stolen, but only the "users" table. That's a bit better than the worst case scenario of stealing the whole database with all PMs etcetera.
(2014-11-17, 05:38 PM)Pirata Nervo Wrote: (2014-11-17, 05:23 PM)Maechlis Wrote: Then as I said above it makes sense to adopt your blog recommendation to that case. Because I think there are lots of people now who read the post, go to their ACP and have the malicious code executed, like I had it.
Perhaps they would better disable the admin panel backup first (by modifying the php code or something)!
I'm not sure I'm following you. I mention in the blog post to clear the cache entry. Are you suggesting that I suggest people to delete the backup module first?
Yes, exactly. I think it's pretty clear that perhaps the worst thing that can be done to a forum and its users is having its DB backup passed to malicious hands. So this should be prevented in the first place, regardless of the fact that the attacker may now change the script to something else.
(Maybe there's another way to combat the DB leakage besides deleting the backup module, I don't know).
Posts: 4,392 | Threads: 63 | Joined: Nov 2008 | Reputation: 263
This user has been denied support.
(2014-11-17, 05:38 PM)Maechlis Wrote: From the malicious code I understand that not the entire database was being stolen, but only the "users" table.
The only hope is that you didn't dally and went on right to whatever you wanted to do (settings, plugins, whatever) so the script didn't have time to execute the actual upload on the ACP home / version check. The log entry is created right away, there is no success indication for the attack itself...
The larger your number of members and the slower your internet connection, the higher your chances are that nothing terrible happened. Of course, you can't really count on it...
Posts: 101 | Threads: 7 | Joined: Jan 2010 | Reputation: 3
2014-11-17, 05:51 PM
(This post was last modified: 2014-11-17, 05:51 PM by Maechlis.)
Quote: The only hope is that you didn't dally and went on right to whatever you wanted to do (settings, plugins, whatever) so the script didn't have time to execute the actual upload on the ACP home / version check. The log entry is created right away, there is no success indication for the attack itself...
The larger your number of members and the slower your internet connection, the higher your chances are that nothing terrible happened. Of course, you can't really count on it...
Yes, I get your point. The code may have been modified at a later time to allow for the whole DB download, not just one table.
Unfortunately I have quite a few members and a 30 Mbps connection. Well, what's done is done.
Posts: 3,218 | Threads: 489 | Joined: Oct 2007 | Reputation: 26
running 1.6.15 on my BBO. my update_check shows this:
Array
(
    [dateline] => 1405227831
)
am I good to go?
Posts: 4,392 | Threads: 63 | Joined: Nov 2008 | Reputation: 263
This user has been denied support.
@Shemo: That's what it looks like after you already hit rebuild.
Posts: 3,218 | Threads: 489 | Joined: Oct 2007 | Reputation: 26
(2014-11-17, 06:41 PM)frostschutz Wrote: @Shemo: That's how it looks like after you already hit rebuild.
I haven't hit rebuild prior to me posting this.
Posts: 4,392 | Threads: 63 | Joined: Nov 2008 | Reputation: 263
This user has been denied support.
dateline seems to be Sun, 13 Jul 2014 05:03:51 GMT - so maybe you rebuilt caches around that date (see if your logs reach back that far) and never ran a version check since. in that case you're completely fine.
Posts: 3,218 | Threads: 489 | Joined: Oct 2007 | Reputation: 26
2014-11-17, 06:58 PM
(This post was last modified: 2014-11-17, 06:59 PM by andrewjs18. Edit Reason: typo)
(2014-11-17, 06:53 PM)frostschutz Wrote: dateline seems to be Sun, 13 Jul 2014 05:03:51 GMT - so maybe you rebuilt caches around that date (see if your logs reach back that far) and never ran a version check since. in that case you're completely fine.
my admin log reaches back almost a full year.
there's nothing in the admin log whatsoever from the 13th, and I don't see anything suspicious from the 13th to the present time.
should I rebuild the cache now, in my browser that has javascript disabled?
Posts: 4,241 | Threads: 113 | Joined: Jan 2006 | Reputation: 111
No, you are not affected at all.