Web-JIVE
Everyone, heads up: install the latest security patch for Viart.
 
I have been running a race tonight with some bonehead hackers installing IRC bots and SOCKS proxies in one of my sites. The way they got in was via block_site_map.php to modify block_post.php to modify rss.php, which then wrote out index3.pl in the blocks directory.
 
Once that backdoor was in, they kept installing all kinds of nasty goodies. I kept finding them until I ran across the modified Viart files. I thought it was Joomla at first, but it wasn't.
 
If anyone wants them, I have all 3 modified files (and yes, my dir/file ownership permissions were tight and my environment is phpsuexec).
 
Regards,
Eric
Web-JIVE.com
 
Web-JIVE
Just found another file they had hacked: block_post.php.
 
DickS
Are you on 3.3.2 and have you installed the latest "block" update files (see post on the hotfix)?
 
@Viart: Does the issued hotfix pack address this issue too?
 
tony
Where is the link for this issue ("see post on the hotfix")? Unable to find the topic in the forum.
 
Would be nice to list HOT-FIX in the LATEST NEWS section menu by cart version.
 
tony
Found it...disregard my previous post.
 
Web-JIVE
Yes, I was on the latest build of Viart. The patch was put out after that. The file that was causing the hole has been patched.
 
Another thing I did to help with that is turn safe mode on! That keeps them from using PHP to execute system-level calls, which is another way they injected their code.
 
DickS
Also check your "Register Globals" setting in PHP!
 
Web-JIVE
Very true. I don't want to point out that if something like this does happen, it's usually to install IRC bots or Proxy bots, not to really steal anything other than your bandwidth. If these are dropped and your provider is running cPanel/WHM, it will alert them.
 
Good settings for your php.ini:
 
register_globals = Off
safe_mode = On
 
These two settings will help greatly. Safe mode stops any PHP system call activity, which is how they are able to push .pl and other files.
 
DickS
Yes, some hosters do not allow you to change php.ini and if you are on one of those you should set the above via the .htaccess in your root.
 
We are also always amazed at what extent hackers go to to find a hole on a server.
 
Web-JIVE
They are a voracious group and well organized. From what I can trace back, this hack was started slowly around Dec. 8th to keep things under the radar.
 
I have taken things a step further by putting in a BUNCH of mod_security rules, turning on PHP safe mode by default and using disable_functions to disable a lot of features unnecessary for my scripts. Overall, it's a super tight environment now that even I have challenges with, but it's better than things being too loose.
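As an added example (not code from the thread, from Viart or from Eric), here is a small POSIX shell sweep for the two signs described in the posts above: files changed after the date the intrusion started, and non-PHP files such as a .pl script dropped into a PHP directory. It runs against a constructed sample tree that mirrors the incident; the web root path and the baseline date are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example: post-incident sweep of a PHP web root. Not part of the original thread.

# List files under $1 modified after the timestamp $2 (format CCYYMMDDhhmm, as for touch -t).
changed_since() {
    webroot=$1; stamp=$2
    ref=$(mktemp)
    touch -t "$stamp" "$ref"            # reference file carrying the baseline mtime
    find "$webroot" -type f -newer "$ref" | sort
    rm -f "$ref"
}

# List files under $1 whose extensions have no business in a PHP shop's directories.
foreign_files() {
    find "$1" -type f \( -name '*.pl' -o -name '*.sh' -o -name '*.py' -o -name '*.cgi' \) | sort
}

# Build a constructed sample tree (hypothetical data, not a real Viart install).
make_sample() {
    root=$(mktemp -d)
    mkdir "$root/blocks"
    for f in index.php blocks/block_site_map.php blocks/block_post.php blocks/rss.php; do
        echo '<?php // placeholder' > "$root/$f"
        touch -t 200811010000 "$root/$f"      # mtime pre-dates the Dec. 8th baseline
    done
    echo '<?php // altered later' > "$root/blocks/block_post.php"   # mtime is now: flagged
    echo '#!/usr/bin/perl' > "$root/blocks/index3.pl"              # dropped script: flagged
    echo "$root"
}

# Run both checks over the sample tree; on a real host pass your web root and start date.
run_sweep() {
    root=$(make_sample)
    echo "== files changed after 2008-12-08 =="
    changed_since "$root" 200812080000
    echo "== non-PHP files in web root =="
    foreign_files "$root"
    rm -rf "$root"
}

run_sweep
```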