Author Topic: Server problems  (Read 115471 times)

DarkViper, Forum administrator
Server problems
« on: July 15, 2014, 08:05:09 PM »
As you may have encountered, we had some trouble with our server during the last days. Precisely, not with the server itself but with lots of PHP files on the homepage and also the forum which were infected with malicious code. Nearly everything was infected: core, modules, language files and templates. Because of this, lots of Apache instances were started, so there were no resources left for the webserver and database.

In the meantime (hopefully) the files are clean again and the server is up and running - but only for a short time, because I don't trust the server configuration any longer and will set up a brand new, clean installation on a replacement server. When the new server is ready, the old one will be completely erased, rebuilt from scratch and will then take over the system from the replacement server again.

I don't want to go too deep into detail about the attack. Actually, there were lots of different kinds of malicious code, each of which was encoded in different ways. So due to this, literally every single file had to be checked and cleaned manually. Often occurring keywords were (as usual) base64, str_rot13 and preg_replace (that one sometimes with the modifier /e). The main keys could not be searched for because they were built from many different variables and constants.

The 'good' news: The infection hit only files with executable PHP code. Most of the infected files were backdoors which allowed executing all kinds of PHP code on the server. Currently not all of the code could be analyzed yet.

Regarding forum passwords: Those of you who use a good, strong password are quite safe, because the passwords are stored as MD5 hashes in the database (and not as plain text). But if you are using a password which is already collected in a rainbow table, or an existing hash collides with a hash from one of the tables, there is the possibility that the offender _could_ have your password.

We strongly recommend to change your forum password, and, if you use it for any other website, change it there too.

The downloads are clean because they are permanently reviewed by one of my machines and immediately corrected if necessary.

The addon repository was not infected either, because it runs on another physical server.

The SVN was not infected either; it also runs on another server. The only place where errors could occur is Redmine, but only in that way that tickets, texts or something similar could have been modified in the database. Redmine itself is written in Ruby so it cannot be infected by PHP attacks.


(*Sorry for pidgin English, translation by instantflorian)
« Last Edit: February 26, 2016, 11:33:33 AM by DarkViper »
The blue planet - it is not our property - we have only borrowed it from our descendants

"You have to take the men as they are… but you can not leave them like that !" :-P
The daily quick prayer: Oh Lord, throw brains from heaven!
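The post above describes hunting for base64, str_rot13 and preg_replace with the /e modifier across every PHP file by hand, and notes that the main keys could not be searched for because they were assembled from variables. The following triage scanner is an added example (not the forum's own tooling) that scores PHP sources on exactly those indicators, catches the /e modifier by parsing the pattern delimiter rather than by plain keyword search, and flags variable function calls such as `$f($k)`; the sample files, the indicator weights and the threshold are all constructed for this example.

```python
import re

# Indicators named in the post (base64, str_rot13, preg_replace /e) plus two
# common companions of the same obfuscation style. Weights are this example's
# own heuristic, not a published scoring scheme.
INDICATORS = {
    "base64_decode": (re.compile(r"\bbase64_decode\s*\("), 2),
    "str_rot13": (re.compile(r"\bstr_rot13\s*\("), 2),
    "eval": (re.compile(r"\beval\s*\("), 3),
    "gzinflate": (re.compile(r"\bgzinflate\s*\("), 2),
    # A long bare base64 literal usually is the encoded payload itself.
    "long_base64_literal": (re.compile(r"['\"][A-Za-z0-9+/]{60,}={0,2}['\"]"), 2),
    # $f($x): function name assembled at runtime, invisible to keyword grep.
    "variable_function_call": (re.compile(r"\$\w+\s*\(\s*\$"), 1),
}

# preg_replace('<delim>pattern<delim><modifiers>', ...): capture the delimiter,
# the pattern and the trailing modifier letters so the 'e' flag can be checked.
PREG_E = re.compile(r"preg_replace\s*\(\s*(['\"])([^\w\s\\])(.*?)\2([A-Za-z]*)\1", re.S)


def scan_php(source: str) -> tuple[int, dict]:
    """Return (score, {indicator: count}) for one PHP source text."""
    hits, score = {}, 0
    for name, (rx, weight) in INDICATORS.items():
        n = len(rx.findall(source))
        if n:
            hits[name] = n
            score += weight * n
    e_calls = sum(1 for m in PREG_E.finditer(source) if "e" in m.group(4))
    if e_calls:
        hits["preg_replace_e"] = e_calls
        score += 3 * e_calls
    return score, hits


def triage(files: dict, threshold: int = 3) -> list:
    """Rank files whose score reaches the threshold, highest score first."""
    ranked = [(path, *scan_php(src)) for path, src in files.items()]
    return sorted((r for r in ranked if r[1] >= threshold), key=lambda r: -r[1])


# Constructed sample files: one benign, one carrying the obfuscation pattern.
CLEAN_SAMPLE = "<?php\n$name = htmlspecialchars($_GET['name'] ?? '');\necho \"Hello, $name\";\n"
INFECTED_SAMPLE = (
    "<?php\n$k = \"aGVsbG8=\";\n"
    "preg_replace(\"/.*/e\", str_rot13(\"riny(onfr64_qrpbqr($_CBFG['p']))\"), \"x\");\n"
    "$f = \"base64_decode\"; $f($k);\n"
)
SAMPLES = {"index.php": CLEAN_SAMPLE, "modules/foo.php": INFECTED_SAMPLE}
```

Run `triage(SAMPLES)` to get the ranked list; only `modules/foo.php` is reported, with the /e call, the str_rot13 call and the variable function call as its hits.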