#1 |
Confirmed User
Join Date: May 2004
Location: New Jersey
Posts: 1,532
Recent hacks due to AGSQL?
Has anyone else experienced intrusions on their servers due to the recent AGSQL security issues?
__________________
Free Adult Blog Hosting http://www.waqn.com ![]() free porn www.mojohost.com - Best guys, best host. |
#2 |
8.8.8.8
Join Date: Mar 2006
Location: Noordermarkt
Posts: 30,509
Nope, but here's a bump for you.
__________________
TAEMDLRMSKRJIXMRLSMRJ. |
#3 |
Confirmed User
Join Date: Oct 2001
Location: Somewhere
Posts: 1,588
Two of my sites got hacked. jmbsoft are a bunch of retards; that's the last time I buy anything from them.
#4 |
Confirmed User
Join Date: May 2004
Location: New Jersey
Posts: 1,532
FreeFast,
Do you have ICQ so we can maybe compare what happened? I've got a situation I'm trying to patch up here and it'd help a great deal.
Thanks, JM
PS: Thanks for the bumps, madawgz.
#5 |
Confirmed User
Join Date: May 2006
Location: Never never land
Posts: 470
Anybody have specific details? We were recently hit hard by exploits in i-rater, the heap of crap rating script.
#6 |
♥♥♥ Likes Hugs ♥♥♥
Join Date: Nov 2001
Location: /home
Posts: 15,841
This should help you:
http://www.******************/index.php?showtopic=2530
http://bbs.adultwebmasterinfo.com/sh...pagenumber=1
__________________
I like pie. |
#7
Confirmed User
Join Date: May 2006
Location: Never never land
Posts: 470
Without specific info on what the exploit is, it's hard to protect yourself from it.
#8 |
Confirmed User
Join Date: May 2004
Location: New Jersey
Posts: 1,532
Welp, here's an example of what I saw on the box:
In /tmp, a script named 'x' was uploaded, as well as 'http', along with a directory named .ssh within /tmp. /tmp of course is set to noexec; however, if you provide the full path to the binary (example: /usr/bin/perl, /bin/sh, etc.), you can execute it from outside of /tmp. Had my provider call me alerting me of a 60 meg outgoing DDoS to some ISPs from the server in question. This sounding familiar to anyone else yet?
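A triage helper for the /tmp findings in the post above, added here as an example; it is not code from the post, from JMB or from AGSQL. It checks whether /tmp is really mounted noexec, lists the indicators the post names (a file x, a file http, a .ssh directory, plus anything carrying an exec bit), and shows why noexec alone did not stop the attacker: the kernel refuses to execute the dropped file directly, but nothing stops /usr/bin/perl or /bin/sh from reading it. The function names, their arguments and the sample /proc/mounts lines are assumptions.

```shell
#!/bin/sh
# Added example: triage for the /tmp indicators described in post #8.
# Not from the post or from JMB. Indicator names (x, http, .ssh) are the
# post's; the functions, arguments and report format are assumptions.

# tmp_mount_exec MOUNTS_FILE [MOUNTPOINT]
# MOUNTS_FILE is in /proc/mounts format: "dev mountpoint fstype options dump pass".
# Prints "noexec", "exec" or "not-a-mountpoint" for MOUNTPOINT (default /tmp).
tmp_mount_exec() {
    awk -v mp="${2:-/tmp}" '
        $2 == mp {
            found = 1
            if ($4 ~ /(^|,)noexec(,|$)/) print "noexec"; else print "exec"
        }
        END { if (!found) print "not-a-mountpoint" }
    ' "$1"
}

# tmp_iocs [DIR]
# Prints one line per indicator found in DIR (default /tmp) and returns 1 when
# anything turned up, so it can drive an alert from cron.
tmp_iocs() {
    dir=${1:-/tmp}; hits=0
    for name in x http .ssh; do
        path="$dir/$name"
        [ -e "$path" ] || continue
        hits=1
        if [ -d "$path" ]; then kind=dir; else kind=file; fi
        printf 'IOC %s %s\n' "$kind" "$path"
    done
    # Anything in DIR with an owner exec bit is worth a look too: an attacker
    # who could chmod +x will also have tried running it directly.
    exe=$(find "$dir" -maxdepth 1 -type f -perm -100 -print)
    if [ -n "$exe" ]; then
        hits=1
        printf '%s\n' "$exe" | while IFS= read -r f; do printf 'EXEC %s\n' "$f"; done
    fi
    [ "$hits" -eq 0 ]
}

# interpreter_bypass DIR
# The point the post makes: noexec (or, as the stand-in used here because a demo
# cannot remount, a missing exec bit) stops "./x" but not "sh ./x". What gets
# executed is the interpreter; the dropped file is only read.
interpreter_bypass() {
    script="$1/x"
    printf '%s\n' 'echo bypassed' > "$script"
    chmod 0644 "$script"
    direct=denied
    "$script" >/dev/null 2>&1 && direct=ran
    printf '%s %s\n' "$direct" "$(sh "$script")"
}
```

On a live box call `tmp_mount_exec /proc/mounts` and `tmp_iocs /tmp`. Treat a hit as a reason to preserve the box for analysis rather than just deleting the files: the DDoS tool is only the payload, and whatever dropped it (the thread later suspects the admin area or SSH) is still in place.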
#9 |
♥♥♥ Likes Hugs ♥♥♥
Join Date: Nov 2001
Location: /home
Posts: 15,841
I tried to help out someone who had been hit with this. JMB said that they had seen this several times and in each incident the "hacker" actually logged in to the admin area. If that was the case, I assumed that he had gained access to the .htpasswd file. I added the site owner's hostname to the .htaccess file so he would be the only one able to access the admin area, and so far the attack hasn't happened again.
That obviously doesn't do anything to prove who is responsible for the security issue, but it seems to have helped temporarily plug a hole. Time will tell.
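A check for the lockdown described above, added here as an example; it is not the poster's configuration or JMB's code. It reads an Apache 2.2-style .htaccess for the admin directory and reports (a) whether the Order/Deny/Allow lines actually restrict access to an address, since under the default `Order Deny,Allow` an Allow line without `Deny from all` admits everyone, (b) that a hostname in `Allow from` is matched by reverse-resolving the client on each request and is weaker than an address, and (c) whether the AuthUserFile the post suspected sits inside DocumentRoot or is world-readable. The arguments, the report wording and the sample .htaccess files used to exercise it are assumptions.

```shell
#!/bin/sh
# Added example: audit of the admin-area lockdown from post #9. Not code from
# the post or from JMB. Reads an Apache 2.2-style .htaccess and reports whether
# the admin directory is really pinned to a source address and whether the
# .htpasswd the post suspected is exposed. Wording and arguments are assumptions.

# is_ipv4 VALUE: true for a dotted quad, optionally with a /prefix length
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
}

# add_finding TEXT: append one report line (findings is a plain global in POSIX sh)
add_finding() {
    findings="${findings}$1
"
}

# audit_admin_acl HTACCESS DOCROOT
# Prints one finding per line, or "OK" when there are none; returns 1 on findings.
audit_admin_acl() {
    ht=$1; docroot=${2%/}
    order="deny,allow"      # Apache's default when no Order directive is given
    deny_all=0; allow_ip=0; findings=""

    while read -r directive rest; do
        case $directive in
            ''|\#*) continue ;;
            [Oo]rder) order=$(printf '%s' "$rest" | tr 'A-Z' 'a-z' | tr -d ' ') ;;
            [Dd]eny)  if [ "$rest" = "from all" ]; then deny_all=1; fi ;;
            [Aa]llow)
                for tok in ${rest#from }; do
                    if [ "$tok" = all ]; then
                        add_finding "Allow from all: the admin area is open to everyone"
                    elif is_ipv4 "$tok"; then
                        allow_ip=1
                    else
                        # Apache matches a hostname by reverse-resolving the client address
                        # on every request; it is only as trustworthy as the client's PTR record.
                        add_finding "Allow from $tok is a hostname, not an address; it rests on reverse DNS"
                    fi
                done ;;
            AuthUserFile)
                case $rest in
                    "$docroot"/*)
                        add_finding "AuthUserFile $rest is inside DocumentRoot; only the <FilesMatch \"^\\.ht\"> deny in httpd.conf keeps it from being served" ;;
                esac
                if [ ! -f "$rest" ]; then
                    add_finding "AuthUserFile $rest does not exist"
                elif [ -n "$(find "$rest" -perm -004)" ]; then
                    add_finding "AuthUserFile $rest is world-readable: any local user, or any script that gains code execution, can copy the hashes"
                fi ;;
        esac
    done < "$ht"

    # With Order Allow,Deny the default verdict is deny, so an Allow line suffices;
    # with Order Deny,Allow (the default) it is allow, so without "Deny from all"
    # the Allow line restricts nothing.
    locked=0
    case $order in
        allow,deny) if [ "$allow_ip" -eq 1 ]; then locked=1; fi ;;
        deny,allow) if [ "$deny_all" -eq 1 ] && [ "$allow_ip" -eq 1 ]; then locked=1; fi ;;
    esac
    if [ "$locked" -eq 0 ]; then
        add_finding "no effective source-address restriction (Order $order, Deny from all: $deny_all, Allow from <ip>: $allow_ip)"
    fi

    if [ -z "$findings" ]; then echo OK; return 0; fi
    printf '%s' "$findings"
    return 1
}
```

Run it as `audit_admin_acl /path/to/admin/.htaccess /path/to/docroot`. An address allowlist only narrows who can reach the login form; if the .htpasswd really was read, the password it protects is already known to the attacker and has to be changed, and the file is better moved outside the document root than left relying on the `.ht*` deny rule.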
#10 |
Confirmed User
Join Date: May 2004
Location: New Jersey
Posts: 1,532
babaganoosh,
Hmm, interesting. You know what I noticed, however, is that since I've firewalled SSH off (I generally do this, but not with this server, as per the client's request), the issues have stopped. But your current method of rectification, I will try. Thanks a lot. Appreciate it.
#11 |
Too lazy to set a custom title
Join Date: Sep 2005
Location: New York
Posts: 4,944
Well, it's happened sometime. I've got a situation I'm trying to patch up here.
#12 |
Confirmed User
Join Date: Jan 2002
Location: Montreal
Posts: 1,604
|
I am having the same issue on my server and have asked JMB for help, even offered to pay; so far nothing. Looks like I'll probably just change scripts if I don't hear back.
#13 |
Confirmed User
Join Date: May 2006
Location: Never never land
Posts: 470
It still sounds to me like people have problems that may not be specifically caused by the script and are looking for a scapegoat.
It's hard to protect yourself against a crap commercial script until after the event, as you presume people will code securely. However, there are 1001 ways to hack into a server outside of any vulnerability AGSQL may or may not have, and it still sounds like people could be blaming the script for their general lack of security. Insecure password files and SSH have been mentioned in this thread so far. If it is the script, I would love proper info on what the vulnerability is, but so far nobody seems to have any. From the very limited info available it seems quite possible that people are blaming the script for problems they have elsewhere.
#14 |
ICQ: 304-611-162
Join Date: Feb 2005
Location: Masterdam
Posts: 13,245
No, don't forget to upgrade....
#15 |
Registered User
Join Date: May 2005
Posts: 1
Looks like jmbsoft is putting their money where their mouth is. I just saw this on their forums:

There have recently been some claims that a security hole in AutoGallery SQL has been used by hackers to gain access to and compromise servers. We have done an extensive investigation, including examining a compromised site along with a complete code review, and have found no evidence that such a security hole exists. Site owners that have been hacked have also not been able to provide any evidence that shows a security hole. To put this issue to rest and to show that we are serious and confident in our product's security, we are now offering a $500 US dollar reward for anyone who can provide instructions for an AutoGallery SQL code exploit that can be reproduced. Details on the requirements for this reward can be found below. If you have any questions regarding this, you can send an e-mail message to [email protected].

1. The hack must be effective against a fresh installation of AutoGallery SQL version 3.5.0 or newer.
2. The hack must be effective against an unmodified installation. All AutoGallery SQL scripts must be the same that are provided with the standard distribution.
3. The hack must be an exploit of the AutoGallery SQL code. Exploits of webserver software (Apache), telnet, SSH or other programs will not be accepted. Successful hacks must show that the AutoGallery SQL code can be exploited to allow access to the compromised server or allow the user to access the AutoGallery SQL control panel without having prior knowledge of the username and password.
4. Hacks that simply utilize the AutoGallery SQL control panel to create files on a user's server will not be accepted unless they are accompanied by details on a code exploit that allowed them to access the AutoGallery SQL control panel without having prior knowledge of the username and password. It is known that files can be created through the control panel, and this is a software feature, not a security hole.
5. Successful hacks should be sent to [email protected] with complete instructions on how the hack was done so that it can be reproduced on a fresh installation of AutoGallery SQL. Upon confirmation of a successful hack, the amount of $500 US dollars will be transferred to the PayPal account of the individual who provides the complete instructions.
#16 |
Registered User
Join Date: Dec 2002
Posts: 3
|
Just want to update this information. We have increased the offer to $2000. Official information and any updates will be posted at our site. See /reward.html at jmbsoft.com.