GoFuckYourself.com - Adult Webmaster Forum


jerzeemedia 05-13-2006 10:58 AM

Recent hacks due to AGSQL?
 
Has anyone else experienced intrusions on their servers due to the recent AGSQL security issues?

madawgz 05-13-2006 01:32 PM

nope, but here's a bump for you

FreeFastHost 05-13-2006 01:42 PM

Two of my sites got hacked, jmbsoft are a bunch of retards, that's the last time I buy anything from them.

jerzeemedia 05-13-2006 02:27 PM

FreeFast,

Do you have ICQ so we can maybe compare what happened? I've got a situation I'm trying to patch up here and it'd help a great deal.

Thanks,

JM

PS: Thanks for the bumps madawgz

Big John 05-13-2006 03:23 PM

Anybody have specific details? We were recently hit hard by exploits in i-rater, the heap of crap rating script. :( Would hate to be hit again.

Babaganoosh 05-13-2006 03:28 PM

This should help you:

http://www.******************/index.php?showtopic=2530
http://bbs.adultwebmasterinfo.com/sh...pagenumber=1

Big John 05-13-2006 03:35 PM

Quote:

Originally Posted by Babaganoosh
This should help you:.....

Thanks - read both of those earlier but they say little. Only thing you can get from those threads is that it may be AGSQL causing it or the root cause may be something else.

Without specific info on what the exploit is it's hard to protect yourself from it :( From what I've read it may not be the case that every site running agsql is at risk.

jerzeemedia 05-13-2006 03:42 PM

Welp, here's an example of what I saw on the box:

In /tmp, a script named 'x' was uploaded, as well as 'http', along with a directory named .ssh within /tmp. /tmp of course is set to noexec, however, if you provide the full path to the binary (example: /usr/bin/perl /bin/sh etc), you can execute it from outside of /tmp. Had my provider call me alerting me of a 60 meg outgoing DDoS to some ISPs from the server in question. This sounding familiar to anyone else yet?
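Added example, not part of the original thread: a shell triage for the kind of artifacts described in the post above (a script and a binary dropped in /tmp, plus a hidden directory). Since a script passed to an interpreter still runs from a noexec mount, it classifies files by their first bytes rather than by mode bits; the function names and the allowlist of socket directories are assumptions made for this example.

```shell
#!/bin/sh
# Added example: triage a world-writable scratch directory for dropped payloads.
# noexec blocks direct execution of files on the mount, but "perl /tmp/x" only
# needs read access, so files are flagged by content, not by the execute bit.

# Return 0 if mount point $1 carries noexec in mounts table $2
# (default /proc/mounts; the second argument exists so it can be checked offline).
has_noexec() {
    awk -v mp="$1" '$2 == mp && $4 ~ /(^|,)noexec(,|$)/ { found = 1 }
                    END { exit !found }' "${2:-/proc/mounts}"
}

# Print one finding per line: HIDDEN_DIR, SCRIPT or ELF, followed by the path.
triage_dir() {
    dir=$1
    # Hidden directories (the post mentions /tmp/.ssh). The socket directories
    # normally present in /tmp are skipped; extend this allowlist as needed.
    find "$dir" -mindepth 1 -type d -name '.*' \
        ! -name '.X11-unix' ! -name '.ICE-unix' ! -name '.font-unix' \
        ! -name '.XIM-unix' ! -name '.Test-unix' -print 2>/dev/null |
        sort | sed 's/^/HIDDEN_DIR /'
    # Regular files: read the first four bytes as hex and classify.
    find "$dir" -type f -print 2>/dev/null | sort | while IFS= read -r path; do
        magic=$(od -An -tx1 -N4 "$path" 2>/dev/null | tr -d ' \n')
        case $magic in
            2321*)    echo "SCRIPT $path" ;;   # "#!" interpreter line
            7f454c46) echo "ELF $path" ;;      # compiled binary
        esac
    done
}

# Stand-alone use: ./triage.sh /tmp
if [ "$#" -gt 0 ]; then
    if has_noexec "$1"; then
        echo "NOTE $1 is mounted noexec; scripts can still be run via an interpreter"
    fi
    triage_dir "$1"
fi
```

Findings are leads for review, not verdicts: package managers and build tools also leave scripts in /tmp, so compare owner and timestamps against the web server's access log before removing anything.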

Babaganoosh 05-13-2006 03:48 PM

I tried to help out someone who had been hit with this. JMB said that they had seen this several times and in each incident the "hacker" actually logged in to the admin area. If that was the case, I assumed that he had gained access to the .htpasswd file. I added the site owner's hostname to the .htaccess file so he would be the only one able to access the admin area and so far the attack hasn't happened again.

That obviously doesn't do anything to prove who is responsible for the security issue but it seems to have helped temporarily plug a hole. Time will tell.

jerzeemedia 05-13-2006 04:07 PM

babaganoosh,

Hmm, interesting. You know what I noticed however, is since I've firewalled SSH out ( I generally do this, but not with this server as per client's request ), the issues have stopped. But, your current method of rectification, I will try. Thanks a lot. Appreciate it. :)

elitetec 05-13-2006 04:16 PM

well it's happened sometime, I've got a situation I'm trying to patch up here.

Terry 05-13-2006 04:18 PM

I am having the same issue on my server and have asked JMB for help.. even offered to pay... so far nothing. Looks like I'll probably just change scripts if I don't hear back.

Big John 05-13-2006 04:51 PM

It still sounds to me like people have problems that may not be specifically caused by the script and are looking for a scapegoat.

It's hard to protect yourself against a crap commercial script until after the event, as you presume people will code securely. However, there's 1001 ways to hack into a server outside of any vulnerability AGSQL may or may not have and it still sounds like people could be blaming the script for their general lack of security. Unsecure password files and SSH have been mentioned in this thread so far.

If it is the script I would love proper info on what the vulnerability is, but so far nobody seems to have any. From the very limited info available it seems quite possible that people are blaming the script for problems they have elsewhere.

VicD 05-13-2006 05:04 PM

No, don't forget to upgrade....

flothrager 05-14-2006 05:12 PM

looks like jmbsoft is putting their money where their mouth is. i just saw this on their forums:

There have recently been some claims that a security hole in AutoGallery SQL has been used by hackers to
gain access to and compromise servers. We have done an extensive investigation, including examining a compromised
site along with a complete code review, and have found no evidence that such a security hole exists. Site owners
that have been hacked have also not been able to provide any evidence that shows a security hole.

To put this issue to rest and to show that we are serious and confident in our product's security, we are now
offering a $500 US dollar reward for anyone who can provide instructions for an AutoGallery SQL code exploit that
can be reproduced. Details on the requirements for this reward can be found below. If you have any questions
regarding this, you can send an e-mail message to [email protected].

1. The hack must be effective against a fresh installation of AutoGallery SQL version 3.5.0 or newer.

2. The hack must be effective against an unmodified installation. All AutoGallery SQL scripts must be the same that
are provided with the standard distribution.

3. The hack must be an exploit of the AutoGallery SQL code. Exploits of webserver software (Apache), telnet, SSH or
other programs will not be accepted. Successful hacks must show that the AutoGallery SQL code can be exploited to
allow access to the compromised server or allow the user to access the AutoGallery SQL control panel without having
prior knowledge of the username and password.

4. Hacks that simply utilize the AutoGallery SQL control panel to create files on a user's server will not be
accepted unless they are accompanied by details on a code exploit that allowed them to access the AutoGallery SQL
control panel without having prior knowledge of the username and password. It is known that files can be created
through the control panel, and this is a software feature, not a security hole.

5. Successful hacks should be sent to [email protected] with complete instructions on how the hack was done so
that it can be reproduced on a fresh installation of AutoGallery SQL. Upon confirmation of a successful hack, the
amount of $500 US dollars will be transferred to the PayPal account of the individual who provides the complete
instructions.

JMB Software 05-15-2006 08:42 AM

Just want to update this information. We have increased the offer to $2000. Official information and any updates will be posted at our site. See /reward.html at jmbsoft.com.


All times are GMT -7. The time now is 10:18 PM.
