Full Version: Site Banners hijacked
JLD
Sini, please reread Tim's post; that's not what he meant. He did not say Jut did this, the person you warned him about did.
sinimarttonen
Edited....*learning to read*
JLD
no prob things get heated and sometimes we read too quickly mistakes happen
mitgib
QUOTE (sinimarttonen @ Mar 27 2008, 07:35 PM) *
First...sorry to everyone, I had a very bad morning and got a little too much heat.



If there is a bug in cc that causes these please share it with us, you seem to know of such, so why don't you just show what it is instead of making accusations (that are inaccurate).

I have never seen Jutaky revenging anything to anyone (Have you?) or hurting anyone in any way for that matter, so what makes you think he would lower himself to that level now?


How can I? It's closed source software, so fly your broom in the other direction, unless you wish to turn over the source and let me fix it.

And as JLD pointed out, I didn't blame Jutaky of anything other than ignoring the problem and blaming the host instead. I blame the true-money guy that you brought to my attention as taking revenge out on me for canceling his server and not refunding his $100 that he had just paid for the next month.
sinimarttonen
QUOTE (mitgib @ Mar 28 2008, 01:51 AM) *
How can I? It's closed source software, so fly your broom in the other direction, unless you wish to turn over the source and let me fix it.


As a server admin you should be able to point us to the route in. Not at code level (that is not necessary), but the filename and the method of how it's used.
mitgib
QUOTE (sinimarttonen @ Mar 27 2008, 07:58 PM) *
As a server admin you should be able to point us to the route in. Not at code level (that is not necessary), but the filename and the method of how it's used.


Not my job to maintain your software
sinimarttonen
QUOTE (mitgib @ Mar 28 2008, 01:59 AM) *
Not my job to maintain your software


Of course it's not your job, but if you make accusations you should be able to show something that supports the accusation...which you are unable to do, because there is no such hole.
mitgib
Actually, I would point it out if I knew how they accessed it, but unlike you, I actually have customers so I don't have time to be crawling around helping your cause. Had you not taken the arrogance level you've taken, and the marketing tactic of stealing customers to grow as opposed to honest growth, some in the hosting industry might actually respect you.
sinimarttonen
So how do you actually know that there is one if you don't know anything about it?

...If you know there is a hole you can prove it...otherwise you do not know there is one.
mitgib
QUOTE (sinimarttonen @ Mar 27 2008, 08:07 PM) *
So how do you actually know that there is one if you don't know anything about it?

...If you know there is a hole you can prove it...otherwise you do not know there is one.


Whether I know there is a hole or not is not the point, I choose to refuse any useful interaction with you as to not disturb you while on your high horse, that is the point, and to return the favor and steal as many of your customers as possible.
wagdoll
Sini, did the hacker need a hole to do what they did? They've accessed the servers, different servers from different hosts. In geg07 they made changes to the banners in a particular way, and also inserted an email that was sent via the site inbox as well as via the mailserver (or was it only via the inbox?), in this one they've done the banners and it looks like in the same way as geg07.

Where do they do this, how do they do this, do they need a hole in CC to do it or is server access enough? I'm not asking you to tell me, but if you can see where and how it's done, then can't you tell whether or not a hole is needed and if it is, then roughly where to look for it?
sinimarttonen
QUOTE (wagdoll @ Mar 28 2008, 02:12 AM) *
Sini, did the hacker need a hole to do what they did? They've accessed the servers, different servers from different hosts. In geg07 they made changes to the banners in a particular way, and also inserted an email that was sent via the site inbox as well as via the mailserver (or was it only via the inbox?), in this one they've done the banners and it looks like in the same way as geg07.

Where do they do this, how do they do this, do they need a hole in CC to do it or is server access enough? I'm not asking you to tell me, but if you can see where and how it's done, then can't you tell whether or not a hole is needed and if it is, then roughly where to look for it?


Please IM as I can not comment that here.
Jutaky
Originally I thought that I would not reply to this thread as I did not have anything intelligent to add to it, but Wagdoll threw in quite a good post that I want to comment on.

QUOTE (wagdoll @ Mar 28 2008, 02:12 AM) *
Where do they do this, how do they do this, do they need a hole in CC to do it or is server access enough?

A hole in CashCrusader is not a requirement to alter data in the database; CashCrusader is only one "MySQL client" among others. The server and MySQL can be compromised in other ways too.

QUOTE (wagdoll @ Mar 28 2008, 02:12 AM) *
I'm not asking you to tell me, but if you can see where and how it's done, then can't you tell whether or not a hole is needed and if it is, then roughly where to look for it?

Servers gather huge amounts of log files and usually unauthorized accesses are visible in logs in some form or another.


Those of you who know me know that I am constantly peeking, tweaking, hacking and cracking CashCrusader. I take security very seriously, I am pro-active about security and I have fixed every hole/issue I have found. And I certainly do not close my eyes to this issue - security is my passion.

And some notes about exploits and CashCrusader in general.

A common way to insert into/edit databases from the script side (CashCrusader in this case) is to inject data via user forms with properly forged input. Then this input needs to go into MySQL unmodified. This is why a CashCrusader plugin can also be the issue, as they have input fields for users. But to make MySQL injection a bit harder in CashCrusader, PHP's mysql_query() does not support stacked queries, so in order for a cracker to totally define their own query it needs to be fed to MySQL via a different route than CashCrusader. Another common exploit method is to poison a variable and get it to run via eval() - but CashCrusader does not use the eval() function. Another way to get access to a server is uploading a remote shell using faulty software on the server; the cracker then gets a control panel and, depending on the environment, can do quite many things there.

Less than half of CashCrusader is encoded. Only the admin panel has been protected, so the sources of all publicly available forms and scripts are available. An extra pair of eyes is always welcome if someone thinks they can find a security flaw.
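An added illustration of Jutaky's point about stacked queries (this is example code, not CashCrusader's or the poster's; Python's sqlite3 stands in for PHP's mysql_query(), since both refuse to run more than one statement per call, and the rotating_ads columns used here are an assumption). It shows that the single-statement limit only stops an appended second query; input concatenated into the SQL text can still change what the one query does, and only binding the value as a parameter closes that off.

```python
"""Added example: a single-statement query API does not by itself prevent
SQL injection. Table layout and sample rows below are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table loosely modelled on a rotating_ads list
    (column names are an assumption, not CashCrusader's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE rotating_ads (id INTEGER PRIMARY KEY, site_url TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO rotating_ads (site_url, owner) VALUES (?, ?)",
        [("http://example-a.invalid", "alice"), ("http://example-b.invalid", "bob")],
    )
    conn.commit()
    return conn


def ads_for_owner_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """String concatenation: the form value becomes part of the SQL text,
    so a quote in the input changes the WHERE clause of this one statement."""
    sql = "SELECT site_url FROM rotating_ads WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def ads_for_owner_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Parameterized query: the form value is bound as data and is never
    parsed as SQL, whatever characters it contains."""
    return [
        row[0]
        for row in conn.execute(
            "SELECT site_url FROM rotating_ads WHERE owner = ?", (owner,)
        )
    ]


def stacked_query_rejected(conn: sqlite3.Connection, payload: str) -> bool:
    """True if the driver refuses a second statement appended after the
    first, which is the protection Jutaky describes for mysql_query().
    Older Pythons raise sqlite3.Warning here, newer ones ProgrammingError."""
    sql = "SELECT site_url FROM rotating_ads WHERE owner = '" + payload + "'"
    try:
        conn.execute(sql)
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:", ads_for_owner_vulnerable(db, "alice"))
    print("quote in input, vulnerable:", ads_for_owner_vulnerable(db, "' OR '1'='1"))
    print("quote in input, parameterized:", ads_for_owner_safe(db, "' OR '1'='1"))
    print("appended UPDATE rejected:",
          stacked_query_rejected(db, "x'; UPDATE rotating_ads SET site_url = 'x"))
```

The last call confirms the stacked-query refusal the thread relies on, and the second call shows why that refusal alone is not enough: the concatenated version returns every owner's rows, while the parameterized version returns none for the same input.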
wagdoll
Thanks, Jutaky. Most of that is too technical for me but I think I understand the point you're making lol.

No matter how patches and updates are released (not just on CC but things like apache, cpanel etc too) there always seems to be some vulnerability hackers will use to attack sites. I guess everyone just has to be aware that it might happen to them and try to keep everything updated and watch out for intrusions.
mitgib
QUOTE (Jutaky @ Mar 27 2008, 09:15 PM) *
Servers gather huge amounts of log files and usually unauthorized accesses are visible in logs in some form or another.


And unfortunately on very busy servers, these logs are set to rotate out quite frequently, hence I have no idea how anyone injected the code, as it was over 12 hours before it was brought to my attention. Sure I could block it with mod_security rules, and block half the site members in the process from all the trash that is run as a normal course of business in GPTland.

QUOTE
PHP's mysql_query() does not support stacked queries, so in order for a cracker to totally define their own query it needs to be fed to MySQL via a different route than CashCrusader.


Obviously it is a simple 1 line injection "UPDATE `rotating_ads` SET `site_url` = 'http://sometrash.com';"

QUOTE
Another way to get access to server is uploading remote shell using faulty software on the server and cracker can get a control panel and depending on environment, can do quite many things there.


And I run a cron daily on all the shared servers

0 0 * * * /usr/bin/find /home/*/public_html -type d -perm 777 | xargs /bin/chmod 755
15 0 * * * /bin/chmod 777 /home/*/public_html/scripts/mysql_restore
15 0 * * * /bin/chmod 777 /home/*/public_html/scripts/plugins/geoip_plg

QUOTE
An extra pair of eyes is always welcome if someone thinks they can find a security flaw.


There is a flaw, but we will have to wait till this punk strikes again. It was wrong of you to accuse my hosting, but it was proper to collect the data; what commonality did you find?

I've had root shell access on your servers, they are no different than mine for the most part, so if my hosting is to blame, yours would be just as susceptible. There are only minor cosmetic differences on how we compile apache and run mysql.
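An added example, not mitgib's cron job or any CashCrusader code, that takes the nightly "find -perm 777 | xargs chmod 755" idea a step further: instead of silently resetting permissions, it walks a web root, reports every directory that is writable by other users, and separates the two paths the cron job deliberately re-opens (scripts/mysql_restore and scripts/plugins/geoip_plg, taken from the post) from anything unexpected. The sample directory tree is constructed in a temp dir; the allow-list is relative to public_html.

```python
"""Added example: audit a web root for world-writable directories and report
the unexpected ones, rather than chmod-ing everything and losing the evidence
of which account keeps recreating them."""
import os
import stat
import tempfile

# The two paths the poster's cron job intentionally sets back to 777 each night.
ALLOWED_WRITABLE = ("scripts/mysql_restore", "scripts/plugins/geoip_plg")


def world_writable_dirs(root: str) -> list:
    """Sorted relative paths of directories under root whose other-write bit
    is set. This catches exactly-0777 dirs like `find -type d -perm 777` does,
    and also modes such as 0757 that an exact-match find would miss."""
    found = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & stat.S_IWOTH:
                found.append(os.path.relpath(full, root))
    return sorted(found)


def unexpected_world_writable(root: str, allowed=ALLOWED_WRITABLE) -> list:
    """World-writable directories that are not on the known-needed list;
    these are the ones worth looking at in the logs before resetting them."""
    return [p for p in world_writable_dirs(root) if p not in allowed]


def build_sample_tree() -> str:
    """Constructed sample public_html layout for the demo; every directory's
    mode is set explicitly so the result does not depend on the umask."""
    root = tempfile.mkdtemp(prefix="public_html_")
    for rel in ("scripts/mysql_restore", "scripts/plugins/geoip_plg", "uploads", "images"):
        os.makedirs(os.path.join(root, rel))
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            os.chmod(os.path.join(dirpath, name), 0o755)
    # The two legitimately writable paths plus one nobody asked for.
    for rel in ("scripts/mysql_restore", "scripts/plugins/geoip_plg", "uploads"):
        os.chmod(os.path.join(root, rel), 0o777)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    print("world-writable:", world_writable_dirs(sample))
    print("unexpected:", unexpected_world_writable(sample))
```

Run against a real /home/*/public_html the report rather than the chmod is what you would feed into a ticket or a log search, since the cron job as posted erases the only cheap indicator of where an uploaded shell might have landed.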
Jutaky
QUOTE (mitgib @ Mar 28 2008, 04:46 AM) *
Obviously it is a simple 1 line injection "UPDATE `rotating_ads` SET `site_url` = 'http://sometrash.com';"

Like I wrote above, the PHP MySQL function mysql_query() does not support stacked queries, so they can't add whole queries like that* via CashCrusader. If they could, the problem would be far more common due to the adstats2.php vulnerability, which allows MySQL injection when unpatched.

* http://dev.mysql.com/tech-resources/articl...ecurity-ch3.pdf First two pages

QUOTE (mitgib @ Mar 28 2008, 04:46 AM) *
There is a flaw, but we will have to wait til this punk strikes again, it was wrong of you to accuse my hosting, but it was proper to collect the data, but what commonality did you find?

Common to all reports concerning this new potential exploit was that they were hosted with you and that there were no unauthorized entries in the access_logs, so the CashCrusader admin panel was not compromised. Unfortunately very few gave complete answers to all questions and many ignored almost all questions.

QUOTE (mitgib @ Mar 28 2008, 04:46 AM) *
I've had root shell access on your servers, they are no different than mine for the most part, so if my hosting is to blame, yours would be just as susceptible. There are only minor cosmetic differences on how we compile apache and run mysql.


One difference can be all it takes - one root exploit and the whole server can be history. You have not had root access to our shared hosting servers.
mcf
QUOTE (Jutaky @ Mar 27 2008, 09:15 PM) *
Originally I thought that I would not reply to this thread as I did not have anything intelligent to add to it, but Wagdoll threw in quite a good post that I want to comment on.


A hole in CashCrusader is not a requirement to alter data in the database; CashCrusader is only one "MySQL client" among others. The server and MySQL can be compromised in other ways too.


Thank you for your explanation. This would imply to me that this hacker could attack many sites and servers, not just PTR sites and CashCrusader.