Technology ramblings of a pro breaker and fixer.

e107 Exploit – “rocknrollaaaa” information

Just a quick alert to the server admin community: there seems to be a new wave of exploits targeting the e107 CMS.

Our honeypots have detected a run-of-the-mill remote file / command injection specifically targeting the e107 contact.php file.

The remote exploit attacks a weak variable in the e107 CMS. Once injection is complete, it attempts to spawn a shell process (currently “rocknrollaaaa”), which makes a connection to an IRC channel to await directions.

Among the functions we discovered were a DDoS utility and a spam system.

This also seems to be affecting the latest 0.7.22 – the only fix at this point is to rename (or better yet delete) the contact.php file.

The server can be secured as a whole by not allowing the shell_exec or exec commands, although this may interfere with your customers' web options. IMO security is the way to go.
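A quick way to audit a host for the two mitigations above, as an added example that is not part of the original post. It assumes exec and shell_exec are blocked through PHP's `disable_functions` directive in php.ini; the function names and the paths you pass in are hypothetical and depend on your layout.

```shell
#!/bin/sh
# Added example: audit helpers for the mitigations named in the post.
# Function names here are illustrative, not from any existing tool.

# Print each of exec/shell_exec that is NOT listed in disable_functions
# in the given php.ini. Prints nothing when both are disabled.
missing_disabled() {
    ini="$1"
    # Skip ';' comment lines; if the key appears more than once,
    # use the last occurrence (assumption: the later line wins).
    list=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$ini" | tail -n 1)
    # Normalise the comma-separated value to one function name per line.
    names=$(printf '%s\n' "$list" | tr -d '" \t\r' | tr ',' '\n')
    for fn in exec shell_exec; do
        # -x: whole-line match, so pcntl_exec does not count as exec.
        printf '%s\n' "$names" | grep -qx "$fn" || echo "$fn"
    done
}

# List contact.php files still present under a web root
# (the post's fix is to rename or delete them).
exposed_contact_files() {
    find "$1" -type f -name 'contact.php' 2>/dev/null | sort
}

# Return 0 if a process matching the shell name from the post is running.
shell_process_running() {
    pgrep -f 'rocknrollaaaa' >/dev/null 2>&1
}

# audit <php.ini> <web root>: print one line per finding.
audit() {
    miss=$(missing_disabled "$1")
    [ -n "$miss" ] && echo "still callable from PHP:" $miss
    files=$(exposed_contact_files "$2")
    [ -n "$files" ] && echo "contact.php present:" $files
    shell_process_running && echo "process matching rocknrollaaaa is running"
    return 0
}
```

Run it as `audit /path/to/php.ini /path/to/webroot` on each host; the process name is only the one currently observed, so a clean result for that check does not rule out a renamed shell.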
