Just a quick alert to the server admin community: there seems to be a new wave of exploits targeting the e107 CMS.
Our honeypots have detected a run-of-the-mill remote file / command injection specifically targeting the e107 contact.php file.
The remote exploit attacks a weak variable in the e107 CMS. Once injection is complete, it attempts to spawn a shell process (currently “rocknrollaaaa”), which connects to an IRC channel to await directions.
Among its functions we discovered a DDoS utility and a spam system.
This also seems to affect the latest version, 0.7.22 – the only fix at this point is to rename (or better yet delete) the contact.php file.
The server can be secured as a whole by not allowing the shell_exec or exec functions, although this may interfere with your customers' web options. IMO security is the way to go.
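
A small audit for the two mitigations above, as an added example that is not part of the original alert: it reports which of `exec` and `shell_exec` a given php.ini still leaves enabled, and lists `contact.php` files sitting in e107 install roots. The function names are hypothetical, and it assumes an e107 root is marked by an `e107_config.php` file and that the last `disable_functions` line in the file is the effective one.

```shell
#!/bin/sh
# Added example: audit a host for the two mitigations named in the alert.
# Function names are hypothetical; paths are supplied by the caller.

# missing_disabled FILE
# Print each of exec / shell_exec that FILE's disable_functions directive
# does NOT list. Empty output means both are disabled.
missing_disabled() {
    ini=$1
    # Take the last uncommented directive (assumption: last one wins),
    # drop any trailing ';' comment, then strip quotes and whitespace.
    list=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=//p' "$ini" \
        | tail -n 1 | sed 's/;.*//' | tr -d '" \t\r')
    for fn in exec shell_exec; do
        # Match whole comma-separated entries only, so that "shell_exec"
        # or "pcntl_exec" is never mistaken for "exec".
        case ",$list," in
            *",$fn,"*) ;;
            *) echo "$fn" ;;
        esac
    done
}

# find_contact_php ROOT
# List contact.php files located beside an e107_config.php
# (assumed marker of an e107 install root) anywhere under ROOT.
find_contact_php() {
    find "$1" -type f -name e107_config.php 2>/dev/null |
    while IFS= read -r cfg; do
        dir=$(dirname "$cfg")
        if [ -f "$dir/contact.php" ]; then
            echo "$dir/contact.php"
        fi
    done
}

# Direct use: sh audit.sh /path/to/php.ini /path/to/webroot
if [ $# -eq 2 ]; then
    missing_disabled "$1" | sed 's/^/still enabled: /'
    find_contact_php "$2" | sed 's/^/still present: /'
fi
```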