e107 Exploit – “rocknrollaaaa” information

Just a quick alert to the server admin community: there seems to be a new wave of exploits targeting the e107 CMS.

Our honeypots have detected a run-of-the-mill remote file / command injection specifically targeting the e107 contact.php file.

The remote exploit attacks a weak variable in the e107 CMS. Once injection is complete, it attempts to spawn a shell process (currently “rocknrollaaaa”), which makes a connection to an IRC channel to await directions.

Among the functions we discovered a DDoS utility and a spam system.

This also seems to be affecting the latest 0.7.22 – the only fix at this point is to rename (or better yet delete) the contact.php file.

The server can be secured as a whole by not allowing the shell_exec or exec commands, although this may interfere with your customers' web options. IMO security is the way to go.
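
An audit helper for the two mitigations above, added here as an example and not part of the original alert: it reports which of `exec` / `shell_exec` a given php.ini still allows (via PHP's `disable_functions` directive) and lists `contact.php` files that still sit in an e107 install. The php.ini path and web root are passed as arguments, and treating a directory containing `e107_config.php` as an e107 install is an assumption of this example.

```shell
#!/usr/bin/env bash
# Added example: audit a host for the two mitigations described in the post.

# Print each of exec / shell_exec that the php.ini in $1 does NOT disable.
missing_disabled() {
    ini="$1"
    # Last uncommented disable_functions line wins; strip inline ';' comments,
    # quotes and whitespace so the value becomes a plain comma-separated list.
    disabled=$(grep -Ei '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" \
        | tail -n 1 | cut -d= -f2- | cut -d';' -f1 | tr -d ' "\t\r')
    for fn in exec shell_exec; do
        case ",$disabled," in
            *",$fn,"*) ;;          # already disabled
            *) echo "$fn" ;;       # still callable from PHP
        esac
    done
}

# List contact.php files under web root $1 that belong to an e107 install.
# Assumption: an e107 install is a directory that contains e107_config.php.
find_e107_contact() {
    find "$1" -type f -name contact.php | while IFS= read -r f; do
        if [ -f "$(dirname "$f")/e107_config.php" ]; then
            echo "$f"
        fi
    done
}

# Usage: audit.sh /path/to/php.ini /path/to/webroot
if [ "$#" -ge 2 ]; then
    open=$(missing_disabled "$1")
    if [ -n "$open" ]; then
        echo "Not in disable_functions in $1:"
        echo "$open"
    fi
    hits=$(find_e107_contact "$2")
    if [ -n "$hits" ]; then
        echo "e107 contact.php still present (rename or delete):"
        echo "$hits"
    fi
fi
```

PHP pools or virtual hosts with their own ini files need to be checked separately, since each can carry a different `disable_functions` value.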
