PowWeb Forums - The Perfect Community for the Perfect Host  

Old 10-26-04, 03:26 PM   #1
Jade Dragon
 
Join Date: Sep 2002
Location: Eä, Realm of Arda, Land of Middle-earth.
Posts: 2,338
Reputation: 30
Postnuke Immediate Security Notice

Please note that the security breach is not PostNuke itself; it was a module that the official site uses to manage its downloads.

What happens is that upon install your database and user information is sent to the hacker's server. The hacker cannot access your database from a remote server - he would have to have an account at PowWeb to access PowWeb servers - which makes it quite unlikely that a hacker would take that risk.

Either way - If you have installed POSTNUKE over the weekend, take these steps IMMEDIATELY.

You will also need to change your database name, username and password for your database installation.

Please follow the remaining instructions found in the notice below.

Zip downloads from PostNuke's main site were affected by a hacker between the dates of Oct 24 and Oct 26. If you have downloaded the ZIP PostNuke files between those dates you must take immediate action to secure your site. This only affects the Zip archives and does not affect the Tar.gz downloads.

Referring Announcement


Quote:
Posted by: vworld on Tuesday, October 26, 2004 - 07:02 AM
We discovered last night that http://downloads.postnuke.com was the target of a malicious attack and files in the ZIP archive of PostNuke .750 were changed. Immediately upon discovering this all links to the downloads section were removed and on Tuesday the 26th at 8:30 GMT the original download package was restored.

Our investigations so far have revealed the attack was initiated on Sunday, 24.Oct, at 23:50 (11:50 PM) GMT. The attacker used an exploit in the download management software pafiledb to change the download address of PostNuke-0.750.zip to point to a compromised archive. We must stress this is a security compromise of pafiledb and has nothing to do with the PostNuke application.

Note, if you downloaded the tar.gz archive you are not affected, so you need do nothing; only those who downloaded the zip version were affected and must take immediate action as detailed below.

The changes made by the hackers were in two places. First, during the installation routine all data submitted (this includes the server, the database credentials, the admin name and password) is sent to a different server. Second, in one file there was code allowing a malicious user to execute any shell command on the web server.

As noted before, immediate action is required from everyone who downloaded the .zip package between Sunday (24.Oct) at 23:50 GMT until Tuesday (26.Oct) at 8:30 GMT.

Required Actions
1. Immediately remove the affected file /includes/pnAPI.php and replace it on your server with the original one (either from a fresh download or from http://cvs.postnuke.com/viewcvs.cgi/...viewcvs-markup)

2. Check the access-logs for any entry containing 'oops='. If you find any call please contact the PostNuke Security Team via http://forums.postnuke.com/index.php?module=vpContact providing the access log for further investigation.

3. Change your database details, username, password and if possible, database name.

Future Safety Precautions
In the future, to avoid downloading tampered files, please compare the MD5 checksums with an independent source to ensure legitimacy, such as http://www.post-nuke.net. For those unfamiliar with MD5, it is a check you can use to make sure the download has not been tampered with and can be trusted. In order to compute a checksum you need an MD5 utility; you can find a variety of tools (for Windows) here: http://lists.gpick.com/pages/Checksum_Tools.htm, and another favorite is the free and platform-independent open source project jacksum (http://www.jonelo.de/java/jacksum/). You can also find more information about this topic on Wikipedia at http://en.wikipedia.org/wiki/Md5

Finally, be assured we are working to find the hacker and will take any and all legal action when they are found.
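As an added example (not part of the original post and not PostNuke's own tooling), the two checks the notice asks for, in Python: step 2's scan of the web server access log for requests containing 'oops=', and the MD5 verification from the "Future Safety Precautions" section. The log lines and the checksum values are constructed samples, and the log format assumed is Apache combined format.

```python
import hashlib
import re

# Constructed sample access-log lines (Apache combined format, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Oct/2004:02:14:07 +0000] "GET /index.php HTTP/1.1" 200 5123
203.0.113.9 - - [25/Oct/2004:02:15:31 +0000] "GET /includes/pnAPI.php?oops=test HTTP/1.1" 200 88
198.51.100.7 - - [25/Oct/2004:03:01:12 +0000] "GET /modules.php?op=modload HTTP/1.1" 200 4410
198.51.100.7 - - [25/Oct/2004:03:02:40 +0000] "POST /install.php HTTP/1.1" 302 0
"""

# Capture client IP, timestamp and the request line, but only when the request
# line contains the indicator named in the advisory ('oops=').
OOPS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*oops=[^"]*)"')


def find_oops_requests(log_text):
    """Return (client_ip, timestamp, request_line) for each log line whose request contains 'oops='.

    Only the query string is visible in an access log, so this catches GET-style calls;
    anything carried in a POST body would need the full request to be captured."""
    hits = []
    for line in log_text.splitlines():
        m = OOPS_RE.match(line)
        if m:
            hits.append((m.group("ip"), m.group("ts"), m.group("req")))
    return hits


def md5_hex(data):
    """MD5 hex digest of an in-memory byte string."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=65536):
    """MD5 hex digest of a file, read in chunks so large archives do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_matches(actual_hex, published_hex):
    """True if the computed digest equals the one published by an independent source
    (case-insensitive); a mismatch means the archive is not the one that was published."""
    return actual_hex.strip().lower() == published_hex.strip().lower()


if __name__ == "__main__":
    for ip, ts, req in find_oops_requests(SAMPLE_LOG):
        print(f"suspicious request from {ip} at {ts}: {req}")
    # Compare a downloaded archive against a checksum taken from an independent site:
    # print(checksum_matches(md5_of_file("PostNuke-0.750.zip"), "<published md5>"))
```

Any hit from `find_oops_requests` is what the PostNuke Security Team asked to be sent along with the access log.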