[Coco] Uploads section

Roger Taylor operator at coco3.com
Fri Nov 23 17:55:53 EST 2007


CoCo Tower wrote:
 > WAIT.  Ok, now the user "testing" appears to have
 > uploaded the PHP/C99shell.B backdoor script as
 > reported by Microsoft OneCare.  How in the heck do the
 > powers that be let this stuff happen?  The authors of
 > PHP and MySQL have got to get their stuff together.

 > I do hope that whoever this juvenile is gets caught. It's just
 > ridiculous. And I agree that the timing indicates a directed attack
 > with clear malicious intent.


Just for the record, I wasn't blaming whoever "Randy" is for 
personally doing anything wrong.

In fact, I didn't know who "Randy" was.  There's a "Greg" I have no 
idea about, either.  Well, "Greg" is now deleted, so it doesn't 
matter.  I haven't been following the DL Logo thread.

At the time, "Greg", "Randy", and "testing" were simply account names 
that floated right to the top of the last-accessed sorting that showed 
the same date/hour/minute/2-seconds apart for accessing 1) an evil 
script, 2) a CoCo logo file, vs. all other users' folders showing much 
later and spread apart access times.

Does this prove anything?  No.  But it had to be brought to 
attention.  Also, everyone should check their systems for spyware, 
things that just don't seem right anymore, and so forth.  I installed 
a 90-day free trial of MS OneCare, and it caught those bad scripts 
just by me VIEWING them as a text file!

It's possible that someone's system *could* be infected so that it 
uses open gateways of sorts to post into the forums that the user 
might be posting into at the time.  I have seen many times using the 
last coco3.com forum system how a regular user would post a message, 
then at the same time a SPAM would be posted right below it by an 
"unregistered user".

This screams of session ID hijacking by evil software running in the 
background of the infected computer.

I'm at fault for trusting an Uploads feature that may even have been 
developed by a hacker himself.  It's a drop-in module that has 
security features for disallowing certain filetypes, but we see now 
that it was bypassed or didn't ever work.

For those who get good use out of swapping files through the Uploads 
section, I apologize for having to shut it down for now.
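
The last-accessed comparison described in the message above can be scripted. The following is an added example, not part of the original post and not code from coco3.com: it groups files whose access times fall within 2 seconds of each other and reports only groups that span more than one account. The one-folder-per-account layout, the function names, and the sample accounts and file names are assumptions made for illustration.

```python
import os
from datetime import datetime, timedelta

def collect_atimes(uploads_root):
    """Yield (account, path, atime) for files under uploads_root/<account>/...
    Assumed layout: one folder per account. atime is only useful if the
    filesystem is not mounted noatime (relatime also updates it lazily)."""
    for account in sorted(os.listdir(uploads_root)):
        folder = os.path.join(uploads_root, account)
        if not os.path.isdir(folder):
            continue
        for dirpath, _dirs, files in os.walk(folder):
            for name in files:
                path = os.path.join(dirpath, name)
                yield account, path, datetime.fromtimestamp(os.stat(path).st_atime)

def find_access_clusters(records, window=timedelta(seconds=2), min_accounts=2):
    """Chain records whose access times are within `window` of the previous
    one; return only chains that touch at least `min_accounts` accounts."""
    ordered = sorted(records, key=lambda r: r[2])
    clusters, current = [], []
    for rec in ordered:
        if current and rec[2] - current[-1][2] > window:
            clusters.append(current)
            current = []
        current.append(rec)
    if current:
        clusters.append(current)
    return [c for c in clusters if len({r[0] for r in c}) >= min_accounts]

# Constructed sample data (hypothetical accounts and file names).
SAMPLE = [
    ("user_a", "user_a/notes.txt",  datetime(2007, 11, 23, 9, 14, 2)),
    ("user_b", "user_b/logo.gif",   datetime(2007, 11, 22, 3, 41, 10)),
    ("user_c", "user_c/script.php", datetime(2007, 11, 22, 3, 41, 12)),
    ("user_d", "user_d/logo2.gif",  datetime(2007, 11, 22, 3, 41, 13)),
    ("user_e", "user_e/disk.dsk",   datetime(2007, 11, 23, 16, 30, 45)),
]

if __name__ == "__main__":
    for cluster in find_access_clusters(SAMPLE):
        print("accesses within 2s of each other across accounts:")
        for account, path, atime in cluster:
            print(f"  {atime.isoformat()}  {account:8} {path}")
```

A cluster is a lead for reviewing the web server and upload logs for the same minute, not evidence against any account holder.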


