ListMailPRO Email Marketing Software Forums

ListMailPRO Email Marketing Software Forums => General Help & How-To => Topic started by: RowdyRhodes on December 28, 2004, 01:40:06 pm

Title: NeverEverNoSanity WebWorm
Post by: RowdyRhodes on December 28, 2004, 01:40:06 pm
Hello Dean,

Is ListMailPro vulnerable at all to this new worm called NeverEverNoSanity WebWorm generation X?

It hit my site through a phpBB installation on another website that is located on the same server as us.

It appears that the way it accessed my site was not through phpBB [we don't use it], which is the norm. It came at us through our web hosting server's use of a PHP language version less than the latest.

If anyone is reading this, they should check to ensure their servers are running the latest versions of PHP, 4.3.10 and 5.0.3, and website managers should check for the latest version of phpBB. Both suppliers have a fix.

To check and see what version of php your host is running, create a .php file called info.php and place the following inside of it. Then upload it to your main directory and point your browser to it and go.

<?PHP

phpinfo();

?>

That will give you a bunch of info about your server.
To check versions of phpBB, I can't tell you. I don't use it.

Anyway, I've digressed.

This worm causes damage to .html, .php and a few other file types. It seems to have missed LMP [thank the lord] but the worm might come back while trying to sort things out. Finally getting to the question uppermost in my mind:

I'm wondering whether the LMP system and data are at all at risk? If I recall, LMP is written in PHP. Is LMP set up to repel this worm?

BTW: Where do I find the version # for LMP? I know I don't have the most current and I'm trying to find out what version I am running. Thanks!

All the best to you and yours during the coming New Year.

Rowdy Rhodes
Site Manager
Freelance Writing Organization - Int'l
http://www.fwointl.com
Title: NeverEverNoSanity WebWorm
Post by: DW on December 30, 2004, 03:27:13 am
I don't believe that this is related to the PHP bug.  PHP bug worms should not, usually, be able to damage your web site files.  That is, unless your host runs Apache as root (not a good idea).  As far as I know, the worm's operations are restricted to /tmp and, perhaps, any directory owned by the apache user.  Once in, (from my experience) the worm might launch a massive DoS attack using the wget utility, which will slow down your server considerably and put you in (temporary) violation of the server provider's AUP.

I'm speaking from my own experience here with a different worm that just plagued the listmailpro.com server. The PHP bug does not affect ListMail; there are few places to enter data and none of them use the at-risk functions (unserialize(), etc.).

I am not absolutely sure if NeverEverNoSanity can obtain root (admin) access or not.  I don't know of any sites on my server that have been defaced.

Any good news links about the NeverEverNoSanity virus would be helpful.

I just read something that said NeverEverNoSanity takes advantage of SQL-injection in phpBB's viewtopic.php. It might be possible to gain admin access from this, but I'm not sure how. If you run phpBB I recommend you upgrade to the latest version ASAP.

The version # for ListMail isn't currently viewable.  At the top of admin.php you will see $ver = '1.77'; but this is just the database version.  Sometimes I release small fixes and improvements with the same database version and simply update the distribution file in the members area.  To be sure you're on the latest files, re-download the ZIP and overwrite your main ListMail files.

Regards
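
The reply above notes that a PHP-level worm is limited to what the web server account can write. As an added example (not part of the original thread), this shell function lists the .php and .html files under a web root that such an account owns or that are world-writable, and marks those changed recently. The function name, its arguments and the DAYS default are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Triage after a worm that rewrites
# web content: which .php/.html files could the web server account modify?
# Usage: audit_webroot WEBROOT WEB_USER [DAYS]
#   WEB_USER is a user name or numeric uid (e.g. the account Apache runs as).
# Output, sorted, one line per file:
#   CHANGED <path>  writable by WEB_USER and modified within DAYS days
#   EXPOSED <path>  writable by WEB_USER, not modified recently
audit_webroot() {
    webroot=$1; web_user=$2; days=${3:-7}
    [ -d "$webroot" ] || { echo "no such directory: $webroot" >&2; return 2; }

    # A file counts as writable by the web account if that account owns it
    # or if the "other" write bit is set.
    find "$webroot" -type f \( -name '*.php' -o -name '*.html' \) \
        \( -user "$web_user" -o -perm -0002 \) -print |
    while IFS= read -r f; do
        # Second find on the single file checks its modification time.
        if [ -n "$(find "$f" -mtime "-$days" -print)" ]; then
            echo "CHANGED $f"
        else
            echo "EXPOSED $f"
        fi
    done | sort
}
```

Files reported as CHANGED are the first ones to compare against a clean copy; file names containing newlines are not handled.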
Title: NeverEverNoSanity WebWorm
Post by: RowdyRhodes on February 05, 2005, 10:21:39 am
Quote from: "DW"
Sometimes I release small fixes and improvements with the same database version and simply update the distribution file in the members area.  To be sure you're on the latest files, re-download the ZIP and overwrite your main ListMail files.


Hi Dean,

OK. My next question then is by downloading and overwriting, what, if any, adverse effects will happen? i.e. I have customized all of the response emails for signup, error messages, etc., etc. I feel kind of dumb asking this, but if I download and overwrite everything, isn't that going to blow out my customizations?

Thanks
RR
Title: NeverEverNoSanity WebWorm
Post by: DW on February 06, 2005, 04:02:08 pm
Rowdy,

No, overwriting the ListMail files will never result in loss of data. All of ListMail's data, which includes users, Custom HTML, List Settings, Followups, etc. etc. is stored in the MySQL database. The files simply access the database. Even if you were to delete ALL of your ListMail files and folders you could still extract your data with phpMyAdmin. Or, you can re-upload ListMail, re-setup config.php, and continue exactly where you left off!

Having the program set up this way allows me to release updates with instructions to simply overwrite all files except config.php.  It makes things very easy.

Regards :D
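
The update procedure described in this reply (overwrite every file except config.php) can be scripted. The following is an added example, not ListMail's own tooling: it assumes the ZIP has already been extracted to a directory, and the function name and the three directory arguments are hypothetical.

```shell
#!/bin/sh
# Added example, not part of ListMail. Replace the program files with a
# freshly extracted distribution while leaving the local config.php alone.
# Usage: overwrite_except_config NEW_DIR INSTALL_DIR BACKUP_DIR
#   BACKUP_DIR should be outside the web root.
overwrite_except_config() {
    new=$1; install=$2; backup=$3
    [ -d "$new" ] && [ -f "$install/config.php" ] || {
        echo "need an extracted distribution and an existing config.php" >&2
        return 2
    }
    before=$(cksum < "$install/config.php")

    # Keep a copy of the current files so the update can be rolled back.
    mkdir -p "$backup" && cp -Rp "$install/." "$backup/" || return 1

    # Copy every file from the distribution except the top-level config.php.
    (cd "$new" && find . -type f ! -path ./config.php -print) |
    while IFS= read -r rel; do
        mkdir -p "$install/$(dirname "$rel")" &&
        cp -p "$new/$rel" "$install/$rel" || exit 1
    done || return 1

    # Fail if the local configuration changed during the update.
    [ "$(cksum < "$install/config.php")" = "$before" ] || return 1
}
```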