Hi all, I received the following email and asked the support team for any comments, because some of the files in the download looked odd. Their reply was:

++++++++++++++++++++++++++++++++++++++++++++++++++++
Hello, Dereck.

Please do not take any actions! We didn't send that message, and we never send security updates via PM in the forum. In addition, amember-downloads.com is not our domain.

> Just before I do this update, there is a file called functions.php.
> 1. Looking at the content, all the code is at the bottom of the file. Is there a reason for this?
> 2. I do not have this file in my current aMember directory. Is it a new file, and if so, what does it do?

-- Andrey Seredkin
++++++++++++++++++++++++++++++++++++++++++++++++++++

That message was sent through the vBulletin PM system. I guess there is a bug in it. That's why you see it sent from webmaster@amember.com

++++++++++++++++++++++++++++++++++++++++++++++++++++
DO NOT REPLY TO THIS EMAIL!
***************************
Dear baggage,

You have received a new private message at aMember Pro Forum from servicebot, entitled "Urgent October Security Update - Update Now!".

To read the original version, respond to, or delete this message, you must log in here:
http://www.amember.com/forum/private.php

This is the message that was sent:
***************
Hello, this is a bot message.

Please be notified that an urgent security update was released. Please update your AMember today!

Download it here: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

All instructions are inside the archive.

Thanks,
Service Bot
***************

Again, please do not reply to this email. You must go to the following page to reply to this private message:
http://www.amember.com/forum/private.php

All the best,
aMember Pro Forum
I'm really surprised not to see more threads about this bogus update email sent a couple of weeks ago. I also received the PM with the "security notice" and downloaded the update from amember-downloads.com. If you're not already aware, this is an attack that will compromise your aMember member database if you downloaded and installed the "update". I have to admit it was a cleverly thought-out attack, as I didn't stop to question the domain name or consider that it might not be real. Fortunately I downloaded it to look at but didn't apply the "update" until after Alex sent out an official notification that it was bogus.

Here's what happens if you install this bogus update. What the attack does is add an extra file called functions.php in the main directory, which is executed when someone logs into aMember by accessing the login.php page. functions.php includes a hidden, encoded function which extracts the usernames and passwords of your admin users from the database, and also the member id, username, password, email address, first name and last name of every member in your database. All of those details are then emailed to a gmail email address.

So if anyone reading this patched their copy of aMember with the bogus patch, then your database has been completely compromised. At the very least you need to change all of your admin passwords immediately. It would also be a good idea to notify your members to change all their passwords as well.

If you're not sure whether you applied the patch or not, look in the directory where aMember is installed for a file called functions.php. If you see that file and view it, you'll find that it is mostly filled with empty lines. On line 841 you will see an encoded function (it looks like gibberish) that starts with:

base64_decode('ZXZhbChiY ...

This is the function that copies all your database details and emails them to the gmail address.

To remove this attack you must delete the functions.php file. You must also edit login.php, go to line 21 and delete the line:

include('./functions.php');

This prevents login.php from trying to load and execute functions.php.

The key lesson here is to NEVER, EVER trust an aMember security update that is sent via a PM - just as Alex said. I really hope this hasn't affected too many aMember owners.
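The manual check and cleanup described in the post above (look for functions.php in the aMember root, look for the `base64_decode('ZXZhbChiY...` line inside it, and strip the `include('./functions.php');` line from login.php) can be scripted. The following is an added example, not code from the post, from aMember, or from the malicious archive. It builds a constructed stand-in for a compromised install in a temporary directory (the only real indicators in it are the two strings quoted in the post; the filler lines, the inner payload and the line layout are invented to match the post's description), scans it for the three indicators, shows that the base64 prefix quoted in the post decodes to the start of an `eval(...)` call, and then applies the two removal steps.

```python
import base64
import os
import re
import tempfile
from pathlib import Path

# Indicators quoted in the forum post: the start of the encoded payload and the
# include line the attacker added to login.php.
QUOTED_B64_PREFIX = "ZXZhbChiY"
INCLUDE_RE = re.compile(r"^\s*include\s*\(\s*['\"]\./functions\.php['\"]\s*\)\s*;\s*$")
B64_CALL_RE = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)")


def decoded_prefix(b64: str) -> str:
    """Decode as much of a (possibly truncated) base64 string as is complete,
    to see what the encoded blob starts with without running it."""
    usable = b64[: len(b64) - len(b64) % 4]
    return base64.b64decode(usable).decode("latin-1")


def build_sample_install(root=None) -> str:
    """Constructed stand-in for a patched aMember directory (not the real malware).
    functions.php is mostly blank with an eval(base64_decode(...)) on line 841;
    login.php has the injected include on line 21, as the post describes."""
    root = Path(root or tempfile.mkdtemp(prefix="amember_sample_"))
    # Constructed inner payload: just `echo 1;`, so the outer blob starts with
    # the same "ZXZhbChiY" prefix the post quotes (base64 of "eval(base64_decode(").
    inner = base64.b64encode(b"echo 1;").decode()
    outer = base64.b64encode(f"eval(base64_decode('{inner}'));".encode()).decode()
    assert outer.startswith(QUOTED_B64_PREFIX)
    (root / "functions.php").write_text(
        "<?php\n" + "\n" * 839 + f"eval(base64_decode('{outer}'));\n"
    )
    login = ["<?php"] + [f"// constructed placeholder line {i}" for i in range(2, 21)]
    login += ["include('./functions.php');", "echo 'login form';"]
    (root / "login.php").write_text("\n".join(login) + "\n")
    return str(root)


def scan_install(root) -> dict:
    """Report the three indicators from the post for an aMember install at root."""
    root = Path(root)
    findings = {"functions_php": None, "include_line": None, "encoded_eval": []}
    fp = root / "functions.php"
    if fp.is_file():
        lines = fp.read_text(errors="replace").splitlines()
        findings["functions_php"] = {
            "lines": len(lines),
            "blank": sum(1 for ln in lines if not ln.strip()),
        }
        for n, line in enumerate(lines, 1):
            for m in B64_CALL_RE.finditer(line):
                head = decoded_prefix(m.group(1)[:64])
                if head.startswith("eval("):
                    findings["encoded_eval"].append((n, head))
    lp = root / "login.php"
    if lp.is_file():
        for n, line in enumerate(lp.read_text(errors="replace").splitlines(), 1):
            if INCLUDE_RE.match(line):
                findings["include_line"] = n
                break
    return findings


def remediate(root) -> dict:
    """Apply the post's two removal steps: delete functions.php and drop the
    include line from login.php. Returns what was changed."""
    root = Path(root)
    actions = {"removed_functions_php": False, "include_lines_stripped": 0}
    fp = root / "functions.php"
    if fp.is_file():
        fp.unlink()
        actions["removed_functions_php"] = True
    lp = root / "login.php"
    if lp.is_file():
        kept = []
        for line in lp.read_text(errors="replace").splitlines():
            if INCLUDE_RE.match(line):
                actions["include_lines_stripped"] += 1
            else:
                kept.append(line)
        lp.write_text("\n".join(kept) + "\n")
    return actions


if __name__ == "__main__":
    sample = build_sample_install()
    print("prefix from the post decodes to:", repr(decoded_prefix(QUOTED_B64_PREFIX)))
    print("before:", scan_install(sample))
    print("remediation:", remediate(sample))
    print("after:", scan_install(sample))
```

The regex only catches the plain `base64_decode('...')` form the post describes; a payload split across string concatenations or hidden behind other encodings would need a broader search, so treat a clean scan as a check for this specific indicator rather than proof the install is untouched. Resetting admin and member passwords, as the post says, is still required regardless of what the scan finds.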