I just noticed the Russian IP ... is this a backdoor? Searching "xxxxxxxxxx amember" in google pulls up a tmp sess from an amember client:

<?php
if($_SERVER['REMOTE_ADDR']!='xxxxxxxxxxx' && $_SERVER['REMOTE_ADDR']!='xxxxxxxxxxxx')die('hello,world!');
$pc['db'] = '************';
$pc['user'] = '************';
$pc['pass'] = '************';
$pc['host'] = '************';
$pc['prefix'] = 'amember_';

Scary that I can see the admin user/pass on that google search ... what else is going on here??
What version of aMember are you using? (trial or pro?) I do not see this in the 3.1.9 or 3.2.3 code. Sounds like your host was compromised, or you unknowingly installed a hacked version of aMember?
That is not a backdoor. I believe you contacted aMember support several days ago; they worked to debug your website and kept that file. It is definitely not acceptable; the file must be removed immediately after work is done. I will find out how it might have happened, and I'll make sure it will never happen again. If you could send me the file content (without the actual password) and the URL where it has been available to alex@cgi-central.net, it would help a lot to find out the customer support person in charge of this incident. I am sorry for this issue, and I assure you that it is not a backdoor and it was never used for anything other than aMember debugging - you can check the site access logs to make sure.
Regarding the tmp session you see in the google search:
- it is not the admin password, it is the hash, which you cannot use to login;
- the site is dead and the owner does not care;
- someone has configured it to store session info into the tmp/ folder and did not protect it in any way;
- aMember does not store sessions in the tmp folder; it seems the owner configured it for something.
@riskymedia I can definitely vouch for Alex here when I say this. aMember is very robust, and any security holes found are patched immediately (this type of patch is available as a code update if you do not have a current subscription to aMember -- so there is no reason to have security holes). I have been using and coding for this application for about 8 years now, and have never seen anything that would pose a security risk that proper server administration could not take care of (e.g. ensure .htaccess and paths are properly locked down, files like config.inc.php are flagged read only, a local-access-only account for mysql, the public mysql port blocked, etc.). Version 4 is looking pretty spiffy so far and sounds like it will have a bit more security (not really needed), like regular member account passwords being encrypted now. Overall, I would say that a properly configured aMember installation in its default state is secure, and the stuff you see otherwise is poorly done 3rd party code or due to poor system administration.
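The hygiene points above (config file permissions, locked-down paths, mysql reachable only locally) and Alex's note about unprotected session files in tmp/ all come down to checks a server admin can script. The following is an added example, not code from the thread or from aMember: a small POSIX sh audit that builds a constructed sample webroot (so it runs offline), then counts three kinds of findings in it, plus a separate check of a my.cnf bind-address. File names such as config.inc.php and tmp/ follow the thread; the debug-script marker (a REMOTE_ADDR gate next to a `$pc['pass']` assignment) and the sample paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit a PHP webroot for the leftover-debug-script and
# exposed-session problems discussed in the thread. Not aMember's own code.

# Build a constructed sample webroot so the audit can be run offline.
make_sample_webroot() {
  root=$(mktemp -d)
  mkdir -p "$root/tmp"
  # config file left group/world readable (finding 1)
  printf '<?php $pc["db"]="amember";\n' > "$root/config.inc.php"
  chmod 644 "$root/config.inc.php"
  # constructed leftover support script: IP-gated, with DB credentials inline (finding 2)
  printf '<?php if($_SERVER["REMOTE_ADDR"]!="203.0.113.5")die("hello,world!");\n$pc["pass"]="example";\n' \
    > "$root/dbg_tmp.php"
  # session file stored under the webroot with no .htaccess protecting it (finding 3)
  printf 'example session data\n' > "$root/tmp/sess_abc123"
  echo "$root"
}

# Print PHP files that gate on REMOTE_ADDR and also embed a DB password.
# This marker is an assumption; adjust it to what your own tooling leaves behind.
leftover_scripts() {
  find "$1" -name '*.php' -print | while read -r f; do
    if grep -q 'REMOTE_ADDR' "$f" && grep -Eq "\[['\"]pass['\"]\]" "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Audit one webroot. Findings go to stderr; the count goes to stdout.
audit_webroot() {
  root=$1
  findings=0

  # 1. config.inc.php must not be readable by "other" (octal 004 bit set)
  if [ -n "$(find "$root" -maxdepth 1 -name config.inc.php -perm -004)" ]; then
    echo "FINDING: $root/config.inc.php is readable by other users" >&2
    findings=$((findings + 1))
  fi

  # 2. leftover IP-gated debug scripts carrying credentials
  for f in $(leftover_scripts "$root"); do
    echo "FINDING: leftover debug script with embedded credentials: $f" >&2
    findings=$((findings + 1))
  done

  # 3. session files under the webroot with nothing blocking web access
  if ls "$root"/tmp/sess_* >/dev/null 2>&1 && [ ! -f "$root/tmp/.htaccess" ]; then
    echo "FINDING: session files in $root/tmp with no .htaccess deny rule" >&2
    findings=$((findings + 1))
  fi

  echo "$findings"
}

# Return 0 when the given my.cnf binds mysqld to a loopback address only.
mysql_listens_locally() {
  grep -Eq '^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*(127\.0\.0\.1|localhost|::1)[[:space:]]*$' "$1"
}

# Usage on a real host: sh audit.sh /var/www/amember
if [ $# -gt 0 ]; then
  audit_webroot "$1"
fi
```

On the constructed sample the audit reports three findings; after tightening the config mode to 600, deleting the debug script and dropping a `Require all denied` .htaccess into tmp/, it reports none. The session check only catches the case Alex describes (sessions written under the webroot); the cleaner fix is to point `session.save_path` outside the document root entirely, which makes the .htaccess rule unnecessary.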
microvb, thanks for the support! Unfortunately I cannot agree; there is always a security risk - with any software and script. For example, a few security problems have been found today in the very popular and widely used Wordpress script. But in this case there is really nothing to worry about. I have found the support person who did it - he worked on a support ticket for you and installed that script - it is in fact a "lite" version of phpMyAdmin to run several SQL queries. Then, after finishing the work, he forgot to delete the script. The IPs you saw in the script are our office IPs. I am sorry for this incident, and I had a talk with the support person to ensure it will never happen again.
@Alex, I agree with you, and understand that software is not always locked down, especially in community-based projects where so many people have their hands in the cookie jar (like wordpress, joomla, drupal, etc.). Admittedly, I have never completed a comprehensive analysis of your application, but from what I have looked at, it is pretty solid. Anything that has come up in the past, you have promptly released a patch for. For the security holes that were found and a patch released, the issues seemed to be rather minor in nature.