The SCCS server was compromised and was being used to host and send out pharmaceutical spam content, reports SCCS administrator Kit LaTouche ’08. As a result, SCCS had to re-install the system, leaving it down for five hours from 7 PM to midnight on Monday evening.
LaTouche wrote in an e-mail that “in going through the logs, it appears that there was a URL vulnerability in The Phoenix’s index.php, and elsewhere, but that it began with the index.” This means that “the page didn’t properly check input from the URL query string.” The exploitable Phoenix site has been disabled, and will have to undergo a security audit before going back online.
Working off of the URL vulnerability, wrote LaTouche, “it seemed… [that] the attackers were able to execute arbitrary commands as the system user www-data, which is what the webserver runs as, and put files on the system that allowed them later access, even if we fixed the vulnerability in The Phoenix’s site.” These files were placed on multiple sites hosted by SCCS, including the Daily Gazette and Free Culture.
The SCCS administrators could either “comb through the entire system for files that shouldn’t be there, and, worse, binary files that may have been altered to act as backdoors, or simply re-install the system. We opted for the latter course of action.”
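The first option LaTouche describes, combing the system for files that should not be there and for altered binaries, is only tractable with a trusted baseline to compare against. The following is an added illustration of that baseline-and-compare check (example code, not SCCS’s own tooling or anything from the article); the directory tree it builds is constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative path) to its sha256."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare_to_manifest(root, manifest):
    """Return (modified, unexpected, missing) relative to a trusted manifest.

    modified   - present in both, but the hash no longer matches (altered binary/script)
    unexpected - on disk but absent from the manifest (dropped file, e.g. a backdoor)
    missing    - in the manifest but gone from disk
    """
    current = build_manifest(root)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    unexpected = sorted(k for k in current if k not in manifest)
    missing = sorted(k for k in manifest if k not in current)
    return modified, unexpected, missing


def demo():
    """Constructed web-root tree: baseline from a clean install, then a later check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "lib").mkdir()
        (root / "lib" / "util.php").write_text("<?php function f() {} ?>")
        manifest = build_manifest(root)  # would be stored off-host, from trusted media
        # Later state for the demonstration: one new file and one changed library file.
        (root / "lib" / "cache.php").write_text("<?php /* not in baseline */ ?>")
        (root / "lib" / "util.php").write_text("<?php function f() { return 1; } ?>")
        return compare_to_manifest(root, manifest)
```

The manifest has to come from a known-good install and the comparison should be run from a clean host, since hashing tools on a compromised machine cannot be trusted; without such a baseline, a re-install is the more reliable course, which is the choice the article describes.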
After Monday night’s re-install, spam is no longer being hosted on the SCCS server, but the SCCS admins will be checking The Phoenix’s website carefully for vulnerabilities before it goes back online.