Thread: Possible Rootkit installed on my server

  1. #1
    Join Date
    Jan 2006
    Posts
    65

    Possible Rootkit installed on my server

    I have been having problems with my site, so I checked the folders and found a folder named BOS. That folder contained a rootkit virus and logs showing that the server was compromised.

    Could there be a security issue/hole with this program? The hacker screwed up my application.php file, which caused the site to go down for several days.

    I have a copy of the BOS folder if you would like to see it.

  2. #2
    Join Date
    Jan 2006
    Posts
    65

    I cannot believe it has been two days and no response to this. I confirmed with my host it is a rootkit. I also confirmed there has been no unauthorized access to the server. There is a hole in this script and the owner does not even acknowledge the original post. My host is giving me crap saying they are going to cancel my account unless the script is fixed or I delete it.

    Do I get a refund if I am forced to do this from you for buying an unsecure script that you do not support?

    I also posted my error log and no response to that either. This guy charges people money, takes it, offers very little or no support but continues to build other products and ask for more money.

    Maybe concentrating on one product, making sure it is secure and giving your paying customers support should be more important than another crappy "Link to me" script. There are tons of these out there and they do not work unless the site you're linking to is worthless.

  3. #3
    Join Date
    Apr 2003
    Location
    Atlanta GA
    Posts
    3,395

    Well, I certainly understand your concern. I raised the security issue shortly after the release of v5 (or maybe sometime before that, when dody offered a solution to an INDEXU user for a server problem). Also see http://www.nicecoder.com/community/s...6&postcount=12

    You may want to read:
    http://www.nicecoder.com/community/s...ead.php?t=3345
    http://www.nicecoder.com/community/s...ead.php?t=3404
    http://www.nicecoder.com/community/s...ead.php?t=3412

    I looked at the code in the zip file referenced as security update in one of the above posts, but I didn't see anything related to security. But I guess I just overlooked it.

    In looking at the INDEXU code, I am of the opinion that INDEXU is subject to the nasty things that bad folks do: SQL injections, CSS, etc. And I am not ready to believe any pronouncement from dody that all is well.

    Given the importance of this issue, I would like to have an independent security expert evaluate INDEXU and issue a "safe" (or not safe) opinion on such software attacks.


    esm
    "The older I get, the more I admire competence, just simple competence, in any field from adultery to zoology."

  4. #4
    Join Date
    Aug 2001
    Location
    Indonesia
    Posts
    3,732

    Are you using Windows server?

    According to http://www.symantec.com/avcenter/ven...n.rootkit.html
    Type: Trojan Horse
    Infection Length: 6,656 bytes and 15,360 bytes
    Systems Affected: Windows 2000, Windows NT, Windows Server 2003, Windows XP
    Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x
    There are many ways a Windows server can get infected. Indexu is distributed in a zip file and there are no executable files. I'm pretty sure we deliver it clean.

  5. #5
    Join Date
    Jan 2006
    Posts
    65

    No, I am using a linux server.

    Since deleting the last rootkit, another has been installed.

    I have a very good friend who is a security expert and who works for one of the premier security firms in the US. He has confirmed there are security risks with this software that need to be fixed immediately. He also states that anyone should be able to spot these if they are a developer and keep up with the latest information.

    If you want to hire him to point out the issues, you will have to pay him his going rate of $450 per hour, but he is willing to do it.

    In the meantime, I would like a refund on my purchase unless you fix this within 48 hours.

  6. #6
    Join Date
    Jan 2006
    Posts
    65

    It is also very concerning that Dody took 5 days to even respond to this thread. 5 Days to respond is unacceptable, especially when he responded to other posts in this category several times. Why ignore this one?

    Saying he thinks he delivers clean code is unacceptable.

  7. #7
    Join Date
    Apr 2003
    Location
    Atlanta GA
    Posts
    3,395

    Quote Originally Posted by kevinrstruck
    If you want to hire him to point out the issues, you will have to pay him his going rate of $450 per hour, but he is willing to do it.
    While I have previously called for a security expert to review the software, $450/hr seems a bit excessive.

    You might even find a fully qualified security expert that will give a quick look-see for free. But even at $125/hr, it may take a few hours.

    But something definitely needs to be done.



    esm

  8. #8
    Join Date
    Apr 2003
    Location
    Atlanta GA
    Posts
    3,395

    Quote Originally Posted by kevinrstruck
    It is also very concerning that Dody took 5 days to even respond to this thread. 5 Days to respond is unacceptable, especially when he responded to other posts in this category several times. Why ignore this one?

    Saying he thinks he delivers clean code is unacceptable.
    While I too believe this to be a significant issue, it has amazed me that folks seem to ignore the reviews posted all over the internet about the lack of support by the developer for INDEXU.

    Also, in the Pre-Sales Question forum see the sticky "Helpdesk and email support": http://www.nicecoder.com/community/s...ead.php?t=3106

    Which states in relevant part "We provide support for installation, templating, and consultation about your project for custom work. Please understand that we may not able to provide support for code hacking and modification."

    There actually is no mention of support for bugs. That may be splitting hairs but it is still the truth.

    I'm just as frustrated as you, maybe even more so. But it is his software and he can damn well do with it as he pleases.

    I will say that dody has been a little more active in supporting v5.x but not to the level that I think is needed to take this software into the top 5 of link directory software. But that is just my opinion.

    But I would agree with you, he hasn't given this issue the attention it deserves.


    esm

  9. #9
    Join Date
    Jan 2006
    Posts
    65

    Thank god I used a credit card to purchase. I already called them and asked them what my recourse was. They say I can make a claim that the software does not work and they would charge him back if he is not making an effort to fix the problem. They also said it was not a given I would get my money back.

    It is just unfortunate this has to happen. This software is actually pretty cool and does a good job for the most part. I chose it over all the other Links software out there, but neglected to read the warnings I have since found about the horrible support.

    The only good news is that since it states he will support the product, but is not, I have a good chance at receiving a refund from my cc company.

    If I do not hear something in the next day, I am submitting the claim. Heck, all my proof is in this forum.

  10. #10
    Join Date
    Apr 2003
    Location
    Atlanta GA
    Posts
    3,395

    Yes, I would agree with you that the software is actually pretty good.

    It is just so sad that dody does not support it at the level it needs to be.



    esm

  11. #11
    Join Date
    Aug 2001
    Location
    Indonesia
    Posts
    3,732

    kevinrstruck,
    It's true that 5.0.0 and 5.0.1 have a security issue; it's possible to be hacked using cross-site scripting. But it has been fixed.

    In most cases where an Indexu website is hijacked, it's because the owner did not delete the installation folder. The hijacker could reinstall the script and log in as admin.

    If you're talking about register globals, the fact that it's on doesn't mean it's insecure. As long as it's handled correctly, it's safe.

    However, we will take this security issue as our priority for the next release and will hire an expert.
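
    An audit for the two conditions named in the post above (an installer folder left in place, register_globals switched on) plus the unexpected-folder symptom from the first post, as an added example that is not part of any post in this thread and is not INDEXU code. The installer folder names and the list of expected directories are assumptions; the thread states neither.

```python
import os
import re
import tempfile

# Assumed names: the thread never says what the installer folder is called.
INSTALL_DIR_NAMES = {"install", "installation", "setup"}
# Matches php.ini "register_globals = On" and .htaccess "php_flag register_globals on".
REGISTER_GLOBALS_ON = re.compile(
    r"^\s*(?:php_flag\s+)?register_globals\s*=?\s*(?:on|1|true|yes)\b",
    re.IGNORECASE | re.MULTILINE)


def audit_webroot(root, expected_dirs):
    """Return (kind, relative_path) findings for a deployed script's web root."""
    findings = []
    expected = set(expected_dirs)
    for dirpath, dirnames, filenames in os.walk(root):
        for d in sorted(dirnames):
            rel = os.path.relpath(os.path.join(dirpath, d), root)
            if d.lower() in INSTALL_DIR_NAMES:
                findings.append(("installer-left-in-place", rel))
            elif dirpath == root and d not in expected:
                findings.append(("unexpected-directory", rel))
        for f in sorted(filenames):
            if f in ("php.ini", ".htaccess"):
                path = os.path.join(dirpath, f)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if REGISTER_GLOBALS_ON.search(fh.read()):
                        findings.append(("register-globals-on",
                                         os.path.relpath(path, root)))
    return findings


def run_demo():
    """Build a constructed sample tree (not a real install) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("admin", "templates", "install", "BOS"):
            os.makedirs(os.path.join(root, d))
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write("# constructed sample\nphp_flag register_globals on\n")
        with open(os.path.join(root, "admin", "php.ini"), "w") as fh:
            fh.write("; constructed sample\nregister_globals = Off\n")
        return audit_webroot(root, expected_dirs=["admin", "templates"])


if __name__ == "__main__":
    for kind, path in run_demo():
        print(f"{kind}: {path}")
```

    Commented-out settings are ignored, and only top-level directories are compared against the expected list, so a finding is a prompt to look at the path, not proof of compromise.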

  12. #12
    Join Date
    Apr 2003
    Location
    Atlanta GA
    Posts
    3,395

    Quote Originally Posted by dody
    kevinrstruck,
    It's true that 5.0.0 and 5.0.1 have a security issue; it's possible to be hacked using cross-site scripting. But it has been fixed.
    Does the same issue exist with versions earlier than v5, like v3.1 and v3.2?

    Can you tell us specifically what needs to be changed to correct the problem?



    esm

  13. #13
    Join Date
    Aug 2001
    Location
    Indonesia
    Posts
    3,732

    does the same issue exist with versions earlier than v5, like v3.1 and v3.2?
    No, version 3.x is safe.

    To fix it, see here:
    http://www.nicecoder.com/community/s...ead.php?t=3404
    You can download the patch in the client area:
    http://www.nicecoder.com/order/

  14. #14
    Join Date
    Dec 2005
    Location
    Oslo, Norway
    Posts
    16

    Haha Doddy, I like how version 3 was safe and you moved up to a more vulnerable, less secure script with version 5.

    Kevin, were you using version 5.1.1? I'd like to know.
