Topic: Very Urgent, insecure script allowing mass spam emailing (Read 115 times)
rockingh
Posts: 5
I've recently installed pro SM on site www.jordanslets.net and all worked ok.
Earlier this afternoon I had an email from my host provider saying there was a large amount of bounced emails being returned and this was abuse of their server (1and1.co.uk). They then locked all my 50 or so domains, so all my customers had no website.
Eventually with their help it was pinned down to one SM php file which they disabled.
I've included a snippet of their email below showing which file it is.
"A security leak in the following file you installed has enabled third parties to
send a large amount of spam through your 1&1 webspace:
./jordans/snippetmaster/includes/tar_lib/pclrest.lib.php
"
Please help, what is this file, how has this happened, what can I do to maintain my customers' sites etc. etc.
Chris.
admin
Forum Administrator

Posts: 2610
SnippetMaster Author
Hello,
SnippetMaster does not include a file called "pclrest.lib.php" in that folder.
Whoever put this file into your account has nothing to do with SnippetMaster. You can delete this file -- it is NOT a file that is part of Snippetmaster.
The only files that should be in the "/snippetmaster/includes/tar_lib" folder are:
pclerror.lib.php
pcltar.lib.php
pcltrace.lib.php
readme.txt
If you see any extra files.. just delete them... and then ask your hosting provider to help find out how the extra (files) got there...
If you have any questions, just let me know.
rockingh
Posts: 5
Henri
I changed the file to grant writing permission and then tried FTP'ing it back to my PC.
The file was then unfortunately empty so I can't send it to you to look at???
Have you or anybody got any idea how this overall problem could have happened?
I will change the passwords obviously.
Thanks for your prompt reply.
Chris
admin
Forum Administrator

Posts: 2610
SnippetMaster Author
Honestly, I have no idea how this happened...
I do not believe this has anything to do with snippetmaster, but most likely your account was compromised some other way, and then the hacker decided to put their hack file into the folder and call the file a similar name than the ones already in that folder. Sneaky!
I highly recommend removing ANY software you have installed on your website (forums, blog, snippetmaster, etc..) and then re-installing each of them from scratch. Don't just over-write the existing installation.. since the idea here is that there could be other "hidden" files that the hacker has placed in your website... the only way to know for sure what files do and do not belong is to totally remove the application files and then re-install from the application installation process.
Good luck!
rockingh
Posts: 5
Ok, SM is the only software apart from the web pages.
Can I just reload the SM without affecting all the website php files?
Otherwise it's a major reload etc.
Thanks Chris
admin
Forum Administrator

Posts: 2610
SnippetMaster Author
I don't recommend just reloading Snippetmaster...
.. like I said previously, you need to make sure that you totally remove ALL the files first. Then reinstall Snippetmaster from scratch, so that you are 100% sure that only the files from the .zip file are on your website.
Otherwise.. if you simply re-upload everything without first removing everything.. then you could end up with "extra" files that someone has placed on your website.. which seems to be what has happened already for you.
Make sense?
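The check the two admin replies above describe (only the files from the .zip should be on the site), as an added example that is not part of the thread and not SnippetMaster's own code: it compares an installed tree against the release archive and lists extra, missing and modified files. It assumes the archive's paths are relative to the install directory; `audit_install`, `demo` and the file contents are constructed for illustration.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_install(release_zip, install_dir):
    """Compare an installed tree with the archive it was installed from.

    Returns (extra, missing, modified) as sorted lists of relative paths.
    """
    with zipfile.ZipFile(release_zip) as zf:
        expected = {i.filename: sha256(zf.read(i))
                    for i in zf.infolist() if not i.is_dir()}
    root = Path(install_dir)
    found = {p.relative_to(root).as_posix(): sha256(p.read_bytes())
             for p in root.rglob("*") if p.is_file()}
    extra = sorted(set(found) - set(expected))      # on disk, not in the archive
    missing = sorted(set(expected) - set(found))    # in the archive, not on disk
    modified = sorted(n for n in set(found) & set(expected)
                      if found[n] != expected[n])   # same name, different content
    return extra, missing, modified


def demo():
    """Constructed sample: the four tar_lib files named in the thread plus one stray."""
    shipped = ["pclerror.lib.php", "pcltar.lib.php", "pcltrace.lib.php", "readme.txt"]
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        archive = base / "release.zip"  # stand-in for the vendor .zip
        with zipfile.ZipFile(archive, "w") as zf:
            for name in shipped:
                zf.writestr(f"includes/tar_lib/{name}", b"<?php // shipped\n")
        lib = base / "site" / "includes" / "tar_lib"
        lib.mkdir(parents=True)
        for name in shipped:
            (lib / name).write_bytes(b"<?php // shipped\n")
        (lib / "pclrest.lib.php").write_bytes(b"<?php // not in the archive\n")
        (lib / "pcltar.lib.php").write_bytes(b"<?php // changed after install\n")
        return audit_install(archive, base / "site")


if __name__ == "__main__":
    for label, names in zip(("extra", "missing", "modified"), demo()):
        print(label, names)
```

Files the application legitimately rewrites after install (configuration, saved content) will show up as modified and need a manual look.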
rockingh
Posts: 5
I agree and understand. I meant to remove all the SM files then reload from scratch.
But to leave all the website snippets as they were because with about 60 pages having to redo all these is major????
Do you think the SM was compromised because I had left two users which I wasn't using with default passwords?
Would it also be more secure if I changed the name of the main folder named snippetmaster to something else? I wondered whether the net was being trawled looking for snippetmaster folders and then looking for default passwords???
Thanks for your time Chris
admin
Forum Administrator

Posts: 2610
SnippetMaster Author
Hello,
Yes, this is possible depending on permissions...
You can change the snippetmaster folder to anything else (/cms, or /editor, or /update, or /whatever) and it will work fine.