<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#ffffff">
A couple shots in the dark here - <br>
<br>
* What roles have "administer comments" rights?<br>
* Are there any VBO-based comments administration views on the site?<br>
* How secure is the site's database? Is root access still available?
If so, is the password secure?<br>
* Is phpMyAdmin installed on the site? That can be a weak spot.<br>
* Do the Apache logs from the time of the breach show anything
odd/curious?<br>
<br>
Also, at the risk of stating the obvious, I'd strongly recommend
creating a superuser role and retiring your UID1 account for
everything but upgrades/updates.<br>
<br>
Cheers,<br>
<br>
Bill<br>
<br>
On 12/16/10 9:32 PM, Shai Gluskin wrote:
<blockquote
cite="mid:AANLkTi=_3FhtCdidBGdEjyTVuNxzVe0MKuFZh+32DXXV@mail.gmail.com"
type="cite">Hi gang,
<div><br>
</div>
<div>The author and URL of an anonymous comment were changed about
three months after the comment was originally posted. The change
happened last week. The new name was in Chinese and the URL is
to a Chinese web site. The content of the comment was not
changed.</div>
<div><br>
</div>
<div>I've never had anything like that happen before. After I
discovered this I changed user/1 pw (that is the only account on
the site with admin privileges).</div>
<div><br>
</div>
<div>There is no other evidence of other damage at the site that I
found in the wake of this discovery.</div>
<div><br>
</div>
<div>
(Site was using 6.19 at the time of the breach).</div>
<div><br>
</div>
<div>I'm stumped. Ideas anyone?</div>
<div><br>
</div>
<div>Shai</div>
</blockquote>
<br>
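Added example, not part of the original thread: one way to follow up on the Apache log question above is to pull every request in the breach window that touched comment editing, comment administration or phpMyAdmin, grouped by client IP. The paths are assumed Drupal 6 defaults at the web root, and the log lines, IP addresses and dates are constructed for illustration.<br>

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Apache "combined" format: host ident user [time] "METHOD url proto" status bytes ...
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) \S+')
# Assumed Drupal 6 default paths (clean URLs or ?q= form), plus anything
# that looks like a phpMyAdmin probe. Adjust for the actual site layout.
SUSPECT = re.compile(
    r'(?:/|[?&]q=)(?:comment/edit/\d+|admin/content/comment)|phpmyadmin', re.I)

# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE = [
    '203.0.113.7 - - [09/Dec/2010:03:14:07 -0500] "GET /comment/edit/812 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Dec/2010:03:14:19 -0500] "POST /comment/edit/812 HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '198.51.100.23 - - [09/Dec/2010:04:02:55 -0500] "GET /phpMyAdmin/index.php HTTP/1.1" 404 310 "-" "-"',
    '192.0.2.10 - - [09/Dec/2010:09:30:00 -0500] "GET /node/15 HTTP/1.1" 200 8411 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Sep/2010:11:00:00 -0400] "POST /comment/reply/15 HTTP/1.1" 302 - "-" "Mozilla/5.0"',
]
# Constructed window standing in for "the week the change happened".
WINDOW = (datetime(2010, 12, 6, tzinfo=timezone.utc),
          datetime(2010, 12, 13, tzinfo=timezone.utc))

def triage(lines, start, end):
    """Map client IP -> [(time, method, url, status)] for suspect hits in the window."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, url, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if end >= when >= start and SUSPECT.search(url):
            hits[ip].append((when, method, url, int(status)))
    return dict(hits)

def accepted_edits(hits):
    """IPs with a POST to a comment edit form that did not return an error (heuristic)."""
    return sorted(ip for ip, rows in hits.items()
                  if any(m == "POST" and "comment/edit" in u and 400 > s
                         for _, m, u, s in rows))

if __name__ == "__main__":
    found = triage(SAMPLE, *WINDOW)
    for ip, rows in found.items():
        for when, method, url, status in rows:
            print(ip, when.isoformat(), method, url, status)
    print("non-error comment edit POSTs from:", accepted_edits(found))
```

A comment edit POST with no matching admin login from the same address points toward the database or phpMyAdmin questions instead.<br>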
</body>
</html>