We all were witnesses of a great panic and a lot of accusations of how weak and non-safe is e107 recently. The reason was a massive attack against most of the e107 based (community and non-community) sites and e107.org itself.

Let's summarize the facts first.

It's true that a number of security holes was recently reported, and some of them were bad - really bad. I'll write in a separate post the sad story behind some of the reports, which caused SO MUCH damage to a lot of e107 based sites and hosting companies (sad, because it was done by PHP security adviser owner of php-security.org - a popular person - who acted as a teenager - understand totally unprofessional). I'm pretty much sure this story triggered the start of the attack against e107 but this is not a subject of this article.

The reaction of the core development team was fast enough - we did quick fixes, we released number of quick patches and security releases. We were already prepared with a notification system which delivered the information about the recent available security patches direct to site owners' administration area. We also published a lot of information (news on e107.org), all the information we got. I don't think the whole could have been done better.

The panic came AFTER the last security patch. It was caused by a number of bot attacks which were trying to go through an ALREADY PATCHED security hole (the so popular recently contact.php). Bots were following (exactly) the INSTRUCTIONS pointed in one of the advisories - php-security.org/2010/05/19/mops-2010-035-e107-bbcode-remote-php-code-execution- vulnerability/index.html (do you remember the sad story I was talking about earlier?)

What exactly happened?

The bad guys used the fact that this vulnerability was first published and spread around the World Wide Web without the knowledge of e107 core development team. They attacked and infected servers (not secured enough - see below). All infected servers was made attackers. They infected more servers, etc.

The number of infected servers was low at the beginning of the attack - at this time patch was already available. The problem is people do not pay enough attention on this even if shown on the top of their site administration panel, so patching required time. Those who were late, lost the game. Unfortunately those who weren't late, didn't win the game. They were attacked by all infected servers. Although the hole was patched, attacks became DDOS. They affected all servers which can't handle such attacks.

What can do e107 CMS about all this?

Near nothing, nor any other CMS/PHP script can do more. e107 core development team could do one thing only - security patch, preventing php code execution in this particular case. Neither development team nor PHP itself are able to help you stop the requests to your site. I hope everyone understand this.

I saw all kind of advises as 'delete contact.php', 'add .htaccess rules', etc. This could work in very short term.

Here are blocked requests from the logs on this server:

As you see, there is only one solution - server security software.