Gradwell have updated //www.gradwellstatus.com/ with the following:

... A further injection attempt was made this morning around 5:30, but this attempt was blocked by an on-call sysadmin before the exploit could fully deliver its payload.

While this is no doubt true, the exploit was certainly able to deliver enough of its payload to infect all the code on my clients' various accounts.

The target for the exploit is our PHP 4.4 cluster, which we announced the end of life for a while ago. To keep our network secure for everyone we will be removing these servers from service by the end of this week (week ending Christmas day) and moving all users across to our PHP 5.2 platform. ...

The end-of-life for the 4.4 cluster was notified on 2009-10-01:

The End of Life date for PHP 4.4 on our platform is Fri, 16 Apr 2010.

A Gradwell sysadmin has posted on uk.net.providers.gradwell:

Once they had access to the PHP 4.4 application servers they had access to all home directories via. a local root exploit.

I'm taking this to mean that clients should assume any data stored on the clusters has been compromised, and change passwords for FTP accounts, ssh access, mysql accounts, and also web application passwords stored in any databases on the cluster.

comments powered by Disqus