Archive for December, 2008

Button Fly Blues

Saturday, December 6th, 2008

Why do I purchase clothing without trying things on or, for that matter, bothering to look closely at what I’m actually buying?

A lament in haiku form.

New jeans.  Old habits.
Way too much morning coffee.
“What the..?!” Buttons fly.

Peter Schiff Predictions Revisited

Wednesday, December 3rd, 2008

I think this punctuates the post on Kiyosaki/Maloney predictions.

Securing Mantis

Tuesday, December 2nd, 2008

Any Mantis users out there running older versions should upgrade immediately. Attackers have recently been exploiting a flaw in Mantis versions before 1.1.4 to execute arbitrary PHP code through the sort parameter of manage_proj_page.php: the parameter's value ends up inside a call to create_function, so PHP code embedded in it is compiled and run by the web server.

See the CVE entry at MITRE and the discussion in the Mantis forums for details.

It appears that this exploit is being used to install a cron job under the web server's user account. When the job fires, it creates a new “mc-root” directory inside the Mantis tree, which appears to contain a rootkit or something similar. Checking that user's crontab and looking for that directory is a quick way to tell whether a server was hit before it was upgraded.
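To make the class of bug concrete, here is an added example, written for this post and not taken from Mantis itself, of the pattern behind it: a sort comparator assembled from a request parameter and compiled with create_function, next to a hardened version that accepts only allow-listed field names. The parameter name sort, the field list and the sample rows are assumptions for illustration; the vulnerable half needs PHP 7, where create_function still exists (it was deprecated in 7.2 and removed in 8.0).

```php
<?php
// Added example, not Mantis code: a sort comparator built from a request
// parameter and compiled with create_function(), beside a hardened version.
// The 'sort' parameter name, the field list and the rows are assumptions
// for illustration. Needs PHP 7.x: create_function() was deprecated in 7.2
// and removed in 8.0, and the closure below uses the <=> operator.
declare(strict_types=1);

// Constructed sample data standing in for a project list.
$projects = [
    ['id' => 3, 'name' => 'gamma', 'status' => 10],
    ['id' => 1, 'name' => 'alpha', 'status' => 50],
    ['id' => 2, 'name' => 'beta',  'status' => 30],
];

// VULNERABLE: the sort field is spliced into PHP source text and compiled.
// Whatever the client sends becomes part of the comparator body, so a value
// that closes the quoted index and appends an expression, for example
//   name'] . system('id') . $a['name
// runs attacker-chosen PHP inside the web server process on every comparison.
function sort_projects_vulnerable(array $rows, string $sort): array
{
    if (!function_exists('create_function')) {
        throw new RuntimeException('create_function() does not exist on this PHP version');
    }
    $cmp = create_function(
        '$a, $b',
        'return strcmp((string) $a[\'' . $sort . '\'], (string) $b[\'' . $sort . '\']);'
    );
    usort($rows, $cmp);
    return $rows;
}

// HARDENED: the field name is checked against a fixed allow-list and the
// comparator is an ordinary closure, so request data is only ever used as an
// array key, never as code.
const ALLOWED_SORT_FIELDS = ['id', 'name', 'status'];

function sort_projects_safe(array $rows, string $sort, bool $descending = false): array
{
    if (!in_array($sort, ALLOWED_SORT_FIELDS, true)) {
        throw new InvalidArgumentException("invalid sort field: $sort");
    }
    $factor = $descending ? -1 : 1;
    usort($rows, static function (array $a, array $b) use ($sort, $factor): int {
        return $factor * ($a[$sort] <=> $b[$sort]);
    });
    return $rows;
}

// A benign request behaves the same way with both versions.
echo implode(', ', array_column(sort_projects_safe($projects, 'name'), 'name')), "\n";

// A crafted value turns the vulnerable version into code execution. The
// injected expression here only writes a marker to stdout; the attacks
// described in the post called system() and friends in the same position.
$payload = "name'] . file_put_contents('php://stdout', '[injected]' . PHP_EOL) . \$a['name";
if (function_exists('create_function')) {
    sort_projects_vulnerable($projects, $payload);
}

// The hardened version rejects the same input before anything is compiled.
try {
    sort_projects_safe($projects, $payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run on PHP 7 this prints the names in sorted order, then the marker once per comparison made by the vulnerable comparator, then the rejection message from the hardened one; on PHP 8 the vulnerable path is skipped because create_function no longer exists. The lesson is the same either way: never build source text from request data, and validate a sort field against the set of columns you actually allow rather than trusting the client.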

In addition to upgrading, I recommend adding the following to your Mantis config_inc.php if you do not run an open-access Mantis system. These settings are general hardening: they stop strangers from creating their own accounts and lock an account after repeated wrong passwords. They do not fix the create_function bug itself; only the upgrade does that.

#############################
# Signup and Lost Password
#############################

# --- signup ----------------------

# Allow users to sign up for their own accounts.
# Mail settings must be correctly configured for this to work.
$g_allow_signup = OFF;

# Maximum number of login attempts with a wrong password before
# the account is locked.
#
# When locked, the password must be reset via the lost password
# function. The counter resets to zero on each successful login.
# Set to OFF to disable this control.
$g_max_failed_login_count = 3;