Unfortunatly some opn-sites has been attacked by a very special exploit. We (the dev team) has been informed by that about 10:30 april 30. After an analysis and first hotfixes the cause is as followed (15:00 april 30):

• a special weak combination of php settings and opn settings is needed for a successful attack
• not all opn sites are concerned by that exploit

In your php.ini settings please look for the settings of:

• register_globals
• allow_url_fopen

First off:we recommend to enable "Encode the URL-Parameters" in administration-> settings -> security settings

security-fix:
A fixed version of the file "master.php" ist available in trunk and branch. If you do not use subversion there is also a zip file file with the updated master.php available for download:security fix - download

An updated opn package (2.3.5) will be published shortly containing all necessary security fixes. We strongly recommend to update as soon as possible.

At this time we do not have any reports that say the database has been corrupted. It is a direct defacement attack. A successful defacment involves additional files has been uploaded to your webspaces for future attacks of your sites. So a drastic cleanup of your system is needed.

scenario 1: up-to-date backup is available

• step 1. Remove all (!) opn files from your webserver. It is not possible to just overwrite them since the ftp rights are not high enough to catch them all. The hack gives itself higher acl values to prevent ypu from overwrite them. So you need to delete them to get rid of them.
• step 2. restore your backup

scenario 2: no backup is available

• step 1. backup your "mainfile.php"
• step 2. backup the "cache" directory
• step 3. if you use a custom theme - backup it.
• step 4. Remove all (!) opn files from your webserver. It is not possible to just overwrite them since the ftp rights are not high enough to catch them all. The hack gives itself higher acl values to prevent ypu from overwrite them. So you need to delete them to get rid of them.
• step 5. Upload the current (complete) opn package incl. the security fix
• step 6. Check your backuped "mainfile.php" for conspicuities and restore it
• step 7. Check your backuped "cache" directory for conspicuities (look at your local filesystem for files with a timestamp around the attack and remove those files) and restore the directory
• step 8. Check your backuped theme for conspicuities (look at your local filesystem for files with a timestamp around the attack and remove those files) and restore the directory
• step 9. adjust the directory rights to the ones named recommended in the documentation

Do not forget to check the "cgi-bin" directory (which in most cases is outside the html directory) for additional files placed by the hack.

Our recommendation:

• Backup - a continous backup is always a good idea
• If possible set php.ini setting "register_globals" to "off". (If this is not possible for you, encourage your hoster to do so. If he does not want to do that lookup for a another hoster).