Posted on: 06/08/07 12:17pm
By: colonel_flagg
I cannot find a reference on the 'net pertaining to this issue directly. Although I have found several mentions of "php injection" pertaining to geeklog, none have directly mentioned "phishing".
What I've come across is a site that has been compromised and the attacker has left a "home" directory under the public_html directory and a "home.zip" file in the same location. The contents of this directory and the parent home.zip file contain a PayPal phishing site.
I have checked my logs back as far as I can, and nothing, including the command line history, shows when/how the site was compromised. I am assuming this was a php injection exploit and I will be continuing on that line of reasoning until shown otherwise.
What I am looking for is any information pertaining to:
geeklog
phishing
home
home.zip
or related documentation showing a vulnerable php file that allows execution of injected code into a URL for a geeklog site.
Since there's no "Security" forum, I figured the "feedback" or "general help" forums would be my best choice for bringing this issue to light.
/CF
Re: php injection - phishing site
Posted on: 06/08/07 12:54pm
By: jmucchiello
There are currently no known exploits for geeklog. So any website showing one is showing something that has been plugged or was not an issue with geeklog. Why exactly do you want this information?
Re: php injection - phishing site
Posted on: 06/08/07 01:27pm
By: Dirk
Re: php injection - phishing site
Posted on: 06/08/07 03:31pm
By: colonel_flagg
I want the information so that I may fix and/or document the problem properly. There's nothing currently documented showing a compromise such as this. Therefore, if it is a php injection problem and it's happening to a current geeklog install, it could be a 0day exploit, and therefore you, the developers, need to be made aware of it.
I will look into the URLs given and monitor this install of geeklog.
If I find anything, I will pass it along.
/CF
Re: php injection - phishing site
Posted on: 06/08/07 04:04pm
By: jmucchiello
You haven't said what version of GL you are running. What plugins (and their versions) do you have installed? Is the geeklog installation installed properly, in other words are all the directories that are supposed to be unreachable really unreachable? We need a lot more details.
You don't have a phishing attack. You have an attack where the intruder was able to upload a zip file and extract it. After breaking in, they installed a phishing kit.
Re: php injection - phishing site
Posted on: 06/08/07 04:04pm
By: Dirk
It wasn't clear (to me, at least) from your initial post what you were really looking for. You did see the Geeklog Security link on the left, I assume?
When looking for what happened to that site, keep in mind that other software on that server may have been compromised. There have been cases of servers' admin panels (e.g. Cpanel) being hacked, for example.
Let us know what you find out.
bye, Dirk
Re: php injection - phishing site
Posted on: 06/12/07 12:28pm
By: Anonymous (Colonel Flagg)
It was directly related to an older exploit for geeklog 1.4.0 dealing with a php file that allowed file uploads to the server. Then, using the new file, they created a shell and imported not one, but two different phishing sites in the /home and /polls/home directories. All of this is well documented in exploit databases.
My problem was that the previous admin made a hybrid version of geeklog. I have since updated completely to 1.4.1.
A little googling and searching the exploit databases with the correct keywords found the problem, and I was able to resolve it by upgrading the entire site.
/CF
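The thread describes a dropped archive (home.zip) being extracted into unexpected directories (home/, polls/home/) inside the webroot. The following is an added example, not code from the thread or from the Geeklog project, of the integrity check a defender would run to surface exactly that: compare the webroot against a known-good file manifest and flag any stray zip archives that carry web content. The manifest, file names and sample site are constructed for illustration; in practice the manifest would be generated from the pristine Geeklog distribution.

```python
import os
import tempfile
import zipfile

# Constructed known-good manifest: relative paths a clean install is expected
# to contain (in practice, generate this from the pristine Geeklog tarball).
BASELINE = {"index.php", "lib-common.php", "polls/index.php", "images/logo.gif"}
WEB_EXT = (".php", ".html", ".htm")

def list_tree(root):
    """Relative paths (forward slashes) of every regular file under root."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            found.add(rel.replace(os.sep, "/"))
    return found

def find_unexpected(root, baseline):
    """Files on disk that the manifest does not account for, sorted."""
    return sorted(list_tree(root) - baseline)

def kits_in_archives(root, unexpected):
    """Unexpected zip files that carry web content (the shape of a dropped kit)."""
    hits = []
    for rel in unexpected:
        path = os.path.join(root, rel)
        if rel.endswith(".zip") and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                if any(n.endswith(WEB_EXT) for n in zf.namelist()):
                    hits.append(rel)
    return hits

def build_sample_site():
    """Constructed webroot mimicking the thread: the baseline files plus the
    attacker's home/, polls/home/ and home.zip (placeholder contents only)."""
    root = tempfile.mkdtemp()
    for rel in sorted(BASELINE) + ["home/index.html", "polls/home/login.php"]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
    with zipfile.ZipFile(os.path.join(root, "home.zip"), "w") as zf:
        zf.writestr("home/index.html", "placeholder")
    return root

if __name__ == "__main__":
    site = build_sample_site()
    extra = find_unexpected(site, BASELINE)
    print("unexpected files:", extra)  # home.zip, home/index.html, polls/home/login.php
    print("archives with web content:", kits_in_archives(site, extra))  # ['home.zip']
```

Run it against the real webroot by replacing the constructed manifest with one built from a clean install of the same Geeklog version; anything the manifest does not explain is a candidate for the timeline.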