Posted on: 09/22/08 03:55am
By: ::Ben
Hi everybody,
4 static pages were hacked on a Geeklog 1.4.1 site with:
- static page plugin 1.4.3
- php 4.4.9
- mysql 4.1.22-standard
The hack is the same in each static page:
Text Formatted Code
sp_id:
<meta http-equiv="refresh" content="0;UR
sp_title:
<meta http-equiv="refresh" content="0;URL=http://***********.us/*******">
sp_content:
<meta http-equiv="refresh" content="0;URL=http://***********.us/*******">
Have you ever seen this before?
::Ben
Re: Static pages hacked
Posted on: 09/26/08 07:57am
By: ::Ben
No one?
So the question is: "Do you think it can be a geeklog vulnerability?"
Installed plugins were
Text Formatted Code
calendar 1.0.0-1.4.1
captcha 3.0.2-1.4.1
chameleon 1.0.2-1.4.1
links 1.0.1-1.4.1
polls 1.1.0-1.4.1
spamx 1.1.0-1.4.1
staticpages 1.4.3-1.4.1
FCKEditor Version 2.3.1 on (very old one)
::Ben
Re: Static pages hacked
Posted on: 10/07/08 07:04am
By: ::Ben
Hi Geeklog community,
Sorry for putting up this post, but :banghead: was SQL injection possible on Geeklog with this config?
And if it is possible, how can we prevent it?
I think the reason for hacking this very small-audience site (fewer than 3 visits a day) was that the site is a political site.
::Ben
Re: Static pages hacked
Posted on: 10/07/08 09:33am
By: suprsidr
You should consider upgrading as your issue has probably already been addressed.
And if your site is small with little traffic, upgrading should be fairly unobtrusive.
I cannot believe a core dev has not answered you though being a security issue.
-s
Re: Static pages hacked
Posted on: 10/07/08 02:52pm
By: Dirk
Quote by: suprsidr
I cannot believe a core dev has not answered you though being a security issue.
Things tend to get buried in the forums. That's why we have a dedicated security contact address for these issues ...
I did actually have a quick look through the code when it was first posted but couldn't see anything obvious. Sounds odd that only static pages would be modified.
Ben, please send us as much information as you can (e.g. when you noticed it and whether there's anything in your logfiles - Geeklog's and the webserver's - for that time).
bye, Dirk
Re: Static pages hacked
Posted on: 10/08/08 05:37pm
By: Anonymous (richard.bkk)
We had the exact same problem, only our problem was that we were running Nextide, which we believe is based on Geeklog 1.4.1.
We tried to do a clean Geeklog 1.5.1 install and install the Nextide plugins afterwards, but we ran into problems with one of the core plugins. The Nexlist plugin keeps saying ...
Text Formatted Code
Fatal error: Cannot redeclare plugin_getadminoption_nexlist() (previously declared in /home/account/public_html/domain/plugins/nexfile/functions.inc:51) in /home/account/public_html/domain/plugins/nexlist/functions.inc on line 49
when we try to install it...
Re: Static pages hacked
Posted on: 10/09/08 01:07am
By: Dirk
Quote by: richard.bkk
We had the exact same problem
Your static pages have been modified without your knowledge? Then please send us all the information you can give us to our security contact address (see above).
bye, Dirk
Re: Static pages hacked
Posted on: 10/09/08 01:52am
By: Anonymous (richard.bkk)
Hi Dirk,
One of our “smart” workers deleted the actual static page before we could save it. On its own the page was nothing impressive; it was a black background with a flag of Chile.
It also mentioned something ….software and it showed a gmail.com and a .la email address.
The more interesting part was that the static page was generated and saved from the admin account. This is extra funny as our admin passwords change daily, and are based on several calculations and are entered in 17 hexadecimal number. I cannot imagine how impossible it is to get this right by pure luck.
The accident happened 6 September, and nothing special happened in our log files. We looked in the RAW log file of our server, but could not find anything suspicious; also, nobody from Chile had visited our website.
After this accident, we directly prepared for the upgrade to GL 1.5.1, which went fine until we encountered the problem with the Nexlist plugin. Now the project is a bit at a standstill. Some voices talk about reinstalling Nextide (GL 1.4.1) and disabling the static page plugin (as we do not use it seriously).
On the other hand, it is likely that the hacker could do much more, especially if he somehow can get his hands on the admin password.
With kind regards,
Richard
Re: Static pages hacked
Posted on: 10/11/08 07:55am
By: Dirk
Quote by: richard.bkk
On the other hand, it is likely that the hacker could do much more, especially if he somehow can get his hands on the admin password.
Ben sent us an SQL dump from his site. In his case at least, the content of the static page was modified but the timestamp wasn't. Which seems to indicate that this wasn't done using any Geeklog account but through other means, e.g. an SQL injection.
At the moment we don't have enough information to make any educated guesses. We'll go over the code for the static pages plugin in 1.4.1 again (which has since been heavily modified, btw). Other possible attack vectors are admin interfaces provided by the hosting service (Webmin, etc.). But it's odd that in both cases only static pages were modified ...
We'll keep you posted.
bye, Dirk
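The check Dirk describes above (content modified, timestamp untouched), combined with a scan for the injected meta refresh tag from the first post, as an added example that is not part of the original thread or of Geeklog's code. The row key (position in the dump), the `sp_date` column name and all sample rows are assumptions of this example; the injected value is cut to 40 characters to mirror the truncated `sp_id` shown in the first post.

```python
import re

# An injected <meta http-equiv="refresh"> tag; also matches a tag cut short by
# a narrow column, like the truncated sp_id value in the first post.
META_REFRESH = re.compile(r'<meta\s+http-equiv\s*=\s*["\']?refresh', re.IGNORECASE)
FIELDS = ("sp_id", "sp_title", "sp_content")

def audit_static_pages(baseline, current):
    """Return {row_key: [reasons]} for rows that look tampered with.

    Both arguments map a row key to a dict holding sp_id, sp_title,
    sp_content and sp_date. The row key (position in the dump) and the
    sp_date column name are assumptions of this example.
    """
    findings = {}
    for key, row in current.items():
        reasons = [f"meta refresh in {f}" for f in FIELDS
                   if META_REFRESH.search(row.get(f) or "")]
        old = baseline.get(key)
        if old is None:
            reasons.append("row not present in baseline")
        else:
            changed = [f for f in FIELDS if old.get(f) != row.get(f)]
            if changed and old.get("sp_date") == row.get("sp_date"):
                # Reasoning from the thread: an edit made through a Geeklog
                # account would have changed the timestamp as well.
                reasons.append("changed without timestamp update: " + ", ".join(changed))
        if reasons:
            findings[key] = reasons
    return findings

# Constructed sample rows (not data from the affected sites).
PAYLOAD = '<meta http-equiv="refresh" content="0;URL=http://redirect.example/x">'
BASELINE = {
    1: {"sp_id": "about", "sp_title": "About us", "sp_content": "<p>Who we are</p>", "sp_date": "2008-03-01 10:00:00"},
    2: {"sp_id": "contact", "sp_title": "Contact", "sp_content": "<p>Mail us</p>", "sp_date": "2008-03-02 11:30:00"},
}
CURRENT = {
    1: {"sp_id": PAYLOAD[:40], "sp_title": PAYLOAD, "sp_content": PAYLOAD, "sp_date": "2008-03-01 10:00:00"},
    2: {"sp_id": "contact", "sp_title": "Contact", "sp_content": "<p>Mail us at the new address</p>", "sp_date": "2008-09-20 09:15:00"},
}

if __name__ == "__main__":
    for key, reasons in audit_static_pages(BASELINE, CURRENT).items():
        print(key, reasons)
```

Row 2 is a normal edit (content and timestamp both changed) and is not reported; the baseline has to come from a backup taken before the modification.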
Re: Static pages hacked
Posted on: 10/11/08 08:23am
By: richard.bkk
For now, as far as possible, we upgraded all Geeklog websites to 1.5.1 and updated all plugins to the latest... Let's see if it happens again...
On the one server where the "hack" happened we are running several Geeklog websites, and it is weird that the hackers selected the one they did, as it is not a spectacular or popular website.