Subject: site hacked

Posted on: 08/04/09 12:55pm
By: Anonymous

Hi,

I have a question: I use Geeklog 1.4.1. Can anybody upload a file to my server via FCKeditor?

I have been hacked, and I have 3 files uploaded by someone to my images directory (public_html/images). One of these files is a PHP spy script. This directory had 777 permissions.

Thank you,
ismael

Re: site hacked

Posted on: 08/04/09 03:49pm
By: Dirk

Quote by: ismael

I have a question: I use Geeklog 1.4.1. Can anybody upload a file to my server via FCKeditor?


There was an issue a while back regarding uploads through FCKeditor. But even then FCKeditor won't let you upload .php files. You would still need a second security to do anything evil.

bye, Dirk

Re: site hacked

Posted on: 08/04/09 05:02pm
By: Anonymous

I've found this:

http://secunia.com/advisories/27123/

Re: site hacked

Posted on: 08/04/09 05:50pm
By: Anonymous

Do you know if files can only be uploaded to the public_html/images directory, or is it possible to upload to any other directory?

Re: site hacked

Posted on: 08/04/09 06:00pm
By: Anonymous

Quote by: ismael

Do you know if files can only be uploaded to the public_html/images directory, or is it possible to upload to any other directory?



When the hacker can create a folder called "images" in your main public directory with the permission of 777, then they can change your site code and everything. Later on your site will not show your index page but it will show the attacker's home index page.

Now I guess the attacker is still practicing hacking small sites first, then the next big target site we don't know.

Thanks.

PS. Your situation is the same as mine.

Re: site hacked

Posted on: 09/04/09 04:01pm
By: ::Ben

777 permissions are very big holes in security. If you don't want to lose too much, make backups every day (db and cms).

::Ben
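
An added example, not part of the original thread or of Geeklog: a shell audit for the two conditions discussed here, world-writable (777-style) directories under the web root and PHP files sitting in them. The function names and the path argument are assumptions, and `-maxdepth` assumes GNU or BSD find.

```shell
#!/bin/sh
# Added example: audit a web root for world-writable directories and for
# PHP files stored in them. Function names are hypothetical.

# Directories any local account can write to (mode 777, 757, 773, ...).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# PHP-like files sitting directly in those directories. The last pattern
# catches double extensions such as "x.php.jpg", which some Apache handler
# configurations still execute as PHP.
scripts_in_writable_dirs() {
    world_writable_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -maxdepth 1 -type f \( \
            -name '*.[pP][hH][pP]' -o -name '*.[pP][hH][pP][0-9]' -o \
            -name '*.[pP][hH][tT][mM][lL]' -o -name '*.[pP][hH][pP].*' \
        \) -print
    done
}

# Print findings; return 0 when the tree is clean, 1 otherwise.
audit_webroot() {
    dirs=$(world_writable_dirs "$1")
    scripts=$(scripts_in_writable_dirs "$1")
    if [ -n "$dirs" ]; then
        printf '%s\n' "$dirs" | sed 's/^/WORLD-WRITABLE DIR: /'
    fi
    if [ -n "$scripts" ]; then
        printf '%s\n' "$scripts" | sed 's/^/SCRIPT IN WRITABLE DIR: /'
    fi
    [ -z "$dirs" ] && [ -z "$scripts" ]
}

# Run the audit when a path is given, e.g.: sh audit.sh /home/user/public_html
if [ "$#" -gt 0 ]; then
    audit_webroot "$1"
fi
```

A clean result only covers world-writable directories; files written through the web server's own account can land in directories this check does not flag.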

Re: site hacked

Posted on: 09/04/09 04:49pm
By: Anonymous

Hello my friends, I just want to show you guys: in my spamx logs there are too many different IPs posting as USER 1 at my site, but deleted as spam links. Here:
PHP Formatted Code
Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 194.8.75.155

A lot of different IPs with the user 1.

Thanks.


Re: site hacked

Posted on: 09/04/09 04:54pm
By: hfd

More USER 1 IPs here:

PHP Formatted Code
Thu 02 Apr 2009 00:01:08 MDT - Deleted Spam Post
Thu 02 Apr 2009 07:59:18 MDT - SLV: spam detected
Thu 02 Apr 2009 07:59:18 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 194.8.75.155
Thu 02 Apr 2009 07:59:18 MDT - Deleted Spam Post
Fri 03 Apr 2009 06:07:12 MDT - Deleted Spam Post
Sat 04 Apr 2009 23:03:31 MDT - SLV: spam detected
Sat 04 Apr 2009 23:03:31 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 87.118.90.189
Sat 04 Apr 2009 23:03:31 MDT - Deleted Spam Post
Sun 05 Apr 2009 06:05:23 MDT - SLV: spam detected
Sun 05 Apr 2009 06:05:23 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 92.112.116.128
Sun 05 Apr 2009 06:05:23 MDT - Deleted Spam Post
Mon 06 Apr 2009 03:22:17 MDT - SLV: spam detected
Mon 06 Apr 2009 03:22:17 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 195.2.240.126
Mon 06 Apr 2009 03:22:17 MDT - Deleted Spam Post
 

Is this normal or ........?

Thanks

Re: site hacked

Posted on: 09/04/09 04:57pm
By: Dirk

UID 1 is the pseudo account for anonymous users. So the above log entries only mean that a user that wasn't logged in tried to post spam. This is not at all security related.

bye, Dirk

Re: site hacked

Posted on: 11/04/09 04:56am
By: 1000ideen

Quote by: ismael


PS. Your situation is the same as mine.


No, I don't think so; every web account is different and the quality of your hoster may vary strongly. I don't have any subdirectory with 777.

Unfortunately you did not reply whether you read Dirk's hint and whether you had used it before the hacking: http://www.geeklog.net/article.php/file-uploads

Geeklog - Forum
https://www.geeklog.net/forum/viewtopic.php?showtopic=86926