Welcome to Geeklog, Anonymous Friday, April 19 2024 @ 09:55 am EDT

Geeklog Forums

Possible hacking attempt (successful)


Caveman Joe

Anonymous
This morning I woke up to find all the index.php and index.cgi pages on my Geeklog installation had been removed.
The site is www.twistedlibrarian.com, and the Geeklog version is 1.4.0sr2.
Has anybody seen this happen before? Even the index.cgi file in AWStats was removed, which is not even a part of the Geeklog installation.

Thanks for any help,

~CMJ

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location: Stuttgart, Germany
Quote by Caveman Joe: the Geeklog version is 1.4.0sr2

First thought: Did you remove the FCKeditor file manager?

bye, Dirk

Caveman Joe

Anonymous
No, I did not.
Would that allow such sweeping access across the site, even in non-Geeklog folders?

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location: Stuttgart, Germany
To quote:
The exploit allows an attacker to upload and execute arbitrary code.

Typically, in cases like this the hackers upload a PHP script that lets them execute unix commands in the browser.

There's still the possibility that they used a weakness in some other software on your server, but that was the first thing that came to mind.

To make sure, check your webserver's logfiles for requests directly accessing the file manager. Also check the file manager's directories for any suspicious files, as explained in the above article.

bye, Dirk

Caveman Joe

Anonymous
Got 'im.

twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:23:52 +0100] "GET / HTTP/1.1" 200 123 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:23:53 +0100] "GET /favicon.ico HTTP/1.1" 404 300 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:24:01 +0100] "GET /fckeditor/ HTTP/1.1" 403 303 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:24:28 +0100] "GET /fckeditor/editor HTTP/1.1" 301 348 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:24:28 +0100] "GET /fckeditor/editor/ HTTP/1.1" 403 310 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:24:41 +0100] "GET /fckeditor/editor/filemanager HTTP/1.1" 301 360 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:24:41 +0100] "GET /fckeditor/editor/filemanager/ HTTP/1.1" 403 322 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"

Some nasty piece of work in Amsterdam. Reported.

Thanks for all your help, Dirk - and keep up the good work, GeekLog is still my favourite CMS system ever.
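Dirk's advice above is to check the webserver logs for requests that hit the file manager directly and to look in the file manager's directories for files that should not be there. The following is an added example written for this thread, not code from Geeklog, FCKeditor or anyone in the discussion. It parses Apache combined-format lines with the leading virtual-host field seen in the lines posted above (those six lines are embedded as the sample input), flags any request whose path touches the FCKeditor file manager, lets you restrict the search to a time window (so you look at the right night's log), and scans an upload directory for files with server-executable extensions. The path prefix, the extension list and the directory layout in the demo are assumptions.

```python
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Apache "combined" format with a leading virtual-host field, matching the lines
# posted in this thread. The timestamp is parsed into an aware datetime.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: the file manager lives under this prefix (as in the posted log lines).
# It should only be reached by an editor session, so direct hits deserve a look.
FILEMANAGER_PREFIXES = ("/fckeditor/editor/filemanager",)

# The six lines Caveman Joe posted, used here as sample input.
SAMPLE_LOG = """\
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:23:52 +0100] "GET / HTTP/1.1" 200 123 "-" "Mozilla/5.0"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:23:53 +0100] "GET /favicon.ico HTTP/1.1" 404 300 "-" "Mozilla/5.0"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:24:01 +0100] "GET /fckeditor/ HTTP/1.1" 403 303 "-" "Mozilla/5.0"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:24:28 +0100] "GET /fckeditor/editor HTTP/1.1" 301 348 "-" "Mozilla/5.0"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:24:28 +0100] "GET /fckeditor/editor/ HTTP/1.1" 403 310 "-" "Mozilla/5.0"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:24:41 +0100] "GET /fckeditor/editor/filemanager HTTP/1.1" 301 360 "-" "Mozilla/5.0"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:24:41 +0100] "GET /fckeditor/editor/filemanager/ HTTP/1.1" 403 322 "-" "Mozilla/5.0"
""".splitlines()


def parse_ts(text):
    """Parse an Apache timestamp such as '16/Jul/2006:16:24:41 +0100'."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = parse_ts(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def filemanager_hits(lines, since=None, until=None):
    """Records whose path touches the file manager, optionally limited to [since, until]."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if since is not None and rec["ts"] < since:
            continue
        if until is not None and rec["ts"] > until:
            continue
        if rec["path"].startswith(FILEMANAGER_PREFIXES):
            hits.append(rec)
    return hits


def hits_by_ip(hits):
    """Count file-manager requests per client address, so repeat probers stand out."""
    counts = {}
    for rec in hits:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


def suspicious_uploads(root, exts=(".php", ".php3", ".phtml", ".cgi", ".pl")):
    """Files under an upload directory whose extension the webserver would execute.

    Upload directories should hold images and documents only; anything the server
    would run as code does not belong there. The extension list is an assumption.
    """
    root = Path(root)
    return sorted(
        str(p.relative_to(root)).replace("\\", "/")
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in exts
    )


def scan_demo():
    """Build a constructed upload tree in a temp dir and scan it (demo only)."""
    base = Path(tempfile.mkdtemp())
    (base / "userfiles" / "image").mkdir(parents=True)
    (base / "userfiles" / "image" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (base / "userfiles" / "image" / "dropped.php").write_text("<?php /* constructed */ ?>")
    return suspicious_uploads(base)


if __name__ == "__main__":
    for rec in filemanager_hits(SAMPLE_LOG):
        print(rec["ts"].isoformat(), rec["ip"], rec["status"], rec["path"])
    print(hits_by_ip(filemanager_hits(SAMPLE_LOG)))
    print(scan_demo())
```

Two things worth noting when reading the output. The 403 and 301 responses in the posted lines show someone walking the directory tree, not a successful upload; a 200 on a connector or upload path inside the file manager is what would confirm Dirk's scenario, so run the search over the night the files disappeared rather than the current log. The directory scan is the second half of his advice: a script that the server will execute sitting in an image upload folder is the artifact to look for, regardless of what the log shows.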

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location: Stuttgart, Germany
Quote by Caveman Joe: Some nasty piece of work in Amsterdam. Reported.

LOL. Thanks for reporting me

You should learn how to read the WHOIS output. All European IP addresses are managed by RIPE in Amsterdam. The actual owner follows that initial information (in this case: Deutsche Telekom).

Also, you should have checked last night's logfiles, not the current ones.

bye, Dirk

Caveman Joe

Anonymous
Ah. Whoops.

Sorry about that, mate.