Geeklog Forums
Possible hacking attempt (successful)
Caveman Joe (Anonymous):
This morning I woke up to find all the index.php and index.cgi pages on my Geeklog installation had been removed.
The site is www.twistedlibrarian.com, and the Geeklog version is 1.4.0sr2.
Has anybody seen this happen before? Even the index.cgi file in AWStats was removed - not even a part of the Geeklog installation.
Thanks for any help,
~CMJ
Dirk (Site Admin, Stuttgart, Germany):
Quote by Caveman Joe: the Geeklog version is 1.4.0sr2
First thought: Did you remove the FCKeditor file manager?
bye, Dirk
Caveman Joe (Anonymous):
No, I did not.
Would that allow such sweeping access across the site, even in non-Geeklog folders?
Dirk (Site Admin, Stuttgart, Germany):
To quote:
"The exploit allows an attacker to upload and execute arbitrary code."
Typically, in cases like this the hackers upload a PHP script that lets them execute unix commands in the browser.
There's still the possibility that they used a weakness in some other software on your server, but that was the first thing that came to mind.
To make sure, check your webserver's logfiles for requests directly accessing the file manager. Also check the file manager's directories for any suspicious files, as explained in the above article.
bye, Dirk
Caveman Joe (Anonymous):
Got 'im.
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:23:52 +0100] "GET / HTTP/1.1" 200 123 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:23:53 +0100] "GET /favicon.ico HTTP/1.1" 404 300 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:24:01 +0100] "GET /fckeditor/ HTTP/1.1" 403 303 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:24:28 +0100] "GET /fckeditor/editor HTTP/1.1" 301 348 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:24:28 +0100] "GET /fckeditor/editor/ HTTP/1.1" 403 310 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:24:41 +0100] "GET /fckeditor/editor/filemanager HTTP/1.1" 301 360 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:24:41 +0100] "GET /fckeditor/editor/filemanager/ HTTP/1.1" 403 322 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
Some nasty piece of work in Amsterdam. Reported.
Thanks for all your help, Dirk - and keep up the good work, GeekLog is still my favourite CMS system ever.
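Following up on Dirk's advice to review the web server logs for direct requests to the file manager and to check the upload directories for suspicious files, the Python below is an added example written for this thread; it is not code from Geeklog, FCKeditor or either poster. It parses combined-format lines like the ones above, keeps only those inside an overnight review window, flags paths under the file manager, and summarises them per source IP, separating requests the server refused (403/404) from ones it actually served; a second function screens a list of upload-directory filenames for server-executable extensions, including double extensions. The watched path prefix, the window dates, the third log line (documentation-range IP 198.51.100.7 and a made-up connector filename) and the directory listing are assumptions or constructed sample data, not facts from the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format with a leading virtual-host field, matching the
# lines Caveman Joe posted.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: the file manager lives at the default FCKeditor location.
# A normal site visitor has no reason to request anything under it directly.
WATCH_PREFIXES = ("/fckeditor/editor/filemanager/",)

# Extensions the web server would execute if they landed in an upload folder.
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".cgi", ".pl", ".sh"}

# Constructed sample: the first two lines are from the post above; the third
# is hypothetical (documentation-range IP, made-up connector name) and shows
# what a request that was *not* refused looks like.
SAMPLE_LOG = """\
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:23:52 +0100] "GET / HTTP/1.1" 200 123 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:24:41 +0100] "GET /fckeditor/editor/filemanager/ HTTP/1.1" 403 322 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
twistedlibrarian.com 198.51.100.7 - - [15/Jul/2006:23:41:09 +0100] "POST /fckeditor/editor/filemanager/example-connector.php HTTP/1.1" 200 57 "-" "Mozilla/4.0"
"""

# Assumed review window: "last night's" log as well as today's, as Dirk
# advises. The posted lines carry a +0100 offset, so the window uses it too.
_BST = timezone(timedelta(hours=1))
REVIEW_WINDOW = (
    datetime(2006, 7, 15, 0, 0, 0, tzinfo=_BST),
    datetime(2006, 7, 16, 23, 59, 59, tzinfo=_BST),
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def suspicious_requests(log_text, start, end):
    """Requests inside [start, end] whose path is under a watched prefix."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (start <= rec["ts"] <= end):
            continue
        if rec["path"].startswith(WATCH_PREFIXES):
            hits.append(rec)
    return hits


def summarize_by_ip(hits):
    """Per source IP: hit count, status codes seen, and whether any request
    was served (2xx/3xx) rather than refused (403/404)."""
    summary = {}
    for rec in hits:
        s = summary.setdefault(rec["ip"], {"count": 0, "statuses": set(), "any_served": False})
        s["count"] += 1
        s["statuses"].add(rec["status"])
        if rec["status"] < 400:
            s["any_served"] = True
    return summary


def suspicious_uploads(paths):
    """Flag upload-directory files carrying a server-executable extension
    anywhere in the name, which also catches double extensions like x.php.jpg."""
    flagged = []
    for p in paths:
        name = p.rsplit("/", 1)[-1].lower()
        exts = {"." + part for part in name.split(".")[1:]}
        if exts & EXECUTABLE_EXTS:
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    for ip, s in summarize_by_ip(suspicious_requests(SAMPLE_LOG, *REVIEW_WINDOW)).items():
        print(ip, s)
    # Constructed directory listing, as you might get from "ls -R" of the upload folder.
    print(suspicious_uploads(["/uploads/image/photo.jpg", "/uploads/file/note.txt", "/uploads/file/x.php.jpg"]))
```

A 403 on the directory index, as in the posted lines, only says that directory listing was refused; it does not rule out earlier requests to scripts inside that directory, which is why the window deliberately covers the previous night's log as well.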
Dirk (Site Admin, Stuttgart, Germany):
Quote by Caveman Joe: Some nasty piece of work in Amsterdam. Reported.
LOL. Thanks for reporting me

You should learn how to read the WHOIS output. All European IP addresses are managed by RIPE in Amsterdam. The actual owner follows that initial information (in this case: Deutsche Telekom).
Also, you should have checked last night's logfiles, not the current ones.
bye, Dirk
Caveman Joe (Anonymous):
Ah. Whoops.
Sorry about that, mate.