Welcome to Geeklog, Anonymous Friday, March 29 2024 @ 11:40 am EDT

Geeklog Forums

Site Hacked


Status: offline

Laugh

Site Admin
Admin
Registered: 09/27/05
Posts: 1468
Location:Canada
FYI - Geeklog Community

Well I was notified today that my sites were hacked by my internet provider. I don't believe that the hack was performed through geeklog but I thought I'd let you all know. I'm still checking into it but it looks like a file was added to each of my web sites root folders (including just normal html web sites). The files were dated Oct 11, 2006. most of them where named index.html, default.html and 1 own.php to a site that was and has not been running for the past year. All the files contain this:


0wned
By
ShaF***31
You couLdn'T eVeN The things i HaVe aLReaDY DoNe ..
c0n74cT :
ShaFuq31@HoTMaiL.CoM



Where the *** are above is actually a swear word. The version of geeklog is 1.4.0sr3 and I am using Windows 2003 (always updated). I run virus scanners nightly which then sometimes pick up a file in the php/uploadtemp directory that it then deletes.

Anyone have any ideas on how this may of happend?
One of the Geeklog Core Developers.
 Quote

Status: offline

Laugh

Site Admin
Admin
Registered: 09/27/05
Posts: 1468
Location:Canada
After looking through about 8 different log files I found the problem. It was a php script from TuFat called FlashChat. A good chat program but a bug was found in september that I was not notified about.

I was actually mistaken about the file dates. All file dates where Nov 10, 2006. I got confused because I was looking at web logs as well which flips the month and day around Embarassed

Not much damaged done except what I mentioned before. The did upload a script they where using called phpFileManager 0.9.3 to add in the index files.
One of the Geeklog Core Developers.
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by Laugh: The version of geeklog is 1.4.0sr3

Just wanted to point out that you're two security fixes behind. If you haven't removed FCKeditor's file manager yet, this may also explain what you've been seeing ...

bye, Dirk
 Quote

Status: offline

Laugh

Site Admin
Admin
Registered: 09/27/05
Posts: 1468
Location:Canada
I have removed FCK editor's file manager. I was planning on updating to Geeklog 1.4.1 (when the final is released) since I have a few mods to apply to geeklog once an upgrade is finished, maybe I will not wait.


One of the Geeklog Core Developers.
 Quote

Status: offline

scroff

Forum User
Regular Poster
Registered: 02/19/03
Posts: 111
I was also hacked through flash chat. There are several files you need to look for that may provide someone shell access to your server...

cgi.php, www.php, .0x3.php, avatar9921_12.php, r57shell.php, httpd.php...

then there's mailer.php, index.php (check all your index.php files, you'll know it when you see it. Look for AOD Mailer in the first few lines) and all the files info.txt, letter.txt, emails.txt.

I have flash chat and still use it. If you go to tufat and check out the info on the security update and delete aedating2CMS.php you should be ok. Flash chat is pretty involved and I'm no php expert, so I make no guarantees.

But look for those files. You can really get hacked with those left lying around. Doh! - that was a mistake
 Quote

Status: offline

Laugh

Site Admin
Admin
Registered: 09/27/05
Posts: 1468
Location:Canada
Thanks for the tips I'll scan my server for these files now. The phpFileManager script that I found had been named 06.php.

Does anyone know of a good website that have recommended procedures for certain server setups when you get hacked?
One of the Geeklog Core Developers.
 Quote

Status: offline

jmucchiello

Forum User
Full Member
Registered: 08/29/05
Posts: 985
The one time I was hacked, my procedure what to delete everything and upload my offline backup. That's the only way to truly know there are no stray files lurking on your server. For stuff like file uploads, you have to make backups of that directory to an offline backup regularly.

I realize this doesn't help you now, but you should consider it going forward.
 Quote

All times are EDT. The time is now 11:40 am.

  • Normal Topic
  • Sticky Topic
  • Locked Topic
  • New Post
  • Sticky Topic W/ New Post
  • Locked Topic W/ New Post
  •  View Anonymous Posts
  •  Able to post
  •  Filtered HTML Allowed
  •  Censored Content