Well, I was notified today by my internet provider that my sites were hacked. I don't believe that the hack was performed through Geeklog, but I thought I'd let you all know. I'm still checking into it, but it looks like a file was added to each of my web sites' root folders (including just normal HTML web sites). The files were dated Oct 11, 2006. Most of them were named index.html, default.html and one own.php to a site that was and has not been running for the past year. All the files contain this:
0wned By ShaF***31 You couLdn'T eVeN The things i HaVe aLReaDY DoNe .. c0n74cT : ShaFuq31@HoTMaiL.CoM
Where the *** are above is actually a swear word. The version of Geeklog is 1.4.0sr3 and I am using Windows 2003 (always updated). I run virus scanners nightly, which then sometimes pick up a file in the php/uploadtemp directory that they then delete.
Anyone have any ideas on how this may have happened?
One of the Geeklog Core Developers.
After looking through about 8 different log files I found the problem. It was a PHP script from TuFat called FlashChat. A good chat program, but a bug was found in September that I was not notified about.
I was actually mistaken about the file dates. All file dates were Nov 10, 2006. I got confused because I was looking at web logs as well, which flip the month and day around.
Not much damage done except what I mentioned before. They did upload a script they were using called phpFileManager 0.9.3 to add in the index files.
One of the Geeklog Core Developers.
Quote by Laugh: The version of geeklog is 1.4.0sr3
Just wanted to point out that you're two security fixes behind. If you haven't removed FCKeditor's file manager yet, this may also explain what you've been seeing ...
I have removed FCKeditor's file manager. I was planning on updating to Geeklog 1.4.1 (when the final is released) since I have a few mods to apply to Geeklog once an upgrade is finished; maybe I will not wait.
Then there's mailer.php, index.php (check all your index.php files; you'll know it when you see it. Look for AOD Mailer in the first few lines) and all the files info.txt, letter.txt, emails.txt.
I have FlashChat and still use it. If you go to TuFat and check out the info on the security update and delete aedating2CMS.php you should be OK. FlashChat is pretty involved and I'm no PHP expert, so I make no guarantees.
But look for those files. You can really get hacked with those left lying around.
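The post above lists the things to look for after this kind of compromise: dropped files with known names (own.php, mailer.php, info.txt, letter.txt, emails.txt, the uploaded phpFileManager), index.php files carrying the "AOD Mailer" marker in their first few lines, and index.html/default.html pages replaced with the defacement text. The script below is an added example, not something posted in this thread or shipped by Geeklog or TuFat: it walks a web root and reports every file matching one of those indicators, plus (optionally) anything modified after a cut-off date, which is how the original poster narrowed the incident down to Nov 10, 2006. The sample web root it builds is constructed for the demo; the indicator names come straight from the posts.

```python
import os
import tempfile
from datetime import datetime, timezone

# Filenames the thread reports as dropped by the intruder.
SUSPECT_NAMES = {"own.php", "mailer.php", "info.txt", "letter.txt", "emails.txt"}
# The thread says to check the first few lines of every index.php for this marker.
MARKER_FILES = {"index.php"}
MARKER = "AOD Mailer"
# Pages the thread reports as replaced, and the start of the defacement text quoted in it.
DEFACED_PAGES = {"index.html", "default.html"}
DEFACEMENT = "0wned By"


def head(path, lines=5):
    """Return the first `lines` lines of a file as text; decode errors are replaced."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return "".join(f.readline() for _ in range(lines))


def scan_webroot(root, since_epoch=None):
    """Walk `root` and return a sorted list of (relative_path, reason) tuples.

    Reasons: 'suspect-name', 'marker', 'defacement', 'modified-after'.
    `since_epoch` (seconds since the Unix epoch) flags files modified after it.
    A file can appear more than once if it matches several indicators.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lower = name.lower()
            if lower in SUSPECT_NAMES or "phpfilemanager" in lower:
                findings.append((rel, "suspect-name"))
            try:
                first = head(path)
            except OSError:
                continue  # unreadable file: skip content checks, keep going
            if lower in MARKER_FILES and MARKER in first:
                findings.append((rel, "marker"))
            if lower in DEFACED_PAGES and DEFACEMENT in first:
                findings.append((rel, "defacement"))
            if since_epoch is not None and os.path.getmtime(path) > since_epoch:
                findings.append((rel, "modified-after"))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed web root in a temp dir (sample data, not a real site)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.php": "<?php\n// AOD Mailer\nmail($to, $subj, $body);\n",
        "site1/index.html": "0wned By [constructed sample line]\n",
        "site1/own.php": "<?php echo 'constructed sample';\n",
        "site2/about.html": "<html><body>About us</body></html>\n",
        "site2/emails.txt": "user@example.invalid\n",
        "chat/phpFileManager-0.9.3.php": "<?php // placeholder, not the real tool\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    # Cut-off date the original poster arrived at after checking the logs.
    since = datetime(2006, 11, 10, tzinfo=timezone.utc).timestamp()
    for rel, reason in scan_webroot(root, since_epoch=since):
        print(f"{reason:15} {rel}")
```

Run it against a real document root with `scan_webroot("/path/to/htdocs", since_epoch=...)`; the "modified-after" reason is noisy on a live site (every legitimately updated file matches), so treat it as a triage aid alongside the name and marker hits rather than as proof of tampering on its own. Indicators like these are specific to this one incident, which is why the later post's advice of restoring from a known-good offline backup is still the only way to be sure nothing else was left behind.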
The one time I was hacked, my procedure was to delete everything and upload my offline backup. That's the only way to truly know there are no stray files lurking on your server. For stuff like file uploads, you have to make backups of that directory to an offline backup regularly.
I realize this doesn't help you now, but you should consider it going forward.