Geeklog Forums

Hacked and being used as a spam server using PEAR


spockjuh

Forum User
Junior
Registered: 06/30/04
Posts: 32
Spam/hack problem here. A long time ago I installed Geeklog with Fantastico. I'm running the newest version at the moment, but I'm still having some big issues regarding hackers. My provider told me that it looks like a PEAR attack where hackers use my server space to send a lot of spam into the world. They are using a script or something like that, but I don't know where to look. Anyone got some ideas?

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
That's all a bit vague ... And I'm not sure what PEAR should have to do with it.

Check for files that shouldn't be there (i.e. are not part of Geeklog). Check your server logs for unusual requests. Double-check that not only Geeklog itself but also the plugins you're using are up to date (Media Gallery and the CAPTCHA plugin, for example, also had security issues earlier this year).

bye, Dirk
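
The two checks suggested above (files that are not part of Geeklog, and unusual requests in the server log), sketched as an added example that is not part of the original post or of Geeklog. It assumes the tarball's `public_html` has been unpacked next to a copy of the live `public_html`, that URL paths map directly onto that directory, and that the access log is in Common Log Format; the function names are made up for this sketch.

```python
import hashlib
import re
import sys
from pathlib import Path

def manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(pristine_root, live_root):
    """Return (extra, modified): files only in the live tree, and files
    present in both trees whose content differs from the tarball copy."""
    clean, live = manifest(pristine_root), manifest(live_root)
    extra = sorted(set(live) - set(clean))
    modified = sorted(f for f in set(live) & set(clean) if live[f] != clean[f])
    return extra, modified

# Request field of a Common/Combined Log Format line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (/[^ ?"]*)')

def unknown_php_requests(log_lines, pristine_root):
    """Return requested .php paths that the pristine tree does not contain."""
    known = set(manifest(pristine_root))
    hits = set()
    for line in log_lines:
        m = REQUEST.search(line)
        if m and m.group(1).endswith(".php") and m.group(1).lstrip("/") not in known:
            hits.add(m.group(1))
    return sorted(hits)

if __name__ == "__main__":
    # Usage: check_tree.py <pristine public_html> <live public_html> [access_log]
    extra, modified = compare_trees(sys.argv[1], sys.argv[2])
    # Uploaded images will show up as extra and edited config files as
    # modified; extra or modified .php files are the ones to read first.
    for name in extra:
        print("EXTRA   ", name)
    for name in modified:
        print("MODIFIED", name)
    if len(sys.argv) > 3:
        with open(sys.argv[3], errors="replace") as log:
            for path in unknown_php_requests(log, sys.argv[1]):
                print("REQUEST ", path)
```

Hashing catches a stock file that was altered in place, which a listing by file name alone would miss.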

spockjuh

Forum User
Junior
Registered: 06/30/04
Posts: 32
I already checked the files in Geeklog itself. I downloaded the complete tar and my own public_html, but there are no files that don't belong there. The plugins I use are blockmenu (not enabled), calendar, gus, links, polls, spamx, staticpages, youtube (not enabled).

The PEAR story is what my host told me. I already checked the logs but couldn't find anything strange in them (it could be that I just don't see any strange requests; maybe someone with some spare time could take a look at this log?)

I already searched for the chmod config. Can anyone help me with the correct chmod configuration?

1000ideen

Forum User
Full Member
Registered: 08/04/03
Posts: 1298

Spockjuh

Anonymous
Is it a good idea to reinstall Geeklog in public_html/index instead of public_html?

If I do that, the only things I have to change are the config.php and the libcommon. Am I forgetting something?

1000ideen

Forum User
Full Member
Registered: 08/04/03
Posts: 1298
is it a good idea to reinstall geeklog in public_html/index instead of public_html

What for?

Removals: http://www.geeklog.net/faqman/index.php?op=view&t=37


Spockjuh

Anonymous
Dirk, did you receive my e-mail last night?

spockjuh

Forum User
Junior
Registered: 06/30/04
Posts: 32
I already sent a mail to Dirk for help, but I'm short on time; my host has just given me a deadline to solve my problems...

I'm running out of ideas, so is there anybody here who can take a look at my Geeklog installation (public_html) and search for strange files, scripts, etc.? I have already done it twice but couldn't find anything...

1000ideen

Forum User
Full Member
Registered: 08/04/03
Posts: 1298
Can't your host give you a new webspace? You could do a fresh manual install.

spockjuh

Forum User
Junior
Registered: 06/30/04
Posts: 32
I already did that: a completely new installation, but still the same problems, even with a clean install without any external plugins.

ronack

Forum User
Full Member
Registered: 05/27/03
Posts: 612
What indication is your host giving that it's coming from your site? Unless they can tell you how they are doing it I don't see how anyone can fix it. Just saying that it's PEAR is not enough.

You can lock down the site temporarily with the lock down feature in the cfg. I would do that for a few days just to make sure that it's not something in the site.

It may be that you have a registered user sending out spam, or that you have it open to anonymous posters. Therefore I would not allow anonymous users to post without going through the queue, again in the cfg. After that, check the dates people registered vs. when the spammer started. That might indicate who's spamming if they are a registered user.

I didn't think that GL would send out email to non-registered users. If that's happening then I'm curious as to how they're doing it, as I'm sure everyone here is.

ironmax

Anonymous
You need to talk to your hosting provider and ask them what the exact nature of the problem they are having with your site is, other than a simple PEAR issue. It's possible that it could be their system causing this issue and they are conveniently blaming it on your site without fully understanding where the issue is. Especially if this has happened again after you did a clean install. If they are not willing to work with you to resolve this issue, then it's time to move on to a new host provider, as it may sound like they just want the problem to go away and not dig too far into it. My personal thoughts: I wouldn't put up with this from them, attacking you twice on the same site without detailed info on the problem.


Michael