ismael

Anonymous
Hi,

I have a question, I use geeklog 1.4.1, can anybody upload a file to my server via fckeditor?

I have been hacked, and I have 3 files uploaded by anybody to my images directory (public_html/images). One of these files is a PHP spy script. This directory had 777 permissions.

Thank you,
ismael

Status: offline

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Quote by: ismael

I have a question, I use geeklog 1.4.1, can anybody upload a file to my server via fckeditor?


There was an issue a while back regarding uploads through FCKeditor. But even then FCKeditor won't let you upload .php files. You would still need a second security to do anything evil.

bye, Dirk

ismael

Anonymous
I've found this:

http://secunia.com/advisories/27123/

ismael

Anonymous
Do you know if the uploaded files can only be uploaded to the public_html/images directory, or if it is possible to upload to any other directory?

iam

Anonymous
Quote by: ismael

Do you know if the uploaded files can only be uploaded to the public_html/images directory, or if it is possible to upload to any other directory?



When the hacker can create a folder called "images" in your main public directory with the permission of 777, then they can change your site code and everything. Later on your site will not show your index page, but it will show the attacker's home index page.

Now I guess the attacker is still practicing hacking the small sites first, then the big ones; the next target site we don't know.

Thanks.

PS. Your situation is the same as mine.

Status: offline

::Ben

Forum User
Full Member
Registered: 14/01/05
Posts: 1569
777 permissions are very big holes in security. If you don't want to lose too much, make backups every day (db and cms).

::Ben
I'm available to customise your themes or plugins for your Geeklog CMS
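
An added example, not part of the original thread or of Geeklog: a small audit that walks a web root, reports world-writable directories (the 777 case discussed above) and lists script files sitting in an upload directory such as public_html/images. The function name, the extension list and the default paths are assumptions made for this illustration.

```python
import os
import stat
import sys

# Assumption: extensions the web server might hand to the PHP interpreter.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}


def audit_webroot(root, upload_dirs=("images",)):
    """Walk root; return (world_writable_dirs, scripts_in_upload_dirs).

    upload_dirs are top-level directory names under root that should hold
    only static files. Paths are returned relative to root, sorted.
    """
    writable, scripts = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        # World-writable bit (the last "7" in 777): any local account,
        # including the web server user, can create or replace files here.
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            writable.append(rel)
        # Script files inside an upload directory deserve a manual look.
        if rel.split(os.sep)[0] in upload_dirs:
            for name in filenames:
                if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                    scripts.append(os.path.join(rel, name))
    return sorted(writable), sorted(scripts)


if __name__ == "__main__":
    # Assumed default path; pass the real web root as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else "public_html"
    dirs, files = audit_webroot(root)
    for d in dirs:
        print("world-writable directory:", d)
    for f in files:
        print("script in upload directory:", f)
```
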

iam

Anonymous
Hello my friends, I just want to show you guys: my spamx logs have too many different IPs posting as USER 1 at my site, but deleted as spam links. Here:
PHP Formatted Code
Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 194.8.75.155

A lot of different IPs with the user 1.

Thanks.


Status: offline

hfd

Forum User
Junior
Registered: 19/06/08
Posts: 16
More USER 1 IPs here:

PHP Formatted Code
Thu 02 Apr 2009 00:01:08 MDT - Deleted Spam Post
Thu 02 Apr 2009 07:59:18 MDT - SLV: spam detected
Thu 02 Apr 2009 07:59:18 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 194.8.75.155
Thu 02 Apr 2009 07:59:18 MDT - Deleted Spam Post
Fri 03 Apr 2009 06:07:12 MDT - Deleted Spam Post
Sat 04 Apr 2009 23:03:31 MDT - SLV: spam detected
Sat 04 Apr 2009 23:03:31 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 87.118.90.189
Sat 04 Apr 2009 23:03:31 MDT - Deleted Spam Post
Sun 05 Apr 2009 06:05:23 MDT - SLV: spam detected
Sun 05 Apr 2009 06:05:23 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 92.112.116.128
Sun 05 Apr 2009 06:05:23 MDT - Deleted Spam Post
Mon 06 Apr 2009 03:22:17 MDT - SLV: spam detected
Mon 06 Apr 2009 03:22:17 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 195.2.240.126
Mon 06 Apr 2009 03:22:17 MDT - Deleted Spam Post
 

Is this normal or ........?

Thanks

Status: offline

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
UID 1 is the pseudo account for anonymous users. So the above log entries only mean that a user that wasn't logged in tried to post spam. This is not at all security related.

bye, Dirk

Status: offline

1000ideen

Forum User
Full Member
Registered: 04/08/03
Posts: 1298
Quote by: ismael


PS. Your situation is the same as mine.


No, I don't think so; every web account is different and the quality of your hoster may vary strongly. I don't have any subdirectory with 777.

Unfortunately you did not reply if you read Dirk's hint and if you had used it before the hacking: http://www.geeklog.net/article.php/file-uploads