Forum Preview

04/08/09 12:55pm

ismael

Anonymous

Hi,

i have a question, i use geeklog 1.4.1, can anybody upload a file to my server via fckeditor?

i have been hacked, and i have 3 files uploaded by anybody to my images directory (public_html/images). One of this files is an php spy script. This directory had 777 permisions.

Thank you,
ismael

04/08/09 03:49pm

Status: offline

Dirk

Site Admin

Admin

Registered: 01/12/02

Posts: 13073

Quote by: ismael

i have a question, i use geeklog 1.4.1, can anybody upload a file to my server via fckeditor?

There was an issue a while back regarding uploads through FCKeditor. But even then FCKeditor won't let you upload .php files. You would still need a second security to do anything evil.

bye, Dirk

04/08/09 05:02pm

ismael

Anonymous

i've found this:

http://secunia.com/advisories/27123/

04/08/09 05:50pm

ismael

Anonymous

Do you know if the uploaded files only can be uploaded to the public_html/images directory or it is possible to upload to any other directory?

04/08/09 06:00pm

iam

Anonymous

Quote by: ismael

Do you know if the uploaded files only can be uploaded to the public_html/images directory or it is possible to upload to any other directory?

when the hacker can create a folder call "images" in your main public directory with the permission of 777 than they can change your site code and every thing. latter on your site will not show your index page but it will show the attacker home index page.

now I guess attacker still practice to hack the small site first, than the big next target site we don't know.

thanks.

PS. your situation same as me.

04/09/09 04:01pm

Status: offline

::Ben

Forum User

Full Member

Registered: 01/14/05

Posts: 1569

777 permisions are very big holes in the security. If you don't want to loose too much, make backups everyday (db and cms).

::Ben

I'm available to customise your themes or plugins for your Geeklog CMS

04/09/09 04:49pm

iam

Anonymous

hello my friends, just want to show you guys. in my spamx logs have to many difference IP post as USER 1 at my site, but delete as spam link: here......

Text Formatted Code
Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 194.8.75.155 

alot of difference IP with the user 1.

thanks.

04/09/09 04:54pm

Status: offline

hfd

Forum User

Junior

Registered: 06/19/08

Posts: 16

more USER 1 IP here:

Text Formatted Code
Thu 02 Apr 2009 00:01:08 MDT - Deleted Spam Post 

Thu 02 Apr 2009 07:59:18 MDT - SLV: spam detected 

Thu 02 Apr 2009 07:59:18 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 194.8.75.155 

Thu 02 Apr 2009 07:59:18 MDT - Deleted Spam Post 

Fri 03 Apr 2009 06:07:12 MDT - Deleted Spam Post 

Sat 04 Apr 2009 23:03:31 MDT - SLV: spam detected 

Sat 04 Apr 2009 23:03:31 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 87.118.90.189 

Sat 04 Apr 2009 23:03:31 MDT - Deleted Spam Post 

Sun 05 Apr 2009 06:05:23 MDT - SLV: spam detected 

Sun 05 Apr 2009 06:05:23 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 92.112.116.128 

Sun 05 Apr 2009 06:05:23 MDT - Deleted Spam Post 

Mon 06 Apr 2009 03:22:17 MDT - SLV: spam detected 

Mon 06 Apr 2009 03:22:17 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 195.2.240.126 

Mon 06 Apr 2009 03:22:17 MDT - Deleted Spam Post

this is a normal or ........?

thanks

04/09/09 04:57pm

Status: offline

Dirk

Site Admin

Admin

Registered: 01/12/02

Posts: 13073

UID 1 is the pseudo account for anonymous users. So the above log entries only mean that a user that wasn't logged in tried to post spam. This is not at all security related.

bye, Dirk

04/11/09 04:56am

Status: offline

1000ideen

Forum User

Full Member

Registered: 08/04/03

Posts: 1298

Quote by: ismael

PS. your situation same as me.

No I don`t think so, every web account is different and the quality of your hoster may vary strongly. I don`t have any subdirectory with 777.

Unfortunately you did not reply if you read Dirk`s hint and if you had used it before the hacking: http://www.geeklog.net/article.php/file-uploads