Welcome to Geeklog, Anonymous Thursday, March 28 2024 @ 09:09 am EDT

Geeklog Forums

Geeklog hacked again.


andyofne

Forum User
Chatty
Registered: 08/31/02
Posts: 69
After going through it a couple of weeks ago made the effort to secure the site following the instructions provided. But this morning, I was hacked again.

I've really spent too much time on this and I fear I have to abandon geeklog at this time.

Thanks for your support over the last couple of years, I really appreciate it. I just can't keep dealing with this over and over again.

Seriously depressed and disappointed by this situation.

andyofne

Forum User
Chatty
Registered: 08/31/02
Posts: 69
They edited my config.php file that was located in a protected directory. I still haven't quite figured that one out.

andyofne

Forum User
Chatty
Registered: 08/31/02
Posts: 69
I realize this conversation is a bit one sided but for the record...

These jerks use google / yahoo search to find the sites in question by hitting on the phrase "Powered by Geeklog". In this instance they added 'trackbacks' to the search.

http://search.yahoo.com/search?p=powered+by+geeklog+trackbacks

It appears that the 'attack' began with an exploit of Spamx's BlackList.Examine.class.php file which was used to execute a remote script located on another website.

Last time, they uploaded the script or a similar one and executed it on my web space.

LWC

Forum User
Full Member
Registered: 02/19/04
Posts: 818
protected=outside of the webroot or "just" password protected?

andyofne

Forum User
Chatty
Registered: 08/31/02
Posts: 69
As discussed previously, not all web hosts allow you to put files outside the webroot.

I've already figured out that a script can access a web protected directory without any problem. At this point, my question would be will unix file permission make any difference on the config.php file?

I can't figure out what ownership the script is given, is it root or 'user' level?

How annoying is this. I'm stuck with this host for the time being and I honestly can't spend several hours a day every couple of weeks restoring the site, changing all the passwords, and trying to figure out how they got in.

Good thing I had files backed up but that doesn't change the fact that, apparently, they can still strike without much warning.

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location: Stuttgart, Germany
Can you password-protect the directories? I.e. using .htaccess / htpasswd. That should stop the attacks.

If you can't, I guess that at this point it's not safe any more to run a Geeklog site on such a host.

bye, Dirk

LWC

Forum User
Full Member
Registered: 02/19/04
Posts: 818
If your folder is neither outside the webroot nor, according to Dirk, password protected, then what exactly makes you call it "protected"?

Anyway, you can find a good host for like $10 a month and use the current one (assuming you paid in advance) as a file server or whatever.

andyofne

Forum User
Chatty
Registered: 08/31/02
Posts: 69
LWC, I thought I mentioned that the geeklog system files were moved to a protected directory. I took everything that was supposed to be outside the web root and put it in a directory with a nonstandard name (for instance: glz1) and then applied an .htaccess file to that folder. I tested the folder and if you try to access it through a URL it asks for a username and password.

At any rate, it's obvious there was something else I missed somewhere since the site was defaced again.

The lack of concern evidenced here by the developers is, quite frankly, startling.

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location: Stuttgart, Germany
Quote by andyofne: At any rate, it's obvious there was something else I missed somewhere since the site was defaced again.

The only other known issue at the moment is the one about the mcpuk file manager. Since you can upload files that way, it's possible to circumvent the password protection.

If you're not on 1.4.0 or did remove (not only disable!) the file manager, then the latest hack was through some other means and we would be very interested to learn how it was done. It could have been through some other software on the server or maybe you missed a modified file from the earlier hack.


Quote by andyofne: The lack of concern evidenced here by the developers is, quite frankly, startling.

Quite frankly, I'm offended by that remark.

So far you have given us not enough information to assess what really happened on your site. I can understand that you're upset and I'm embarrassed about the amount of security issues that have cropped up recently, but what makes you say we don't care? We've reacted to every issue ASAP and with as much information as we could.

bye, Dirk

andyofne

Forum User
Chatty
Registered: 08/31/02
Posts: 69
I realize you must be very busy, Dirk, and I know you've put a lot of effort into this project -- it's commendable, really.

The last time I was 'hacked' I e-mailed you directly thinking that I had experienced something unique but I was to learn later that it wasn't a unique event. I know you were probably busy dealing with the problem so I understand why you didn't respond. I'm sure you get a lot of e-mail about various issues and can't reply to them all.

Still, at that time the attitude on this site was that it was a so-called Geeklog "exploit" when, in fact, it was an exploit for an improperly installed Geeklog. The attitude seemed dismissive and cavalier.

As you've mentioned, the hosting company that I am using does not allow me to create files outside of the webroot. I imagine this is a situation that affects many people.

I immediately applied an .htaccess file to a new directory to secure the geeklog files but OBVIOUSLY I left something out or missed something entirely. I do not blame you. Yet I still have to deal with the aftermath.

I'm not a programmer or professional web designer so I can't say exactly what happened. But since there's been no questions from anyone I can't provide any other answers either.

Hence my remark about lack of concern.

I've been using geeklog for at least 3 years and I really like it but I can't afford to keep dealing with these issues.

I've scrapped entirely three sites all of which were set up for non-profit organizations and which I've been supporting out of pocket for some time now. I am frustrated and angry and unsure of how to proceed.

I apologize if my comments offend you.

LWC

Forum User
Full Member
Registered: 02/19/04
Posts: 818
I imagine this is a situation that affects many people.

I don't want to tell you those people are asking for it, but if for like $10 you can get a decent host that gives you access outside of the webroot, how much cheaper are those people's hosts that they're willing to settle for an embarrassing service?

P.S.
I could only wish Dirk would have responded to patches and feature requests like he does for security matters...

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location: Stuttgart, Germany
Quote by andyofne: The last time I was 'hacked' I e-mailed you directly thinking that I had experienced something unique but I was to learn later that it wasn't a unique event. I know you were probably busy dealing with the problem so I understand why you didn't respond.

By the time you emailed me, there were already posts about that "exploit" in the forums and on the frontpage.

Besides, security issues should really be sent to our security contact address, as outlined on our Geeklog Security page.


Quote by andyofne: Still, at that time the attitude on this site was that it was a So-called Geeklog "exploit" when, in fact, it was an exploit for an improperly installed geeklog. The attitude seemed dismissive and cavalier.

Yep, that didn't go down too well with a few people. I still stand by what I wrote in that post and this comment, though.

Geeklog was always supposed to be installed the way it is and we've been preaching for years that that is the only really safe way to install it. Even before those hacking attempts, you would have given the entire web access to your database backups(!), for example, if you didn't install it correctly.


Quote by andyofne: As you've mentioned, the hosting company that I am using does not allow me to create files outside of the webroot. I imagine this is a situation that affects many people.

We have an FAQ entry for these cases.

I have to admit, though, that I wasn't aware of all those automatic installations that don't seem to follow our advice.


Quote by andyofne: I'm not a programmer or professional web designer so I can't say exactly what happened. But since there's been no questions from anyone I can't provide any other answers either.

Above, you mentioned that the hack involved BlackList.Examine.class.php - that shouldn't have been possible after you password-protected your Geeklog directory. So either you were talking about the first hack or something's wrong here.

bye, Dirk

Mickey

Anonymous
My website got hacked, too. Also with BlackList.Examine.class.php, which was installed by fantastico on BlueHost.com. The installation is kind of a mess now, so it's not clear to me what directories should be protected, and what directories should be open. Is there a list of geeklog directories and whether or not they should be readable via http somewhere? Thanks.

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location: Stuttgart, Germany
Quote by Mickey: My website got hacked, too. Also with BlackList.Examine.class.php, which was installed by fantastico on BlueHost.com.

From what I heard (never seen such an installation), Fantastico drops everything that should be outside of Geeklog's public_html directory into that directory. So you have a directory that contains files like the lib-common.php, but also config.php and the plugins and system directory.

Is that correct? If so, you should password protect the following directories: backups, data, language, logs, plugins, sql, system.

Of course, it would be much easier to secure such an install if Fantastico followed our advice on how to do it. I guess it's high time we contact them ...

bye, Dirk
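
Dirk's list of directories above, turned into a script. This is an added example and not code from the thread or from the Geeklog project: for the flat Fantastico layout (config.php, plugins/, system/ and the rest sitting inside the served directory) it drops an Apache .htaccess into each private directory that refuses every HTTP request, and a `<Files>` rule for config.php, which a subdirectory rule cannot cover. PHP still reads these files through the filesystem, so the site keeps working. Dirk suggests password protection; refusing outright is the same idea with no credential left to guess. It assumes Apache honours .htaccess in that directory (AllowOverride Limit or AuthConfig, usual on shared hosts); the path in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not Geeklog project code: harden the flat Fantastico layout
# without moving anything. Each private directory gets an Apache .htaccess
# that refuses every HTTP request; lib-common.php still includes these files
# via the filesystem, so nothing breaks.

# The directory list is the one Dirk posts in the thread.
PRIVATE_DIRS="backups data language logs plugins sql system"

# Old (2.2) and new (2.4) Apache access-control syntax, each guarded so that
# only the one the running server understands takes effect.
DENY_ALL='<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>'

# protect_flat_install <served_dir>
# Writes the deny rule into every private directory under <served_dir>.
# Returns 1 if any of them is missing, so a mistyped path does not silently
# "protect" nothing.
protect_flat_install() {
    root=$1
    rc=0
    for d in $PRIVATE_DIRS; do
        if [ -d "$root/$d" ]; then
            printf '%s\n' "$DENY_ALL" > "$root/$d/.htaccess"
            echo "protected: $root/$d"
        else
            echo "missing:   $root/$d" >&2
            rc=1
        fi
    done
    return $rc
}

# deny_file_in_root <served_dir> <filename>
# Appends a <Files> block to the web root's own .htaccess so that one
# sensitive file (config.php in this thread) cannot be requested over HTTP.
# Idempotent: a second call for the same file changes nothing.
deny_file_in_root() {
    root=$1
    file=$2
    ht="$root/.htaccess"
    if [ -f "$ht" ] && grep -q "<Files \"$file\">" "$ht"; then
        return 0
    fi
    {
        printf '<Files "%s">\n' "$file"
        printf '%s\n' "$DENY_ALL"
        printf '</Files>\n'
    } >> "$ht"
    echo "denied:    $ht -> $file"
}

# Usage (placeholder path): sh protect.sh /home/me/public_html
if [ $# -eq 1 ]; then
    protect_flat_install "$1"
    [ -f "$1/config.php" ] && deny_file_in_root "$1" config.php
fi
```

After running it, request one of the directories in a browser: a 403 (or, with password protection, a 401 prompt) is the result you want; a blank page means the rule is not being honoured and the files are still reachable.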

scroff

Forum User
Regular Poster
Registered: 02/19/03
Posts: 111
Just my two cents here...

Geeklog is free, and the tech support for that price is fantastic. I have been using GL since 1.3.7 and have had no issues that haven't been solved either here or at one of the plugin developers sites, for free. Even the stupidest of newbie questions have been answered one way or another.

Sometimes Dirk can be a little... curt... but I'm not paying him and I'm grateful to have him and the others around. They provide a good product and good service to me.

That said... my advice is to avoid hosts like GoDaddy, even though they offer GL, like the plague if you want to have a proper GL installation. Also avoid Fantastico installations, even though they're quick and easy. For less than $7 a month I have a host that gives me everything I need for GL and another for less than $4 a month (after buying 2 years).

Shop around for your host with your GL installation in mind. If they won't give you what you need, go elsewhere.

My apologies if I sound rude, sometimes I just get out of hand...

Ghost

Anonymous
Quote by Dirk:From what I heard (never seen such an installation), Fantastico drops everthing that should be outside of Geeklog's public_html directory into that directory. So you have a directory that contains files like the lib-common.php, but also config.php and the plugins and systems directory.

Is that correct?

Yes, that's correct. Not to mention my Fantastico included 1.4.0sr1, so it was instantly out of date. That kind of kills the "ease" of the Fantastico install. When I first installed Geeklog using Fantastico the site was hacked within 3 days. After correcting the Fantastico install by moving the critical files out of public_html as suggested, it's been hack free so far.

ByteEnable

Forum User
Full Member
Registered: 10/20/03
Posts: 138
I clicked on the security mailing-list link on the Geeklog security page and got:

Not Found

The requested URL /listinfo/geeklog-announce was not found on this server.

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location: Stuttgart, Germany
Quote by ByteEnable: I clicked on the security mailing-list link on the Geeklog security page

You mean the link to the geeklog-announce mailing list, I assume. Fixed, thanks.

bye, Dirk

Mark Framness

Anonymous
Greetings All,

One of my Geeklog sites just got cracked as well and it appears to be the Turk attack via the spamx exploit.

First, are there details of exactly what is going on with that spamx exploit? It seems they are looking to hit the SpamX exploit via trackbacks, why else search for "powered by geeklog trackback"? For all of my sites this means I get rid of trackback functionality, I do not need it for my purposes.

Two, it seems stock Fantastico installs may be okay. I have a total of four Geeklog sites. Three had smooth and flawless Fantastico installs; the fourth was problematic and I had to kluge it to get it to work. It was the kluged site that was cracked (two of my other three sites have been visited by Turks searching for "powered by geeklog trackbacks" but have yet to be cracked; when I get home from my vacation I will review logs to see if they have been trying to crack it or were just doing a catalog search). So, I have tried to re-Fantastico install a new Geeklog instance and ran into the same problems.

So, to heck with it. So now this is what I intend to do.
*I have transferred all the latest Geeklog files to the host in the structure they untar into.

*I then will setup a link from the root along the following lines: /public_html ---> /geeklog_ver/public_html.

*Then I intend to edit the config.php file so it points at the existing database (as well as copy in all other settings).

*Then delete all unneeded directories (i.e. install etc).

*Request ownership of all directories & files be changed by host administrators.

Thanks
Mark
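
Mark's plan above as one script. This is an added example, not code from the thread or from the Geeklog project: the unpacked Geeklog tree (config.php, system/, plugins/ and its own public_html/) stays beside the account's web root, i.e. outside it, and the web root itself becomes a symlink to that inner public_html, so only that subtree is ever served. The paths are placeholders, and "install" is taken to mean public_html/admin/install of the 1.4 tree, which is an assumption about where the installer lives. Editing config.php for the existing database and asking the host to change ownership are left as the manual steps Mark lists.

```shell
#!/bin/sh
# Added example, not Geeklog project code: put the Geeklog tree outside the
# web root and serve only its public_html through a symlink.

# relocate_geeklog <unpacked_tree> <web_root>
# e.g. relocate_geeklog /home/me/geeklog-1.4.0sr1 /home/me/public_html  (placeholders)
relocate_geeklog() {
    tree=$1
    webroot=$2

    if [ ! -f "$tree/config.php" ] || [ ! -d "$tree/public_html" ]; then
        echo "not an unpacked Geeklog tree: $tree" >&2
        return 1
    fi

    # Keep the old web root instead of deleting it: after a defacement it
    # holds whatever the attacker dropped, which is the evidence for working
    # out how they got in (the open question in this thread).
    if [ -e "$webroot" ] && [ ! -L "$webroot" ]; then
        mv "$webroot" "$webroot.old.$(date +%Y%m%d%H%M%S)"
    fi
    ln -sfn "$tree/public_html" "$webroot"

    # The installer is only needed once; Dirk's advice in the thread is to
    # remove code you do not use, not merely disable it. Location assumed.
    rm -rf "$tree/public_html/admin/install"

    # Sanity check: nothing private may resolve under the served path.
    for private in config.php system plugins backups sql; do
        if [ -e "$webroot/$private" ]; then
            echo "still served: $webroot/$private" >&2
            return 1
        fi
    done
    echo "web root $webroot -> $(readlink "$webroot")"
}

# tighten_private_tree <unpacked_tree>
# Only for hosts where PHP runs as the account owner (suPHP/CGI). Under
# mod_php the scripts run as the server's user, which then cannot read
# 600/700 files at all; that is andyofne's question about which user the
# script gets, and the answer decides whether this step is possible.
tighten_private_tree() {
    chmod 700 "$1"
    chmod 600 "$1/config.php"
}

if [ $# -eq 2 ]; then
    relocate_geeklog "$1" "$2"
fi
```

Whether the host lets you replace public_html with a symlink is the one thing to confirm first; on hosts that do not, Mark's layout is not available and the flat-layout protection is the fallback.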

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location: Stuttgart, Germany
Not sure why they're searching for "trackback". Maybe the exploit they use only works with Geeklog 1.4.0.

Trackbacks can be disabled in config.php.

It is my understanding that all Fantastico installs are vulnerable by default. See if you can get to the Spam-X plugin's files by typing their URL into the browser. If you get a blank page, you're vulnerable. If you get an error or something else (e.g. a password form), you're probably safe.

bye, Dirk
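
The check Dirk describes above, scripted so it can be rerun after every change. This is an added example, not code from the thread or from the Geeklog project: it requests the Spam-X file named in this thread and the directories from Dirk's earlier list, and reads the result the way Dirk does (blank page means the file was found and executed, so the directory is served; a 401 or 403 means the protection is in place). It needs curl; the site URL is a placeholder, and the relative paths assume the flat layout in which plugins/ and the rest sit directly under the served directory.

```shell
#!/bin/sh
# Added example, not Geeklog project code: probe a Geeklog site for private
# paths that answer over HTTP.
#   200, empty body  -> found and executed by PHP: the directory is served
#   200, with body   -> served as well, typically a directory listing
#   401 / 403        -> password prompt or deny rule is in place
#   404              -> nothing at that path (or the file was removed)

# classify_response <http_status> <body_bytes>
classify_response() {
    case "$1" in
        401|403) echo "protected" ;;
        404)     echo "absent" ;;
        200)     if [ "$2" -eq 0 ]; then
                     echo "EXPOSED (blank page)"
                 else
                     echo "EXPOSED (content served)"
                 fi ;;
        *)       echo "unexpected $1" ;;
    esac
}

# Paths that must never answer 200 on a correctly installed Geeklog 1.4.
# The first is the file named in this thread; the rest are Dirk's directories
# plus config.php. Relative paths assume the flat (Fantastico) layout.
PROBE_PATHS="plugins/spamx/BlackList.Examine.class.php plugins/ system/ backups/ data/ logs/ sql/ language/ config.php"

# probe_site <base_url>   e.g. probe_site http://example.org  (placeholder)
# Prints one verdict per path; returns 1 if anything is exposed.
probe_site() {
    base=${1%/}
    exposed=0
    for p in $PROBE_PATHS; do
        tmp=$(mktemp)
        # -s quiet, -o body to a file, -w prints only the status code
        status=$(curl -s -o "$tmp" -w '%{http_code}' --max-time 10 "$base/$p")
        size=$(wc -c < "$tmp" | tr -d ' ')
        rm -f "$tmp"
        verdict=$(classify_response "$status" "$size")
        printf '%-48s %s\n' "$p" "$verdict"
        case "$verdict" in EXPOSED*) exposed=1 ;; esac
    done
    return $exposed
}

if [ $# -eq 1 ]; then
    probe_site "$1"
fi
```

A 404 on the Spam-X path is only reassuring if you actually removed the plugin; on a standard install it means the probe path is wrong for your layout, not that the file is gone.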
