
Geeklog Forums

php injection - phishing site



colonel_flagg

Forum User
Newbie
Registered: 09/13/06
Posts: 13
I cannot find a reference on the 'net pertaining to this issue directly. Although I have found several mentions of "php injection" pertaining to geeklog, none have directly mentioned "phishing".

What I've come across is a site that has been compromised and the attacker has left a "home" directory under the public_html directory and a "home.zip" file in the same location. The contents of this directory and the parent home.zip file contain a PayPal phishing site.

I have checked my logs back as far as I can and nothing, including a command line history shows when/how the site was compromised. I am assuming this was a php injection exploit and I will be continuing on that line of reasoning until shown otherwise.

What I am looking for is any information pertaining to:

geeklog
phishing
home
home.zip

or related documentation showing a vulnerable php file that allows execution of injected code into a URL for a geeklog site.

Since there's no "Security" forum, I figured the "feedback" or "general help" forums would be my best choice for bringing this issue to light.



/CF

jmucchiello

Forum User
Full Member
Registered: 08/29/05
Posts: 985
There are currently no known exploits for geeklog. So any website showing one is showing something that has been plugged or was not an issue with geeklog. Why exactly do you want this information?

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location: Stuttgart, Germany
Assuming, of course, that we're talking about a site that was running 1.4.1 or a fully patched 1.4.0 version ...

We did have a few issues in the past that would qualify as "PHP injection":

Geeklog 1.4.0sr1 and 1.3.11sr4
Exploit for FCKeditor's mcpuk file manager

bye, Dirk

colonel_flagg

Forum User
Newbie
Registered: 09/13/06
Posts: 13
I want the information so that I may fix and/or document the problem properly. There's nothing currently documented showing a compromise such as this. Therefore, if it is a php injection problem and it's happening to a current geeklog install, it could be a 0day exploit and therefore you, the developers, need to be made aware of it.

I will look into the URLs given and monitor this install of geeklog.

If I find anything, I will pass it along.


/CF

jmucchiello

Forum User
Full Member
Registered: 08/29/05
Posts: 985
You haven't said what version of GL you are running. What plugins (and their versions) do you have installed? Is the geeklog installation installed properly, in other words are all the directories that are supposed to be unreachable really unreachable? We need a lot more details.

You don't have a phishing attack. You have an attack where the intruder was able to upload a zip file and extract it. After breaking in, they installed a phishing kit.

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location: Stuttgart, Germany
It wasn't clear (to me, at least) from your initial post what you were really looking for. You did see the Geeklog Security link on the left, I assume?

When looking for what happened to that site, keep in mind that other software on that server may have been compromised. There have been cases of servers' admin panels (e.g. Cpanel) being hacked, for example.

Let us know what you find out.

bye, Dirk

Colonel Flagg

Anonymous
It was directly related to an older exploit for Geeklog 1.4.0, dealing with a PHP file that allowed file uploads to the server. Then, using the new file, they created a shell and imported not one but two different phishing sites in the /home and /polls/home directories. All of this is well documented in exploit databases.

My problem was, the previous admin made a hybrid version of Geeklog. I have since updated completely to 1.4.1.

A little Googling and searching the exploit databases with the correct keywords found the problem, and I was able to resolve it by upgrading the entire site.


/CF
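A defender-side check in the spirit of jmucchiello's questions and the final post above (an added example, not code from this thread or from the Geeklog project): walk the web root and report every archive file plus any directory not in a known-good baseline, which is how a planted kit like home/, polls/home/ and home.zip would surface. The tree and the baseline directory names are constructed for the demo and are assumptions, not Geeklog's real layout.

```python
import tempfile
import zipfile
from pathlib import Path

# File types a planted kit is typically delivered as; extend as needed (assumption).
ARCHIVE_SUFFIXES = {".zip", ".tar", ".gz", ".tgz", ".rar"}


def find_unexpected(webroot, baseline):
    """Walk webroot and return (archives, unknown_dirs).

    archives: archive files found anywhere under the web root.
    unknown_dirs: directories whose relative path is not in the known-good
    baseline; subdirectories of an already-flagged directory are not repeated.
    """
    root = Path(webroot)
    archives, unknown = [], []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_dir():
            if rel not in baseline and not any(rel.startswith(u + "/") for u in unknown):
                unknown.append(rel)
        elif path.suffix.lower() in ARCHIVE_SUFFIXES:
            archives.append(rel)
    return archives, unknown


def build_demo_tree(base):
    """Constructed sample tree: a few legitimate directories plus the planted
    home/, polls/home/ and home.zip named in the thread."""
    root = Path(base)
    for d in ("images", "polls", "forum"):
        (root / d).mkdir()
    (root / "index.php").write_text("<?php // legitimate front page ?>\n")
    for d in ("home", "polls/home"):
        (root / d).mkdir(parents=True)
        (root / d / "index.html").write_text("<html>fake login form</html>\n")
    with zipfile.ZipFile(root / "home.zip", "w") as zf:
        zf.writestr("home/index.html", "<html>fake login form</html>\n")
    return root


def demo():
    """Run the scan over the constructed tree; returns (archives, unknown_dirs)."""
    baseline = {"images", "polls", "forum"}  # known-good layout (assumption)
    with tempfile.TemporaryDirectory() as tmp:
        return find_unexpected(build_demo_tree(tmp), baseline)


if __name__ == "__main__":
    archives, dirs = demo()
    print("archive files under web root:", archives)  # ['home.zip']
    print("directories not in baseline:", dirs)       # ['home', 'polls/home']
```

On a real install, point find_unexpected at the actual web root and build the baseline from a clean copy of the same Geeklog release; anything flagged is then compared against the file's mtime and the web server's access log for that path.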
