Welcome to Geeklog, Anonymous Friday, March 29 2024 @ 08:30 am EDT

Geeklog Forums

Static pages hacked


Status: offline

::Ben

Forum User
Full Member
Registered: 01/14/05
Posts: 1569
Location:la rochelle, France
Hi everybody,

4 static pages where hacked on a geeklog 1.4.1 site with:

- static page plugin 1.4.3
- php 4.4.9
- mysql 4.1.22-standard

The hack is the same in each static pages:
Text Formatted Code

sp_id:  
<meta http-equiv="refresh" content="0;UR

sp_title:
<meta http-equiv="refresh" content="0;URL=http://***********.us/*******">

sp_content:
<meta http-equiv="refresh" content="0;URL=http://***********.us/*******">
 


Have you ever seen this before?

::Ben
I'm available to customise your themes or plugins for your Geeklog CMS
 Quote

Status: offline

::Ben

Forum User
Full Member
Registered: 01/14/05
Posts: 1569
Location:la rochelle, France
No one?

So the question is: "Do you think it can be a geeklog vulnerability?"

Install plugins were

Text Formatted Code

calendar        1.0.0-1.4.1    
captcha         3.0.2-1.4.1    
chameleon       1.0.2-1.4.1    
links           1.0.1-1.4.1    
polls           1.1.0-1.4.1    
spamx           1.1.0-1.4.1    
staticpages     1.4.3-1.4.1
 


FCKEditor Version 2.3.1 on (very old one)

::Ben
I'm available to customise your themes or plugins for your Geeklog CMS
 Quote

Status: offline

::Ben

Forum User
Full Member
Registered: 01/14/05
Posts: 1569
Location:la rochelle, France
Hi Geeklog community,

Sorry for putting up this post but :banghead: is sql injection was possible on geeklog with this config?

and if it is possible how to prevent us from?

I think the reason to hacked this very small audience site (less than 3 visits a day) was because the site is a politic site.

::Ben
I'm available to customise your themes or plugins for your Geeklog CMS
 Quote

Status: offline

suprsidr

Forum User
Full Member
Registered: 12/29/04
Posts: 555
Location:Champaign, Illinois
You should consider upgrading as your issue has probably already been addressed.
And if yoursite is small with little traffic, upgrading should be fairly unobtrusive.

I cannot believe a core dev has not answered you though being a security issue.

-s
FlashYourWeb and Your Gallery with the E2 XML Media Player for Gallery2 - http://www.flashyourweb.com
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by: suprsidr

I cannot believe a core dev has not answered you though being a security issue.


Things tend to get buried in the forums. That's why we have a dedicated security contact address for these issues ...

I did actually have a quick look through the code when it was first posted but couldn't see anything obvious. Sounds odd that only static pages would be modified.

Ben, please send us as much information as you can (e.g. when you noticed it and whether there's anything in your logfiles - Geeklog's and the webserver's - for that time).

bye, Dirk
 Quote

richard.bkk

Anonymous
We had the exact same problem, only our problem was that we where running Nextide, which is what we belief based on Geeklog 1.4.1.

We tried to do a clean Geeklog 1.5.1 install and install the Nextide plugins after wards, but we run into problems with one of the core plugins. The plugins Nexlist keeps saying ...

Text Formatted Code
Fatal error: Cannot redeclare plugin_getadminoption_nexlist() (previously declared in /home/account/public_html/domain/plugins/nexfile/functions.inc:51) in /home/account/public_html/domain/plugins/nexlist/functions.inc on line 49


when we try to install it...
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by: richard.bkk

We had the exact same problem


Your static pages have been modified without your knowledge? Then please send us all the information you can give us to our security contact address (see above).

bye, Dirk
 Quote

richard.bkk

Anonymous
Hi Dirk,

One of our “smart” workers had deleted before we could save, the actual static page. On its own was the page nothing impressive it was a black background with a flag of Chili.

It also mentioned something ….software and it showed a gmail.com and a .la email address.

The more interesting part was that the static page was generated and saved from the admin account. This is extra funny as our admin passwords change daily, and are based on several calculations and are entered in 17 hexadecimal number. I cannot imagine how impossible it is to get this right by pure luck.

The accident happened 6 Sepetember, and nothing special happened in our log files. We look in the RAW log file of our server, but could not find anything suspicious also nobody from Chile had visited our website.

After this accident, we directly prepared for the upgrade to GL 1.5.1, which went fine until we encountered the problem with Nexlist plugin. Now the project is a bit to a standstill. Some voices talk about reinstalling Nextide (gl 1.4.1) and disable the static page plugin (as we not use that serious).

On the other hand is it likely that the hacker could do much more, especially if he somehow can get his hand on the admin password.

With kind regards,

Richard
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by: richard.bkk

On the other hand is it likely that the hacker could do much more, especially if he somehow can get his hand on the admin password.


Ben sent us an SQL dump from his site. In his case at least, the content of the static page was modified but the timestamp wasn't. Which seems to indicate that this wasn't done using any Geeklog account but through other means, e.g. an SQL injection.

At the moment we don't have enough information to make any educated guesses. We'll go over the code for the static pages plugin in 1.4.1 again (which has since been heavily modified, btw). Another possible attack vector are admin interfaces provided by the hosting service (Webmin, etc.). But it's odd that in both cases only static pages were modified ...

We'll keep you posted.

bye, Dirk
 Quote

Status: offline

richard.bkk

Forum User
Junior
Registered: 09/27/08
Posts: 21
For now as far as possible, we upgraded all Geeklog websites to 1.5.1 and updated all plugins to the latest... Lets see if it happens again...

On the one server were the "hack" happened are we running several Geeklog websites, and it is weird that the hackers selected the one they did, as it is nothing spectacular or popular website.
 Quote

All times are EDT. The time is now 08:30 am.

  • Normal Topic
  • Sticky Topic
  • Locked Topic
  • New Post
  • Sticky Topic W/ New Post
  • Locked Topic W/ New Post
  •  View Anonymous Posts
  •  Able to post
  •  Filtered HTML Allowed
  •  Censored Content