Geeklog Forums

site hacked


ismael

Anonymous
Hi,

I have a question: I use Geeklog 1.4.1. Can anybody upload a file to my server via FCKeditor?

I have been hacked, and I have 3 files uploaded by anybody to my images directory (public_html/images). One of these files is a PHP spy script. This directory had 777 permissions.

Thank you,
ismael

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by: ismael

I have a question: I use Geeklog 1.4.1. Can anybody upload a file to my server via FCKeditor?


There was an issue a while back regarding uploads through FCKeditor. But even then FCKeditor won't let you upload .php files. You would still need a second security to do anything evil.

bye, Dirk

ismael

Anonymous
I've found this:

http://secunia.com/advisories/27123/

ismael

Anonymous
Do you know if the uploaded files can only be uploaded to the public_html/images directory, or is it possible to upload to any other directory?

iam

Anonymous
Quote by: ismael

Do you know if the uploaded files can only be uploaded to the public_html/images directory, or is it possible to upload to any other directory?



When the hacker can create a folder called "images" in your main public directory with the permission of 777, then they can change your site code and everything. Later on your site will not show your index page, but it will show the attacker's home index page.

Now I guess the attacker still practices hacking the small sites first, then the big ones; the next target site we don't know.

Thanks.

PS. Your situation is the same as mine.

::Ben

Forum User
Full Member
Registered: 01/14/05
Posts: 1569
Location:la rochelle, France
777 permissions are very big holes in security. If you don't want to lose too much, make backups every day (db and cms).

::Ben
I'm available to customise your themes or plugins for your Geeklog CMS
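
The two conditions discussed in this thread (a directory left at 777 and a PHP script sitting in it) can be checked for with a short audit script. This is an added example, not part of the thread or of Geeklog's code; the extension list and the sample tree are assumptions constructed for the demonstration.

```python
import os
import stat
import tempfile

# Extensions a PHP-enabled server may execute (assumed list; match it to your handler config).
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}


def audit_webroot(root):
    """Return (world_writable_dirs, scripts_inside_them) as sorted paths relative to root."""
    writable, scripts = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        if not os.lstat(dirpath).st_mode & stat.S_IWOTH:
            continue  # directory is not writable by "other" (e.g. 755)
        rel = os.path.relpath(dirpath, root)
        writable.append(rel)
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                scripts.append(os.path.join(rel, name))
    return sorted(writable), sorted(scripts)


def build_sample_tree():
    """Constructed sample tree standing in for public_html (not real site data)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    layout = {
        "images": (0o777, ["logo.gif", "spy.php"]),
        os.path.join("images", "articles"): (0o755, ["photo.jpg"]),
        "layout": (0o755, ["header.thtml"]),
    }
    for rel, (_mode, files) in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        for name in files:
            open(os.path.join(path, name), "w").close()
    # Set modes last so file creation above is never blocked.
    for rel, (mode, _files) in layout.items():
        os.chmod(os.path.join(root, rel), mode)
    return root


if __name__ == "__main__":
    dirs, hits = audit_webroot(build_sample_tree())
    print("world-writable directories:", dirs)
    print("script files inside them:", hits)
```

Point `audit_webroot` at the real document root to get the same two lists for a live site; any script file reported inside an upload directory deserves a look at its timestamp and owner.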

iam

Anonymous
Hello my friends, I just want to show you guys: my spamx logs have too many different IPs posting as USER 1 at my site, but deleted as spam links. Here:
Text Formatted Code
Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 194.8.75.155

A lot of different IPs with the user 1.

Thanks.


hfd

Forum User
Junior
Registered: 06/19/08
Posts: 16
More USER 1 IPs here:

Text Formatted Code
Thu 02 Apr 2009 00:01:08 MDT - Deleted Spam Post
Thu 02 Apr 2009 07:59:18 MDT - SLV: spam detected
Thu 02 Apr 2009 07:59:18 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 194.8.75.155
Thu 02 Apr 2009 07:59:18 MDT - Deleted Spam Post
Fri 03 Apr 2009 06:07:12 MDT - Deleted Spam Post
Sat 04 Apr 2009 23:03:31 MDT - SLV: spam detected
Sat 04 Apr 2009 23:03:31 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 87.118.90.189
Sat 04 Apr 2009 23:03:31 MDT - Deleted Spam Post
Sun 05 Apr 2009 06:05:23 MDT - SLV: spam detected
Sun 05 Apr 2009 06:05:23 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 92.112.116.128
Sun 05 Apr 2009 06:05:23 MDT - Deleted Spam Post
Mon 06 Apr 2009 03:22:17 MDT - SLV: spam detected
Mon 06 Apr 2009 03:22:17 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 195.2.240.126
Mon 06 Apr 2009 03:22:17 MDT - Deleted Spam Post
 

Is this normal or ........?

Thanks

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
UID 1 is the pseudo account for anonymous users. So the above log entries only mean that a user that wasn't logged in tried to post spam. This is not at all security related.

bye, Dirk

1000ideen

Forum User
Full Member
Registered: 08/04/03
Posts: 1298
Quote by: ismael


PS. Your situation is the same as mine.


No, I don't think so; every web account is different and the quality of your hoster may vary strongly. I don't have any subdirectory with 777.

Unfortunately you did not reply whether you read Dirk's hint and whether you had used it before the hacking: http://www.geeklog.net/article.php/file-uploads