Caveman Joe

Anonymous
This morning I woke up to find all the index.php and index.cgi pages on my Geeklog installation had been removed.
The site is www.twistedlibrarian.com, and the Geeklog version is 1.4.0sr2.
Has anybody seen this happen before? Even the index.cgi file in AWStats was removed - not even a part of the Geeklog installation.

Thanks for any help,

~CMJ

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Quote by Caveman Joe: the Geeklog version is 1.4.0sr2

First thought: Did you remove the FCKeditor file manager?

bye, Dirk

Caveman Joe

Anonymous
No, I did not.
Would that allow such sweeping access across the site, even in non-Geeklog folders?

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
To quote:
The exploit allows an attacker to upload and execute arbitrary code.

Typically, in cases like this the hackers upload a PHP script that lets them execute unix commands in the browser.

There's still the possibility that they used a weakness in some other software on your server, but that was the first thing that came to mind.

To make sure, check your webserver's logfiles for requests directly accessing the file manager. Also check the file manager's directories for any suspicious files, as explained in the above article.

bye, Dirk
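Dirk's advice to check the webserver logs for requests directly accessing the file manager, scripted as an added example (not code from this thread or from Geeklog): it parses Apache combined-format lines like those quoted later in the thread, keeps only requests under the file manager path, and lets you restrict the time window so the night's log is checked rather than the morning's. The file manager path, the function names and the third sample line (marked as constructed) are assumptions.

```python
import re
from datetime import datetime
# Apache "combined" log line with a leading virtual-host field, the format of
# the access-log lines quoted later in this thread.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# FCKeditor file manager path as installed on the site in this thread (assumed).
FILEMANAGER_PREFIX = "/fckeditor/editor/filemanager"
# Sample input: the first two lines are quoted from this thread; the third is
# constructed (RFC 5737 documentation address) to stand in for the night before.
SAMPLE_LINES = [
    'twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:24:41 +0100] "GET /fckeditor/editor/filemanager HTTP/1.1" 301 360 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"',
    'twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:24:41 +0100] "GET /fckeditor/editor/filemanager/ HTTP/1.1" 403 322 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"',
    'twistedlibrarian.com 198.51.100.7 - - [15/Jul/2006:23:41:09 +0100] "GET /fckeditor/editor/filemanager/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

def parse_line(line):
    # Parse one log line into a dict, or return None if it does not match.
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def filemanager_hits(lines, since=None, until=None):
    """Requests under the file manager path, optionally limited to a window of
    log-format timestamps: the damaging requests sit in the night's log."""
    lo = datetime.strptime(since, TS_FMT) if since else None
    hi = datetime.strptime(until, TS_FMT) if until else None
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(FILEMANAGER_PREFIX):
            continue
        if (lo and rec["ts"] < lo) or (hi and rec["ts"] > hi):
            continue
        hits.append(rec)
    return hits

def hits_by_ip(hits):
    """Count file-manager requests per source; a 200 deserves a closer look
    than the 403s seen in this thread."""
    counts = {}
    for rec in hits:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts
```

Feed it the previous night's rotated log (not the current one) and compare the flagged source addresses with the WHOIS of the actual allocation holder rather than the RIR address in the header.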

Caveman Joe

Anonymous
Got 'im.

twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:23:52 +0100] "GET / HTTP/1.1" 200 123 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:23:53 +0100] "GET /favicon.ico HTTP/1.1" 404 300 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:24:01 +0100] "GET /fckeditor/ HTTP/1.1" 403 303 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:24:28 +0100] "GET /fckeditor/editor HTTP/1.1" 301 348 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:24:28 +0100] "GET /fckeditor/editor/ HTTP/1.1" 403 310 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:24:41 +0100] "GET /fckeditor/editor/filemanager HTTP/1.1" 301 360 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
twistedlibrarian.com 84.161.2.204 - - [16/Jul/2006:16:24:41 +0100] "GET /fckeditor/editor/filemanager/ HTTP/1.1" 403 322 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"

Some nasty piece of work in Amsterdam. Reported.

Thanks for all your help, Dirk - and keep up the good work, GeekLog is still my favourite CMS system ever.

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Quote by Caveman Joe: Some nasty piece of work in Amsterdam. Reported.

LOL. Thanks for reporting me.

You should learn how to read the WHOIS output. All European IP addresses are managed by RIPE in Amsterdam. The actual owner follows that initial information (in this case: Deutsche Telekom).

Also, you should have checked last night's logfiles, not the current ones.

bye, Dirk

Caveman Joe

Anonymous
Ah. Whoops.

Sorry about that, mate.