
Geeklog Forums

Site Went Down - Very Curious.



Nightdude

Forum User
Chatty
Registered: 09/15/04
Posts: 61
Ok...
Yesterday my site was just fine and dandy. This morning, went by to check on it.. Just a Blank Page (no errors...just white)
Nothing in Error logs....
Found my index.php and users.php attributes as just ---------- Was unable to change them, deleted both, and uploaded from backups.
What would do this??

Immediately changed my FTP log-in password, just in case...

Ideas??

Night

Nightdude

Forum User
Chatty
Registered: 09/15/04
Posts: 61
Over the course of the past three weeks, my server bandwidth jumped to as much as 50GB a day. This represented a near increase in excess of 20,000%.

This is what the Security Team where I lease my dedicated server from found when they conducted their investigation:

"Our security team has come to the realization that a couple of scripts on your server related to a version of geeklog (1.3) are vulnerable to remote command execution attacks. These scripts have been disabled:

http://scimatedu.com/gssm/public_html/index.php
http://scimatedu.com/gssm/public_html/users.php

An attacker from Italy used this vulnerability to upload and launch a malicious backdoor process, and then used your server to distribute pornography. Please update to the latest version of Geeklog before re-enabling these scripts"

So folks, a well-learned lesson to keep up with latest releases. I've been a little slack, as I've been so busy - the slackness cost me $450 in excess bandwidth usage - my budget is 500GB/month which serves me just fine.

While I'm still not sure how this has been done, I know every user except one (probably the one) - (it's a tight community), although I'm not even sure if it was a user, nor do I understand how this could have been uploaded without my seeing it anywhere on the server.

Perhaps if someone could give me some insight here as to the how, to help me understand.

The site is down, till I do the upgrade on Sunday www.scimatedu.com

Thanks..
Night


THEMike

Forum User
Moderator
Registered: 07/25/03
Posts: 141
Location:Sheffield, UK
The exploit that was fixed with the recent security releases seems to be a likely candidate. You need to update to 1.4.0sr2 or 1.3.11sr5.