Geeklog Forums

Hi;

It was made known to me by ebay, and other financial institutions, that we had our geeklog hacked and all kinds of crap added into our geeklog file structure - mainly pages phishing for ebay, paypal, barclays bank info and more... I've been blocking the files and stuff via chmod, so I can keep them to forward to the FBI if needed to avoid trouble with some of these companies if it comes to that, but what I'm hoping someone can help me with is this:

Is there somewhere, or could someone tell me, a list of the full file structure of geeklog... I need to figure out what I can delete and or block out of the files that have been added that aren't supposed to be there?

Thanks in advance for any assistance!!

Best,
j

Oh; also, don't know if it helps or not but the install I have was done through cpanel

Go to the download section and download the full geeklog install. If it isn't in there and it isn't in a directory called plugin, it doesn't belong.

Mostly. If you have the filemngt plugin, somewhere will be your files. Same with media gallery and similar plugins. But for the most part, if it isn't in the tar file, you don't need it.

Also, what version of Geeklog are you running? Make sure you are up to date.

If you don't know what is what, I'd suggest you simply back up everything and start over fresh.

Also: Which Geeklog version were you on? Did you have any plugins installed and were those up to date?

bye, Dirk

I am on an old version and have been fighting these bastards daily... they keep dropping shell scripts into my site.
I tried to upgrade the install but it didn't work right and apparently I am running everything out of the root as well. I really need to find someone to help me with this, as I'm just lame, and just looked in elance with no luck - any ideas? Obviously I have some issues with granting just anyone access into the server.

start a new topic ...

Need more info to help you.
whats your httpd server, apache? IIS ? other?
whats your version of php, mysql?
whats your version of geeklog

what version info nobody can help you. We can all say "upgrade" and yes, you should upgrade
immediately or pull the site offline till you can fix it, alas I am not here to lecture you on what you should or shouldnt do.

instead, find out the info on versions, as THAT Helps everyone go ": ah ha thats Bug X" and maybe offer a limited by quick work around in the time being

as for upgrades failing.. try to upgrade on a test box, you can download xamp or build your own test enviroment using cygwin, an old pc or vmware.

second check your logs. You should have the highest level of logging set if you are being hacked (debug) you should be able to trace the ipaddresses and strings input / output from your server

you then could block the strings using mod_rewrite, referers, or even their networks using the ban plugin.

That's why I suggested you start over fresh - they may have left a backdoor on your site. Once you've been hacked, you can't really trust any file any more.

Other than that: More information, please! It's impossible to give any helpful advise based on what you posted so far. If you don't want to post it here, use our security contact address.

bye, Dirk

Thanks for the help here; sorry for the vagueness.

Initially we installed geeklog through the cpanel of our linux server.
We've been running v 1.33.? I can't actually see it right now as 3/4 of our site, powered by geeklog, has had to be shut down due to the hacks.
This has been such a nightmare... the hackers have placed numerous shell drop in scripts (PHP Script injection), placed phishing pages against paypal/ebay/barclays/and more... they've also been running spam through the deepest darkest corners of our geeklog install.

According to my server techs - they most likely have gained root access to the server and at this point we have no choise but to kill the whole server and start over as it's likely they have made back doors into the server.

I had started to block out the IPs of the people trying to get in but they apparently went in and removed my IP block list.

I had tried to install the most current version of geeklog, which the server tells me is installed yet it still appears to be the old install on this main account that was hacked. in act the install now seems like perhaps it's a merger of the old version and the new; I don't know what's up with that.

I'm not sure which files to keep, from the old install, so that I can try to salvage the few hundreds of pages of 'stuff' that we had posted in geeklog - if someone could please tell me specifically which folders I can keep, go through to try and eliminate any backdoors or files that should not be, in hopes of salvaging something; that would be awesome.

All of this has really taken a toll - wasting time, caused loss of money, is really going to harm my site that has been worked on/optimized for years within the search engines, and I really need to connect with someone that can help me with a new geeklog install once I get a new server - I've been a big geeklog fan and recommender of geeklog for the past couple of years since we first started using it and would like to continue using it if we can get a version that is secure/safe and not going to kill another server. If you could please tell me the name of someone that I can get to help out that would be awesome... it'll be a week or two before I would need the help as I now have 200+ sites to move to a new server.

Thanks in advance for any assistance,

best,
john

Is it your own physical server? Is it a managed server? Who are those "server techs"? Are you 100% familiar with running an own server and doing things like intruder detection and so on?

the server is actually a VPS, a large one, that shares the real server with 1-2 other VPS accounts. the techs are the actual NOC support/server owners.
I, in fact, am not 100% familiar with running my own server though we've actually been hosting sites since 2001 - this is actually the first bout of real problems I've ever had to deal with - I usually figure stuff out as it comes along.

You said there is money involved with you site being down. The point is that a very good server administration plus all the security stuff is extremely complicated. It is only worthwhile from something like 5+ servers. Below that I`d advice you to take a managed server. I know a few programmers who repent having booked a server only without management. It is so time consuming.

Maybe compare these discussions here: http://www.webhostingtalk.com/forumdisplay.php?f=82

I`m afraid that all the nightmare might happen to you again if you don`t have experienced server management support. Managed servers are not that expensive, especially not if it is a business you are runing. To say it frankly, people having non managed servers either play around in their leisure time or simply underestimate the problems (also legal implications with downtimes etc.)

I`d try to get server administration support to repair the damage and then slowly move to a new managed server. It is not so much Geeklog support you need.

I had been on a hosting service run by amateurs and my webspace had been hacked too or rather all files with 777 or owned by the server had been deleted. It was definitely the permission settings and not geeklog.

Do not let them beat you if its any consolation I run 1.4.1 and was hacked 4 times in 2 weeks the server had to be condemmed and I am still trying to reinstall everything on a new server.

The police IT forensics told us that the server was tight as was the firewall but still access was made to the /backend directory (which was not set at 777) and not in the normal place and renamed but there it sat on three GL sites was a directory for a: Nationwide Bank, Citibank and others for the purpose of phishing. (We do know how access was made but have been asked by the police not to make it public because of sub-judice).

The police discovered the problem originated from Romania and I understand in that country scripts are available to access any version of any CMS.

I think its a case that no matter how good your security how well you are patched and how up to date your software someone somewhere will find a crack.

For me examining the server each morning no longer a joy - moving software makes no sense as it has been shown to me there are similar vulnabilities in each other.

So do let them beat us just put the problems right and try and make sure there are no cracks.

If you can provide some more information on that, then please send them to our security contact address. I'd be interested to learn if that is a problem with Geeklog or something else.

bye, Dirk

Dirk

I am working closley with the police and our server managers on this one I understand arrests are imminent and have been asked by the police forensics to keep tight lipped on the how's and why's of this incident.

As soon as I am allowed I will report all the findings - all I will say is access is through GL but not without a script - I have been given a demonstration by the police on our own sites and access is simplicity itself.

Whilst this is the first time I have mentioned it to Geeklog.net I have been in contact with a developer and know the importance of trying to stop this sooner rather than later.

The police say our site was chosen because of it high profile, high number of visitors and the fact it runs its own server - we also had 12 installations of GL in various guises making it easy to 'hide' something.