Geeklog Forums
Static pages hacked
::Ben
Forum User
Full Member
Registered: 01/14/05
Posts: 1569
Location:la rochelle, France
Hi everybody,
4 static pages were hacked on a geeklog 1.4.1 site with:
- static page plugin 1.4.3
- php 4.4.9
- mysql 4.1.22-standard
The hack is the same in each static page:
sp_id:
<meta http-equiv="refresh" content="0;UR
sp_title:
<meta http-equiv="refresh" content="0;URL=http://***********.us/*******">
sp_content:
<meta http-equiv="refresh" content="0;URL=http://***********.us/*******">
Have you ever seen this before?
::Ben
I'm available to customise your themes or plugins for your Geeklog CMS
::Ben
Forum User
Full Member
Registered: 01/14/05
Posts: 1569
Location:la rochelle, France
No one?
So the question is: "Do you think it can be a geeklog vulnerability?"
Installed plugins were
calendar 1.0.0-1.4.1
captcha 3.0.2-1.4.1
chameleon 1.0.2-1.4.1
links 1.0.1-1.4.1
polls 1.1.0-1.4.1
spamx 1.1.0-1.4.1
staticpages 1.4.3-1.4.1
FCKEditor Version 2.3.1 on (very old one)
::Ben
I'm available to customise your themes or plugins for your Geeklog CMS
::Ben
Forum User
Full Member
Registered: 01/14/05
Posts: 1569
Location:la rochelle, France
Hi Geeklog community,
Sorry for putting up this post but :banghead: was SQL injection possible on Geeklog with this config?
And if it is possible, how do we prevent it?
I think the reason for hacking this very small audience site (less than 3 visits a day) was because the site is a political site.
::Ben
I'm available to customise your themes or plugins for your Geeklog CMS
suprsidr
Forum User
Full Member
Registered: 12/29/04
Posts: 555
Location:Champaign, Illinois
You should consider upgrading as your issue has probably already been addressed.
And if your site is small with little traffic, upgrading should be fairly unobtrusive.
I cannot believe a core dev has not answered you though being a security issue.
-s
FlashYourWeb and Your Gallery with the E2 XML Media Player for Gallery2 - http://www.flashyourweb.com
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by: suprsidr
I cannot believe a core dev has not answered you though being a security issue.
Things tend to get buried in the forums. That's why we have a dedicated security contact address for these issues ...
I did actually have a quick look through the code when it was first posted but couldn't see anything obvious. Sounds odd that only static pages would be modified.
Ben, please send us as much information as you can (e.g. when you noticed it and whether there's anything in your logfiles - Geeklog's and the webserver's - for that time).
bye, Dirk
richard.bkk
Anonymous
We had the exact same problem, only our problem was that we were running Nextide, which we believe is based on Geeklog 1.4.1.
We tried to do a clean Geeklog 1.5.1 install and install the Nextide plugins afterwards, but we ran into problems with one of the core plugins. The plugin Nexlist keeps saying ...
Fatal error: Cannot redeclare plugin_getadminoption_nexlist() (previously declared in /home/account/public_html/domain/plugins/nexfile/functions.inc:51) in /home/account/public_html/domain/plugins/nexlist/functions.inc on line 49
when we try to install it...
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by: richard.bkk
We had the exact same problem
Your static pages have been modified without your knowledge? Then please send us all the information you can give us to our security contact address (see above).
bye, Dirk
richard.bkk
Anonymous
Hi Dirk,
One of our “smart” workers had deleted the actual static page before we could save it. On its own the page was nothing impressive: it was a black background with a flag of Chile.
It also mentioned something ….software and it showed a gmail.com and a .la email address.
The more interesting part was that the static page was generated and saved from the admin account. This is extra funny as our admin passwords change daily, are based on several calculations and are entered as 17 hexadecimal numbers. I cannot imagine how impossible it is to get this right by pure luck.
The accident happened 6 September, and nothing special happened in our log files. We looked in the RAW log file of our server, but could not find anything suspicious; also nobody from Chile had visited our website.
After this accident, we directly prepared for the upgrade to GL 1.5.1, which went fine until we encountered the problem with the Nexlist plugin. Now the project is a bit at a standstill. Some voices talk about reinstalling Nextide (gl 1.4.1) and disabling the static page plugin (as we do not use that seriously).
On the other hand, is it likely that the hacker could do much more, especially if he somehow can get his hands on the admin password?
With kind regards,
Richard
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by: richard.bkk
On the other hand is it likely that the hacker could do much more, especially if he somehow can get his hand on the admin password.
Ben sent us an SQL dump from his site. In his case at least, the content of the static page was modified but the timestamp wasn't. Which seems to indicate that this wasn't done using any Geeklog account but through other means, e.g. an SQL injection.
At the moment we don't have enough information to make any educated guesses. We'll go over the code for the static pages plugin in 1.4.1 again (which has since been heavily modified, btw). Another possible attack vector is admin interfaces provided by the hosting service (Webmin, etc.). But it's odd that in both cases only static pages were modified ...
We'll keep you posted.
bye, Dirk
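Dirk mentions going through an SQL dump of the affected site. As an added example (not Geeklog code and not from anyone in this thread), here is a small scan over an export of the static pages table that flags the meta-refresh redirect pattern shown above, including the case where the tag was cut off by a short column such as sp_id. The tab-separated row format, the hostnames and the sample rows are assumptions constructed for the example.

```python
import re

# Full meta-refresh tag with a target URL, as seen in the defaced sp_title / sp_content fields.
FULL_RE = re.compile(
    r'<meta\s+http-equiv=["\']?refresh["\']?\s+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE,
)
# Loose check: catches a tag truncated by a short column (e.g. sp_id), like 'content="0;UR'.
LOOSE_RE = re.compile(r'<meta\s+http-equiv=["\']?refresh', re.IGNORECASE)

FIELDS = ("sp_id", "sp_title", "sp_content")

# Constructed sample export (sp_id, sp_title, sp_content, tab separated); not real site data.
# Row 1 mirrors the defacement from the thread; row 2 is a legitimate on-site refresh.
SAMPLE_ROWS = (
    'about\tAbout us\t<p>Who we are.</p>\n'
    '<meta http-equiv="refresh" content="0;UR\t'
    '<meta http-equiv="refresh" content="0;URL=http://attacker.example/x">\t'
    '<meta http-equiv="refresh" content="0;URL=http://attacker.example/x">\n'
    'links\tLinks\t<meta http-equiv="refresh" content="5;url=http://www.example.org/links">\n'
)

def host_of(url):
    """Lower-cased host part of an http(s) URL, without scheme or path."""
    return re.sub(r'^https?://', '', url, flags=re.IGNORECASE).split('/')[0].lower()

def find_injected_redirects(rows_tsv, own_hosts):
    """Return [(row_index, field, url_or_None)] for every field that carries a
    meta refresh to a host outside own_hosts, or a truncated refresh tag (url None)."""
    hits = []
    for idx, line in enumerate(rows_tsv.splitlines()):
        if not line.strip():
            continue
        for field, value in zip(FIELDS, line.split("\t")):
            m = FULL_RE.search(value)
            if m:
                if host_of(m.group(1)) not in own_hosts:
                    hits.append((idx, field, m.group(1)))
            elif LOOSE_RE.search(value):
                hits.append((idx, field, None))
    return hits

if __name__ == "__main__":
    # Hosts the site legitimately redirects to; anything else in a refresh tag is suspect.
    for hit in find_injected_redirects(SAMPLE_ROWS, {"www.example.org"}):
        print(hit)
```

Pair the content scan with a check of sp_date against the rows flagged: content changed without the timestamp moving is exactly the signal Dirk describes.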
richard.bkk
Forum User
Junior
Registered: 09/27/08
Posts: 21
For now, as far as possible, we upgraded all Geeklog websites to 1.5.1 and updated all plugins to the latest... Let's see if it happens again...
On the one server where the "hack" happened we are running several Geeklog websites, and it is weird that the hackers selected the one they did, as it is not a spectacular or popular website.