Welcome to Geeklog, Anonymous Tuesday, November 26 2024 @ 11:34 pm EST
Geeklog Forums
site hacked
ismael
Anonymous
Hi,
i have a question, i use geeklog 1.4.1, can anybody upload a file to my server via fckeditor?
i have been hacked, and i have 3 files uploaded by anybody to my images directory (public_html/images). One of this files is an php spy script. This directory had 777 permisions.
Thank you,
ismael
i have a question, i use geeklog 1.4.1, can anybody upload a file to my server via fckeditor?
i have been hacked, and i have 3 files uploaded by anybody to my images directory (public_html/images). One of this files is an php spy script. This directory had 777 permisions.
Thank you,
ismael
17
13
Quote
Status: offline
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by: ismael
i have a question, i use geeklog 1.4.1, can anybody upload a file to my server via fckeditor?
There was an issue a while back regarding uploads through FCKeditor. But even then FCKeditor won't let you upload .php files. You would still need a second security to do anything evil.
bye, Dirk
13
12
Quote
ismael
Anonymous
i've found this:
http://secunia.com/advisories/27123/
http://secunia.com/advisories/27123/
12
15
Quote
ismael
Anonymous
Do you know if the uploaded files only can be uploaded to the public_html/images directory or it is possible to upload to any other directory?
12
17
Quote
iam
Anonymous
Quote by: ismael
Do you know if the uploaded files only can be uploaded to the public_html/images directory or it is possible to upload to any other directory?
when the hacker can create a folder call "images" in your main public directory with the permission of 777 than they can change your site code and every thing. latter on your site will not show your index page but it will show the attacker home index page.
now I guess attacker still practice to hack the small site first, than the big next target site we don't know.
thanks.
PS. your situation same as me.
14
16
Quote
Status: offline
::Ben
Forum User
Full Member
Registered: 01/14/05
Posts: 1569
Location:la rochelle, France
777 permisions are very big holes in the security. If you don't want to loose too much, make backups everyday (db and cms).
::Ben
I'm available to customise your themes or plugins for your Geeklog CMS
::Ben
I'm available to customise your themes or plugins for your Geeklog CMS
14
17
Quote
iam
Anonymous
hello my friends, just want to show you guys. in my spamx logs have to many difference IP post as USER 1 at my site, but delete as spam link: here......
alot of difference IP with the user 1.
thanks.
Text Formatted Code
Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 194.8.75.155 alot of difference IP with the user 1.
thanks.
12
16
Quote
Status: offline
hfd
Forum User
Junior
Registered: 06/19/08
Posts: 16
more USER 1 IP here:
Thu 02 Apr 2009 07:59:18 MDT - SLV: spam detected
Thu 02 Apr 2009 07:59:18 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 194.8.75.155
Thu 02 Apr 2009 07:59:18 MDT - Deleted Spam Post
Fri 03 Apr 2009 06:07:12 MDT - Deleted Spam Post
Sat 04 Apr 2009 23:03:31 MDT - SLV: spam detected
Sat 04 Apr 2009 23:03:31 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 87.118.90.189
Sat 04 Apr 2009 23:03:31 MDT - Deleted Spam Post
Sun 05 Apr 2009 06:05:23 MDT - SLV: spam detected
Sun 05 Apr 2009 06:05:23 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 92.112.116.128
Sun 05 Apr 2009 06:05:23 MDT - Deleted Spam Post
Mon 06 Apr 2009 03:22:17 MDT - SLV: spam detected
Mon 06 Apr 2009 03:22:17 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 195.2.240.126
Mon 06 Apr 2009 03:22:17 MDT - Deleted Spam Post
this is a normal or ........?
thanks
Text Formatted Code
Thu 02 Apr 2009 00:01:08 MDT - Deleted Spam Post Thu 02 Apr 2009 07:59:18 MDT - SLV: spam detected
Thu 02 Apr 2009 07:59:18 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 194.8.75.155
Thu 02 Apr 2009 07:59:18 MDT - Deleted Spam Post
Fri 03 Apr 2009 06:07:12 MDT - Deleted Spam Post
Sat 04 Apr 2009 23:03:31 MDT - SLV: spam detected
Sat 04 Apr 2009 23:03:31 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 87.118.90.189
Sat 04 Apr 2009 23:03:31 MDT - Deleted Spam Post
Sun 05 Apr 2009 06:05:23 MDT - SLV: spam detected
Sun 05 Apr 2009 06:05:23 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 92.112.116.128
Sun 05 Apr 2009 06:05:23 MDT - Deleted Spam Post
Mon 06 Apr 2009 03:22:17 MDT - SLV: spam detected
Mon 06 Apr 2009 03:22:17 MDT - Found Spam Post matching Spam Link Verification (SLV) posted by user 1 from IP 195.2.240.126
Mon 06 Apr 2009 03:22:17 MDT - Deleted Spam Post
this is a normal or ........?
thanks
18
14
Quote
Status: offline
1000ideen
Forum User
Full Member
Registered: 08/04/03
Posts: 1298
Quote by: ismael
PS. your situation same as me.
No I don`t think so, every web account is different and the quality of your hoster may vary strongly. I don`t have any subdirectory with 777.
Unfortunately you did not reply if you read Dirk`s hint and if you had used it before the hacking: http://www.geeklog.net/article.php/file-uploads
16
13
Quote
All times are EST. The time is now 11:34 pm.
- Normal Topic
- Sticky Topic
- Locked Topic
- New Post
- Sticky Topic W/ New Post
- Locked Topic W/ New Post
- View Anonymous Posts
- Able to post
- Filtered HTML Allowed
- Censored Content