
Geeklog Forums

My site was hacked


Hacked

Anonymous
I was told today that my site has been suspended. The reason from my host was: "Your account hosts old / insecure scripts which were used by hackers to upload phishing contents pertaining to a bank in an attempt to get sensitive information from unsuspecting people.
To unsuspend the account you will have to give us permission to remove the contents from /home/xxxxxx/public_html/images/library/File/ directory and once access is given back, you need to check and ensure the integrity of your data and update all your scripts to the latest release by the vendor."

I am running Geeklog 1.6.0 and didn't see anything weird before I upgraded. What do I do to prevent this from happening again?

Guest

Anonymous
Quote by: Hacked

I was told today that my site has been suspended. The reason from my host was: "Your account hosts old / insecure scripts which were used by hackers to upload phishing contents pertaining to a bank in an attempt to get sensitive information from unsuspecting people.
To unsuspend the account you will have to give us permission to remove the contents from /home/xxxxxx/public_html/images/library/File/ directory and once access is given back, you need to check and ensure the integrity of your data and update all your scripts to the latest release by the vendor."

I am running Geeklog 1.6.0 and didn't see anything weird before I upgraded. What do I do to prevent this from happening again?



Your nickname is so funny; why don't you put your real name or some name other than that one? I do believe GL does better than anything, my friend.

Joey

Anonymous
I'm sorry, I am just upset that my site has been suspended. I need to know how to fix it so I can have them enable it again.

ironmax

Anonymous
Tell your host provider that you need to get a complete archive of anything they delete, so that you may do an investigation. This includes any file creation dates that are on the files and directories they delete as well. Then start cross-referencing against your logs of the /home/xxxx/logs/*.log and your web server logs. You will also want to verify that the directories are properly secured with the correct permissions. If you are unable to do this yourself, then find someone that can help you.

Michael

Dirk

Site Admin
Quote by: Hacked

To unsuspend the account you will have to give us permission to remove the contents from /home/xxxxxx/public_html/images/library/File/ directory


This points to a problem with FCKeditor. Which Geeklog version were you on before you upgraded to 1.6.0?

It's hard to tell without any more information, but if I had to guess, I'd say someone exploited the recent FCKeditor issue before you upgraded. Could that be it?

Check the contents of the above directory. When were those files uploaded?

For Geeklog, the contents of that directory are not needed. So I'd suggest making a backup of those files for forensic purposes and letting your hosting service remove them, as requested, so that you can get your site back online.

bye, Dirk
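
The cross-referencing suggested in this thread (file dates from the removed directory checked against the web server logs), as an added example that is not part of the original posts. It assumes Apache common/combined log format; the log lines, file name, timestamps and `/example/` paths are constructed sample data.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Prefix of an Apache common/combined log line: client, time, request, status.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def file_times(root):
    """Return (path, mtime) for every file under root, e.g. the restored archive."""
    out = []
    for base, _dirs, names in os.walk(root):
        for n in names:
            p = os.path.join(base, n)
            out.append((p, datetime.fromtimestamp(os.stat(p).st_mtime, tz=timezone.utc)))
    return out

def parse_log(lines):
    """Yield (time, ip, method, path, status); malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["ip"], m["method"], m["path"], int(m["status"])

def correlate(files, log_lines, window_s=120):
    """For each file, list successful POST/PUT requests within window_s of its mtime."""
    entries = list(parse_log(log_lines))
    window = timedelta(seconds=window_s)
    return {
        name: [(ip, method, path) for ts, ip, method, path, status in entries
               if method in ("POST", "PUT") and status < 400
               and abs(ts - mtime) <= window]
        for name, mtime in files
    }

# Constructed sample data (documentation IP ranges, made-up paths and times).
EDT = timezone(timedelta(hours=-4))
SAMPLE_FILES = [("images/library/File/sample.html",
                 datetime(2009, 6, 2, 3, 15, 41, tzinfo=EDT))]
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jun/2009:03:14:05 -0400] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.23 - - [02/Jun/2009:03:15:40 -0400] "POST /example/upload.php HTTP/1.1" 200 312',
    '198.51.100.23 - - [02/Jun/2009:03:16:02 -0400] "GET /images/library/File/sample.html HTTP/1.1" 200 2048',
    '203.0.113.7 - - [02/Jun/2009:09:00:00 -0400] "POST /example/comment.php HTTP/1.1" 200 90',
    'not a log line',
]

if __name__ == "__main__":
    for name, reqs in correlate(SAMPLE_FILES, SAMPLE_LOG).items():
        print(name, reqs)
```

On a real case, pass `file_times()` of the unpacked archive instead of `SAMPLE_FILES`; the archive has to preserve the original timestamps (for example `tar` with `-p`), otherwise the times reflect the extraction, not the upload.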