Some kind of WMF exploit.
norbie


Joined: Jun 29, 2004 Posts: 737 Location: Norbie's World
Post subject: Some kind of WMF exploit. Posted: Wed Sep 27, 2006 5:35 pm
Here is a copy of a support ticket I just raised to my webhost and their reply.
Quote:
Hi,
I just went on my own website www.norbie.co.uk/index.php and got infected with a virus or some kind of Java exploit!
I looked in the source code and found this in it which I obviously did not put there!
Please view it in this text file, as I do not want it to exploit your computers!
www.norbie.co.uk/exploit.txt
How did that get into my PHP file?
Security is very tight this end, my password is unknown to anyone (I have changed it now though for added security), I do not have keyloggers or such and no-one apart from me has FTP access to that section of my account.
How did this happen?
Quote:
Hello Andrew,
It is hard to say exactly. However, in all other similar cases that I have seen, such exploits have gotten in via insecure scripts.
In most cases via PHP Nuke, phpBB or similar systems. If you use such scripts I would advise you to check if it is fully updated with the newest patches.
I'm not at all blaming Dragonfly, but it's one of the scripts I have installed on that domain - although in a subfolder and does not have FTP access to anything.
Are there any known problems in Dragonfly that could have done this?
_________________ Norbie

www.norbiesworld.co.uk
norbie's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Linux / Apache Custom Version / 4.0.26-standard (client: 5.0.15) / 4.4.4 / 9.1.1 |
jeffk


Joined: Jun 21, 2004 Posts: 323
Post subject: Re: Some kind of WMF exploit. Posted: Wed Sep 27, 2006 7:31 pm
I had a similar thing, an iframe put into the index.php. The thread is in this forum.
_________________ CMS Version 9.1.2.1
PHP Version 4.4.4
MySQL Version 4.1.22-standard (client: 4.1.22)
jeffk's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) CMS Version 9.1.2.1 / PHP Version 4.4.4 / MySQL Version 4.1.22-standard (client: 4.1.22)
xfsunoles


Joined: Apr 30, 2004 Posts: 2502 Location: Melbourne, Florida
Post subject: Re: Some kind of WMF exploit. Posted: Wed Sep 27, 2006 9:08 pm
I had a similar thing. If a hacker got access to the root server then they can change as many files as they want.
_________________

Firefox is my Favorite Browser
xfsunoles's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Apache/1.3.34 (Unix)/4.0.25-standard/4.4.1/CVS |
norbie


Joined: Jun 29, 2004 Posts: 737 Location: Norbie's World
Post subject: Re: Some kind of WMF exploit. Posted: Wed Sep 27, 2006 10:37 pm
Two replies within a couple of hours lead me to believe this is not a coincidence...
_________________ Norbie

www.norbiesworld.co.uk
norbie's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Linux / Apache Custom Version / 4.0.26-standard (client: 5.0.15) / 4.4.4 / 9.1.1 |
dormouse


Joined: Aug 31, 2005 Posts: 37
norbie


Joined: Jun 29, 2004 Posts: 737 Location: Norbie's World
Post subject: Re: Some kind of WMF exploit. Posted: Thu Sep 28, 2006 6:35 am
I don't have cPanel installed.
_________________ Norbie

www.norbiesworld.co.uk
norbie's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Linux / Apache Custom Version / 4.0.26-standard (client: 5.0.15) / 4.4.4 / 9.1.1 |
alva


Joined: May 31, 2005 Posts: 1150 Location: The Netherlands
Post subject: Re: Some kind of WMF exploit. Posted: Thu Sep 28, 2006 12:08 pm
I was wondering...
If it's not a server problem then perhaps a third party module problem. You have a lot of them. Even if 9.1.0.8. has some global input checking mechanisms I really don't know if it will stop all XSS attempts through insecure modules.
Would the $MAIN_CFG['global']['block_frames'] setting stop this kind of iframe code? (What is your block_frames setting?)
EDIT: I was looking at your WWW, and only just checked the defaced one. So they changed your index.php. Hmmm, if through a third party module, then I guess it must have been a module that uses file write...
alva's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Linux/Apache/5.0.24/5/9.1 CVS |
NanoCaiordo


Joined: Jun 29, 2004 Posts: 3677 Location: Melbourne, AU
Post subject: Re: Some kind of WMF exploit. Posted: Thu Sep 28, 2006 12:22 pm
The main problem resides when your website is on a "shared server". Users from their /home directory can launch attacks on other /home/~/*/index.(html|htm|php|asp).
It does not matter if you use cpanel, webmin or nothing at all; permitting access to more than one user needs a dedicated System Administrator with a lot of experience to avoid similar exploits.
Sometimes if only one user had installed an unpatched phpBB forum (phpbb.com) it can lead to those kinds of problems where a lot of websites get hacked simultaneously.
_________________ .:: I met php the 03 December 2003 :: Unforgettable day! ::.
NanoCaiordo's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) MySQL 5.1 / PHP 5.3 / NextGen() |
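
A defensive check for the shared-server situation described in the post above, added here as an example and not part of any poster's message or of DragonflyCMS: it walks a web root, flags index.(html|htm|php|asp) files that other local accounts could modify, and flags hidden iframes like the one reported earlier in the thread. The function names, the "hidden iframe" heuristic and the sample tree are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# File names taken from the post above: index.(html|htm|php|asp)
INDEX_RE = re.compile(r"^index\.(html|htm|php|asp)$", re.I)
IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.I)
# Assumption: an injected frame is made invisible (0/1 size or CSS-hidden).
HIDDEN_RE = re.compile(
    rb"(?:width|height)\s*=\s*['\"]?[01]\b|display\s*:\s*none", re.I)

def audit_docroot(root):
    """Return {path: [findings]} for index pages found under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        dir_mode = os.stat(dirpath).st_mode
        for name in filter(INDEX_RE.match, files):
            path = os.path.join(dirpath, name)
            findings = []
            if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append("file writable by group/other")
            if dir_mode & stat.S_IWOTH and not dir_mode & stat.S_ISVTX:
                findings.append("directory world-writable (file replaceable)")
            with open(path, "rb") as fh:
                tags = IFRAME_RE.findall(fh.read())
            if any(HIDDEN_RE.search(tag) for tag in tags):
                findings.append("hidden iframe in content")
            if findings:
                report[path] = findings
    return report

def build_sample(root):
    """Constructed sample tree: one clean index.php, one tampered one."""
    frame = b'<iframe src="http://example.invalid/" width="0" height="0"></iframe>'
    paths = {}
    for sub, body, mode in (("clean", b"<p>Hello</p>", 0o644),
                            ("tampered", b"<p>Hello</p>" + frame, 0o666)):
        os.mkdir(os.path.join(root, sub), 0o755)
        paths[sub] = os.path.join(root, sub, "index.php")
        with open(paths[sub], "wb") as fh:
            fh.write(body)
        os.chmod(paths[sub], mode)
    return paths

if __name__ == "__main__":
    demo_root = tempfile.mkdtemp()
    build_sample(demo_root)
    print(audit_docroot(demo_root))
```

The permission findings only cover access through file modes; a process running as the web server user or as root can still change files that pass this check.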
norbie


Joined: Jun 29, 2004 Posts: 737 Location: Norbie's World
Post subject: Re: Some kind of WMF exploit. Posted: Thu Sep 28, 2006 7:41 pm
The file hacked was www.norbie.co.uk/index.php
Dragonfly is hosted at www.norbiesworld.co.uk but on the same server.
_________________ Norbie

www.norbiesworld.co.uk
norbie's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Linux / Apache Custom Version / 4.0.26-standard (client: 5.0.15) / 4.4.4 / 9.1.1 |