Some kind of WMF exploit.
Archived thread from the CPG Dragonfly™ CMS Community Forums, Security v9 :: Archives


Here is a copy of a support ticket I just raised to my webhost and their reply.

Hi,

I just went on my own website www.norbie.co.uk/index.php and got infected with a virus or some kind of Java exploit!

I looked in the source code and found this in it which I obviously did not put there!

Please view it in this text file, as I do not want it to exploit your computers!

www.norbie.co.uk/exploit.txt

How did that get into my PHP file?
Security is very tight this end, my password is unknown to anyone (I have changed it now though for added security), I do not have keyloggers or such and no-one apart from me has FTP access to that section of my account.

How did this happen?


Hello Andrew,

It is hard to say exactly. However, in all the similar cases that I have seen, such exploits have gotten in via insecure scripts.

In most cases via PHP Nuke, phpBB or similar systems. If you use such scripts I would advise you to check that they are fully updated with the newest patches.


I'm not at all blaming Dragonfly, but it's one of the scripts I have installed on that domain, although in a subfolder, and it does not have FTP access to anything.

Are there any known problems in Dragonfly that could have done this?

Norbie

www.norbiesworld.co.uk

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux / Apache Custom Version / 4.0.26-standard (client: 5.0.15) / 4.4.4 / 9.1.1


I had a similar thing, an iframe put into the index.php. The thread is in this forum.

CMS Version 9.1.2.1
PHP Version 4.4.4
MySQL Version 4.1.22-standard (client: 4.1.22)



I had a similar thing. If a hacker got access to the root server then they can change as many files as they want.

Firefox is my Favorite Browser

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Apache/1.3.34 (Unix)/4.0.25-standard/4.4.1/CVS


Two replies within a couple of hours leads me to believe this is not a coincidence...

Norbie

www.norbiesworld.co.uk

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux / Apache Custom Version / 4.0.26-standard (client: 5.0.15) / 4.4.4 / 9.1.1


www.webhostingtalk.com...p?t=549291
www.webhostingtalk.com...p?t=549458
www.webhostingtalk.com...p?t=549708
www.webhostingtalk.com...p?t=549803

Major cPanel exploit; servers compromised for a long time before hackers activated their viruses etc.; an unknown number of compromised servers exist even if cPanel has bolted the stable door.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux/1.3.39/4.1.22/4.4.7/9.2.0


I don't have cPanel installed.

Norbie

www.norbiesworld.co.uk

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux / Apache Custom Version / 4.0.26-standard (client: 5.0.15) / 4.4.4 / 9.1.1


I was wondering...

If it's not a server problem then perhaps a third-party module problem. You have a lot of them. Even if 9.1.0.8 has some global input checking mechanisms, I really don't know if it will stop all XSS attempts through insecure modules.

Would the $MAIN_CFG['global']['block_frames'] setting stop this kind of iframe code? (What is your block_frames setting?)

EDIT: I was looking at your WWW, and only just checked the defaced one. So they changed your index.php. Hmmm, if through a third party module, then I guess it must have been a module that uses file write...

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux/Apache/5.0.24/5/9.1 CVS


The main problem resides when your website is on a "shared server". Users from their /home directory can launch attacks on other /home/~/*/index.(html|htm|php|asp).

It does not matter if you use cPanel, Webmin or nothing at all; permitting access to more than one user needs a dedicated system administrator with a lot of experience to avoid similar exploits.

Sometimes, if only one user has installed an unpatched phpBB forum (phpbb.com), it can lead to those kinds of problems where a lot of websites get hacked simultaneously.

.:: I met php the 03 December 2003 :: Unforgettable day! ::.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
CloudLinux / Apache 2.4 LSAPI / MySQLi 5.7 / PHP 7.3 / head
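A defender-side check for the two things this thread keeps coming back to: a hidden iframe injected into an index file, and an index file that another tenant on the shared box could write to. This is an added example, not code from the thread or from Dragonfly; the regexes, the constructed sample file and the "writable by group or other" rule are assumptions about what is worth flagging.

```python
import os
import re
import stat
import sys

# Hidden or off-screen iframes are the usual shape of the injection reported
# in this thread: zero-size, display:none, or pushed far off the page.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
HIDDEN_RE = re.compile(
    r"(width|height)\s*=\s*[\"']?0\b|display\s*:\s*none|visibility\s*:\s*hidden"
    r"|left\s*:\s*-\d{3,}", re.IGNORECASE)
# Only index files, the targets named in the post above.
INDEX_RE = re.compile(r"^index\.(html?|php|asp)$", re.IGNORECASE)

def find_hidden_iframes(html: str) -> list[str]:
    """Return every <iframe ...> tag in html that uses a hiding technique."""
    return [tag for tag in IFRAME_RE.findall(html) if HIDDEN_RE.search(tag)]

def writable_by_others(mode: int) -> bool:
    """True if group or world may write: what lets a co-tenant edit the file."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def scan(root: str) -> list[tuple[str, str]]:
    """Walk root and return (path, finding) pairs for every index file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not INDEX_RE.match(name):
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if writable_by_others(st.st_mode):
                findings.append((path, f"mode {stat.filemode(st.st_mode)} writable by group/other"))
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                for tag in find_hidden_iframes(fh.read()):
                    findings.append((path, "hidden iframe: " + tag[:80]))
    return findings

# Constructed sample resembling an injected index.php (not the text from the thread).
SAMPLE_INJECTED = """<?php echo "site"; ?>
<iframe src="http://example.invalid/x.php" width=0 height=0 style="display:none"></iframe>
"""

if __name__ == "__main__":
    for path, finding in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {finding}")
```

Run it against the web root (or each /home/*/public_html on a shared host) and diff the output over time; a new finding on an index file is the signal this thread's posters were missing.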


The file hacked was www.norbie.co.uk/index.php

Dragonfly is hosted at www.norbiesworld.co.uk but on the same server.

Norbie

www.norbiesworld.co.uk

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux / Apache Custom Version / 4.0.26-standard (client: 5.0.15) / 4.4.4 / 9.1.1
