
Please remove

Posted: Wed Jul 02, 2008 11:47 am
by Ziggywigged
-deleted-

Re: Hacked

Posted: Wed Jul 02, 2008 12:35 pm
by cb2004
Do you have any other scripts installed? Like Coppermine or something?

Re: Hacked

Posted: Wed Jul 02, 2008 12:48 pm
by cb2004
What modules do you have installed?

Re: Hacked

Posted: Wed Jul 02, 2008 2:27 pm
by Pierre M.
mikeim wrote: ...the access log file is over 1GB (is that normal) but what in particular should I be looking for?
Look for strange query strings (junk after '?'). The first ones. It is even easier when pretty URLs are activated.

Kind request to a pretty URL:

Code:

"GET /aboutus/locations.html HTTP/1.1" 200

Strange request:

Code:

/some/path/to/page.html?evil_parameter=1bad&some=http://junk...

Search for double slash, stars or path to /lib, /admin etc.

Filtering bad requests I get:

Code:

"GET /cmsmsfolder/ HTTP/1.1" 200
"GETorHEADorPUTorPOST /cmsmsfolder/?// HTTP/1.1" 403
"GETorHEADorPUTorPOST /cmsmsfolder/?* HTTP/1.1" 403

Remember the "small security guide".

Pierre M.
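
The checks listed in the post above, written out as a streaming log scan. This is an added example, not code from the thread; the check names, the `served` helper and the sample log lines are constructed for illustration, and the common/combined access log format is assumed.

```python
import re
from urllib.parse import unquote

# Request field of a common/combined access log line: "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

# Heuristics from the post above; the names are labels chosen for this example.
CHECKS = [
    ("url-in-query", lambda path, query: re.search(r"=(?:https?|ftp)://", query, re.I)),
    # '//' that is not part of a scheme such as http://
    ("double-slash", lambda path, query: re.search(r"(?<!:)//", path + "?" + query)),
    ("star", lambda path, query: "*" in path or "*" in query),
    # Noisy on purpose: your own admin sessions will match /admin too.
    ("sensitive-path", lambda path, query: re.search(r"(?:^|/)(?:lib|admin)(?:/|$)", path)),
]

def classify(line):
    """Return (status, target, reasons) for a log line, or None if unparsable."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = unquote(m.group(2))  # decode %2F etc. so encoded junk is caught
    path, _, query = target.partition("?")
    reasons = [name for name, check in CHECKS if check(path, query)]
    return m.group(3), target, reasons

def scan(lines):
    """Yield (lineno, status, target, reasons) for flagged lines, one line at a time."""
    for lineno, line in enumerate(lines, 1):
        hit = classify(line)
        if hit and hit[2]:
            yield (lineno, *hit)

def served(hits):
    """Flagged requests answered 2xx: not blocked, so look at these first."""
    return [h for h in hits if h[1].startswith("2")]

# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Jul/2008:10:01:07 +0000] "GET /aboutus/locations.html HTTP/1.1" 200 5120
203.0.113.7 - - [02/Jul/2008:10:02:11 +0000] "GET /some/path/to/page.html?evil_parameter=1bad&some=http://junk.example/ HTTP/1.1" 200 812
203.0.113.7 - - [02/Jul/2008:10:02:15 +0000] "GET /cmsmsfolder/?// HTTP/1.1" 403 210
203.0.113.7 - - [02/Jul/2008:10:02:16 +0000] "HEAD /cmsmsfolder/?* HTTP/1.1" 403 0
203.0.113.7 - - [02/Jul/2008:10:02:20 +0000] "GET /cmsmsfolder/lib/ HTTP/1.1" 200 33
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(*hit)
```

For a log of 1GB or more, pass the open file object to `scan` (for example `scan(open("access.log", errors="replace"))`) so it is read line by line rather than loaded into memory.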

Re: Hacked

Posted: Wed Jul 02, 2008 9:17 pm
by Dr.CSS
If this was an upgrade then they might have loaded something before the upgrade that allows them to get back in. You may want to delete all folders except your images, making sure nothing untoward is in Uploads etc., then reupload a fresh set of folders/files, and check config.php for bad entries...