[NeverMind] Root Kit in the FileManager (1.4.1-full.tar.gz)
Posted: Sun Aug 31, 2008 3:35 pm
by Pisti
Hi, I just downloaded this file:
http://dev.cmsmadesimple.org/frs/downlo ... ull.tar.gz
But there is a root kit!
In the FileManager directory:
modules/FileManager/postlet/config.php
Don't use it!
Re: !!!!! Root Kit in the FileManager (1.4.1-full.tar.gz) !!!!!
Posted: Sun Aug 31, 2008 3:41 pm
by calguy1000
Must be your problem. I just downloaded both the full and base packages, AND checked their contents and there is no config.php in that directory.
I've attached a history of my extracting the file, changing to the appropriate directory and showing a listing.
There is no config.php.
wrong alert
Posted: Sun Aug 31, 2008 4:43 pm
by Pisti
Very sorry. You are absolutely right!
Only my website was infected by the "config.php" and the "postlet" directory is not part of the rootkit. This was my very big mistake.
I don't know how it could have happened. This is the first time somebody has hacked my site.
This "config.php" was a complete shell and file manager kit tool "C99Shell v. 1.0 pre-release build #16" by the "RootShell Security Group".
And it was accessible to the entire world. This kit was installed in this place maybe in May 2008 (as I see in the backups).
And today the attacker made some modifications to my webpages: the attacker published hidden spam links to all pages, via the include.php in the root dir. (These hidden links caused some problems in the style sheets, and the font sizes on the main pages were bigger than before. That was the reason why I opened the main page HTML code, and I was shocked...)
According to the Apache log files, the attacker used an American-located server (with a Russian-language web page).
Due to legal issues I won't write IPs and provider names.
Cmsmadesimple forever!
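
The check done by hand in this thread (comparing what is on the server against what the release package actually ships) can be scripted. The following is an added example, not part of the posts and not CMS Made Simple code; the function names and the `strip_components` parameter are assumptions of the example.

```python
import hashlib
import os
import posixpath
import sys
import tarfile


def _sha256(fileobj):
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(65536), b""):
        h.update(chunk)
    return h.hexdigest()


def release_manifest(tarball, strip_components=0):
    """Map relative path -> SHA-256 for every regular file in the release tarball."""
    manifest = {}
    with tarfile.open(tarball) as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Normalise "./a/b" to "a/b", then drop leading directories if asked.
            parts = posixpath.normpath(member.name).split("/")[strip_components:]
            if parts:
                manifest["/".join(parts)] = _sha256(tar.extractfile(member))
    return manifest


def audit_webroot(tarball, webroot, strip_components=0):
    """Return (extra, modified): files the release does not ship, and shipped files that differ."""
    manifest = release_manifest(tarball, strip_components)
    extra, modified = [], []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digest = _sha256(fh)
            if rel not in manifest:
                extra.append(rel)      # e.g. a config.php dropped into a module directory
            elif manifest[rel] != digest:
                modified.append(rel)   # e.g. an include.php with injected links
    return sorted(extra), sorted(modified)


if __name__ == "__main__":
    extra, modified = audit_webroot(sys.argv[1], sys.argv[2])
    for path in extra:
        print("NOT IN RELEASE ", path)
    for path in modified:
        print("DIFFERS        ", path)
```

Files the site creates itself (uploads, caches, local configuration) will also show up as not in the release, so the output is a review list rather than a verdict.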