Someone trying to hack my blog?


Post by jwdonal »

I'm getting a lot of errors in my apache log file (from multiple IP addresses too) that look like this:

[Thu Dec 23 09:01:40 2010] [error] [client 41.100.226.203] PHP Warning:  mkdir(): Permission denied in [path]/xupv2p/htmlarea/plugins/ImageManager/Classes/Files.php on line 82, referer: https://rm-rfroot.net/xupv2p/htmlarea/plugins/ExtendedFileManager/backend.php?__plugin=ExtendedFileManager&&
[Thu Dec 23 09:01:40 2010] [error] [client 41.100.226.203] PHP Warning:  chmod(): No such file or directory in [path]/xupv2p/htmlarea/plugins/ImageManager/Classes/Files.php on line 83, referer: https://rm-rfroot.net/xupv2p/htmlarea/plugins/ExtendedFileManager/backend.php?__plugin=ExtendedFileManager&&
[Thu Dec 23 09:01:40 2010] [error] [client 41.100.226.203] PHP Warning:  mkdir(): Permission denied in [path]/xupv2p/htmlarea/plugins/ImageManager/Classes/Files.php on line 82, referer: https://rm-rfroot.net/xupv2p/htmlarea/plugins/ExtendedFileManager/backend.php?__plugin=ExtendedFileManager&&
[Thu Dec 23 09:01:40 2010] [error] [client 41.100.226.203] PHP Warning:  chmod(): No such file or directory in [path]/xupv2p/htmlarea/plugins/ImageManager/Classes/Files.php on line 83, referer: https://rm-rfroot.net/xupv2p/htmlarea/plugins/ExtendedFileManager/backend.php?__plugin=ExtendedFileManager&&
[Thu Dec 23 09:01:40 2010] [error] [client 41.100.226.203] PHP Warning:  imagejpeg(): Unable to open 'demo_images/t/t_bikerpeep.jpg' for writing: No such file or directory in [path]/xupv2p/htmlarea/plugins/ImageManager/Classes/GD.php on line 550, referer: https://rm-rfroot.net/xupv2p/htmlarea/plugins/ExtendedFileManager/backend.php?__plugin=ExtendedFileManager&&

Is this something that I should worry about? Is there a way that I could better prevent this attack in the future? Is there a way that I can prevent outside users from even attempting to use those above files?

These just started showing up today and I have made no changes to my server in quite a while. I don't think this is normal activity. Would love some insight. I pulled my site down temporarily just in case...

Thanks!
Last edited by jwdonal on Thu Dec 23, 2010 11:13 am, edited 1 time in total.
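
Added example, not part of any post in this thread: a short Python script that groups PHP warnings like the ones quoted above by client address, keeping only those raised by file-writing functions under htmlarea/plugins/. The sample log, its paths and its addresses are constructed, and the set of functions to watch is an assumption.

```python
import re
from collections import defaultdict

# Apache 2.2-style error_log entry that carries a PHP warning.
LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"PHP Warning:\s+(?P<func>\w+)\(\): (?P<msg>.*?) in (?P<script>\S+) "
    r"on line (?P<line>\d+)(?:, referer: (?P<referer>\S+))?$"
)
# Assumption: a warning from one of these functions inside the bundled editor
# plugins means an outside request reached code that writes to disk.
WRITE_FUNCS = {"mkdir", "chmod", "imagejpeg"}
PLUGIN_MARKER = "/htmlarea/plugins/"

# Constructed sample log: documentation IP ranges and made-up paths.
SAMPLE_LOG = """\
[Thu Dec 23 09:01:40 2010] [error] [client 192.0.2.10] PHP Warning:  mkdir(): Permission denied in /srv/blog/htmlarea/plugins/ImageManager/Classes/Files.php on line 82, referer: https://blog.example.org/htmlarea/plugins/ExtendedFileManager/backend.php?__plugin=ExtendedFileManager&&
[Thu Dec 23 09:01:40 2010] [error] [client 192.0.2.10] PHP Warning:  chmod(): No such file or directory in /srv/blog/htmlarea/plugins/ImageManager/Classes/Files.php on line 83, referer: https://blog.example.org/htmlarea/plugins/ExtendedFileManager/backend.php?__plugin=ExtendedFileManager&&
[Thu Dec 23 09:02:11 2010] [error] [client 198.51.100.7] PHP Warning:  imagejpeg(): Unable to open 'demo_images/t/t_x.jpg' for writing: No such file or directory in /srv/blog/htmlarea/plugins/ImageManager/Classes/GD.php on line 550
[Thu Dec 23 09:03:00 2010] [error] [client 203.0.113.5] File does not exist: /srv/blog/favicon.ico
[Thu Dec 23 09:04:00 2010] [error] [client 203.0.113.5] PHP Warning:  date(): It is not safe to rely on the system's timezone settings in /srv/blog/index.php on line 12
"""

def suspicious_clients(log_text):
    """Map client IP -> warning count, functions and plugin scripts involved."""
    hits = defaultdict(lambda: {"count": 0, "funcs": set(), "scripts": set()})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a PHP warning entry
        if PLUGIN_MARKER not in m["script"] or m["func"] not in WRITE_FUNCS:
            continue  # warning unrelated to the editor plugins
        entry = hits[m["client"]]
        entry["count"] += 1
        entry["funcs"].add(m["func"])
        entry["scripts"].add(m["script"].rsplit("/", 1)[-1])
    return {ip: {"count": e["count"], "funcs": sorted(e["funcs"]),
                 "scripts": sorted(e["scripts"])} for ip, e in hits.items()}

if __name__ == "__main__":
    for ip, info in sorted(suspicious_clients(SAMPLE_LOG).items()):
        print(ip, info["count"], ",".join(info["funcs"]), ",".join(info["scripts"]))
```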

Post by Timbalu »

It looks like you should do an upgrade soon...

Serendipity 1.5.5 has been released to address a serious security issue.
Please read
http://blog.s9y.org/archives/224-Import ... eased.html

Ian

Post by jwdonal »

YIKES!! You're totally right!! All the things those guys are talking about in your link match what I'm seeing on my server log. :-o

UPDATE: Okay, I'm all upgraded. Jeez, that was kinda scary. It doesn't look like I was infected. Is there a way that I could have known about this earlier than 2 days after the 0-day exploit? Like, is there a way to sign up for notifications (if s9y even has anything like that?). Thanks for the quick heads up Timbalu!

Post by onli »

The blog covered the last security issues. You may want to add it to your feed reader.