Somehow someone had input code into index.php "hacked
Posted: Tue Nov 25, 2008 4:58 pm
by BarateaU
I went to look at one of my pages.
www.minidator.info
I got the message "Error on line 663 index.php".
So I went in to take a look, and on line 663 a long line of code with links to other pages had been inserted.
I think the links were to x-x-x sites.
I marked the whole line and deleted it and then saved the index.php.
Now the site is up and running again. I thought I had missed a big patch/upgrade, but I have the newest stable version.
The index.php is in 644 (-rw-r--r--) mode.
I wonder how they could have done it.
Too bad I was in a hurry to remove it, so I didn't save the line.
Edit:
Isn't it bad to have the version in plain text?
<meta name="Powered-By" content="Serendipity v.1.3.1" />
Re: Somehow someone had input code into index.php "ha
Posted: Tue Nov 25, 2008 5:07 pm
by garvinhicking
Hi!
Do you use any other tools on your page? Did you check your server access log to see if there was suspicious activity, strange requests?
If it happens again, remember the timestamp when your index.php file was last changed and compare that to your server access logs or FTP access logs.
Lately there are many trojans and viruses going around that use stolen FTP account data (gathered through a trojan on client PCs) and use that to connect to those sites and simply insert their code into the index.php - this would then not be related to Serendipity itself; those trojans simply pick any index.php or index.html they can find.
You can turn off the meta tag by setting a $serendipity['expose_s9y'] = false variable, but we do this for advertisement purposes and easier debugging.
Regards,
Garvin
Re: Somehow someone had input code into index.php "ha
Posted: Wed Nov 26, 2008 9:55 am
by BarateaU
garvinhicking wrote:Hi!
Do you use any other tools on your page? Did you check your server access log to see if there was suspicious activity, strange requests?
If it happens again, remember the timestamp when your index.php file was last changed and compare that to your server access logs or FTP access logs.
Lately there are many trojans and viruses going around that use stolen FTP account data (gathered through a trojan on client PCs) and use that to connect to those sites and simply insert their code into the index.php - this would then not be related to Serendipity itself; those trojans simply pick any index.php or index.html they can find.
You can turn off the meta tag by setting a $serendipity['expose_s9y'] = false variable, but we do this for advertisement purposes and easier debugging.
Regards,
Garvin
Plugins:
Categorizes
Top Referrers
Syndication
History
Adsense
Hmm, Swedish lang pack and template.
Nothing else.
Too bad the host doesn't have any error reporting, log files or access files.
I host about 15 other sites on the same host and none of them had the same problem.
Re: Somehow someone had input code into index.php "ha
Posted: Wed Nov 26, 2008 1:38 pm
by garvinhicking
Hi!
You only listed the sidebar plugins. The event plugins are much more important!
Hmm, Swedish lang pack and template.
What do you mean by lang pack? Did you download any language pack from a foreign site? Swedish already comes with Serendipity. Which template exactly did you use?
Regards,
Garvin
Re: Somehow someone had input code into index.php "ha
Posted: Wed Dec 03, 2008 5:00 pm
by BarateaU
garvinhicking wrote:Hi!
You only listed the sidebar plugins. The event plugins are much more important!
Hmm, Swedish lang pack and template.
What do you mean by lang pack? Did you download any language pack from a foreign site? Swedish already comes with Serendipity. Which template exactly did you use?
Regards,
Garvin
Aeros Theme.
http://thebuckmaker.com/aeros
Haven't done any big changes from the original.
By lang I meant language.
I got "hijacked once more".
I saved the line.
http://hosten.se/index.php?download=hijaced.txt
Edit: here comes event plugins.
Markup: Serendipity
Markup: Emoticate
Markup: NL2BR
Browser Compatibility
Spam Protector
Google Analytics
Sitemap Generator (for Crawlers)
Re: Somehow someone had input code into index.php "ha
Posted: Wed Dec 03, 2008 5:06 pm
by garvinhicking
Hi!
You ported that Aeros theme on your own? Because it's for WordPress, not Serendipity.
And again, where did you get a "Swedish language pack"? It comes with Serendipity already.
And again: the event plugins are important. Also, which other applications do you run on your host? Chances are VERY HIGH that it is not Serendipity that's your problem. The "hack" looks very generic; any program with FTP access could do it.
You did change all your FTP and SQL passwords after you got hacked first time, right?
Regards,
Garvin
Re: Somehow someone had input code into index.php "ha
Posted: Wed Dec 03, 2008 5:10 pm
by BarateaU
garvinhicking wrote:Hi!
You ported that Aeros theme on your own? Because it's for WordPress, not Serendipity.
And again, where did you get a "Swedish language pack"? It comes with Serendipity already.
And again: the event plugins are important. Also, which other applications do you run on your host? Chances are VERY HIGH that it is not Serendipity that's your problem. The "hack" looks very generic; any program with FTP access could do it.
You did change all your FTP and SQL passwords after you got hacked first time, right?
Regards,
Garvin
Sorry, I got confused, not the Aeros.
The name of the template is "i3theme".
Sorry again for that.
And no about the Swedish, my bad again, it's the default one in Serendipity.
Edit: I didn't change the SQL password before, will do it ASAP.
Posted: Wed Dec 03, 2008 5:26 pm
by judebert
Your site is being cracked. You need to figure out how the cracker is modifying your files. There are two possibilities: the cracker has file access, or the cracker is using malformed browser requests to overwrite your files.
If the cracker is using bad browser requests, you should be able to see what he did in your webserver logs. You'll see requests that try to access system drives and files, requests with very long URLs trying to overwrite the webserver's memory, or requests that include executable scripts, SQL, or even binary programs.
The requests need not be made through Serendipity's index.php: once any script processes a malicious request, your entire website is compromised. The webserver may even be at fault: a buggy webserver could process a malicious request and write a file it wasn't supposed to, and then (once again) your entire website is compromised.
If the cracker has file access, you must change your FTP, database, ssh, and all other passwords to completely new, unguessable passwords. Then the system log is your only hope of finding how the cracker obtained access. Unfortunately, the system log is often a cracker's first target, to prevent you from discovering the malicious compromise. Worse yet, most website publishers don't have access to the system logs: they are at the mercy of their hosting provider.
Serendipity has been carefully designed and programmed to avoid processing any malicious input. All input is treated with suspicion, checked and validated. Therefore it is unlikely that the compromise originated with Serendipity, but we are interested in any evidence you discover that indicates a problem, and we will work to immediately fix any such deficiency.
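The two checks recommended in this thread, comparing index.php's modification time against the access log (garvinhicking's advice) and scanning the access log for the kinds of malformed requests judebert describes, can be scripted. The following is an added example for this page, not code from the Serendipity project or from any poster. It assumes the host can provide an Apache "combined"-format access log; the log lines, IP addresses and timestamps in it are constructed sample data, not traffic from the site discussed.

```python
"""Triage helper for a defaced index.php (added example, not part of the original posts).

Check 1, requests_near_mtime(): list access-log requests that arrived within a
window around the file's last-modified time, so the change can be tied to a client.
Check 2, triage_access_log(): flag requests that look like the abuse judebert
describes: attempts to reach system files, very long URLs, and requests that carry
script or SQL fragments.
"""
import os
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Apache "combined" log format: ip ident user [ts] "method uri proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signatures for the request classes named in the thread. They are matched against the
# percent-decoded URI so that encoded variants ("%2e%2e/") are caught too.
SUSPICIOUS = [
    ("system file / path traversal", re.compile(r"(\.\./|/etc/passwd|boot\.ini|[a-z]:\\)", re.I)),
    ("embedded script", re.compile(r"(<script|javascript:|<\?php|eval\()", re.I)),
    ("SQL fragment", re.compile(r"(union\s+select|'\s*or\s+1\s*=\s*1)", re.I)),
]
MAX_URI_LEN = 1024  # longer than any legitimate request to a blog front page

# Constructed sample log (not real traffic). The long query string stands in for an
# oversized request; 414 is the "URI Too Long" status a web server returns for it.
LONG_URI = "/index.php?x=" + "A" * 3000
SAMPLE_LOG = "\n".join([
    '203.0.113.10 - - [03/Dec/2008:16:58:02 +0100] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [03/Dec/2008:16:58:05 +0100] "GET /templates/i3theme/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Dec/2008:16:59:41 +0100] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 5123 "-" "-"',
    '198.51.100.7 - - [03/Dec/2008:16:59:43 +0100] "GET /index.php?q=<script>document.write(1)</script> HTTP/1.1" 200 5123 "-" "-"',
    '198.51.100.7 - - [03/Dec/2008:16:59:50 +0100] "GET /index.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 5123 "-" "-"',
    f'198.51.100.7 - - [03/Dec/2008:17:00:01 +0100] "GET {LONG_URI} HTTP/1.1" 414 0 "-" "-"',
    '203.0.113.22 - - [03/Dec/2008:17:05:17 +0100] "GET /archives/3-hello.html HTTP/1.1" 200 4411 "-" "Mozilla/5.0"',
])
# Constructed modification time of index.php for the sample (UTC+1, like the log).
MTIME = datetime(2008, 12, 3, 17, 0, 0, tzinfo=timezone(timedelta(hours=1)))


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["decoded_uri"] = unquote(entry["uri"])
    return entry


def file_mtime(path):
    """Last-modified time of a real file as an aware datetime. An attacker with file
    access can reset this with touch, so treat it as a hint, not proof."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def requests_near_mtime(log_text, mtime, window_minutes=5):
    """Requests logged within +/- window_minutes of the file's modification time."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None and abs(e["ts"] - mtime) <= window:
            hits.append((e["ts"], e["ip"], e["method"], e["uri"][:60]))
    return hits


def classify(entry):
    """Reasons a request looks malicious; an empty list means it looks ordinary."""
    reasons = []
    if len(entry["uri"]) > MAX_URI_LEN:
        reasons.append("very long URL")
    for label, pattern in SUSPICIOUS:
        if pattern.search(entry["decoded_uri"]):
            reasons.append(label)
    return reasons


def triage_access_log(log_text):
    """(timestamp, ip, truncated uri, reasons) for every flagged request, in log order."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        reasons = classify(e)
        if reasons:
            flagged.append((e["ts"], e["ip"], e["uri"][:60], reasons))
    return flagged


if __name__ == "__main__":
    print("Requests within 1 minute of index.php's mtime:")
    for hit in requests_near_mtime(SAMPLE_LOG, MTIME, window_minutes=1):
        print("  ", *hit)
    print("Suspicious requests:")
    for hit in triage_access_log(SAMPLE_LOG):
        print("  ", *hit)
```

Against the sample data both checks point at the same client, 198.51.100.7, which is the kind of correlation that turns "the file changed" into "this is where to look". If nothing in the web log lines up with the modification time, the change most likely came in by another path (FTP or a shell), which is when the FTP log and a password rotation matter more than the web log. Where a log is not available at all, as in this thread, the script cannot help; the first ask of the host is still the log.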
Posted: Thu Dec 04, 2008 3:53 pm
by BarateaU
First, I don't have access to the system or access log.
I have asked the host if I could get it; I have changed the SQL password now also.
Before I had time to change it, the index got changed again.
