Author Topic: CAUTION : Hacked Sites !  (Read 15097 times)


Offline hartiberlin

  • Hero Member
  • *****
  • Posts: 819
  • Gender: Male
    • Free energy research
CAUTION : Hacked Sites !
« on: 25.10.14, 12:43:45 »
Attention,
my site overunity.de was hacked with SMF 2.08 and PMX 1.51 ecl

They used the path:
Editor_Uploads
to upload some Ali(1)ASP.JPG
fake pics and then executed them via some
PHP files also uploaded there into the
Images or Media or File subfolder... !

Pay attention to the Permission that you give these folders !

I have updated now to SMF 2.09 and PMX 1.52 ecl and
hope these security issues are fixed !

It seems they only made traffic, but did not delete any files...

Regards, Stefan.

Offline portamx

  • Administrator
  • *
  • Posts: 156
Re: CAUTION : Hacked Sites !
« Reply #1 on: 26.10.14, 15:37:16 »
Yes, I know that .. same here.
But .. that is not critical, because files in this folder are used ONLY by the HTML editor (when creating an HTML block) and when writing out an HTML block (it reads the images in the HTML from this folder). PHP files are NOT read or executed from this folder.

Currently we have no information on how the files are uploaded, but it's possible that the FTP account is hacked.
So it's better that you change the password for FTP and use SFTP if possible.

Offline hartiberlin

Re: CAUTION : Hacked Sites !
« Reply #2 on: 31.10.14, 03:23:05 »
But it seems it makes a lot of traffic...

Again today there are files like:
ali_asp;ali-1.jpg
to
ali_asp;ali-7.jpg
and
ali_asp;ali.jpg

in the
/editor_uploads/file/
folder

What is the best permission to not permit this anymore ?

Currently the folder was set to 755.

Should I change this to 644 only ?

Many thanks.

Regards. Stefan.

Offline hartiberlin

Re: CAUTION : Hacked Sites !
« Reply #3 on: 01.11.14, 11:25:19 »
Maybe the FCK Editor has a leak so hackers can upload the fake image files and execute them as code ?

Offline hartiberlin

Re: CAUTION : Hacked Sites !
« Reply #4 on: 02.11.14, 18:35:41 »
Does nobody have an idea about this security leak ? ?

Nobody has an opinion on this security problem ?

Offline Eclipse16V

  • Full Member
  • ***
  • Posts: 119
  • Gender: Male
    • Tornado Map
Re: CAUTION : Hacked Sites !
« Reply #5 on: 04.11.14, 07:14:04 »
Hello,

I was on vacation and have now noticed the problem as well.
Exactly as with you, hartiberlin.
These files show up in the folder every day.
But I have not found a solution yet either.
I have already changed the FTP account twice now and that did not help.
I work with SMF 2.0.9:
Tornado Map
Default Theme
German & English Languages

Offline portamx

Re: CAUTION : Hacked Sites !
« Reply #6 on: 04.11.14, 12:07:25 »
We are investigating the problem, but so far there is no solution.
We have switched from FTP to SFTP and it has been quiet since then.

Offline Fisch.666

  • Jr. Member
  • **
  • Posts: 56
Re: CAUTION : Hacked Sites !
« Reply #7 on: 02.12.14, 15:46:27 »
Hi,

there are lots of ways to upload files via the FCKEditor so this could be the problem here.

The file names ali_asp;ali.jpg are used to exploit a known vulnerability in IIS 6 and before.
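An added example, not part of the original thread and not PortaMx or SMF code: a Python audit for an editor upload folder that flags the kinds of files reported above (semicolon names such as `ali_asp;ali.jpg`, script extensions, fake images, code hidden in image content). The function names, reason strings, marker list and the sample tree are assumptions constructed for illustration.

```python
import os
import re

# Magic bytes of the image types an editor upload folder is expected to hold.
IMAGE_MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
               ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}
# A script extension appearing as its own token anywhere in the lowercased name.
SCRIPT_TOKEN = re.compile(r"(^|[^a-z0-9])(asp|aspx|php\d?|phtml|jsp|cgi)([^a-z0-9]|$)")
# Heuristic (assumed) server-side code markers; catches code appended to an image.
CODE_MARKERS = (b"<?php", b"<%@", b"<script")


def audit_file(path):
    """Return the reasons an uploaded file looks suspicious (empty list = clean)."""
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)  # editor uploads are small; cap the read at 1 MiB
    checks = [
        (";" in name, "semicolon in name"),
        (bool(SCRIPT_TOKEN.search(name)), "script extension in name"),
        (ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]),
         "content does not match image type"),
        (any(m in data.lower() for m in CODE_MARKERS), "server-side code marker in content"),
    ]
    return [reason for hit, reason in checks if hit]


def audit_dir(root):
    """Walk root and map relative path -> reasons for every flagged file."""
    flagged = {}
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(folder, fname)
            if reasons := audit_file(full):
                flagged[os.path.relpath(full, root)] = reasons
    return flagged


def build_sample(root):
    """Constructed sample: two clean images and two planted placeholder files."""
    samples = {"holiday.jpg": b"\xff\xd8\xff\xe0" + bytes(32),
               "logo.png": b"\x89PNG\r\n\x1a\n" + bytes(32),
               "ali_asp;ali.jpg": b"<%@ constructed placeholder %>",
               "helper.php": b"<?php /* constructed placeholder */"}
    folder = os.path.join(root, "editor_uploads", "file")
    os.makedirs(folder)
    for fname, body in samples.items():
        with open(os.path.join(folder, fname), "wb") as fh:
            fh.write(body)
```

Call `build_sample()` on an empty temporary directory and pass that directory to `audit_dir()` to see the two planted files flagged; on a live site, point `audit_dir()` at the real upload folder.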

Offline portamx

Re: CAUTION : Hacked Sites !
« Reply #8 on: 06.12.14, 13:02:19 »
We have updated PortaMx and replaced the old Fckeditor / Filemanager with a newer release. With this it's not possible to upload any files outside the ckeditor.

Offline hartiberlin

Re: CAUTION : Hacked Sites !
« Reply #9 on: 07.12.14, 17:39:43 »
Which files / directories can or must be deleted after the update from 1.52 to 1.53 ?

As something maybe went wrong in my update, probably the old directories are still there...

Please tell me, what we can delete.

Many thanks.

Offline Fisch.666

Re: CAUTION : Hacked Sites !
« Reply #10 on: 07.12.14, 18:14:00 »
Hi,

it's the folder "fckeditor" which should be removed. This one was replaced by the folder "ckeditor".

Offline Eclipse16V

Re: CAUTION : Hacked Sites !
« Reply #11 on: 07.12.14, 19:19:57 »
Yesterday I updated to 1.53.
Since then the daily attacks have stopped for now.
Let's see for how long.
I work with SMF 2.0.9:
Tornado Map
Default Theme
German & English Languages

Offline hartiberlin

Re: CAUTION : Hacked Sites !
« Reply #12 on: 07.12.14, 19:23:21 »
Is the "fckeditor" folder automatically removed by installing PortaMx 1.53 or must this be done automatically...

Sorry, as I am not at home right now, where I have all my passwords I can not look it up right now...

Regards, Stefan.

Offline Fisch.666

Re: CAUTION : Hacked Sites !
« Reply #13 on: 07.12.14, 19:27:57 »
Hi,

the fckeditor folder is automatically removed during the update from 1.52 to 1.53:

https://github.com/PortaMx/PortaMx-1.53-ecl/blob/master/package-info.xml#L36