CAUTION : Hacked Sites !

Started by hartiberlin, 25. Oct 2014, 12:43:45


hartiberlin

25. Oct 2014, 12:43:45
Attention,
my site overunity.de was hacked with SMF 2.08 and PMX 1.51 ecl

They used the path:
Editor_Uploads
to upload some Ali(1)ASP.JPG
fake pics and then executed them via some
PHP files also uploaded there into the
Images or Media or File subfolder... !

Pay attention to the Permission that you give these folders !

I have updated now to SMF 2.09 and PMX 1.52 ecl and
hope these security issues are fixed !

It seems they only made traffic, but did not delete any files...

Regards, Stefan.

portamx

#1
26. Oct 2014, 15:37:16
Yes, I know that .. same here.
But .. that is not critical, because files in this folder are used ONLY by the HTML editor (when creating an HTML block) and when writing out an HTML block (it reads the images in the HTML from this folder). PHP files are NOT read or executed from this folder.

Currently we have no information on how the files are uploaded, but it's possible that the FTP account is hacked.
So it's better that you change the pwd for FTP and use SFTP if possible.

hartiberlin

#2
31. Oct 2014, 03:23:05
But it seems it makes a lot of traffic...

Again today there are files like:
ali_asp;ali-1.jpg
to
ali_asp;ali-7.jpg
and
ali_asp;ali.jpg

in the
/editor_uploads/file/
folder

What is the best permission to not permit this anymore ?

Currently the folder was set to 755.

Should I change this to 644 only ?

Many thanks.

Regards. Stefan.

hartiberlin

#3
01. Nov 2014, 11:25:19
Maybe the FCK Editor has a leak so hackers can upload the fake image files and execute them as code ?

hartiberlin

#4
02. Nov 2014, 18:35:41
Does nobody have an idea about this security leak ? ?

Nobody has an opinion on this security problem ?

Eclipse16V

#5
04. Nov 2014, 07:14:04
Hello,

I was on vacation and have now noticed the problem too.
Exactly as with you, hartiberlin.
These files arrive in the folder every day.
But I have not found a solution yet either.
I have already changed the FTP account 2 times now and that did not help.
I work with SMF 2.0.9:
Tornado Map
Default Theme
German & English Languages

portamx

#6
04. Nov 2014, 12:07:25
We are investigating the problem, but so far there is no solution.
We have switched from FTP to SFTP and it has been quiet since then.

Fisch.666

#7
02. Dec 2014, 15:46:27
Hi,

there are lots of ways to upload files via the FCKEditor so this could be the problem here.

The file names ali_asp;ali.jpg are used to exploit a known vulnerability in IIS 6 and before.
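
A check an administrator can run over the upload folder for the file patterns reported in this thread (semicolon names such as `ali_asp;ali.jpg`, script files among the images, and "fake pics" with an image extension but no image header). This is an added example, not part of the original posts and not PortaMx code; the extension lists, function names and the sample tree are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
SCRIPT_EXTS = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".cgi"}  # assumed list
MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")  # JPEG, PNG, GIF

def classify(path):
    """Return the reasons a file in an upload folder looks suspicious."""
    ext = path.suffix.lower()
    reasons = []
    if ";" in path.name:  # e.g. "ali_asp;ali.jpg" as reported in the thread
        reasons.append("semicolon in name")
    if ext in SCRIPT_EXTS:  # scripts have no business in an image folder
        reasons.append("script extension")
    if ext in IMAGE_EXTS:
        with path.open("rb") as fh:
            if not fh.read(8).startswith(MAGIC):
                reasons.append("image extension without image header")
    return reasons

def scan(root):
    """Map relative path -> reasons for every flagged file under root."""
    findings = {}
    for path in Path(root).rglob("*"):
        reasons = classify(path) if path.is_file() else []
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

def build_sample_tree():
    """Create a constructed editor_uploads tree with harmless placeholder files."""
    root = Path(tempfile.mkdtemp(prefix="editor_uploads_"))
    samples = {
        "image/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "file/ali_asp;ali-1.jpg": b"placeholder, not an image",
        "media/notes.php": b"placeholder, not real code",
    }
    for rel, data in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root

if __name__ == "__main__":
    for rel, reasons in sorted(scan(build_sample_tree()).items()):
        print(rel, "->", ", ".join(reasons))
```

To check a real installation, call `scan()` with the path of the site's `editor_uploads` directory instead of the sample tree.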

portamx

#8
06. Dec 2014, 13:02:19
We have updated PortaMx and replaced the old Fckeditor / Filemanager with a newer release. With this it's not possible to upload any files outside the ckeditor.

hartiberlin

#9
07. Dec 2014, 17:39:43
Which files / directories can or must be deleted after the update from 1.52 to 1.53 ?

As something maybe went wrong in my update, the old directories are probably still there...

Please tell me, what we can delete.

Many thanks.

Fisch.666

#10
07. Dec 2014, 18:14:00
Hi,

it's the folder "fckeditor" which should be removed. This one was replaced by the folder "ckeditor".

Eclipse16V

#11
07. Dec 2014, 19:19:57
Yesterday I updated to 1.53.
Since then the daily attacks have stopped for now.
Let's see for how long.

hartiberlin

#12
07. Dec 2014, 19:23:21
Is the "fckeditor" folder automatically removed by installing PortaMx 1.53 or must this be done automatically...

Sorry, as I am not at home right now, where I have all my passwords I can not look it up right now...

Regards, Stefan.

Fisch.666

#13
07. Dec 2014, 19:27:57
Hi,

the fckeditor folder is automatically removed during the update from 1.52 to 1.53:

https://github.com/PortaMx/PortaMx-1.53-ecl/blob/master/package-info.xml#L36
