Zikula: A Flexible Open Source Content Management System
Postnuke Hacking

  • Posted: 19.08.2005, 16:27, by nicolas79
    Hello,

    I realized that someone has hacked my PostNuke installation 2 days ago and left some backdoors. I would like to know if some of you have experienced something similar and if someone knows where the security hole is.

    infos about the attack:

    <gallery sub directory>/menu.php
    <gallery sub directory>/index_old.php
    <gallery sub directory>/footer.php
    <gallery sub directory>/test.php
    <gallery sub directory>/config_old.php
    <wwwroot>/public_html/modules/ContentExpress/pnclass/ContentExpress.php
    <wwwroot>/public_html/modules/ContentExpress/pnclass/MenuExpress.php
    <wwwroot>/public_html/modules/ContentExpress/pneditor/ie2/wysiwyg_web_edit.php
    <wwwroot>/public_html/modules/EZComments/pnclass/Smarty/Smarty.class.php
    <wwwroot>/public_html/modules/NS-User/admin.php

    the first 5 files have been newly created with the following content


    to the other files the attacker appended the following code:


    #GUID# is a 128 bit GUID. Always the same in all files

    the new files are owned by www-data.

    all files have been placed or changed on the system in the same second. Therefore I guess it was an automatic attack.

    I am using PostNuke 0.7.2.6-Phoenix

    I have the following Modules installed (the rest are custom made)

    ContentExpress/
    EZComments/
    htmlpages/
    phpBB_14/
    pn_bbclick/
    pn_bbcode/
    pn_bbsmile/
    pnFlashGames/

    Additional Software:
    Mediamax manager v0.1.27-RC

    Has anybody experienced something similar?

    I checked all logfiles, but still don't know how the system was compromised.

    If you want to check if someone has changed files on your system, run the following command in the web root:

    find . -iregex '.*\.php$' -mtime -5

    It will return all PHP files changed in the last 5 days. If the changes have not been made by you, perhaps they have been made by a hacker.
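
Added example (not part of the original posts): a shell sketch of the triage the first post describes, listing recently changed PHP files, those sharing one modification second, those owned by the web server account, and those containing a known marker string. It assumes GNU find and GNU grep; the function names and parameters are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Requires GNU find and GNU grep.
# All function names and parameters are assumptions of this sketch.

# recent_php WEBROOT DAYS
# Prints "mtime_epoch owner path" for PHP files changed in the last DAYS days.
recent_php() {
    find "$1" -type f -iname '*.php' -mtime "-$2" -printf '%T@ %u %p\n' |
        sed 's/^\([0-9]*\)\.[0-9]*/\1/' | sort -n
}

# same_second WEBROOT DAYS MIN
# Keeps only files whose mtime (to the second) is shared by at least MIN
# files: the "all changed in the same second" pattern from the post.
same_second() {
    recent_php "$1" "$2" | awk -v min="$3" '
        { count[$1]++; lines[$1] = lines[$1] $0 "\n" }
        END { for (t in count) if (count[t] >= min) printf "%s", lines[t] }'
}

# owned_by WEBROOT DAYS USER
# Keeps only recently changed files owned by USER, e.g. www-data.
owned_by() {
    recent_php "$1" "$2" | awk -v u="$3" '$2 == u'
}

# with_marker WEBROOT MARKER
# Lists PHP files containing the fixed string MARKER (the shared GUID).
with_marker() {
    grep -rlF --include='*.php' -- "$2" "$1"
}
```

For example, `same_second . 5 3` run from the web root lists groups of three or more PHP files stamped in the same second.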
  • Posted: 19.08.2005, 17:00, by larsneo
    Quote: I am using PostNuke 0.7.2.6-Phoenix

    please update to .75b and especially take care of PNSA 2005-3

    -----
    regards from germany
  • Posted: 19.08.2005, 17:09, by nicolas79
    Quote (larsneo): especially take care of PNSA 2005-3


    Thank you for the input. I will update.

    The xmlrpc Module has not been the problem since I removed it after PNSA 2005-3 was published.
