CAUTION : Hacked Sites !

Started by hartiberlin, 2 years ago


hartiberlin

2 years ago
Attention,
my site overunity.de was hacked with SMF 2.08 and PMX 1.51 ecl

They used the path:
Editor_Uploads
to upload some Ali(1)ASP.JPG
fake pics and then executed them via some
PHP files also uploaded there into the
Images or Media or File subfolder... !

Pay attention to the permissions that you give these folders !

I have updated now to SMF 2.09 and PMX 1.52 ecl and
hope these security issues are fixed !

It seems they only made traffic, but did not delete any files...

Regards, Stefan.

portamx

#1
2 years ago
Yes, I know that .. same here.
But .. that is not critical, because files in this folder are used ONLY by the HTML editor (on creating an HTML block) and on writing out an HTML block (it reads the images in the HTML from this folder). PHP files are NOT read or executed from this folder.

Currently we have no information on how the files are uploaded, but it's possible that the FTP account is hacked.
So it's better that you change the pwd for FTP and use SFTP if possible.

hartiberlin

#2
2 years ago
But it seems it makes a lot of traffic...

Again today there are files like:
ali_asp;ali-1.jpg
to
ali_asp;ali-7.jpg
and
ali_asp;ali.jpg

in the
/editor_uploads/file/
folder

What is the best permission to not permit this anymore ?

Currently the folder was set to 755.

Should I change this to 644 only ?

Many thanks.

Regards. Stefan.

hartiberlin

#3
2 years ago
Maybe the FSK Editor has a leak so hackers can upload the fake image files and execute them as code ?

hartiberlin

#4
2 years ago
Does nobody have an idea about this security leak ?

Nobody has an opinion on this security problem ?

Eclipse16V

#5
2 years ago
Hello,

I was on vacation and have now noticed the problem as well.
Exactly as with you, hartiberlin.
These files arrive in the folder daily.
But I have not found a solution yet either.
I have already changed the FTP account twice now, and that did not help.
I work with SMF 2.0.9:
Tornado Map
Default Theme
German & English Languages

portamx

#6
2 years ago
We are investigating the problem, but so far there is no solution.
We switched from FTP to SFTP, and it has been quiet since then.

Fisch.666

#7
2 years ago
Hi,

there are lots of ways to upload files via the FCKEditor so this could be the problem here.

The file names ali_asp;ali.jpg are used to exploit a known vulnerability in IIS 6 and before.
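
An added example, not part of the original thread and not SMF or PortaMx code: a small Python audit of an editor upload folder that flags the patterns reported above (semicolon names such as `ali_asp;ali.jpg`, script files, and image-named files whose content is not an image). The function names, the extension list and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed lists for illustration; extend to whatever your server can execute.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".asp", ".aspx", ".cgi", ".pl"}
IMAGE_MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
               ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}

def check_file(path):
    """Return the reasons an uploaded file looks suspicious (empty if none)."""
    name = os.path.basename(path).lower()
    reasons = []
    if ";" in name:  # naming pattern reported in the thread: 'ali_asp;ali.jpg'
        reasons.append("semicolon in file name")
    # Script extension anywhere in the name, e.g. 'x.php' or 'x.php.jpg'
    parts = {"." + p for p in name.replace(";", ".").split(".")[1:]}
    if parts & SCRIPT_EXTS:
        reasons.append("script extension in file name")
    ext = os.path.splitext(name)[1]
    if ext in IMAGE_MAGIC:
        with open(path, "rb") as fh:
            if not fh.read(8).startswith(IMAGE_MAGIC[ext]):
                reasons.append("content does not match image extension")
    return reasons

def audit_upload_dir(root):
    """Walk root and return {relative_path: [reasons]} for suspicious files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if reasons := check_file(full):
                findings[os.path.relpath(full, root)] = reasons
    return findings

def build_sample_tree():
    """Constructed sample folder using the file names reported in the thread."""
    root = tempfile.mkdtemp(prefix="editor_uploads_")
    os.makedirs(os.path.join(root, "file"))
    samples = {"ali_asp;ali.jpg": b"<% constructed placeholder %>",
               "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
               "helper.php": b"<?php /* constructed placeholder */ ?>"}
    for fname, data in samples.items():
        with open(os.path.join(root, "file", fname), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    print(audit_upload_dir(build_sample_tree()))
```

Point `audit_upload_dir` at the real upload folder (for example the `editor_uploads` directory named in the first post) to list files that need a closer look.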

portamx

#8
2 years ago
We have updated PortaMx and replaced the old Fckeditor / Filemanager with a newer release. With this it's not possible to upload any files outside the ckeditor.

hartiberlin

#9
2 years ago
Which files / directories can or must be deleted after the update from 1.52 to 1.53 ?

As something maybe went wrong in my update, probably the old directories are still there...

Please tell me, what we can delete.

Many thanks.

Fisch.666

#10
2 years ago
Hi,

it's the folder "fckeditor" which should be removed. This one was replaced by the folder "ckeditor".

Eclipse16V

#11
2 years ago
Yesterday I updated to 1.53.
Since then the daily attacks have stopped for now.
Let's see for how long.
I work with SMF 2.0.9:
Tornado Map
Default Theme
German & English Languages

hartiberlin

#12
2 years ago
Is the "fckeditor" folder automatically removed by installing PortaMx 1.53 or must this be done automatically...

Sorry, as I am not at home right now, where I have all my passwords I can not look it up right now...

Regards, Stefan.

Fisch.666

#13
2 years ago
Hi,

the fckeditor folder is automatically removed during the update from 1.52 to 1.53:

https://github.com/PortaMx/PortaMx-1.53-ecl/blob/master/package-info.xml#L36