
CAUTION : Hacked Sites !

Started by hartiberlin, 2014 October 25, 12:43:45 pm


hartiberlin

2014 October 25, 12:43:45 pm
Attention,
my site overunity.de was hacked with SMF 2.08 and PMX 1.51 ecl

They used the path:
Editor_Uploads
to upload some Ali(1)ASP.JPG
fake pics and then executed them via some
PHP files also uploaded there into the
Images or Media or File subfolder... !

Pay attention to the Permission that you give these folders !

I have updated now to SMF 2.09 and PMX 1.52 ecl and
hope these security issues are fixed !

It seems they only made traffic, but did not delete any files...

Regards, Stefan.

portamx

#1
2014 October 26, 03:37:16 pm
Yes, I know that .. same here.
But .. that is not critical, because files in this folder are used ONLY by the HTML editor (when creating an HTML block) and when writing out an HTML block (it reads the images in the HTML from this folder). PHP files are NOT read or executed from this folder.

Currently we have no information on how the files are uploaded, but it's possible that the FTP account is hacked.
So it's better that you change the password for FTP and use SFTP if possible.
The best comes last

hartiberlin

#2
2014 October 31, 03:23:05 am
But it seems it makes a lot of traffic...

Again today there are files like:
ali_asp;ali-1.jpg
to
ali_asp;ali-7.jpg
and
ali_asp;ali.jpg

in the
/editor_uploads/file/
folder

What is the best permission to not permit this anymore ?

Currently the folder was set to 755.

Should I change this to 644 only ?

Many thanks.

Regards. Stefan.

hartiberlin

#3
2014 November 01, 11:25:19 am
Maybe the FCK Editor has a leak so hackers can upload the fake image files and execute them as code?

hartiberlin

#4
2014 November 02, 06:35:41 pm
Does nobody have an idea about this security leak??

Nobody has an opinion on this security problem?

Eclipse16V

#5
2014 November 04, 07:14:04 am
Hello,

I was on vacation and have now noticed the problem too.
Exactly as with you, hartiberlin.
Every day these files show up in the folder.
But I haven't found a solution yet either.
I have also changed the FTP account twice already, and that didn't help.

portamx

#6
2014 November 04, 12:07:25 pm
We are investigating the problem, but so far there is no solution.
We switched from FTP to SFTP and it has been quiet since then.
The best comes last

Fisch.666

#7
2014 December 02, 03:46:27 pm
Hi,

there are lots of ways to upload files via the FCKEditor so this could be the problem here.

The file names ali_asp;ali.jpg are used to exploit a known vulnerability in IIS 6 and before.
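
A defender-side check for the pattern this thread describes (files with image extensions that are not images, names such as `ali_asp;ali-1.jpg`, and PHP files inside the editor upload folder), added here as an example and not part of any post or of PortaMx. The function names, the extension list and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Leading bytes of the image types an editor upload folder should contain.
IMAGE_MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
               ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}
# Script extension as the last extension or hidden before it ("x.asp;y.jpg", "x.php.jpg").
SCRIPT_IN_NAME = re.compile(r"\.(asp|aspx|php\d?|phtml|cgi|pl)([;.]|$)", re.I)

def audit_file(path):
    """Return the reasons a file in an upload folder is suspicious ([] = clean)."""
    path = Path(path)
    ext = path.suffix.lower()
    reasons = []
    if ";" in path.name:
        reasons.append("semicolon in name")
    if SCRIPT_IN_NAME.search(path.name):
        reasons.append("script extension")
    with path.open("rb") as fh:
        data = fh.read(65536)  # the first 64 KiB is enough for both content checks
    if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        reasons.append("not a real image")
    if b"<?php" in data.lower():
        reasons.append("PHP open tag in content")
    return reasons

def scan_uploads(root):
    """Walk root recursively and map each suspicious relative path to its reasons."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and (reasons := audit_file(path)):
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

def demo():
    """Scan a constructed upload folder (harmless sample files, made up for this example)."""
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,         # genuine JPEG header
        "ali_asp;ali-1.jpg": b"constructed text, not image data",  # name pattern from the thread
        "up.php": b"<?php /* constructed placeholder */ ?>",
        "logo.gif": b"GIF89a<?php /* constructed placeholder */ ?>",  # valid header, PHP inside
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_bytes(body)
        return scan_uploads(root)

if __name__ == "__main__":
    print(demo())
```

Pointing `scan_uploads()` at the real `editor_uploads` directory from a daily cron job gives an early signal when new files of this kind appear.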

portamx

#8
2014 December 06, 01:02:19 pm
We have updated PortaMx and replaced the old Fckeditor / Filemanager with a newer release. With this it's not possible to upload any files outside the ckeditor.
The best comes last

hartiberlin

#9
2014 December 07, 05:39:43 pm
Which files / directories can or must be deleted after the update from 1.52 to 1.53 ?

As something maybe went wrong in my update, the old directories are probably still there...

Please tell me, what we can delete.

Many thanks.

Fisch.666

#10
2014 December 07, 06:14:00 pm
Hi,

it's the folder "fckeditor" which should be removed. This one was replaced by the folder "ckeditor".

Eclipse16V

#11
2014 December 07, 07:19:57 pm
Yesterday I updated to 1.53.
Since then the daily attacks have stopped for now.
Let's see for how long.

hartiberlin

#12
2014 December 07, 07:23:21 pm
Is the "fckeditor" folder automatically removed by installing PortaMx 1.53 or must this be done automatically...

Sorry, as I am not at home right now, where I have all my passwords I can not look it up right now...

Regards, Stefan.

Fisch.666

#13
2014 December 07, 07:27:57 pm
Hi,

the fckeditor folder is automatically removed during the update from 1.52 to 1.53:

https://github.com/PortaMx/PortaMx-1.53-ecl/blob/master/package-info.xml#L36