
Textpattern CMS support forum


#1 2008-03-26 09:53:40

chebureki22
New Member
Registered: 2004-11-13
Posts: 8

TXP hacked?

Hello,

According to the message on my site, it has been hacked. It’s a small site, but apparently, the hacker has been going around. The message is this: “Hacked By GHoST61 – UyuSsman | HackShow.Us.”

I contacted the host company; they blame the CMS, even though their PHP version appears to be out of date. Would anyone be able to help? Thanks.

Here are the detailed diagnostics:

Textpattern version: 4.0.4 (r1956)
Last Update: 2006-11-27 19:44:09/2006-11-27 19:25:13
Document root: /hsphere/local/home/fireguy5/allaboutlatvia.com
$path_to_site: /hsphere/local/home/fireguy5/allaboutlatvia.com
Textpattern path: /hsphere/local/home/fireguy5/allaboutlatvia.com/textpattern
Permanent link mode: section_id_title
Temporary directory path: /hsphere/local/home/fireguy5/allaboutlatvia.com/textpattern/tmp/
Site URL: www.allaboutlatvia.com
PHP version: 4.3.11
Register globals: 1
Server Local Time: 2008-03-26 04:52:03
MySQL: 4.1.20-max-log
Locale: en_GB.UTF-8
Server: Apache
Apache version: Apache
PHP Server API: apache
RFC 2616 headers:
Server OS: Linux 2.6.14.4
Active plugins: zem_contact-0.6, rss_suparchive-0.17, txp_icio_us-1.4, mdp_calendar-0.4.3, vg_related_articles-0.1, mrh_email_article_link-0.5, jas_popular_articles-0.1, sgb_url_handler-0.1.5, mrw_spamkeywords_urlcount-0.1, asy_captcha-1.0m, tcm_is_this-0.6c

Pre-flight check:
————————————
Your version of PHP has security related risks. Please turn register_globals off or update to a newer PHP version.
clean_url_data_failed: <h1>Hacked By GHoST61 – UyuSsman | HackShow.Us</h1>
————————————

.htaccess file contents:
————————————
#DirectoryIndex index.php index.html
#Options +FollowSymLinks
#RewriteBase /relative/web/path/

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.+) - [PT,L]

RewriteRule ^(.*) index.php
</IfModule>

#php_value register_globals 0

————————————

Charset (default/config): latin1/utf8
character_set_client: utf8
character_set_connection: utf8
character_set_database: latin1
character_set_results: utf8
character_set_server: latin1
character_set_system: utf8
character_sets_dir: /usr/share/mysql/charsets/
19 Tables: textpattern is latin1, txp_category is latin1, txp_css is latin1, txp_discuss is latin1, txp_discuss_ipban is latin1, txp_discuss_nonce is latin1, txp_file is latin1, txp_form is latin1, txp_image is latin1, txp_lang is latin1, txp_link is latin1, txp_log is latin1, txp_log_mention is latin1, txp_page is latin1, txp_plugin is latin1, txp_prefs is latin1, txp_priv is latin1, txp_section is latin1, txp_users is latin1

PHP extensions: zip, xslt, xmlrpc/0.51, xml, tokenizer/0.1, standard/4.3.11, sockets, session, pspell, posix, pgsql, pfpro, pdf, pcre, overload, mysql, mnogosearch, mhash, mcrypt, mbstring, imap, iconv, gettext, gd, ftp, exif/1.4 $Id: exif.c,v 1.118.2.37 2005/03/22 22:07:03 edink Exp $, domxml/20020815, dba, curl, ctype, calendar, bz2, bcmath, zlib/1.1, openssl, apache, Zend Optimizer

pretext_data: <h2>Hack Bir Show’dur</h2>
<title>Hacked By HackShow.Us</title><br />



#2 2008-03-26 11:43:59

Walker
Plugin Author
From: Boston, MA
Registered: 2004-02-24
Posts: 592
Website

Re: TXP hacked?

Yeah, it’s PHP’s fault. Look here at the changes between just 4.3.1 and 4.3.2.

http://www.php.net/ChangeLog-4.php


#3 2008-03-26 12:08:39

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: TXP hacked?

And “Register Globals” should really be disabled nowadays if you care about security.


#4 2008-03-26 22:55:39

Mary
Sock Enthusiast
Registered: 2004-06-27
Posts: 6,236

Re: TXP hacked?

Do your server logs reveal anything about how and where the site was hacked? What are the permissions on your images/files/tmp folders?
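
One way to answer the permissions question above, as an added example that is not part of the thread: a small audit that flags world-writable entries and server-side scripts inside the images, files and tmp folders. It assumes Textpattern's default layout (images/, files/ and textpattern/tmp/ under the site root); the function names and the sample tree are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Textpattern's default layout:
# images/, files/ and textpattern/tmp/ under the site root.

# audit_txp_dirs SITE_ROOT
# Prints one finding per line as "<TYPE> <path>":
#   MISSING         expected directory does not exist
#   WORLD_WRITABLE  the "other" write bit is set (e.g. 0777 dir, 0666 file)
#   SCRIPT          server-side script inside an upload or temp directory
audit_txp_dirs() {
    root=$1
    for dir in images files textpattern/tmp; do
        target="$root/$dir"
        if [ ! -d "$target" ]; then
            echo "MISSING $target"
            continue
        fi
        find "$target" \( -type d -o -type f \) -perm -0002 -print |
            sed 's/^/WORLD_WRITABLE /'
        # These directories should hold data only, never executable scripts.
        find "$target" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.cgi' -o -iname '*.pl' \) -print |
            sed 's/^/SCRIPT /'
    done
}

# make_sample_tree: builds a constructed (fake) site root for a dry run
# and prints its path. Modes are set explicitly so umask does not matter.
make_sample_tree() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/txp-audit.XXXXXX") || return 1
    mkdir "$d/images" "$d/files"
    : > "$d/images/1.jpg"
    : > "$d/files/report.pdf"
    : > "$d/files/upload.php"     # constructed stand-in for a dropped script
    chmod 777 "$d/images"
    chmod 755 "$d/files"
    chmod 644 "$d/images/1.jpg" "$d/files/report.pdf" "$d/files/upload.php"
    echo "$d"
}

# Usage: sh audit.sh /path/to/site/root
if [ $# -gt 0 ]; then
    audit_txp_dirs "$1"
fi
```

Any SCRIPT finding in these folders deserves a look at its modification time and contents before the site is restored.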
