[pLog-svn] hacked...

Jon Daley
Tue Feb 21 22:03:17 EST 2012

 	Hi all.  I noticed today that one of my LifeType installations was 
hacked.  I narrowed it down to a four minute window (the hacker was nice 
enough to include bad JavaScript in the template file he edited, so the 
error.log started spewing errors immediately).
 	Unfortunately, Apache didn't log enough data to let me know what 
happened, but even suhosin wasn't enough to protect me from this hack.

 	There are two requests that appear to be the problems:

 - - [15/Feb/2012:14:37:21 -0500] "GET /post/wp-cache-rss-feeds HTTP/1.1" 400 763 "" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60"
 - - [15/Feb/2012:14:37:28 -0500] "GET /post/wp-cache-rss-feeds HTTP/1.1" 400 1133 "" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60"

I originally didn't even see them since they look pretty innocuous.

But, as best as I can tell, some data was included in the headers of the 
GET request that enabled LifeType to write to a template file.  Seems 
pretty crazy to me, but I don't see any other signs of entry.

The user that the blog runs on ran nothing but PHP the entire week 
preceding when I discovered it, so that means that anything he did should 
be in the Apache log files.  I see nothing interesting in the logs.

It seems that there must be something added in the Content-Accept or other 
header that LifeType isn't being careful about.

I am running PHP 5.2.6, and have been meaning to upgrade, but have been 
worried that I might have old PHP that might not work on 5.3, so haven't 
gotten around to upgrading yet.

Any ideas?

Jon Daley
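
An added example, not part of the original post: one way to triage an access log around the moment error.log first complained, so that innocuous-looking 4xx requests like the two quoted above stand out. The log lines are constructed in Apache combined format (the 192.0.2.x addresses, the 200 lines and the first-error timestamp are assumptions), and it can only show what that format records, not request headers.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in Apache "combined" format. The two 400 lines mirror the
# requests quoted in the post; the 192.0.2.x addresses and 200 lines are made up.
SAMPLE_LOG = '''\
192.0.2.7 - - [15/Feb/2012:14:20:02 -0500] "GET /index.php HTTP/1.1" 200 5120 "" "Mozilla/5.0"
192.0.2.10 - - [15/Feb/2012:14:37:21 -0500] "GET /post/wp-cache-rss-feeds HTTP/1.1" 400 763 "" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60"
192.0.2.10 - - [15/Feb/2012:14:37:28 -0500] "GET /post/wp-cache-rss-feeds HTTP/1.1" 400 1133 "" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60"
192.0.2.7 - - [15/Feb/2012:14:38:40 -0500] "GET /index.php HTTP/1.1" 200 5120 "" "Mozilla/5.0"
'''

LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def suspects(log_text, first_error, minutes=4):
    """Requests in the window before first_error that returned 4xx/5xx,
    grouped by (host, path, status) with the response sizes seen."""
    start = first_error - timedelta(minutes=minutes)
    groups = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not (start <= rec["ts"] <= first_error):
            continue
        if rec["status"] >= 400:
            key = (rec["host"], rec["path"], rec["status"])
            groups.setdefault(key, []).append(rec["size"])
    return groups

# Assumed time of the first error.log entry (the post gives no exact value).
FIRST_ERROR = datetime.strptime("15/Feb/2012:14:38:00 -0500", TS_FORMAT)

if __name__ == "__main__":
    for key, sizes in suspects(SAMPLE_LOG, FIRST_ERROR).items():
        print(key, "sizes:", sizes)
```

The same path and status returning two different body sizes seconds apart, as in the grouped output here, is the kind of detail that is easy to miss when reading the raw log.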
