[pLog-svn] hacked...

Mark Wu markplace at gmail.com
Tue Feb 21 23:46:06 EST 2012


Did you install the Template Editor?

Is it possible they used a CSRF attack to modify the template through the
template editor?

BTW, my sites were hacked several times before, but all of them came from
security holes in SMF, especially the avatar upload. :(

Mark

2012/2/22 Jon Daley <plogworld at jon.limedaley.com>

> Hi all.  I noticed today that one of my lifetype installations was
> hacked.  I narrowed it down to a four minute window (the hacker was nice
> enough to include bad javascript in the template file he edited, so the
> error.log started spewing errors immediately).
> Unfortunately, apache didn't log enough data to let me know what
> happened, but even suhosin wasn't enough to protect me from this hack.
>
> There are two requests that appear to be the problems:
> 41.236.172.114 - - [15/Feb/2012:14:37:21 -0500] "GET
> /post/wp-cache-rss-feeds HTTP/1.1" 400 763 "" "Opera/9.80 (Windows NT 5.1;
> U; en) Presto/2.10.229 Version/11.60"
> 41.236.172.114 - - [15/Feb/2012:14:37:28 -0500] "GET
> /post/wp-cache-rss-feeds HTTP/1.1" 400 1133 "" "Opera/9.80 (Windows NT 5.1;
> U; en) Presto/2.10.229 Version/11.60"
>
> I originally didn't even see them since they look pretty innocuous.
>
> But, as best as I can tell, some data was included in the headers of the
> GET request that enabled LifeType to write to a template file.  Seems
> pretty crazy to me, but I don't see any other signs of entry.
>
> The user that the blog runs as ran nothing but php the entire week
> preceding when I discovered it, so that means that anything he did should
> be in the apache log files.  I see nothing interesting in the logs.
>
> It seems that there must be something added in the Content-Accept or other
> header that LifeType isn't being careful about.
>
> I am running PHP 5.2.6, and have been meaning to upgrade, but have been
> worried that I might have old PHP that might not work on 5.3, so haven't
> gotten around to upgrading yet.
>
> Any ideas?
>
> --
> Jon Daley
> http://jon.limedaley.com
> ~~
> Joy is the infallible sign of the presence of God.
> -- Leon Bloy
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
>
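Jon's approach above, working back from the moment error.log started complaining to the few minutes of access-log traffic that must contain the template change, can be scripted so the same window is checked consistently across installations. The following Python is an added example, not code from this thread or from LifeType: it parses Apache combined-format lines (the two requests quoted above, rejoined onto single lines, plus two benign requests constructed here for contrast), takes the time of the first symptom as input, and groups the requests in the preceding window by client so the 400 responses stand out. The 14:38:00 symptom time, the 10.0.0.5 entries and the four-minute lookback are assumptions for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: the two requests quoted in the thread, rejoined onto
# one line each, plus two ordinary requests invented here for contrast.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Feb/2012:14:20:03 -0500] "GET /index.php HTTP/1.1" 200 5120 "http://example.invalid/" "Mozilla/5.0"
41.236.172.114 - - [15/Feb/2012:14:37:21 -0500] "GET /post/wp-cache-rss-feeds HTTP/1.1" 400 763 "" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60"
41.236.172.114 - - [15/Feb/2012:14:37:28 -0500] "GET /post/wp-cache-rss-feeds HTTP/1.1" 400 1133 "" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60"
10.0.0.5 - - [15/Feb/2012:14:50:44 -0500] "GET /post/hello HTTP/1.1" 200 4200 "http://example.invalid/" "Mozilla/5.0"
"""


def parse_time(stamp):
    """Parse an Apache %t value such as '15/Feb/2012:14:37:21 -0500'."""
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["time"] = parse_time(entry["time"])
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def parse_log(text):
    """Parse every well-formed line of an access log; unparseable lines are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def lookback(entries, first_symptom, minutes):
    """Requests in the `minutes` before `first_symptom` (here: the first error.log
    entry caused by the tampered template). The change must predate the symptom."""
    start = first_symptom - timedelta(minutes=minutes)
    return [e for e in entries if start <= e["time"] <= first_symptom]


def triage(entries):
    """Group entries by client and note why a client deserves a closer look.

    Signals used (nothing more is claimed): an error status, meaning Apache or the
    application rejected the request (for a 400, the request line or headers were
    not what the server expected), and several such responses from one client.
    """
    per_host = defaultdict(lambda: {"count": 0, "errors": 0, "paths": set(), "reasons": []})
    for e in entries:
        h = per_host[e["host"]]
        h["count"] += 1
        h["paths"].add(e["path"])
        if e["status"] >= 400:
            h["errors"] += 1
    flagged = {}
    for host, h in per_host.items():
        if h["errors"]:
            h["reasons"].append(f"{h['errors']} error response(s)")
        if h["errors"] >= 2:
            h["reasons"].append("repeated errors in one burst")
        if h["reasons"]:
            flagged[host] = h
    return flagged


if __name__ == "__main__":
    # Assumed symptom time: just after the two quoted requests.
    window = lookback(parse_log(SAMPLE_LOG), parse_time("15/Feb/2012:14:38:00 -0500"), minutes=4)
    for host, info in triage(window).items():
        print(host, info["count"], "requests;", "; ".join(info["reasons"]), sorted(info["paths"]))
```

The access log only records what mod_log_config is configured to write, so a GET whose interesting content sits in a request header (as Jon suspects) shows up here merely as an odd status and an unexpected path; the script narrows the set of lines to read, it does not prove what those requests carried. Logging the full request headers for the window (for example with mod_dumpio or a LogFormat that includes the headers in question) is what would settle it.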

