[pLog-svn] hacked...

Jon Daley plogworld at jon.limedaley.com
Tue Feb 21 23:48:37 EST 2012


The templateeditor is installed, and that makes the most sense, but there 
isn't anything in the apache logs, which there would have to be if that 
was the attack vector.

I checked the apache logs, and no one has used the templateeditor plugin in 
6 months.

On Wed, 22 Feb 2012, Mark Wu wrote:

> Did you install Template Editor?
>
> Is it possible they used a CSRF attack to modify the template through the
> template editor?
>
> BTW, my sites were hacked several times before, but all of them came from
> security holes in SMF. Especially from the avatar upload. :(
>
> Mark
>
> 2012/2/22 Jon Daley <plogworld at jon.limedaley.com>
>
>>        Hi all.  I noticed today that one of my lifetype installations was
>> hacked.  I narrowed it down to a four minute window (the hacker was nice
>> enough to include bad javascript in the template file he edited, so the
>> error.log started spewing errors immediately).
>>        Unfortunately, apache didn't log enough data to let me know what
>> happened, but even suhosin wasn't enough to protect me from this hack.
>>
>>        There are two requests that appear to be the problems:
>> 41.236.172.114 - - [15/Feb/2012:14:37:21 -0500] "GET
>> /post/wp-cache-rss-feeds HTTP/1.1" 400 763 "" "Opera/9.80 (Windows NT 5.1;
>> U; en) Presto/2.10.229 Version/11.60"
>> 41.236.172.114 - - [15/Feb/2012:14:37:28 -0500] "GET
>> /post/wp-cache-rss-feeds HTTP/1.1" 400 1133 "" "Opera/9.80 (Windows NT 5.1;
>> U; en) Presto/2.10.229 Version/11.60"
>>
>> I originally didn't even see them since they look pretty innocuous.
>>
>> But, as best as I can tell, some data was included in the headers of the
>> GET request that enabled LifeType to write to a template file.  Seems
>> pretty crazy to me, but I don't see any other signs of entry.
>>
>> The user that the blog runs on ran nothing but php the entire week
>> preceding when I discovered it, so that means that anything he did should
>> be in the apache log files.  I see nothing interesting in the logs.
>>
>> It seems that there must be something added in the Content-Accept or other
>> header that LifeType isn't being careful about.
>>
>> I am running PHP 5.2.6, and have been meaning to upgrade, but have been
>> worried that I might have old PHP that might not work on 5.3, so haven't
>> gotten around to upgrading yet.
>>
>> Any ideas?
>>
>> --
>> Jon Daley
>> http://jon.limedaley.com
>> ~~
>> Joy is the infallible sign of the presence of God.
>> -- Leon Bloy
>> _______________________________________________
>> pLog-svn mailing list
>> pLog-svn at devel.lifetype.net
>> http://limedaley.com/mailman/listinfo/plog-svn
>>
>

-- 
Jon Daley
http://jon.limedaley.com
~~
Truth is beautiful, without doubt; but so are lies.
-- Ralph Waldo Emerson