Do you installed Template Editor?<br><br>Is that possible they used CSRF attack to modify the template through template editor?<br><br>BTW, my sites hacked several times before, but all of them came from the security holes of SMF. Especially, from the avatar upload. :(<br>
<br>Mark<br><br><div class="gmail_quote">2012/2/22 Jon Daley <span dir="ltr"><<a href="mailto:plogworld@jon.limedaley.com" target="_blank">plogworld@jon.limedaley.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi all. I noticed today that one of my lifetype installations was hacked. I narrowed it down to a four minute window (the hacker was nice enough to include bad javascript in the template file he edited, so the error.log started spewing errors immediately.<br>
Unfortunately, apache didn't log enough data to let me know what happened, but even suhosin wasn't enough to protect me from this hack.<br>
<br>
There are two requests that appear to be the problems:<br>
41.236.172.114 - - [15/Feb/2012:14:37:21 -0500] "GET /post/wp-cache-rss-feeds HTTP/1.1" 400 763 "" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60"<br>
41.236.172.114 - - [15/Feb/2012:14:37:28 -0500] "GET /post/wp-cache-rss-feeds HTTP/1.1" 400 1133 "" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60"<br>
<br>
I originally didn't even see them since they look pretty innocuous.<br>
<br>
But, as best as I can tell, some data was included in the headers of the GET request that enabled LifeType to write to a template file. Seems pretty crazy to me, but I don't see any other signs of entry.<br>
<br>
The user that the blog runs on ran nothing but php the entire week proceeding when I discovered it, so that means that anything he did should be in the apache log files. I see nothing interesting in the logs.<br>
<br>
It seems that there must be something added in the Content-Accept or other header that LifeType isn't being careful about.<br>
<br>
I am running PHP 5.2.6, and have been meaning to upgrade, but have been worried that I might have old PHP that might not work on 5.3, so haven't gotten around to upgrading yet.<br>
<br>
Any ideas?<span><font color="#888888"><br>
<br>
-- <br>
Jon Daley<br>
<a href="http://jon.limedaley.com" target="_blank">http://jon.limedaley.com</a><br>
~~<br>
Joy is the infallible sign of the presence of God.<br>
-- Leon Bloy<br>
______________________________<u></u>_________________<br>
pLog-svn mailing list<br>
<a href="mailto:pLog-svn@devel.lifetype.net" target="_blank">pLog-svn@devel.lifetype.net</a><br>
<a href="http://limedaley.com/mailman/listinfo/plog-svn" target="_blank">http://limedaley.com/mailman/<u></u>listinfo/plog-svn</a><br>
</font></span></blockquote></div><br>