[Lazarus] Lazarus Forum seems to be hacked!

Marc Weustink marc at dommelstein.net
Wed Jan 27 23:04:17 CET 2010

Matt Shaffer wrote:
> On Wed, Jan 27, 2010 at 10:37 AM, Marc Weustink 
> <marc.weustink at cuperus.nl <mailto:marc.weustink at cuperus.nl>> wrote:
>     The "infection" is removed. We're currently investigating where it
>     came from.
>     The smf forum was  uptodate (1.1.11). Unfortunately when restoring
>     things, a previous index.php was used, which reports the older
>     version. (which is the only diff of the file)
>     I fear the ease of the update process made it also possible to write
>     new contents.
>     Marc
> I don't see how the ease of the update process would give hackers an 
> advantage... after all, you still have to have an admin account to 
> perform that activity.

It requires the smf dir and file to be writable for the user the forum 
is runnng on. Which means that any leak can write to these files.

> Keep in mind:
> 1. An outdated index.php could be a possible culprit, if it had any 
> security vulnerabilities with it (although I highly doubt this)

Is up to date

> 2. Any  mods installed may have vulnerabilities

We don't have many mods

> 3. If the person updating the forum to 1.1.11 ignored warning messages 
> about files not being writable, etc, there may still be an outdated file 
> with a vulnerability from 1.1.10

We were up to date without any warning.

> 4. SMF doesn't necessarily have to be the culprit. Exploits in other 
> software may have given the intruder file/ftp access, allowing him to 
> change any files anywhere.

there is no public external access to that machine. No shell, no ftp. 
only web.


More information about the Lazarus mailing list