[Lazarus] Lazarus Forum seems to be hacked!
Marc Weustink
marc.weustink at cuperus.nl
Thu Jan 28 10:29:28 CET 2010
Matt Shaffer wrote:
> Right, but what I meant was if someone manages to upload their own PHP
> file to the lazarus server, they can easily have uploaded a PHP file
> manager which has the capability of deleting files, etc, without ever
> needing ssh/ftp (this assumes the attack was done through a vulnerable
> piece of software, that had write permissions, etc.)
>
> I don't think this scenario is extremely likely.
This is probably what happened.
As I see now, together with tinyportal comes an outdated FCKeditor. This
editor has known issues. The file manager in this editor has access to
some tp subdir where we found a php "filemanager" through which you
could upload files to the whole site.
This way some "buy-your-software-here" webshop got installed and then
managed to add a piece of encoded php to index.php.
What this encoded piece did was access a remote server, which in its
turn returned a piece of php which got executed. This piece of php
accesses our or similar webshops to generate traffic.
This last part made browsing the site slow.
At this moment the FCKeditor is disabled and removed.
Marc
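As an added example that is not part of this thread or of the Lazarus project: a small scan of the kind a site admin could run over a web root after an incident like the one Marc describes, looking for PHP files that carry an encoded loader (an eval() wrapped around a decoder, or around the result of a remote fetch) of the sort that was appended to index.php. The signature names, the `tp/` directory layout and the sample files are constructed for this example; the "encoded" blob is just base64 of a harmless string so that the script is self-contained.

```python
"""Scan a web root for PHP files carrying injected, encoded payloads.

Added example, not code from the Lazarus project. Signature names,
paths and sample files below are constructed for illustration.
"""
import base64
import re
import tempfile
from pathlib import Path

# Signature set (assumption of this example, not an official taxonomy).
SIGNATURES = {
    # eval() wrapped around a decoder: the classic shape of an encoded loader
    "eval_of_decoded": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # executing whatever a remote server returns (the behaviour described above)
    "eval_of_remote_fetch": re.compile(
        r"eval\s*\(\s*(?:file_get_contents|curl_exec)\s*\(", re.I),
    # include/require straight from a URL
    "remote_include": re.compile(
        r"(?:include|require)(?:_once)?\s*\(?\s*['\"]https?://", re.I),
    # a long unbroken run of base64 alphabet is unusual in hand-written PHP
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}


def scan_php_source(source: str) -> list[str]:
    """Return the sorted names of signatures that match this PHP source."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(source))


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Scan every *.php file under root; report only files with findings.

    Paths are reported relative to root (POSIX form) so output is stable.
    """
    findings = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_php_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed samples: a clean front controller and one with an appended loader.
CLEAN_INDEX = """<?php
require_once 'Sources/Load.php';
echo 'Hello';
"""

# The "encoded" blob is base64 of a harmless string, built inline so the
# example runs offline; only the shape eval(base64_decode(...)) matters.
_BLOB = base64.b64encode(b"echo 'constructed sample, does nothing';" * 6).decode()
INFECTED_INDEX = CLEAN_INDEX + f"\n<?php eval(base64_decode('{_BLOB}')); ?>\n"


def build_demo_webroot() -> Path:
    """Create a temporary web root with one clean and one infected file."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "index.php").write_text(CLEAN_INDEX)
    tp = root / "tp"          # constructed stand-in for the portal subdir
    tp.mkdir()
    (tp / "index.php").write_text(INFECTED_INDEX)
    return root


if __name__ == "__main__":
    root = build_demo_webroot()
    for rel, hits in scan_tree(root).items():
        print(f"{rel}: {', '.join(hits)}")
```

The signatures are deliberately narrow so that a legitimate codebase produces few hits; pair the scan with a file modification-time listing and a comparison against a clean copy of the software, since an injected loader can also be split across several files or stored outside the obvious index.php.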