[Lazarus] Lazarus Forum seems to be hacked!

Marc Weustink marc.weustink at cuperus.nl
Thu Jan 28 10:29:28 CET 2010

Matt Shaffer wrote:
> Right, but what I meant was if someone manages to upload their own PHP
> file to the lazarus server, they can easily have uploaded a PHP file
> manager which has the capability of deleting files, etc, without ever
> needing ssh/ftp (this assumes the attack was done through a vulnerable
> piece of software, that had write permissions, etc.)
> I don't think this scenario is extremely likely.

This is probably what happened.
As I see now, together with tinyportal comes an outdated FCKeditor. This 
editor has known issues. The file manager in this editor has access to 
some tp subdir where we found a php "filemanager" through which you 
could upload files to the whole site.
This way some "buy-your-software-here" webshop got installed and then 
managed added a piece of encoded php to index.php.
What this encoded piece did was access a remote server, which in its 
turn returned a piece of php which got executed. This piece of php 
accesses our or similar webshops to generate traffic.
This last part made browsing the site slow.

At this moment the FCKeditor is disabled and removed.


More information about the Lazarus mailing list