Zikula: A Flexible Open Source Content Management System
Postnuke Hacking
  • Posted: 19.08.2005, 16:27
     
    nicolas79
    Hello,

    I realized that someone has hacked my PostNuke installation 2 days ago and left some backdoors. I would like to know if some of you have experienced something similar and if someone knows where the security hole is.

    Info about the attack:

    <gallery sub directory>/menu.php
    <gallery sub directory>/index_old.php
    <gallery sub directory>/footer.php
    <gallery sub directory>/test.php
    <gallery sub directory>/config_old.php
    <wwwroot>/public_html/modules/ContentExpress/pnclass/ContentExpress.php
    <wwwroot>/public_html/modules/ContentExpress/pnclass/MenuExpress.php
    <wwwroot>/public_html/modules/ContentExpress/pneditor/ie2/wysiwyg_web_edit.php
    <wwwroot>/public_html/modules/EZComments/pnclass/Smarty/Smarty.class.php
    <wwwroot>/public_html/modules/NS-User/admin.php

    The first 5 files have been newly created with the following content:


    To the other files the attacker appended the following code:


    #GUID# is a 128 bit GUID. Always the same in all files.

    The new files are owned by www-data.

    All files have been placed or changed on the system in the same second. Therefore I guess it was an automatic attack.

    I am using PostNuke 0.7.2.6-Phoenix

    I have the following modules installed (the rest are custom made):

    ContentExpress/
    EZComments/
    htmlpages/
    phpBB_14/
    pn_bbclick/
    pn_bbcode/
    pn_bbsmile/
    pnFlashGames/

    Additional software:
    Mediamax manager v0.1.27-RC

    Has anybody experienced something similar?

    I checked all log files, but still don't know how the system was compromised.

    If you want to check if someone has changed files on your system, run the following command in the web root:

    find . -type f -iregex '.*\.php$' -mtime -5

    It will return all changed PHP files in the last 5 days. If the changes have not been made by you, perhaps they have been made by a hacker.
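
The post above notes that every dropped or modified file was written in the same second and that the new files were owned by www-data. The following is an added example, not part of the original thread: it groups recently modified PHP files by modification second and lists the members of each burst with their owner. It assumes GNU find; the function names and the arguments WEBROOT, DAYS and MIN are illustrative.

```shell
#!/bin/sh
# Added example, not from the original thread. Requires GNU find (-printf).
# WEBROOT, DAYS and MIN are assumed parameters chosen for illustration.

# burst_seconds WEBROOT DAYS MIN
# Print "epoch_second count" for every second in which at least MIN PHP
# files under WEBROOT were modified during the last DAYS days.
burst_seconds() {
    find "$1" -type f -iname '*.php' -mtime "-$2" -printf '%T@\n' |
        cut -d. -f1 | sort -n | uniq -c |
        awk -v min="$3" '$1 >= min { print $2, $1 }'
}

# burst_files WEBROOT DAYS MIN
# For each such second, list owner, modification time and path of the files,
# so files written by the web server account (www-data in the post) stand out.
burst_files() {
    burst_seconds "$1" "$2" "$3" | while read -r sec count; do
        echo "== $count PHP files modified in second $sec =="
        find "$1" -type f -iname '*.php' -mtime "-$2" \
            -printf '%T@\t%u\t%TY-%Tm-%Td %TH:%TM:%TS\t%p\n' |
            awk -F'\t' -v s="$sec" 'int($1) == s { print $2 "\t" $3 "\t" $4 }'
    done
}

# Stand-alone use: sh burst.sh <webroot> <days> <min files per second>
if [ "$#" -eq 3 ]; then burst_files "$1" "$2" "$3"; fi
```

Modification times can be reset by whoever wrote the files, so an empty result does not show that nothing was changed.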
  • Posted: 19.08.2005, 17:00
     
    larsneo

    Quote

    I am using PostNuke 0.7.2.6-Phoenix

    please update to .75b and especially take care of PNSA 2005-3

    --
    regards from germany
  • Posted: 19.08.2005, 17:09
     
    nicolas79

    larsneo

    especially take care of PNSA 2005-3


    Thank you for the input. I will update.

    The xmlrpc Module has not been the problem since I removed it after PNSA 2005-3 has been published.
