I could never have imagined having to make such an announcement after many years of using PostNuke without trouble. Someone has hacked my site. At this stage I have not established what has happened, but it looks like a vulnerability in Xanthia and pnRender. At least they have been changed. My IT guy will hopefully shine more light on this hack shortly.
The result of the hack: every PostNuke page is transferred to a porn site after a few seconds. I have had to close the site because I am unable to establish immediately how the exploit has been achieved.
I will add more information later today.
Exploit uncovered - had to close 0,764 version of my site
-
- Rank: Freshman
- Registered: Dec 31, 1969
- Last visit: Oct 21, 2009
- Posts: 93
-
- Rank: Software Foundation
- Registered: Dec 31, 1969
- Last visit: Oct 21, 2009
- Posts: 3814
please drop some more information about the environment (postnuke version, third-party addons) and especially the server logs from the time of the attack to larsneo@postnuke.com for further analysis.
right now there are no known issues with the .764 core, and all hacks i've analyzed so far were based on third-party addons (mostly outdated pnphpbb installations). various environment settings might help to improve the overall security (e.g. register_globals). the 'baseline analyzer' within the .76x administration gives some basic hints; tools like phpsecinfo add some further checks.
--
regards from germany
..::[Zikula Application Framework]::.. ..::[SEO-Blog]::.. ..::[CMS Sicherheit]::.. -
- Rank: Freshman
- Registered: Dec 31, 1969
- Last visit: Oct 21, 2009
- Posts: 93
Looks like a false alarm. On a different computer the redirection problem disappears. For some strange reason the attack was via my browser; it could be my computer. Still not sure. More information to follow. I have changed the admin password as a precaution.
-
- Rank: Team Member
- Registered: Dec 07, 2003
- Last visit: May 09, 2010
- Posts: 2703
LOL, this is how I made my living the last year... fixing this sort of thing. Browser hijacking is a huge problem. Sometimes it is easy to fix... if you have the latest and greatest malware it can be almost impossible to snuff out. My partner and I had one computer we worked on for 3 days and could not 'fix' it. We spent the time trying to improve our skills, but never defeated it. We of course did a data backup and OS reinstall, and set up strict but user-friendly security policies. We admitted defeat... this time... gave him a discounted rate and thanked him for the experience. But most issues are easy(ier) to resolve. If it is a Windows OS, drop me a PM... maybe I can give you some pointers to fix it.
--
David Pahl
Zikula Support Team -
- Rank: Freshman
- Registered: Dec 31, 1969
- Last visit: Oct 21, 2009
- Posts: 93
Found out the cause!
McAfee picked it up when viewing the site with Explorer; a warning came up for http://www.traffic.biz/
Quote:
this iframe script src="http://ltraffic.biz/....." width=1 height=1 style="display:none
(modified so it won't trigger on this forum)
The code was placed in one of the right-column HTML blocks I was using to advertise a Google banner, and the Firefox browser allowed this to kick off.
The question now is how did they hack the admin, or maybe changed their account to admin status.
How can I check which user has admin status? Say via phpMyAdmin.
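As an added example (not code from the thread or from PostNuke itself), here is how a site owner could scan the stored HTML block content for the kind of hidden 1x1 iframe described above. The block names, the site host and the iframe host are constructed placeholders; the real check would read the block rows from the database.

```python
"""Scan stored CMS HTML blocks for hidden or off-site iframes (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample rows standing in for PostNuke HTML block content.
# "attacker.invalid" is a placeholder host, not the address quoted in the thread.
SAMPLE_BLOCKS = {
    "right_banner": '<a href="https://www.example.org/ad"><img src="/img/banner.gif" width="468" height="60"></a>',
    "right_links": '<p>Links</p><iframe src="http://attacker.invalid/x.php" width=1 height=1 style="display:none"></iframe>',
    "footer_note": '<p style="display:none">Hidden but harmless text</p>',
}

def _hidden(attrs):
    """True if the element is sized to 1px or less, or styled invisible."""
    a = {k.lower(): (v or "").lower() for k, v in attrs}
    for dim in ("width", "height"):
        try:
            if float(a[dim].rstrip("px%")) <= 1:
                return True
        except (KeyError, ValueError):
            pass
    style = a.get("style", "").replace(" ", "")
    return "display:none" in style or "visibility:hidden" in style

class HiddenFrameFinder(HTMLParser):
    """Collects framing/script elements that are hidden or load from another host."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame", "script", "object", "embed"):
            return
        src = dict(attrs).get("src") or ""
        host = urlparse(src).hostname
        offsite = bool(host) and host != self.site_host
        if offsite or _hidden(attrs):
            self.findings.append((tag, src, _hidden(attrs)))

def scan_blocks(blocks, site_host):
    """Return {block_name: [(tag, src, hidden), ...]} for blocks needing review."""
    report = {}
    for name, html in blocks.items():
        finder = HiddenFrameFinder(site_host)
        finder.feed(html)
        if finder.findings:
            report[name] = finder.findings
    return report

if __name__ == "__main__":
    for name, hits in scan_blocks(SAMPLE_BLOCKS, "www.example.org").items():
        print(name, hits)
```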
-
- Rank: Team Member
- Registered: Mar 18, 2002
- Last visit: Oct 21, 2009
- Posts: 6606
dp2,
Can you provide larsneo with the requested information (see above post) so that the attack can be analyzed?
-Mark
--
Visit My homepage and Zikula themes.