MOS 4.5.1.07 Hacked

[almambo]

One of my sites running MOS 4.5 version 1.0.7 was hacked yesterday. Many files were uploaded on the site, among them 4843term by Havenard. I did a little research on this and found Nuke sites suffered from this about 1 year ago at the hands of a bunch of Brasiian losers. I have no idea how they gained access to the site or what, if any, MOS vulnerability was used. Heck, I am not even sure it is related to MOS. My ISP has mod_rewrite enabled and that, I have read, could be a weak link. Currently, my ISP disabled the site and I was asked to start all over! It is a nightmare to recreate the site.

Did any one experience something similar?

Thanks for any pointers.

[raetsche]

My site running MOS 4.5.1.0.7 (MamboV4[1].5-Stable-1.0.7.tar.gz) was also hacked yesterday!
Did you also have the message

r00t_System owns your Linux!!!
id
uid=0(root) gid=0(root) groups=33(www-data)

?

Greetz

[idigital]

Sounds pretty serious. You should post over on the official Mamboserver security forum, as this is a community fan forum not an official support forum.

Maybe you could get your ISP to at least backup your database or something? They don't sound very friendly.

[pixelsoul]

Did you install the FCK Editor it has a exploit where people can upload stuff..

[TJay]

I am curious, if you only have specific registered users set with the abililty to publish, in other words only knowns can submit or edit content via the front end, and you use one of the wysiwyg editors that open this vulnerablity can people still get your site?

TJay

[pixelsoul]

Everyone can exploit it even with the 1.6.2 .. so even if you have the editor not published for registered users.

Quote:

Originally Posted by TJay

I am curious, if you only have specific registered users set with the abililty to publish, in other words only knowns can submit or edit content via the front end, and you use one of the wysiwyg editors that open this vulnerablity can people still get your site?

TJay

Btw: Those brasillian guys defaced allot of mos sites, when mos was still on 1.0.5... also allot of the time with htmlarea which had the same problem. So it could also be possible that you did not upgrade correctly..

And remember to make backups <---

[jascha]

For further information on this thread refer to this post:
http://forum.mamboserver.com/viewtopic.php?p=79692

Also refer to follow up for suggestions on what to do if you think your site has been 'hacked'.
http://forum.mamboserver.com/viewtop...?t=14329#79720

-Jascha

[mmx]

Quote:

Originally Posted by almambo

My ISP has mod_rewrite enabled and that, I have read, could be a weak link.

Read the security tutorial posted in a project on mosForge. It includes tips and tricks for securing your site. SEF support is not the only use for mod_rewrite. mod_rewrite can be used to your advantage by restricting directory access rights to selected ip addresses.

[jascha]

Yes, I hear that is a very good paper.
(See my sig for punchline)

-Jascha

[mmx]

Extremely useful tutorial because it minimizes frequently asked security questions to almost nothing. Tony and I need to hook up with you later when we start to work on the security chapter for the MOS 5.0 book.

Quote:

Originally Posted by jascha

Yes, I hear that is a very good paper.
(See my sig for punchline)

-Jascha