Was the php shell C99madshell?
It seems many sites have been recently compromised via this shell. The
ways the shell is uploaded depend on the vulnerabilities of the forum
software.
Marc Weustink wrote:
Matt Shaffer wrote:
Right, but what I meant was if someone manages to upload their own PHP
file to the lazarus server, they can easily have uploaded a PHP file
manager which has the capability of deleting files, etc, without ever
needing ssh/ftp (this assumes the attack was done through a vulnerable
piece of software, that had write permissions, etc.)
I don't think this scenario is extremely likely.
This is probably what happened.
As I see now, together with tinyportal comes an outdated FCKeditor.
This editor has known issues. The file manager in this editor has
access to some tp subdir where we found a php "filemanager" through
which you could upload files to the whole site.
This way some "buy-your-software-here" webshop got installed and then
managed to add a piece of encoded php to index.php.
What this encoded piece did was access a remote server, which in its
turn returned a piece of php which got executed. This piece of php
accesses our or similar webshops to generate traffic.
This last part made browsing the site slow.
At this moment the FCKeditor is disabled and removed.
Marc
--
_______________________________________________
Lazarus mailing list
[email protected]
http://lists.lazarus.freepascal.org/mailman/listinfo/lazarus
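
Added example, not part of the original messages: a Python check for the two traces described in this thread, a PHP script sitting in a directory the editor's file manager can upload into, and encoded PHP injected into index.php. The directory names in UPLOAD_DIRS, the rule names and the sample files are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Decoder functions commonly wrapped in eval() to hide injected PHP.
DECODERS = r"(?:base64_decode|gzinflate|gzuncompress|str_rot13)"
RULES = {
    "eval-of-decoded-data": re.compile(r"\beval\s*\(\s*" + DECODERS + r"\s*\(", re.I),
    "eval-of-remote-fetch": re.compile(
        r"\beval\s*\(\s*(?:file_get_contents|curl_exec)\s*\(", re.I),
    "long-base64-literal": re.compile(r"[\"'][A-Za-z0-9+/]{200,}={0,2}[\"']"),
}
# Assumption: directories the web application lets users upload into.
UPLOAD_DIRS = ("uploads", "userfiles")
SCRIPT_EXT = {".php", ".php5", ".phtml"}


def scan_source(text):
    """Return the sorted names of the rules that match one PHP source text."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def script_in_upload_dir(path):
    """True when a server-executable script sits under an upload directory."""
    p = PurePosixPath(path)
    return p.suffix.lower() in SCRIPT_EXT and any(d in p.parts[:-1] for d in UPLOAD_DIRS)


def scan_site(files):
    """files maps relative path -> source text; returns {path: [findings]}."""
    report = {}
    for path, text in files.items():
        findings = scan_source(text)
        if script_in_upload_dir(path):
            findings.append("script-in-upload-dir")
        if findings:
            report[path] = findings
    return report


# Constructed sample site (not taken from the incident described above).
SAMPLE = {
    "index.php": '<?php eval(base64_decode("Q09OU1RSVUNURUQ=")); require "main.php";',
    "main.php": "<?php echo 'hello'; ?>",
    "forum/userfiles/fm.php": "<?php /* constructed placeholder */ ?>",
    "forum/userfiles/logo.png": "",
}

if __name__ == "__main__":
    for path, findings in scan_site(SAMPLE).items():
        print(path, findings)
```

Pattern matches like these only flag files for manual review; comparing the site against a known-good copy of the application remains the reliable way to find every modified file.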