Pixelpost

Authentic Photoblog Flavour


#1
05-18-2009, 08:02 PM
-okapi-
pixelpost guru

Join Date: Feb 2005
Location: Vienna, Austria
Posts: 252
Emergency - malicious script detected!

Today I visited my photoblog (pixelpost version 1.7.1) and AVG Antivirus detected a malicious script!
Taking a look at the source code of http://www.a-visual-notebook.at I noticed JavaScript code on the first line, just before the doctype declaration of pixelpost.

And that was not from the template files! Therefore it must have been generated by pixelpost code. Did my site get hacked?

These are the suspicious lines:

EDIT: I have now deleted these lines here for security reasons, because I noticed that this thread was not accessible any more on a PC with the latest AVG updates, even with the javascript tags removed. So if anybody is interested in the exploit, please contact me per PM!

Has anybody actually got a similar problem?

EDIT: Looking deeper at that issue, I found out that the index.php has been altered on April 26th. Comparing that index.php with a clean one from the installation files I found exactly those javascript lines on top of the php script.

I have replaced the infected index.php by the original one.
Just wondering how that attack could have happened...! Of course, I have not touched the index.php at all since the last update to 1.7.1!


Michael
__________________
a visual notebook
michael singer photography
http://www.a-visual-notebook.at

Last edited by -okapi-; 05-19-2009 at 08:52 AM. Reason: Security
#2
05-19-2009, 01:03 PM
Dennis
Team Pixelpost

Join Date: Jul 2006
Posts: 2,394
Depending on your settings it is likely the computer your site runs on was hacked. Only with a CHMOD of 777 on the index file is it actually writable. If that is not the case, the attack originated from somewhere else.

It is likely your server runs several sites (also known as a shared box). Lots of people use the server and might use outdated or insecure software, vulnerable to exploits. It is also possible the hacker used a well-known exploit in the software used by your hosting company to gain access to the system. If one of these exploits is severe enough the hacker could gain access to the other sites as well, since they are on the same box.

My guess would be an automated script is run, adding malicious code to every file starting with index. These can be HTML, PHP and so on. Could it have been caused by Pixelpost? Yes, there is always a possibility due to the fact you can use addons. We don't know if every addon is safe or if it contains vulnerabilities for these kinds of attacks. The Pixelpost core code, which we do have under control, has undergone several independent security-based cleanups to ensure the core code is very secure.
__________________
My photoblog, powered by PixelPost 1.9 dev SVN | My Pixelpost Addons | My Cool Photoblog profile
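The comparison against the installation files described in post #1 and the permission point raised in post #2 can be run as one check over every file whose name starts with index. This is an added example, not part of the original thread and not Pixelpost code; the function names, directory layout and sample files are constructed for illustration.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit_index_files(webroot, clean_root):
    """Check every index* file under webroot against the clean install tree."""
    webroot, clean_root = Path(webroot), Path(clean_root)
    findings = {}
    for path in sorted(webroot.rglob("index*")):
        if not path.is_file():
            continue
        rel = path.relative_to(webroot)
        clean = clean_root / rel
        issues = []
        if not clean.is_file():
            issues.append("no clean reference")
        elif digest(path) != digest(clean):
            issues.append("differs from clean copy")
            # Symptom from the thread: extra lines in front of the original script.
            if path.read_bytes().endswith(clean.read_bytes()):
                issues.append("content prepended")
        # Mode 777 sets the write bit for "other", so any local account can edit it.
        if path.stat().st_mode & stat.S_IWOTH:
            issues.append("world-writable")
        if issues:
            findings[rel.as_posix()] = issues
    return findings

def demo():
    """Build a constructed clean tree and a constructed tampered web root, then audit."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, web = Path(tmp, "clean"), Path(tmp, "web")
        for root in (clean, web):
            (root / "admin").mkdir(parents=True)
            for rel in ("index.php", "admin/index.php"):
                (root / rel).write_bytes(b"<?php // constructed page\n")
                (root / rel).chmod(0o644)
        tampered = web / "index.php"
        tampered.write_bytes(b"<!-- constructed placeholder for injected lines -->\n"
                             + tampered.read_bytes())
        tampered.chmod(0o777)
        return audit_index_files(web, clean)

if __name__ == "__main__":
    for name, issues in demo().items():
        print(name, "->", ", ".join(issues))
```

The file's modification time, which post #1 used to date the change, is available from `path.stat().st_mtime` and can be added to each finding.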
#3
05-25-2009, 12:09 PM
-okapi-
pixelpost guru

Join Date: Feb 2005
Location: Vienna, Austria
Posts: 252
Many thanks for your reply, Dennis!

Michael
__________________
a visual notebook
michael singer photography
http://www.a-visual-notebook.at
All times are GMT.