Config File Hacked?

Shadowdare Moderator
edited February 2011 in Vanilla 2.0 - 2.8
My config file was either hacked or there was some glitch with Vanilla. On my Vanilla config.php file all that it says now is:
<?php if (!defined('APPLICATION')) exit();

// Garden
$Configuration['Garden']['Analytics']['LastSentDate'] = '20110127';

// Last edited by THEUSERNAME (his IP)2011-02-05 07:12:21

My Vanilla index only displays the installation page. Is this a bug with Vanilla or has it actually been hacked? I managed to get my forum back up though. Seems to be an urgent Vanilla problem, @Mark. If so, I wonder how it can be replicated.

I notice that when I edit a setting in the dashboard as an admin myself, it leaves a "last edited by" comment at the bottom of the config.php file. How could the user have done this, and where did all the other variables go?

The user said that he was submitting a post before this happened.

Add Pages to Vanilla with the Basic Pages app

Comments

  • It is a really interesting problem, yes. Did you save the config file that was overwritten by THEUSERNAME? Maybe there's something you can see in there that he did.

    Maybe it's also time to start discussing taking some config files outside the document root :-)
  • Shadowdare Moderator
    edited February 2011
    Yes, I replaced his username with THEUSERNAME to indicate who he was. I think that the "// Last Edited" line is generated by Vanilla when a setting in the dashboard is modified by an admin. This user doesn't have access to that but it just happened when he was posting a reply. The config file is in the /conf folder. This whole problem is weird.

    I saved the config.php file that was overwritten by the user. I already copied and pasted all of the text into my first post here in the yellow highlighted text. I'm not sure what posting a reply has to do with the config file, though.

  • whu606 I'm not a SuperHero; I just like wearing tights... MVP
    edited February 2011
    The same thing happened to me twice yesterday, and once today.

    The most recent instance left this in my config file:

    <?php if (!defined('APPLICATION')) exit();

    // Garden
    $Configuration['Garden']['Analytics']['LastSentDate'] = '20110117';

    // Last edited by Don'tShowAUserName (NEVERshowIP'sInForumThreads)2011-02-06 04:53:14

    There's no way the user involved would have intentionally tried to cause this behaviour.

    As far as I can tell, the user had no activity beyond browsing the forum when the file was rewritten.

    I thought it related to the WhoIs plugin, but now know that it doesn't.

    I've removed all write permissions from config for the meantime.
  • Shadowdare Moderator
    edited February 2011
    If it is related to plugins then I might as well list the ones I'm using: Emotify (which keeps getting disabled at random times, but now it's good), Flagging, Mark All Viewed, Minify, Tagging, Vanilla ProxyConnect, and Vanilla Statistics.

    I'm guessing the Analytics variable is related to Vanilla Statistics. If so, then maybe there is something wrong with the plugin. I don't use the WhosOnline plugin so it may be something else.

  • It wouldn't have to be the stats plugin because it must auto-write every so often when it updates. However, that is the only new addition I see to the Vanilla codebase. I will have a try at bug hunting, but the Vanilla guys will know best.
  • It's very weird. Like you said, I guess only the Vanilla guys will know.

  • @mark @tim @lincoln - highlighting this again. It just happened to me too. I upgraded to the latest Vanilla about a day ago. I think this shows it is not an isolated server or host issue.

    Any news on this?
  • Thanks.

  • martz New
    edited February 2011
    Omg, it now happened to me too last night! I am glad that I read this topic and could fix it really fast.

    Unfortunately the forum has been offline for quite some time during peak hours; my mailbox was filled with a lot of confused user e-mails.

    The quick fix for me is to chmod the config.php to 555 - this would stop the www-data user from writing to the file. I guess this should work.
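
A check for the symptom reported in this thread, as an added example that is not part of any post or of Vanilla's own code: it compares the live conf/config.php with a known-good copy, lists the settings that have vanished, and reports whether any write bit is still set after a chmod like the one above. The backup copy, the function names and the sample key names (other than LastSentDate) are assumptions.

```shell
#!/bin/sh
# Added example. Assumption: a known-good copy of conf/config.php is kept.

# List setting keys present in the known-good copy but gone from the live file.
missing_keys() {  # usage: missing_keys LIVE GOOD
    grep -o '^\$Configuration\[[^=]*]' "$2" | while read -r key; do
        grep -qF "$key" "$1" || printf '%s\n' "$key"
    done
}

# Succeed if any write bit is set, i.e. some account can still rewrite the file.
has_write_bit() {
    case "$(ls -ld "$1" | cut -c2-10)" in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# One-line report: lost settings, the "Last edited by" trailer, write bits.
check_config() {  # usage: check_config LIVE GOOD
    lost=$(missing_keys "$1" "$2" | wc -l | tr -d ' ')
    editor=$(grep '^// Last edited by' "$1" | tail -n 1)
    if has_write_bit "$1"; then w=yes; else w=no; fi
    if [ "$lost" -gt 0 ]; then state=TRUNCATED; else state=OK; fi
    printf '%s lost=%s writable=%s trailer="%s"\n' "$state" "$lost" "$w" "$editor"
}

# Constructed sample data: key names other than LastSentDate are placeholders.
demo() {
    d=$(mktemp -d)
    cat > "$d/good.php" <<'EOF'
<?php if (!defined('APPLICATION')) exit();
$Configuration['Example']['SettingA'] = 'a';
$Configuration['Example']['SettingB'] = 'b';
$Configuration['Garden']['Analytics']['LastSentDate'] = '20110127';
EOF
    cat > "$d/live.php" <<'EOF'
<?php if (!defined('APPLICATION')) exit();
// Garden
$Configuration['Garden']['Analytics']['LastSentDate'] = '20110127';
// Last edited by EXAMPLEUSER (0.0.0.0)2011-02-05 07:12:21
EOF
    chmod 555 "$d/live.php"
    check_config "$d/live.php" "$d/good.php"
    rm -rf "$d"
}
demo
```

Run from cron against the real file and its backup, a TRUNCATED line gives the timestamp and account name from the trailer to correlate with the web server's access log.
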
  • smoigecom New
    edited May 2011
    // Last edited by Unknown (ip)2011-05-20 00:04:31

    The config.php file should only be edited by the admin right?
  • Aolee Hobbyist & Coder ✭✭
    // Last edited by Unknown (ip)2011-05-20 00:04:31

    The config.php file should only be edited by the admin right?
    I had experienced this one too. I was just lucky I made a backup 5 mins early before my config.php got changed by "unknown".
  • smoigecom New
    edited May 2011
    Everything still works. This sucks! I'll just chmod it to 555 like martz said. Would a htaccess file that allows just one IP access to the conf folder work?
  • Linc Detroit Admin
    No, it would not.
  • Just had the same issue with 2.0.17.10 - config.php edited by some random IP.