Lussumo Server Hacked

Mark (Vanilla Staff)
edited November 2006 in Vanilla 1.0 Help
This morning a Lussumo software user emailed me to tell me that he saw a "strange" file on the files.lussumo.com Filebrowser demo site. The file was named indsx.php and contained an "r57shell" script which allowed the user to execute commands directly on my server through the web browser.

I have absolutely no idea how the file got there. I did some investigation online about the exploit, and it may have been created through a PHP security hole in my particular version of PHP. So, as far as I know right now, there are still no big security holes in the Filebrowser script.

If anyone else notices their Filebrowser coming up with extra PHP files, please post about it here or on the community forum. If this *does* turn out to be a Filebrowser vulnerability, I will want to release a patch ASAP.

http://lussumo.com/swell/131/Server-Hacked/

Comments

  • Wow, freaky, I wonder how long it's been there...
  • Yeah, there must be a way of telling, right?
  • Server access logs reveal anything?

    (Easy for me to say, with only hundreds of hits a month--nothing compared to 1.2 million)
  • If the guy can gain rights on the log, you can't believe the log.

    What exactly does r57shell allow you to do? Get shell access with the apache or php user's permissions?
  • Mark (Vanilla Staff)
    The file was created on September 21st. So it's been there for a while.

    I've been on with tech support of my hosting company (who are awesome, btw). We've run chkrootkit on the server and found nothing compromised. We found a few dodgy files here and there, but as far as we can tell, the attacker didn't get very far. The file had apache:apache group/user access. It could do anything apache could do. The commands could be executed from right within the web browser. For example, before the file was disabled, I used the script to browse through my entire server's directory tree.
  • Man, I go away for a weekend and this place falls apart?! They're fanatical about support, you know, Mark? They're pretty damn well paid too, so it's hardly surprising. Good to see your money is being well spent.
  • Mark (Vanilla Staff)
    edited November 2006

    UPDATE

    After a lot of digging through logs, I identified the IP of the person who did the hacking, and tracked his/her activity. Turns out he/she gained access to the server through an exploit in DokuWiki, the wiki we use to do our documentation here at lussumo.com/docs.

    I'm in the process of upgrading the dokuwiki code (something I should have done a while ago, apparently), and trying to identify any other damage this person may have done to the server.
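Added example, not part of Mark's post and not the logs he actually dug through: the pivot he describes, done in Python over Apache combined-format access log lines. It finds every request to the shell file, takes the source addresses, and lists what each of those addresses asked for before its first request to the shell, which is where the entry vector sits. The log format is assumed; the sample lines, addresses, timestamps and paths are constructed (the thread does not say what the DokuWiki hole was, so the `/docs/doku.php` requests are placeholders for whatever the real entry requests were).

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Set

# Apache "combined" log format (assumption: the server logged in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample lines for illustration; nothing here is a real log entry.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Sep/2006:03:12:41 +0000] "GET /docs/doku.php?id=start HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.5 - - [21/Sep/2006:03:13:10 +0000] "POST /docs/doku.php HTTP/1.1" 200 812 "-" "Mozilla/4.0"
10.0.0.5 - - [21/Sep/2006:03:14:07 +0000] "GET /indsx.php HTTP/1.1" 200 9876 "-" "Mozilla/4.0"
10.0.0.5 - - [21/Sep/2006:03:14:30 +0000] "POST /indsx.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
192.0.2.10 - - [21/Sep/2006:03:15:00 +0000] "GET / HTTP/1.1" 200 3000 "http://lussumo.com/" "Mozilla/5.0"
198.51.100.7 - - [22/Sep/2006:11:02:13 +0000] "GET /docs/doku.php?id=start HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line: str) -> Optional[Dict]:
    m = LOG_RE.match(line)
    if not m:
        return None  # in real use, count these: an attacker may leave odd lines
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e


def parse_log(lines) -> List[Dict]:
    return [e for e in map(parse_line, lines) if e]


def _basename(path: str) -> str:
    return path.split("?", 1)[0].rsplit("/", 1)[-1]


def shell_hits(entries: List[Dict], shell_name: str = "indsx.php") -> List[Dict]:
    """Requests whose path (query string ignored) ends in the shell's file name."""
    return [e for e in entries if _basename(e["path"]) == shell_name]


def suspect_ips(entries: List[Dict], shell_name: str = "indsx.php") -> Set[str]:
    return {e["ip"] for e in shell_hits(entries, shell_name)}


def activity_for(entries: List[Dict], ip: str) -> List[Dict]:
    return sorted((e for e in entries if e["ip"] == ip), key=lambda e: e["ts"])


def requests_before_shell(entries: List[Dict], ip: str,
                          shell_name: str = "indsx.php") -> List[str]:
    """Paths this IP requested before it first touched the shell: the entry
    vector is in here, since the shell had to be written before it was used."""
    timeline = activity_for(entries, ip)
    first_shell = next((e["ts"] for e in shell_hits(timeline, shell_name)), None)
    if first_shell is None:
        return [e["path"] for e in timeline]
    return [e["path"] for e in timeline if e["ts"] < first_shell]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip in sorted(suspect_ips(entries)):
        print(ip, "touched the shell; earlier requests:",
              requests_before_shell(entries, ip))
```

Two caveats a practitioner would add. Apache opens its log files as root before dropping to the apache user, so a shell running as apache:apache normally cannot rewrite them, but if the attacker got further than that (the concern raised a few comments up), the logs are only trustworthy against a copy shipped off the box. And the shell can be reached by other people once it is found, so a second pass should look at every address that hit it, not just the first.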
  • interesting ;>
  • Mark, while you're at it, can you fix the errors it generates when I'm trying to register?
  • Well on the bright side, at least it wasn't a flaw in one of your pieces of software which was exploited, Mark :-P
  • How true, SirNot. How true. Definitely not a pleasant feeling being taken advantage of, but it could have been far worse. And at least there doesn't appear to be any damage done yet. Script kiddies... Their mommies should spank their asses red and send 'em to bed without supper.
  • I bet it was one of them thar neo-cons. They want to monitor Vanilla folks.
  • Mark (Vanilla Staff)
    "Well on the bright side at least it wasn't a flaw in one of your pieces of software which was exploited"

    My thoughts exactly. I breathed a huge sigh of relief when I found the hole.

    @MySchizobuddy - I didn't know there were problems with it. I'll see what I can do.
  • Mark (Vanilla Staff)
    @MySchizzoBuddy - I've fixed the wiki - thanks for the heads up :)