Lussumo Server Hacked
Mark
Vanilla Staff
This morning a Lussumo software user emailed me to tell me that he saw a "strange" file on the files.lussumo.com Filebrowser demo site. The file was named indsx.php and contained an "r57shell" script which allowed the user to execute commands directly on my server through the web browser.
I have absolutely no idea how the file got there. I did some investigation online about the exploit, and it may have been created through a PHP security hole in my particular version of PHP. So, as far as I know right now, there are still no big security holes in the Filebrowser script.
If anyone else notices their Filebrowser coming up with extra PHP files, please post about it here or on the community forum. If this *does* turn out to be a Filebrowser vulnerability, I will want to release a patch ASAP.
http://lussumo.com/swell/131/Server-Hacked/
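A defender-side check for the situation described in the post (extra PHP files turning up in a Filebrowser install), added here as an example and not part of the original thread or of Lussumo's code: it lists `.php` files missing from a baseline manifest and flags those whose contents contain web-shell marker strings. The baseline set, the marker list and the sample directory tree are constructed for the demo.

```python
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Constructed marker list: the post names r57shell; the eval/base64_decode
# pattern is a common obfuscation wrapper in PHP web shells.
SHELL_MARKERS = re.compile(
    rb"r57shell|eval\s*\(\s*base64_decode",
    re.IGNORECASE,
)


def find_unexpected_php(webroot, baseline):
    """Return (extra, suspicious).

    extra      - relative paths of .php files under webroot not in baseline
    suspicious - the subset of extra whose contents match SHELL_MARKERS
    """
    root = Path(webroot)
    extra, suspicious = [], []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        if rel in baseline:
            continue  # known, shipped file
        extra.append(rel)
        if SHELL_MARKERS.search(path.read_bytes()):
            suspicious.append(rel)
    return extra, suspicious


def demo():
    """Build a constructed Filebrowser-like tree, plant one indsx.php, scan it."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "inc").mkdir()
        (root / "index.php").write_text("<?php include 'inc/config.php'; ?>")
        (root / "inc" / "config.php").write_text("<?php $root = '/var/www/files'; ?>")
        # Planted file named as in the post; its body is a harmless stand-in
        # that only carries the marker string, not a real shell.
        (root / "indsx.php").write_text("<?php /* r57shell */ ?>")
        baseline = {"index.php", "inc/config.php"}  # constructed manifest
        return find_unexpected_php(root, baseline)


if __name__ == "__main__":
    extra, suspicious = demo()
    print("extra:", extra)            # extra: ['indsx.php']
    print("suspicious:", suspicious)  # suspicious: ['indsx.php']
```

Run it against a real install by replacing the demo tree with the web root and the manifest with the file list from a pristine copy of the release; files in `extra` that are not in `suspicious` still deserve a manual look.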
Comments
(Easy for me to say, with only hundreds of hits a month--nothing compared to 1.2 million)
What exactly does r57shell allow you to do? Get shell access with the apache or php user's permissions?
I've been on with tech support of my hosting company (who are awesome, btw). We've run chkrootkit on the server and found nothing compromised. We found a few dodgy files here and there, but as far as we can tell, the attacker didn't get very far. The file had apache:apache group/user access. It could do anything apache could do. The commands could be executed from right within the web browser. For example, before the file was disabled, I used the script to browse through my entire server's directory tree.
UPDATE
After a lot of digging through logs, I identified the IP of the person who did the hacking, and tracked his/her activity. Turns out he/she gained access to the server through an exploit in DokuWiki, the wiki we use to do our documentation here at lussumo.com/docs. I'm in the process of upgrading the DokuWiki code (something I should have done a while ago, apparently), and trying to identify any other damage this person may have done to the server.
My thoughts exactly. I breathed a huge sigh of relief when I found the hole.
@MySchizobuddy - I didn't know there were problems with it. I'll see what I can do.