
my cms blog hacked, marquee injected

Jun 30, 2010 at 3:38 PM
Edited Jun 30, 2010 at 3:42 PM

Someone noticed on google that my blog shows up with a marquee and links to p*rn sites. :( I cannot for the life of me figure out how/where this is getting injected. Long ago, telligent said to remove filemanager folder from _utility. I did that forever ago. I have looked at templates and I've looked at files in my blog that are newer than the date I installed it. Here's what the source looks like:

 

		<div style="padding: 50">		<h1><a href="/blog/" title="Don't Be Iffy">     Don't Be Iffy</a></h1>
						<br><h2>     Julie Lerman's Blog</h2>
		</div></div>
<div id="logo">
	</div>	
 
<MARQUEE scrollAmount=7838 width=5 height=9>NEW Site:<a href="the url for the p*rn site is here"
 title="free p*rn videos">free p*rn videos</a>,<a href="another nasty url" title="s*x cams">s*x cams</a></MARQUEE>
	
	<div id="container">
		<div id="nav">
			<ul>

Here's what the template for layout.view looks like in that section of the template: 

Jun 30, 2010 at 5:44 PM

Can you provide any other information? Is this a new post that keeps getting created? Does it show up on all pages? Did it happen once and done, or is it something that you are able to delete and then comes back?

As much detail as you can provide will help track it down.

Jun 30, 2010 at 5:57 PM
Edited Jun 30, 2010 at 5:58 PM

Turns out it *was* in the layout.view file but somehow it was hidden in the graffiti editor.

When I opened the file up in Notepad I could see the marquee tag and delete it.

I do not know how it got there or how long it's been there. As I said above, I removed the filemanager folder quite a long time ago.

Also, devhammer found the same marquee in his layout.view file while he was helping me find mine.

Jun 30, 2010 at 6:50 PM

You may be able to dig into your site's log files and see if you can find any type of injection attack. Look for any file access out of the ordinary and possibly even do a search for some of the text which was on the site. Tracking down how this happened may help us lock it down and keep it from happening on other Graffiti sites (of course it is possible this had nothing to do with Graffiti at all).

Jul 1, 2010 at 3:16 AM

Hi Julie,

Sorry to hear that. There was a security vulnerability found in the FCK Editor file manager upload component. Graffiti 1.0 - 1.2 used the FCK Editor as the editor. It didn't use the built-in FCK Editor file manager, but that piece was included in the distro. You are correct - you can fix that issue by deleting the "filemanager" folder inside of the editor folder.

I'm not sure what kind of server you are on, but they might have gotten access to your files via another application instead of your actual blog - including possibly an old unpatched instance of Graffiti. When this issue was first reported, several people I know got hit by this scenario. They (script kiddies) would find an unpatched app and upload an .asp or .php script that would give them access to browse/add/edit/delete files. Then they would hack up different web sites on the same server.  Check your /files/ folder tree for any .asp files - that's where I saw the script put on several instances.

Jul 9, 2010 at 3:43 PM

As I noted to Julie, the layout.view was the file directly affected in my case, as in hers. But your note, Kevin, prompted me to check for other files, and I found a file named 15.aspx in the /files/media/image folder, which appears to be a control panel of sorts uploaded by the attacker. I checked my other Graffiti 1.2-based sites, and didn't find any other files that looked out of place. I went ahead and renamed the file to render it unusable prior to archiving it and removing it.

So for any folks who were/are affected by the FCK Editor vulnerability, here are the minimum steps to correct the issue so far:

1. Remove the vulnerability by deleting the "filemanager" folder inside of the "/__utility/Telligent_Editor/editor" folder.

2. Check your .view files in the themes in the "/files/themes" folder for any modifications, and repair/clean them up. Pay particular attention to the theme currently in use on your site. Note the modified date on any files that have been hacked, since this may be a clue to other files that have been modified/uploaded.

3. Check the "/files" folder tree for any .asp/.php/.aspx pages that do not belong. In my case, the file was named 15.aspx, but as Kevin notes, the page could be in any script supported by the server.

I wish there was a way to be 100% confident that I've removed all of the offending code, but at this point, absent doing a line-by-line review of the entire codebase, I don't think that's possible. Fortunately, it looks like the attacker in this case wasn't trying real hard to hide their tracks, so perhaps the obvious stuff is all that was there. Still, I'm pretty sure at this point that I'm going to retire a number of these sites, since few of them are active, and re-evaluate on a case-by-case basis what to use going forward.

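
As an added example (not code from this thread or from Graffiti itself), a short Python triage script that automates the checks above and the earlier layout.view finding: it lists server-side scripts sitting under /files and flags theme .view templates that carry a MARQUEE or IFRAME tag. The web-root layout, the sample files and the indicator patterns are my assumptions, built inline so the script runs offline.

```python
import re
import tempfile
from pathlib import Path

# Uploaded "control panel" scripts were found under /files (15.aspx in the
# thread); nothing under that tree should be server-side executable.
SCRIPT_EXTS = {".asp", ".aspx", ".php"}
# The injected MARQUEE was 5x9 pixels, invisible in the browser; iframe is
# added here as a second common carrier (my choice, not from the thread).
INJECTED = re.compile(r"<(marquee|iframe)\b[^>]*>", re.IGNORECASE)


def find_stray_scripts(files_root: Path) -> list[str]:
    """Paths (relative to /files) of script files that should not be there."""
    return sorted(
        str(p.relative_to(files_root)).replace("\\", "/")
        for p in files_root.rglob("*")
        if p.is_file() and p.suffix.lower() in SCRIPT_EXTS
    )


def find_injected_views(themes_root: Path) -> dict[str, list[str]]:
    """Map each tampered .view template to the suspicious tags found in it."""
    hits = {}
    for view in sorted(themes_root.rglob("*.view")):
        text = view.read_text(encoding="utf-8", errors="replace")
        if tags := [m.group(0)[:60] for m in INJECTED.finditer(text)]:
            hits[str(view.relative_to(themes_root)).replace("\\", "/")] = tags
    return hits


def triage(webroot: Path) -> dict:
    """Run both checks against a Graffiti web root and report the findings."""
    files_root = webroot / "files"
    return {
        "stray_scripts": find_stray_scripts(files_root),
        "injected_views": find_injected_views(files_root / "themes"),
    }


def build_sample_site() -> Path:
    """Constructed sample web root mirroring the thread's findings (not real data)."""
    root = Path(tempfile.mkdtemp())
    (root / "files/media/image").mkdir(parents=True)
    (root / "files/media/image/photo.jpg").write_bytes(b"\xff\xd8 fake jpeg")
    (root / "files/media/image/15.aspx").write_text("<%@ Page %> placeholder")
    for theme in ("clean", "hacked"):
        (root / "files/themes" / theme).mkdir(parents=True)
    (root / "files/themes/clean/layout.view").write_text("<div id='logo'></div>")
    (root / "files/themes/hacked/layout.view").write_text(
        "<div id='logo'></div>\n<MARQUEE scrollAmount=7838 width=5 height=9>"
        "NEW Site:<a href='http://example.invalid/'>x</a></MARQUEE>\n"
    )
    return root
```

Record the modification time of anything it reports before archiving and removing it, as the post suggests, since that timestamp is the lead for finding other touched files.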
Jul 9, 2010 at 3:50 PM

Thanks.

I just looked in the /files folder tree and didn’t see any weird files but excellent detective work. I might not have noticed it if it *was* in there.

Julie

Jul 9, 2010 at 9:30 PM

Great info seeker. Thank you.