I posted today a question about my opening screen going blank.

I've tried to play around, and the only way to get the opening screen was to set the "Module for your start page" to "None". However, the page still looked a little bit changed, with some of the graphics (e.g. lines around the blocks having different sizes than they should). Still, didn't pay much attention.

Since I had Protector 2.52 installed, I didn't think that there would be any problem caused by hacking. My FireFox didn't report anything unusual.

Then I switched to IE, and it asked me if I want to download a file. Since I don't have any files to download on my opening screen, that caught my attention. I looked at the file properties and it was something like "expl_tank.wmf" and was coming from "trust4free[dot]ws".

I went over there and the Website looked suspicious.

I did google search on it and found a posting on: http://www.mackenty.org/ posted on Dec. 20th stating that his website, (powered by ExpressionEngine) has been hacked.

Somebody injected on the top of his index.php, the following code:
Quote:

I looked into my index.php file and the same code was there.

I removed it, and my Website is again working properly.

The question is: how did they do it, and how can we prevent it from happening again. Also, what information did they try to collect? I hope that since I didn't download the file from their Webserver, they were not able to collect anything.

Any inside and/or advise on this?

i am sure the dev team will be all over this, and thanks for the info

most likely another site hosted on the same server was used to gain access. there are a fair few topics regarding this if you search.

it most likely boils down to a server config and file/group permissions and user accounts in apache.. i should speak to your host.

and just because protector is installed doesn't mean you should drop your guard.. it doesn't prevent hacking, all it does is makes it harder. never presume anything is 100% secure.. anybody or company that says they guarantee 100% protection is delusional. banks get hacked every week, they just don't admit it.

however in this case there are many factors to consider, and protector module will not protect you from a server side attack on a vulnerable server.

Looks to me like Mamba's site has been used for distribution of some exploit for that WMF vulnerability mess that seems to have the potential to become quite a nightmare for Windows users. So, my question would be: How can we obtain maximum protection against people placing one of those nasty images in, say, the image galleries that are on our sites? Or any other module that lets people upload something. Restricting extensions and mime types may not be enough

Mamba, I hope you didn't look at your compromised site from a Windows box. In any case, it may be a very good idea to update virus defs and do a full system scan on your own machine. But that you probably did already.

Quote:

They didn't put any pictures on my site. What they did is somehow modified my "index.php" file. Since then, I've changed it read only. And I was lucky enough to figure the whole mess within couple of hours at night when my users are asleep, so I hope that nobody got impacted by that.

Quote:

Unfortunately, I did go there, but I hope that nothing happened since I didn't download the file. I have virus checking software with latest updates and I didn't get any alerts so I hope, everything is OK. But just in case, I am also checking as we speak all my files with Windows OneCare. So far so good....

Mamba, Windows OneCare seems to be a good choice in this case as they say they can detect attempts at exploiting the vulnerability. Also good, of course, you didn't download the .wmf file. There might be some other avenues into your system, though. This one's quite nasty and comes through quite a choice of open doors. Also, it's not one particular virus or worm, but a gateway for people to install all different sorts of #OOPS# on our systems. I'm sure you're on top of it, but I think it's important to keep an eye on it, also to protect visitors to our sites from falling prey...

There's some good information at the Internet Storm Center (http://isc1.sans.org/), many other sites, of course. And MS on the issue at http://www.microsoft.com/technet/security/advisory/912840.mspx. Stay safe!

Oh! And I think m0nty is right when it comes to what has happened at your site. But the next attacker possibly wouldn't have to go through the server, but could just upload a file to a gallery or something. I was referring to the more general threat I see in this .wmf thing. Btw.: If they're on the server, "read only" may not make much of a difference. Depends.

Is there any way site owners can tell if an image file that has been uploaded to our galleries is infected - particularly if the site has an open gallery with a significant amount of uploads? Is it just a matter of restricting the file types that can be uploaded to .gif & .jpg files? Or is there more to it?

I would be lying if I said I knew. Restricting extensions is not enough. Could easily come with any extension. Mime types may be more effective, but perhaps still not enough... Looks to me like this might become a real problem. Others know better...

As for telling whether an image file is malicious: You'd probably have to rely on your AV software. So, if you look at it and your AV balks, then it's malicious. If not, it may still be malicious and just not yet recognized by the AV.