[TYPO3-dev] Hacked TYPO3 Sites

Wolfgang Klinger wolfgang at stufenlos.net
Tue Jul 31 12:16:59 CEST 2007


*hiya!*

On Jul 31, 2007, at 12:06 PM, Stefan Beylen wrote:
> one runs on 3.8.1, the other one on 4.1
>
> apparently system commands are executed to add javascript/php/whatever
> to files (.js,.php). last time code was injected into localconf.php that
> echoed some weird text and a link and turned error_reporting off, before
> that javascript was added to a typo3temp js file that output an iframe
> to some weird site (this site was throwing a 404)

Yes, I had such a case two days or so ago,
the attacker managed to add something like
---
echo base64_decode 
("ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC 
AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC 
AgICAgICAgICAgICAgICAgICAgICAgICAgPHNwYW4gc3R5bGU9InBvc2l0aW9uOmFic29sdX 
RlO2xlZnQ6LTk5OTlweDt0b3A6LTk5OTlweCI 
+QXMgdGhlIGNsaW1hdGUgb24gdmlhZ3JhIGluZmx1ZW5jZXMuIEluIENhbmFkYSBpdCBpbiB 
nZW5lcmFsIGFueSBlZmZlY3QhIFNvIHRoZSBiZXN0IGNob2ljZSBpcyB0byA8YSBocmVmPSJ 
odHRwOi8vd3d3LnZpYWdyYS1mcm9tLWNhbmFkYS5jb20vIiBhbHQ9InZpYWdyYSIgdGl0bGU 
9InZpYWdyYSI+YnV5IHZpYWdyYSBpbiBjYW5hZGE8L2E 
+LiBBbmQgdGhlbiB5b3Ugd2lsbCBub3QgaGF2ZSBhbnkgcHJvYmxlbXMgd2l0aCBoZWFsdGg 
sIGFuZCBlc3BlY2lhbGx5IHdpdGggYSBjbGltYXRlLCBhZnRlciBhbGwgY2hhbmdlIGEgY2x 
pbWF0ZSBkb2VzIG5vdCBpbmZsdWVuY2UgaW4gYW55IHdheSB5b3VyIHBoeXNpY2FsIGNvbmR 
pdGlvbiB3aGVuIHRoZXJlIGlzIGEgdmlhZ3JhPC9zcGFuPg0K");
---
to ./typo3conf/temp_CACHED_ps53be_ext_data.php

No backend login was possible and the website had problems too.
All extensions were up-to-date, maybe phpmyadmin was not, but I'm
not sure right now.

TYPO3 3.8.1


bye
Wolfgang
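
A triage check for the kind of injection described in this thread, added here as an example and not part of the original post: it finds `echo`/`print`/`eval` of a literal `base64_decode` string in PHP source, decodes it, and tags off-screen elements, iframes and external links in the result. The function names, the marker list and the sample file are assumptions constructed for illustration.

```python
import base64
import re

# echo/print/eval of base64_decode("<literal>"); whitespace and line wraps
# inside the literal are tolerated because injected blobs are often re-wrapped.
INJECT_RE = re.compile(
    r"""\b(echo|print|eval)\s*\(?\s*base64_decode\s*\(\s*(["'])([A-Za-z0-9+/=\s]{40,}?)\2\s*\)""",
    re.IGNORECASE,
)
# Markers of hidden spam or drive-by content in the decoded payload (assumed list).
SUSPICIOUS = {
    "offscreen-element": re.compile(r"(left|top)\s*:\s*-\d{3,}px", re.I),
    "iframe": re.compile(r"<iframe\b", re.I),
    "external-link": re.compile(r"<a\s[^>]*href\s*=\s*[\"']?https?://", re.I),
}

def scan_php_source(text):
    """Return one finding per literal base64_decode() call found in text."""
    findings = []
    for m in INJECT_RE.finditer(text):
        blob = re.sub(r"\s+", "", m.group(3))
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
        except ValueError:  # not valid base64 after all
            continue
        decoded = raw.decode("utf-8", "replace").strip()
        tags = sorted(n for n, rx in SUSPICIOUS.items() if rx.search(decoded))
        findings.append({"line": text.count("\n", 0, m.start()) + 1,
                         "call": m.group(1).lower(),
                         "tags": tags, "decoded": decoded})
    return findings

def constructed_sample():
    """Constructed stand-in for a tampered cache file (not the blob from the post)."""
    html = ('<span style="position:absolute;left:-9999px;top:-9999px">'
            '<a href="http://spam.example/">x</a></span>')
    b64 = base64.b64encode(html.encode()).decode()
    wrapped = " \n".join(b64[i:i + 20] for i in range(0, len(b64), 20))
    return '<?php\n$loaded = array();\necho base64_decode \n("%s");\n?>\n' % wrapped

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. files under typo3conf/ and typo3temp/
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_php_source(fh.read()):
                print(path, f["line"], f["call"], f["tags"], f["decoded"][:80])
```

Calls that pass a variable rather than a string literal are not matched, so a clean result from this check alone does not clear a file.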




