[TYPO3-dev] Hacked TYPO3 Sites

Martin Kutschker martin.kutschker-n0spam at no5pam-blackbox.net
Tue Jul 31 20:53:44 CEST 2007


Wolfgang Klinger wrote:
> 
> *hiya!*
> 
> On Jul 31, 2007, at 12:06 PM, Stefan Beylen wrote:
>> one runs on 3.8.1, the other one on 4.1
>>
>> apparently system commands are executed to add javascript/php/whatever
>> to files (.js,.php). last time code was injected into localconf.php that
>> echoed some weird text and a link and turned error_reporting off, before
>> that javascript was added to a typo3temp js file that output an iframe
>> to some weird site (this site was throwing a 404)
> 
> Yes, I had such a case two days or so ago,
> the attacker managed to add something like
> ---
> echo 
> base64_decode("ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPHNwYW4gc3R5bGU9InBvc2l0aW9uOmFic29sdXRlO2xlZnQ6LTk5OTlweDt0b3A6LTk5OTlweCI+QXMgdGhlIGNsaW1hdGUgb24gdmlhZ3JhIGluZmx1ZW5jZXMuIEluIENhbmFkYSBpdCBpbiBnZW5lcmFsIGFueSBlZmZlY3QhIFNvIHRoZSBiZXN0IGNob2ljZSBpcyB0byA8YSBocmVmPSJodHRwOi8vd3d3LnZpYWdyYS1mcm9tLWNhbmFkYS5jb20vIiBhbHQ9InZpYWdyYSIgdGl0bGU9InZpYWdyYSI+YnV5IHZpYWdyYSBpbiBjYW5hZGE8L2E+LiBBbmQgdGhlbiB5b3Ugd2lsbCBub3QgaGF2ZSBhbnkgcHJvYmxlbXMgd2l0aCBoZWFsdGgsIGFuZCBlc3BlY2lhbGx5IHdpdGggYSBjbGltYXRlLCBhZnRlciBhbGwgY2hhbmdlIGEgY2xpbWF0ZSBkb2VzIG5vdCBpbmZsdWVuY2UgaW4gYW55IHdheSB5b3VyIHBoeXNpY2FsIGNvbmRpdGlvbiB3aGVuIHRoZXJlIGlzIGEgdmlhZ3JhPC9zcGFuPg0K"); 
> 
> ---
> to ./typo3conf/temp_CACHED_ps53be_ext_data.php

Would it be security-wise better to remove PHP config files in favour of 
XML files (with XML-CASE-constructs and PHP post-processing hooks) and 
caching with serialized arrays?

Masi
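
One way to hunt for the injections described in this thread, as an added example that is not part of the original messages: it flags `base64_decode()` calls on string literals whose decoded content carries off-screen markup, links or iframes, and flags `error_reporting(0)`. The function name, indicator names and sample input are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# base64_decode() called with a string literal, as in the snippet quoted in the thread
B64_CALL = re.compile(r"""base64_decode\s*\(\s*(["'])([A-Za-z0-9+/=\s]{16,})\1\s*\)""")
# error_reporting switched off, the other symptom reported for localconf.php
ERR_OFF = re.compile(r"error_reporting\s*\(\s*0\s*\)")
# What the injected content in the thread produced: off-screen markup, links, iframes
INDICATORS = {
    "offscreen-markup": re.compile(r"(left|top)\s*:\s*-\d{3,}px", re.I),
    "iframe": re.compile(r"<iframe\b", re.I),
    "link": re.compile(r"<a\s[^>]*href\s*=", re.I),
}


def scan_php_source(source):
    """Return sorted (line, finding, detail) tuples for one file's text."""
    findings = []
    for m in B64_CALL.finditer(source):
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", m.group(2)), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64, nothing to inspect
        text = raw.decode("utf-8", errors="replace").strip()
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if hits:
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, "base64:" + "+".join(hits), text[:60]))
    for m in ERR_OFF.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        findings.append((line, "error-reporting-off", m.group(0)))
    return sorted(findings)


# Constructed sample input (not from a real site); example.invalid is a placeholder
_PAYLOAD = b'<span style="position:absolute;left:-9999px"><a href="http://example.invalid/">x</a></span>'
SAMPLE = (
    "<?php\n"
    "error_reporting(0);\n"
    'echo base64_decode("' + base64.b64encode(_PAYLOAD).decode() + '");\n'
    "$ok = base64_decode('" + base64.b64encode(b"benign cached value 123").decode() + "');\n"
    "?>\n"
)

if __name__ == "__main__":
    for finding in scan_php_source(SAMPLE):
        print(finding)
```

Running it over the text of each file under `typo3conf/` and `typo3temp/` gives a short review list; a benign `base64_decode()` whose decoded content matches no indicator is not reported.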



