[TYPO3-dev] typo3.org login

Erik Svendsen erik at linnearad.no
Tue Nov 18 20:23:52 CET 2008


Hello Dmitry,

> Hi!
> 
> Erik Svendsen wrote:
> 
>> If it's an "intrusion" with an admin account and password you may be
>> in deep shit, so guys - take extremely good care of admin accounts and
>> their passwords. An intruder may have had access for months, without
>> doing other things than putting in small pieces of backdoors and so
>> on. As admin, you may change pretty much any code in the system. And as
>> he/she is using an official account, maybe no one will notice until
>> you find some signs like people trying to log in to other websites.
>> 
>> So the "leak" of user data and passwords is probably the part which
>> is easiest to recover from.
>> 
> Well, I never had Backend access to typo3.org, so I cannot tell if
> they have correct file permissions there. But if they do, the admin
> user will never be able to modify core files. Only files in
> typo3temp/, typo3conf/ and uploads/ will be accessible for writing. I
> hope that the typo3.org setup was properly supervised by the security
> team.
> 

I suppose the setup was OK, but even with only access to local extensions, 
uploads and fileadmin there is some damage which can be done, and some cleanup 
to do, depending on the content and number of extensions.

Another community I'm a member of had an intrusion with an admin account about 
two years ago, and we used about 5 days to clean up and secure the system. 
The time-consuming part was the need to check every possibility for "malware" 
code, even in the database. Use of, for instance, 1-pixel iframes in content 
wasn't such a problem then, but you have to check every possibility, and 
it takes time. It also has to be done correctly, and in a proper way.

That's why such an incident should encourage people to make a short security 
review of their own installations.

I do it regularly at all the installations I support.

WBR,
Erik Svendsen
www.linnearad.no
