[Typo3] our webserver hacked, is typo3 the reason?

Fri Apr 15 21:35:06 CEST 2005

I can assure you this is not an 'howto' hack typo3 related question, i'm 
just a student who develop a site using typo3 and against whishes of our 
universties system administrator decided to use an apache webser with typo3, 
instead of their own windows iss/asp cms. So before I get 'this is all 
because of this crappy open source software' remarks from these guys i 
wanted to make sure that their is nothing related to typo3 that could be the 
reason.

But let me start what happened. Yesterday at 12:00 I login at the BE and 
after login typo3 didn't repond to any actions (so clicks had no effect). So 
I though, well lets try it again tomorrow. When checking the site today I 
geot an error page (404), and ask the system admin of the webserver park 
whats going on. He check the server and said it had been hacked at 21.15, 
and that he wil try to find out the who/when/how/where of this hack (i 
cannot give to more info, cause i just don't know)

To answer your questions:
- Symptoms of the attack : ? don't know
- datetime of the attack : 21.15
- type of attack: don't know yet
- System information : see below
- OS of the server : win serevr 2003
- what services where running : only apache / php /mysql / typo3 + winserver 
2003 related services
- patchlevel : ?
- typo3 extensions : see below for entire list

I run OS: winserver 2003 fully updated and secured by our system admin. The 
server itself is in a secure location (university network)

In run typo3 3.6.2 now and my webserver software is:
+ Apache 2.0.48.0
+ MySQL 4.0.15
+ PHP 4.3.4.4 + PEAR
+ Perl 5.8.0 (mini)
+ mod_php 4.3.4
+ SQLite 2.8.6
+ mod_auth_mysql (only experimental)

I have these extensions installed:
$TYPO3_CONF_VARS['EXT']['extList'] = 
'tsconfig_help,context_help,extra_page_cm_options,impexp,sys_note,tstemplate,tstemplate_ceditor,tstemplate_info,tstemplate_objbrowser,tstemplate_analyzer,tstemplate_styler,func_wizards,wizard_crpages,wizard_sortpages,lowlevel,install,belog,beuser,phpmyadmin,aboutmodules,imagelist,setup,taskcenter,sys_notepad,taskcenter_recent,taskcenter_rootlist,info_pagetsconfig,viewpage,tt_board,sys_todos,sys_workflows,conf_userts,tt_news,indexed_search,sys_stat,feuser_admin,lz_table,lz_gallery,dropdown_sitemap,julle_navpath,macina_searchbox,dir_listing,danp_documentdirs,sr_iframe,dkd_feuser_belogin,ve_guestbook,cc_ipauth,cc_iplogin_fe,tt_address,sp_directory,t3quixplorer,ingmar_admpanelwrap,gst_topcontent,rtehtmlarea,jw_calendar,newloginbox,dkd_redirect_at_login,swg_tca_ext_10mb,overlib,static_info_tables,pt_lib,pt_payment,pt_html2pdf,sg_zfelib,jp_staff,bf_xml_for_flash,ingmar_xmlmenu';

>From: "Mathias Schreiber [wmdb]" <mathias.schreiber at wmdb.de>
>Reply-To: TYPO3 English <typo3-english at lists.netfielders.de>
>To: typo3-english at lists.netfielders.de
>Subject: Re: [Typo3] our webserver hacked, is typo3 the reason?
>Date: Fri, 15 Apr 2005 19:04:55 +0200
>
>Joe Frontman wrote:
>>Nevertheless it sounds very rude to me blaming someone on first sight.
>>Asking for more details about that server hack (server logs, etc.) seems 
>>to be more appropriate.
>
>agreed.
>I apologize officially (for real).
>In this case I need the following infos:
>------------------------------------------
>- Symptoms of the attack
>   - datetime of the attack
>   - type of attack
>- System information
>   - OS of the server
>   - what services where running
>   - patchlevel
>   - typo3 extensions
>
>
>--
>No Subject - No Realname - No Service!
>Respect the List/Newsgroup Rules!
>  >> http://typo3.org/1438.0.html <<
>--------------------------------------
>if ($GLOBALS['TSFE']->feuser->data['ahnung'] == 0) {
>	$this->fresseHalten = 1;
>}
>_______________________________________________
>Typo3-english mailing list
>Typo3-english at lists.netfielders.de
>http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-english

_________________________________________________________________
Don’t just search. Find. Check out the new MSN Search! 
http://search.msn.click-url.com/go/onm00200636ave/direct/01/