[Typo3] our webserver hacked, is typo3 the reason?
Peter Niederlag
niederlag at ikd01.de
Sat Apr 16 11:23:13 CEST 2005
Hi,
Diederik van Veen schrieb:
> I can assure you this is not a 'howto hack typo3' related question, I'm
> just a student who develops a site using typo3 and, against the wishes of our
> university's system administrator, decided to use an apache webserver with
> typo3 instead of their own windows IIS/ASP cms. So before I get 'this
> is all because of this crappy open source software' remarks from these
> guys I wanted to make sure that there is nothing related to typo3 that
> could be the reason.
>
> But let me start with what happened. Yesterday at 12:00 I logged in at the BE and
> after login typo3 didn't respond to any actions (so clicks had no
> effect). So I thought, well, let's try it again tomorrow. When checking the
> site today I got an error page (404), and asked the system admin of the
> webserver park what's going on. He checked the server and said it had been
> hacked at 21.15, and that he will try to find out the who/when/how/where
> of this hack (I cannot give more info, because I just don't know).
>
> To answer your questions:
> - Symptoms of the attack : ? don't know
> - datetime of the attack : 21.15
> - type of attack: don't know yet
> - System information : see below
> - OS of the server : win server 2003
> - what services were running : only apache / php /mysql / typo3 +
> winserver 2003 related services
> - patchlevel : ?
> - typo3 extensions : see below for entire list
>
> I run OS: winserver 2003 fully updated and secured by our system admin.
> The server itself is in a secure location (university network).
>
> I run typo3 3.6.2 now and my webserver software is:
> + Apache 2.0.48.0
> + MySQL 4.0.15
> + PHP 4.3.4.4 + PEAR
> + Perl 5.8.0 (mini)
> + mod_php 4.3.4
> + SQLite 2.8.6
> + mod_auth_mysql (only experimental)
>
> I have these extensions installed:
> $TYPO3_CONF_VARS['EXT']['extList'] =
> 'tsconfig_help,context_help,extra_page_cm_options,impexp,sys_note,tstemplate,tstemplate_ceditor,tstemplate_info,tstemplate_objbrowser,tstemplate_analyzer,tstemplate_styler,func_wizards,wizard_crpages,wizard_sortpages,lowlevel,install,belog,beuser,phpmyadmin,aboutmodules,imagelist,setup,taskcenter,sys_notepad,taskcenter_recent,taskcenter_rootlist,info_pagetsconfig,viewpage,tt_board,sys_todos,sys_workflows,conf_userts,tt_news,indexed_search,sys_stat,feuser_admin,lz_table,lz_gallery,dropdown_sitemap,julle_navpath,macina_searchbox,dir_listing,danp_documentdirs,sr_iframe,dkd_feuser_belogin,ve_guestbook,cc_ipauth,cc_iplogin_fe,tt_address,sp_directory,t3quixplorer,ingmar_admpanelwrap,gst_topcontent,rtehtmlarea,jw_calendar,newloginbox,dkd_redirect_at_login,swg_tca_ext_10mb,overlib,static_info_tables,pt_lib,pt_payment,pt_html2pdf,sg_zfelib,jp_staff,bf_xml_for_flash,ingmar_xmlmenu';
Well, first of all I seriously doubt there is a general flaw in AMP or
TYPO3.
So big chances are:
* are you *really* sure you have removed/changed default
accounts/passwords from TYPO3 and TYPO3-Install? [I find this disclosure
every once in a while]
* apache version seems to be OK, all later security flaws might not
be critical or exploitable in your environment.
http://www.apacheweek.com/features/security-20
* PHP version *might be critical*, since 4.3.4.4 seems outdated to me.
http://de3.php.net/manual/en/security.current.php
* some other misconfiguration that leads into vulnerability. I've
noticed you have cc_ipauth and cc_iplogin. I don't know, but are you sure
they were set up correctly and didn't allow some unwanted IP to gain access?
And it is *definitely not*(!) Open Source Software to blame. As said
already, running a server on the internet needs good knowledge and
attention, following the security related issues and updating
software whenever needed.
I can assure you I just had to fix a windows(TM) machine that was
infected by about 100 Trojans/browser-hijackers/keyloggers etc., which
nobody even noticed for a long time. ;)
Be sure to analyze the situation in depth (you, or your "server-guys") so
it won't happen again.
Good luck,
Peter
--
Peter Niederlag
http://www.niekom.de * TYPO3 & EDV Dienstleistungen *
http://www.typo3partner.net * professional services network *
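Peter's advice boils down to two things the student (or the "server-guys") can actually do: pin down what happened around 21.15, and check whether the TYPO3 backend or Install Tool was reached. The script below is an added example for this thread, not code from either message or from the TYPO3 project. It triages an Apache combined-format access log: it keeps the requests within a window around the reported time and flags hits on `/typo3/` (the backend) and `/typo3/install/` (the Install Tool). The log lines, the client addresses, and the date of the incident (the thread only gives the time 21.15) are constructed for the example; the 30-minute window and the +0200 timezone are assumptions.

```python
"""Triage an Apache combined access log around a reported compromise time.

Added example for this mailing-list thread; not code from the original
posts or from TYPO3. Filters requests to a window around the reported
attack time and flags requests to the TYPO3 backend and Install Tool.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not a real server log). One client visits the
# Install Tool and backend shortly before the reported time, another client
# just gets a 404 later on.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Apr/2005:20:58:02 +0200] "GET /index.php?id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Apr/2005:21:09:44 +0200] "GET /typo3/install/index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Apr/2005:21:10:03 +0200] "POST /typo3/install/index.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Apr/2005:21:14:51 +0200] "POST /typo3/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Apr/2005:21:30:12 +0200] "GET /index.php?id=3 HTTP/1.1" 404 300 "-" "Mozilla/4.0"
192.0.2.10 - - [15/Apr/2005:23:40:00 +0200] "GET /typo3/index.php HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
"""

# The thread only says "21.15"; the date and timezone here are assumed.
REPORTED_ATTACK = datetime(2005, 4, 15, 21, 15, tzinfo=timezone(timedelta(hours=2)))

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# TYPO3 paths worth a close look: the Install Tool first, then the backend login.
SENSITIVE_PREFIXES = ("/typo3/install/", "/typo3/")


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    entry["sensitive"] = entry["path"].startswith(SENSITIVE_PREFIXES)
    return entry


def triage(log_text, attack_time, window_minutes=30):
    """Entries within +/- window_minutes of attack_time, oldest first."""
    lo = attack_time - timedelta(minutes=window_minutes)
    hi = attack_time + timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and lo <= entry["ts"] <= hi:
            hits.append(entry)
    hits.sort(key=lambda e: e["ts"])
    return hits


def by_client(entries):
    """Map client IP -> (total requests, requests to sensitive paths)."""
    counts = {}
    for e in entries:
        total, sensitive = counts.get(e["ip"], (0, 0))
        counts[e["ip"]] = (total + 1, sensitive + (1 if e["sensitive"] else 0))
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG, REPORTED_ATTACK)
    for e in hits:
        flag = "!!" if e["sensitive"] else "  "
        print(flag, e["ts"].strftime("%H:%M:%S"), e["ip"], e["method"], e["path"], e["status"])
    print(by_client(hits))
```

On the constructed sample, the window keeps five requests and three of them are flagged, all from one client that touched the Install Tool and then the backend login a few minutes before the reported time. On a real server the same per-client summary, run over the actual access log, is what turns "hacked at 21.15" into something an admin can follow up on, and it is also the quickest way to see whether the Install Tool was reachable at all, which is the point Peter raises about default accounts.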