Development

Security question

posts: 32

My site has been probed on a more or less daily basis since the 19th looking for php files in one of two directories. There seem to have been 2 forms of probing, the second looking for an enhanced list of php files in the two directories. Fortunately, owing to its configuration I don't seem to have been hacked as the files were 404 or 403 and a rootkit sweep shows nothing.

Looking at my apache logs the script tries to read tiki-index, then looks for tiki-top_bar.tpl, then tiki-contact.php

I've a couple of questions (that seem to have been asked as comments to your security posts on the main page, but I've not seen answered).

What is the mechanism that this script uses to actually upload the php files to the temp dirs?
Is an account necessary?

Is it possible for you to give a few details about what was altered so that those who've customised their setups can backport the mods? Even a list of the files would be useful.

What is significant in tiki-top_bar.tpl - I can think it might have been version information, from the CVS header, or something to do with the javascript toggle?
It might be worthwhile to ensure your server setup doesn't serve tpl files if requested directly, in addition to the other Apache configs mentioned.

Any answers appreciated - and for all those running TW sites - searching your logs for eg shell.php might be worthwhile.

Cheers

Andrew
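Andrew suggests searching your Apache logs for names like shell.php. The script below is an added example (not code from this thread or from the Tiki project) that does that search over a combined-format access log: it pulls out requests for tiki-top_bar.tpl, shell.php and any .php file under a /temp/ directory, then separates the ones that returned 200, since a probe that got a 404 or 403 failed while a 200 on a .php file in an upload directory means the server actually executed something. It assumes the standard combined log layout (client IP in field 1, request path in field 7, status in field 9) and uses a constructed sample log; the PROBE_PATTERN list is my own and should be extended with whatever your own logs show.

```shell
#!/bin/sh
# Added example, not from the original post: scan an Apache combined-format
# access log for the probe patterns described in the thread.
# The sample log written by make_sample_log is constructed for this demo.

# Indicators taken from the post: direct requests for the tiki-top_bar.tpl
# template, shell.php, and .php files under a /temp/ directory.
# Brackets are used instead of backslash escapes because awk -v rewrites
# escape sequences in its values.
PROBE_PATTERN='tiki-top_bar[.]tpl|shell[.]php|/temp/[^ ]*[.]php'

# scan_log LOGFILE
# Print "ip status path" for every request whose path matches PROBE_PATTERN,
# sorted by IP so one scanner's activity reads as a single block.
scan_log() {
    awk -v pat="$PROBE_PATTERN" '
        # combined log: $1 = client ip, $7 = request path, $9 = status code
        $7 ~ pat { print $1, $9, $7 }
    ' "$1" | sort
}

# count_probes LOGFILE
# Number of probe requests found (all statuses).
count_probes() {
    scan_log "$1" | wc -l | tr -d ' '
}

# successful_probes LOGFILE
# Only the probes that returned 200: a .php file in a temp directory that
# answered 200 was executed by the server, so these go to the top of the
# incident list; 403/404 hits are failed reconnaissance.
successful_probes() {
    scan_log "$1" | awk '$2 == 200'
}

# make_sample_log FILE
# Write a constructed six-line log: two normal page views, three probes that
# failed (403/404) and one probe that succeeded (200).
make_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [19/Mar/2005:10:01:00 +0000] "GET /tiki-index.php HTTP/1.0" 200 5123
203.0.113.5 - - [19/Mar/2005:10:01:02 +0000] "GET /tiki-top_bar.tpl HTTP/1.0" 403 289
203.0.113.5 - - [19/Mar/2005:10:01:03 +0000] "GET /tiki-contact.php HTTP/1.0" 404 290
203.0.113.5 - - [19/Mar/2005:10:01:05 +0000] "GET /temp/shell.php HTTP/1.0" 404 290
198.51.100.9 - - [19/Mar/2005:11:30:00 +0000] "GET /tiki-view_articles.php HTTP/1.0" 200 8123
198.51.100.9 - - [19/Mar/2005:11:30:09 +0000] "GET /temp/x.php HTTP/1.0" 200 120
EOF
}

# Demo run against the constructed sample. For a real check, call
# scan_log and successful_probes on /var/log/apache2/access.log (or your
# equivalent) instead.
SAMPLE=$(mktemp)
make_sample_log "$SAMPLE"
echo "All probe requests (ip status path):"
scan_log "$SAMPLE"
echo "Probes that returned 200 (investigate these first):"
successful_probes "$SAMPLE"
rm -f "$SAMPLE"
```

Note that tiki-contact.php is deliberately not in the pattern: it is a legitimate Tiki page that the scanner happened to request, so matching it would flag ordinary visitors. Tune the pattern to paths that should never be requested directly on your install.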

posts: 32

Further prods at my box today have resulted in my ))SandBox(( being spammed - the version I was using allowed anonymous edits of the sandbox - which is where I think the problem of server compromise seems to come from. They managed to save some links for the usual viagra type drugs that you see in spam all the time.

I'm guessing, but if the sandbox is edited, a non-image image may be possible to be saved and can be included and uploaded to the temp dir (if you've not put the apache server directives in as warned about) to be executed at leisure by the rogues who want your box - which may be their mode of action. I've edited my tiki-editpage.php to make sandbox edits by anonymous users impossible - I don't know if this is implemented in 1.8.5 but I think it should be.

Other files that were poked at today were the tiki-map file - I think they were looking for wiki page names so they could edit them too and include spam, also the slideshow feature had various random numbers fed to it (including negative slides - which it took!) again I think it was searching for names.

Looks to be open season on TW at the moment, so watch out, and keep your system up to date and backed up rigorously.

Cheers

Andrew

posts: 2881 United Kingdom

Yup

Security is a major problem, and a lot of Tiki powered sites are vulnerable sad

These PHP files are web based versions of the bash shell, you can upload a full root kit and then effectively run as "root" on the host system. sad

SECURE YOUR TIKI!

Damian

