Suspicious Links And Javascript In Html Files
Shanep
Hey,

Just curious as to what is going on here or if others are having the same problem. I have been noticing these obscure (warez) type links showing up on my blog.

In the code there is also some obscure javascript, it's happened not only on templates but regular HTML pages that I have uploaded.

This is a fairly recent thing and I have no idea as to how they're being injected. There is nothing else done to the site so I can only assume they're getting pumped into the page via the database somehow?

Any tips would be greatly appreciated (note: I'm running the latest MT version).

Thanks,

Shane
lisa
QUOTE (Shanep @ Dec 19 2005, 01:30 PM)
Hey,

Just curious as to what is going on here or if others are having the same problem.  I have been noticing these obscure (warez) type links showing up on my blog.

In the code there is also some obscure javascript, it's happened not only on templates but regular HTML pages that I have uploaded.

This is a fairly recent thing and I have no idea as to how they're being injected. There is nothing else done to the site so I can only assume they're getting pumped into the page via the database somehow?

Any tips would be greatly appreciated (note: I'm running the latest MT version).

Thanks,

Shane
*

I'd check your directory permissions. If they're 777, you might want to tweak them to allow less access.
Nobody
QUOTE (lisa @ Dec 19 2005, 09:42 PM)
I'd check your directory permissions. If they're 777, you might want to tweak them to allow less access.
*

I had something similar happen a few months ago. I noticed my directories were 777, so I changed them to 755. However, when I rebuilt the site, all of the directory permissions changed back to 777. Any ideas why that happened?

Also, there may be a bigger evil going on with my site. Recently I stumbled upon a subdirectory in my /archives/ that held gigs(!) of bittorrent files. Scattered throughout the top level and archive directories of my blog were wayward .php files that I never placed there. They had names like download.php, update.php, etc.--PHP "control" files that apparently allowed torrent sharing for those unknown-to-me hidden files on my site. I was able to delete the .php files, but I can't delete the actual downloadables or the directories they are within. Am I alone in this problem, or is this some new MT hack technique that I have not heard of until now?
lisa
QUOTE (Nobody @ Dec 21 2005, 03:16 PM)
I had something similar happen a few months ago. I noticed my directories were 777, so I changed them to 755. However, when I rebuilt the site, all of the directory permissions changed back to 777. Any ideas why that happened?


In mt-config.cgi, change (and uncomment):
HTMLPerms 0644
UploadPerms 0644
HTMLUmask 0133
DirUmask 0022

Then MT will use those permissions when you rebuild and not revert to 777.

QUOTE
Also, there may be a bigger evil going on with my site. Recently I stumbled upon a subdirectory in my /archives/ that held gigs(!) of bittorrent files. Scattered throughout the top level and archive directories of my blog were wayward .php files that I never placed there. They had names like download.php, update.php, etc.--PHP "control" files that apparently allowed torrent sharing for those unknown-to-me hidden files on my site. I was able to delete the .php files, but I can't delete the actual downloadables or the directories they are within. Am I alone in this problem, or is this some new MT hack technique that I have not heard of until now?
*


That's pretty scary. I haven't heard anything about it before, but you should post this part in a new thread so we can better track it. (That's my opinion -- you can leave it here if you prefer.)
MissZoot
QUOTE (lisa @ Dec 21 2005, 08:34 PM)
QUOTE (Nobody @ Dec 21 2005, 03:16 PM)
I had something similar happen a few months ago. I noticed my directories were 777, so I changed them to 755. However, when I rebuilt the site, all of the directory permissions changed back to 777. Any ideas why that happened?


In mt-config.cgi, change (and uncomment):
HTMLPerms 0644
UploadPerms 0644
HTMLUmask 0133
DirUmask 0022

Then MT will use those permissions when you rebuild and not revert to 777.

QUOTE
Also, there may be a bigger evil going on with my site. Recently I stumbled upon a subdirectory in my /archives/ that held gigs(!) of bittorrent files. Scattered throughout the top level and archive directories of my blog were wayward .php files that I never placed there. They had names like download.php, update.php, etc.--PHP "control" files that apparently allowed torrent sharing for those unknown-to-me hidden files on my site. I was able to delete the .php files, but I can't delete the actual downloadables or the directories they are within. Am I alone in this problem, or is this some new MT hack technique that I have not heard of until now?
*


That's pretty scary. I haven't heard anything about it before, but you should post this part in a new thread so we can better track it. (That's my opinion -- you can leave it here if you prefer.)
*




All of the above here seems to relate to a problem I'm having today. My host has alerted me to the same type of issues, my site being hijacked due to the vulnerabilities of the 777 directories. I too had random links on individual archives pages spread throughout my site. It looks like my entire site has been compromised and they are going to have to implement a backup made months ago to undo what damage has been done. This is new territory for me and I'm not sure exactly what to do to keep it from happening again - but I DO want to make sure it is known that the same things happened on my site due to the 777 vulnerabilities.

So, I'm assuming once I get everything up and running again that you would suggest changing all directory permissions and then changing the .cgi file as mentioned above so it won't reset? Will that keep MT from making archive directories 777 again? I apologize if I don't explain myself well, I don't know the lingo.
lisa
Hey Zoot :)

Once you make the changes in mt-config.cgi to tighten down the permissions, Movable Type will use those. BUT you'll need to remove your old archive directories so that you can have them recreated with the right permissions. (I can't remember if you post your photos in an /images directory or in your archives.)

Anyway, if you can't remove your old directories, then you can change the permissions to tighten them up.

Lisa
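
Added example (not part of the original thread, and not Movable Type's own tooling): a shell audit for the situation discussed above, listing world-writable paths and stray .php files in a published blog tree, then applying the 755/644 modes the thread settles on. The function names are hypothetical, and it assumes the directory you pass holds only static published output (not the MT CGI directory, whose scripts must stay executable).

```shell
#!/bin/sh
# Added example: audit and tighten a statically published blog directory.
# Assumption: "$1" is your own published blog/archive directory and is
# expected to contain only static files written by a rebuild.

# List directories and files that any local user can write to (777, 666, ...).
find_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print | sort
}

# List PHP files in a tree that should hold only static output.
# Review each hit, and keep a copy for your host, before deleting.
find_unexpected_php() {
    find "$1" -type f -iname '*.php' -print | sort
}

# Apply 755 to directories and 644 to files, matching the modes in the thread.
tighten_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Print findings; exit status 0 means clean, 1 means something needs review,
# so the function can be used from cron or a post-rebuild hook.
audit_site() {
    _ww=$(find_world_writable "$1")
    _php=$(find_unexpected_php "$1")
    [ -n "$_ww" ] && printf 'world-writable:\n%s\n' "$_ww"
    [ -n "$_php" ] && printf 'PHP in static tree:\n%s\n' "$_php"
    [ -z "$_ww" ] && [ -z "$_php" ]
}

# Run the audit when a directory is given on the command line.
if [ "$#" -ge 1 ]; then
    audit_site "$1"
fi
```

Tightening modes only closes the write access; files that were already planted stay in place until they are reviewed and removed, which is why the audit reports them separately.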