Blog

cmsmadesimple.org defacement

September 18th, 2007 by Tatu Wikman

The fastest of you noticed the defacement of cmsmadesimple.org site several days ago. The site had been defaced by a script kiddie. The actual script that had been used was r57shell (google). Its a litlle tool one can use to upload / download and query stuff from the server.

The script had been there for a while and gone unnoticed as it wasn’t used for anything else than removing the log entries from that time :/

One thing is certain, the hole they have used is old, it looks like the FCKEditorX filemanager hole was used, but we cant be sure.

We have checked that the release files are intact, and as far as we know no data has been compromised.

We are still trying to dig more info about this incident, and are in the process of securing the server up a notch.

Sorry about the problems.

This entry was posted on Tuesday, September 18th, 2007 at 1:59 pm and is filed under Sites. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

4 Responses to “cmsmadesimple.org defacement”

  1. Daniel15 Says:
    September 19th, 2007 at 8:45 pm

    Perhaps you should disable commands like exec, shell_exec, system, etc. on the server? This would make problems like this non-existant.

  2. tsw Says:
    September 20th, 2007 at 12:45 am

    Easier said than done, we have lots of custom built scripts (translation center for example) that needs to be able to interact with svn..

  3. Ross Olson Says:
    September 21st, 2007 at 12:10 pm

    http://wiki.cmsmadesimple.org/index.php/Main_Page shows up as dark print on a dark background and cannot be read on my computer. Is that still part of the defacement or is there something I have to do to be able to see it properly?
    Thanks

  4. tsw Says:
    September 23rd, 2007 at 4:00 am

    Wiki looks correct to me.

Leave a Reply