1 (edited by 2015-05-31 19:38:31)

Topic: Possible Security-Breach?

I have already solved that problem, see next post

Hi there,

I am using CuteNews on my website and was currently informed by Stratos SiteGuard that someone ran a script on my server, in which I only include the "show_news.php" of CuteNews. Literally, the file only consists of (old) HTML-Code and the includes. The hacker seemed to perform some "create" and "rename-to" - "rename-from"-Actions, starting from an unknown file called "online.php-someNumbers.bak". However, the breach doesn't seem to permit him to many permissions as he firstly creates such ".bak"-files an then rename them. Further, those files include code which I interpret as some Brute-Force-Attack:

For instance, there is a file called "users.txt" which consists mysterious code and some random letters (probably encrypted code), but also a "conf.php" with a huge list which is built of the same principle. Moreover, I can see the folders called "users", "news" and "btree", all including those mysterious files and lines of code. Interestingly, the required folder "CDATA" is the only affected folder, as far as I have checked the server.

Thanks and see you soon

2 (edited by 2015-05-31 19:40:22)

Re: Possible Security-Breach?

Those lines of code are just base64-encrypted Code and the reported file is just a logfile of users who visited the website. Hence, the "hacker" is actually the system itself ..and those "Brute-Force-Attack" is only a file consisting the registered users.. The SiteGuard reported some false-positives and I shit myself for no reason I guess