Weird code in security.log.php
 


Started by isajade, February 20, 2009, 02:07:51 PM


isajade

Hi,

I am upgrading today and found some weird code in security.log.php (in the logs folder). It is located just after a short list of failed login attempts, then the list continues.
I was hacked a couple of years ago, and had sanitized the whole gallery. Maybe I missed this?

My gallery: http://gallery.angel-us.com/ (I have put it offline).

Quote
Failed login attempt with Username: into5603@gallery.angel-us.com from IP 140.115.117.6 on Oct 15, 2006 at 01:39 AM
Failed login attempt with Username: g
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain
X-Mailer: Calypso Version 3.30.00.00 (4)
Subject: sweet, delicately flavoured moist
cc: burto131@aol.com
cc: xxjosh29xx@aol.com
cc: wernerjerneizig@aol.com
cc: jean73210@aol.com
cc: chumki100@aol.com
cc: topcopl2@aol.com

in the regulations for the production of ayonne am. he meat itself does not=
have to come from


isajade

I noticed that the file was not in the original package, so I felt it was generated when the first failed login happened. So I have deleted the file and entered a wrong login, and the gallery generated a fresh file. Please let me know if I did the right thing.

Is there a place where I can see all the files that should be on the FTP (including the ones the gallery generated itself)? Thank you.

Joachim Müller

Quote from: isajade on February 21, 2009, 01:52:32 PM
I noticed that the file was not in the original package, so I felt it was generated when the first failed login happened. So I have deleted the file and entered a wrong login, and the gallery generated a fresh file. Please let me know if I did the right thing.

Is there a place where I can see all the files that should be on the FTP?
Just download a vanilla package and then perform a comparison. You probably have been hacked. Do as suggested in Yikes, I've been hacked! Now what?

isajade

Thank you. By vanilla package you mean a new one?

Some files are generated by the gallery itself, like security.log.php. So if I delete a file that is not in a new package, it's OK? I have deleted the .DS_Store file when I updated, as this one wasn't in the new package. I've checked the board before, and read in a message that it wasn't a problem to delete it.

Joachim Müller

Quote from: isajade on February 25, 2009, 10:36:51 AM
Thank you. By vanilla package you mean a new one?
Yes.

Quote from: isajade on February 25, 2009, 10:36:51 AM
Some files are generated by the gallery itself, like security.log.php. So if I delete a file that is not in a new package, it's OK?
Yes
Quote from: isajade on February 25, 2009, 10:36:51 AM
I have deleted the .DS_Store file when I updated, as this one wasn't in the new package.
That's fine - this is a Mac file that doesn't have any impact on a webserver.
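
The comparison against a vanilla package suggested above can be scripted. This is an added example, not part of the original posts or of the gallery's own code; it assumes the package is the same version as the installed gallery and has been unpacked locally, and the `EXPECTED_EXTRA` allowlist is a hypothetical starting point built from the two files named in this thread.

```python
import hashlib
from pathlib import Path

# Assumption: paths the gallery or the OS creates at runtime, so their
# absence from the package is expected (both are named in the thread).
EXPECTED_EXTRA = {"logs/security.log.php", ".DS_Store"}


def _digests(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_trees(vanilla_dir, live_dir, expected_extra=EXPECTED_EXTRA):
    """Classify files of the live install against a freshly unpacked package."""
    vanilla, live = _digests(vanilla_dir), _digests(live_dir)
    report = {"modified": [], "unexpected": [], "generated": [], "missing": []}
    for path in sorted(live):
        if path in vanilla:
            if live[path] != vanilla[path]:
                report["modified"].append(path)   # shipped file, different content
        elif path in expected_extra or Path(path).name in expected_extra:
            report["generated"].append(path)      # known runtime-created file
        else:
            report["unexpected"].append(path)     # not shipped, not allowlisted
    report["missing"] = sorted(set(vanilla) - set(live))
    return report


if __name__ == "__main__":
    import sys
    # Usage: python compare.py <unpacked-vanilla-dir> <copy-of-live-dir>
    for kind, paths in compare_trees(sys.argv[1], sys.argv[2]).items():
        for path in paths:
            print(f"{kind:10} {path}")
```

Uploaded pictures and the site's own configuration will also be reported as unexpected or modified and need a manual look. A file listed as generated has only been matched by name, so its content should still be read, as with the log quoted in the first post.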

isajade