Messages - nunoleite

1
Feng Office 3 / Re: Feng Office 3.1.2.2 hacked
« on: May 22, 2015, 06:47:31 am »
Hi!

So far so good with version 3.1.5.1.

What is strange is that I have lots of other sub-domains and none of them was hacked. And in the case of Feng Office every single file was overwritten.

As this is very easy to do with a simple script, if the attack came from another account inside the server or even the server itself, it would have happened to all accounts, and all PHP files. I even have other users with Feng Office 3.1.2.2 installed in their sub-domains and none were hacked. Only this one was hacked. This is why I think this is very strange.

This Feng Office is used by only 2 users and has almost no content. It has some tasks and documents and 2 email accounts. Could it be from a bad email? This is the only thing that I think could be the cause of this.
As I don't those email accounts in Feng Office, I just deleted all the emails and the accounts.

So, now let's wait and see if it happens again.

Thank you.

2
Feng Office 3 / Re: Feng Office 3.1.2.2 hacked
« on: May 19, 2015, 03:59:01 pm »
Hi!

I always use your official downloads, from SourceForge.

Today I replaced it with a backup that was good, and updated to 3.1.5.1.

Let's see the next days...

It was very strange as this is one of my sub-domains, and I have some with other scripts, and only this one was hacked...

3
Feng Office 3 / Re: After update to 3.1.3 permissions problem
« on: April 13, 2015, 11:50:02 am »
Hi!

Changed the users from External Collaborator to Executive, and now I can give them permissions to use the Tasks as read/write.

Was there any change in this kind of permissions?

Thanks
Nuno Leite

4
Feng Office 3 / After update to 3.1.3 permissions problem
« on: April 12, 2015, 08:04:12 am »
Hi!

After the update from 3.1.2.2 to 3.1.3 all my external collaborators lost access to tasks.

And as I can see, I can only give read/write permissions to documents and time.

Please advise.

Thanks
Nuno Leite

5
Feng Office 3 / Feng Office 3.1.2.2 hacked
« on: April 10, 2015, 03:37:28 am »
Hi!

Tonight my sub domain with Feng Office 3.1.2.2 was hacked. This community version is not very used, it's almost never used. The last thing done was 2 weeks ago when I updated to 3.1.2.2.

These files were introduced:
help.htm   75 bytes
help.html   67 bytes
info.htm   75 bytes
info.html   67 bytes
info.php   21.135 bytes (I think this is the bad file)
tmp/sh.php   68 bytes
tmp/systemscash.php   68 bytes

All the content of the sub domain where Feng Office is was overwritten...
PHP and HTML files were written with the content:
<?php
header('Location: xxxxx');
exit;
?>

In my logs the first lines of the attack are these:
5.61.37.14 - - [09/Apr/2015:20:21:56 +0100] "GET /tmp/systemscash.php HTTP/1.1" 200 120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.8) Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:21:56 +0100] "POST /tmp/systemscash.php HTTP/1.1" 200 24131 "/tmp/systemscash.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.8) Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:21:57 +0100] "POST /tmp/systemscash.php HTTP/1.1" 200 28977 "/tmp/systemscash.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.8) Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:21:57 +0100] "POST /tmp/systemscash.php HTTP/1.1" 200 29611 "/tmp/systemscash.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.8) Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:23:54 +0100] "GET /info.php HTTP/1.1" 200 120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.8) Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:23:54 +0100] "POST /info.php HTTP/1.1" 200 29586 "/info.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.8) Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:24:06 +0100] "GET /info.php HTTP/1.1" 200 120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.8) Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:24:06 +0100] "POST /info.php HTTP/1.1" 200 29586 "info.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.8) Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:24:07 +0100] "POST /info.php HTTP/1.1" 200 29586 "info.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.8) Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:24:10 +0100] "POST /info.php HTTP/1.1" 200 9791 "/info.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.8) Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:24:11 +0100] "POST /info.php HTTP/1.1" 200 15635 "/info.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.8) Gecko/20060728 Firefox/3.5.8"

And then it continues with the same data for about 5000 lines.

It's weird that it starts with a GET to a file that didn't exist before.

Do you know anything about this?

Thanks
Nuno Leite
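
The access pattern in the log excerpt above (a small GET to a new PHP file under tmp/, then a burst of POSTs to it with a path-only referer) can be checked for in an access log. The following is an added example, not part of the original post; the sample lines are constructed (documentation IP ranges, shortened user agent), and the function name, the `/tmp/` directory list and the threshold of 3 POSTs are assumptions to adjust per site.

```python
import re
from collections import defaultdict

# Apache combined log format, the format of the excerpt in the post.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)"')

# Constructed sample lines modelled on the post; not the real log.
SAMPLE_LOG = """\
203.0.113.9 - - [09/Apr/2015:20:21:56 +0100] "GET /tmp/systemscash.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Apr/2015:20:21:56 +0100] "POST /tmp/systemscash.php HTTP/1.1" 200 24131 "/tmp/systemscash.php" "Mozilla/5.0"
203.0.113.9 - - [09/Apr/2015:20:21:57 +0100] "POST /tmp/systemscash.php HTTP/1.1" 200 28977 "/tmp/systemscash.php" "Mozilla/5.0"
203.0.113.9 - - [09/Apr/2015:20:21:57 +0100] "POST /tmp/systemscash.php HTTP/1.1" 200 29611 "/tmp/systemscash.php" "Mozilla/5.0"
203.0.113.9 - - [09/Apr/2015:20:23:54 +0100] "GET /info.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Apr/2015:20:23:54 +0100] "POST /info.php HTTP/1.1" 200 29586 "/info.php" "Mozilla/5.0"
203.0.113.9 - - [09/Apr/2015:20:24:06 +0100] "POST /info.php HTTP/1.1" 200 29586 "info.php" "Mozilla/5.0"
203.0.113.9 - - [09/Apr/2015:20:24:10 +0100] "POST /info.php HTTP/1.1" 200 9791 "/info.php" "Mozilla/5.0"
198.51.100.20 - - [09/Apr/2015:20:30:01 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [09/Apr/2015:20:30:09 +0100] "POST /index.php HTTP/1.1" 200 812 "http://example.test/index.php" "Mozilla/5.0"
"""

def suspicious_scripts(log_text, min_posts=3, script_free_dirs=("/tmp/",)):
    """Return {(ip, path): [signals]} for PHP paths showing two or more signals."""
    posts, reasons = defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?")[0]
        if not path.endswith(".php"):
            continue
        key = (m["ip"], path)
        if path.startswith(script_free_dirs):   # scripts served from a data directory
            reasons[key].add("script in data directory")
        if m["method"] == "POST":
            posts[key] += 1
            ref = m["referer"]
            if ref not in ("", "-") and "://" not in ref:
                reasons[key].add("relative referer")  # browsers send absolute URLs
    for key, n in posts.items():
        if n >= min_posts:
            reasons[key].add("repeated POST")
    return {k: sorted(v) for k, v in reasons.items() if len(v) >= 2}

if __name__ == "__main__":
    for (ip, path), why in suspicious_scripts(SAMPLE_LOG).items():
        print(ip, path, ", ".join(why))
```

Requiring two signals keeps a single legitimate form POST, such as the `/index.php` line in the sample, out of the results.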
