[Tfug] Hackers Attack House Web Sites hosted on Linux
    Eric Gearhart
    eric at nixwizard.net
    Fri Jan 29 13:47:47 MST 2010

On Fri, Jan 29, 2010 at 1:03 PM, Choprboy <choprboy at dakotacom.net> wrote:
> "All of them" being the same single server "dcserver1.house.gov" at
> 143.228.239.211. All the sites have the same templated format.. so it looks
> like a standard CMS of some sort. They seem to have scrubbed the standard
> HTML source comments though... Dig dig dig.. Hmm, yep they are running Joomla
> (possibly Mambo, they share some of the same backend modules)...
>
> My guess is yet-another-<CMS> exploit. There seems to only be one input source
> on the publicly linked pages, an email signup, so it could be an input
> filtering issue there, but I would guess not. It's probably an exploitable
> module left running (though not linked to anywhere so forgotten about),
> probably something stupid like a forum module or shopping cart that has never
> been updated.

If you view source on http://charliewilson.house.gov you can see this meta tag:

 <meta name="Generator" content="Joomla! - Copyright (C) 2005 - 2007 Open Source Matters. All rights reserved." />

Joomla split FROM the Mambo project, so it's very likely the CMS in
question is Joomla, and not some tag that the Mambo folks forgot to
update (the Mambo folks wouldn't update the generator tag to be
Joomla, but Joomla might have forgotten to fix the tag after the split
from Mambo, but this isn't the case).
Just sayin'
--
Eric
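
The point made in this thread, that scrubbing HTML source comments does not help if the generator meta tag is still emitted, can be checked against your own rendered templates. The following is an added example, not part of the original message; the function names are hypothetical and the sample HTML is constructed around the tag quoted above.

```python
from html.parser import HTMLParser

class DisclosureAudit(HTMLParser):
    """Collect generator meta tags and HTML comments from rendered page source."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.generators = []
        self.comments = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; <meta ... /> also lands here.
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        # The name value is compared case-insensitively ("Generator" vs "generator").
        if a.get("name", "").strip().lower() == "generator":
            self.generators.append(a.get("content", "").strip())

    def handle_comment(self, data):
        if data.strip():
            self.comments.append(data.strip())

def audit(html):
    """Return what the page source still discloses about the software behind it."""
    parser = DisclosureAudit()
    parser.feed(html)
    parser.close()
    return {"generators": parser.generators, "comments": parser.comments}

def guess_cms(generator):
    """Name the product a generator string points at (only the two from this thread)."""
    text = generator.lower()
    for name in ("joomla", "mambo"):
        if name in text:
            return name
    return None

# Constructed sample: comments already scrubbed, generator tag left in place.
SAMPLE = """<html><head><title>Example</title>
<META NAME="Generator" CONTENT="Joomla! - Copyright (C) 2005 - 2007 Open Source Matters. All rights reserved." />
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    result = audit(SAMPLE)
    for g in result["generators"]:
        print("generator tag still present:", g, "->", guess_cms(g))
    print("comments left in source:", len(result["comments"]))
```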
    
    