Administrator User hacked

Peter Meyer-Delius

Friday 13 February 2009 5:25:31 am

Yesterday we received this mail:
--------------------------------------------
A new user has registered.

Account information.
Username: xxxx
Email: xxxx@gmx.net

Link to user information:
http://www.xxx.de/ger/content/view/full/15
--------------------------------------------
15 is the Node-ID of the Default Administrator User that is created during the installation process. Indeed the Username, Password and Email-Address of this User were changed, but the user was deactivated.
We checked the server log-file and noticed that the page
http://www.xxx.de/site_admin/user/activate/3b61b269963793693cbdd42ee4c9088b
was requested 300 times with different hash-keys.
We suggest that the attacker somehow managed to change the Administrator User via the registration function and after that tried to activate it with a script which generated the hash-keys.

Has anyone had similar experiences or any hints?

Best regards,

Peter
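
The log pattern described in the post above (one activation URL requested many times with different hash keys), as an added example that is not part of the original thread: a Python check that counts distinct activation hashes per client in an access log. The combined log format, the threshold of 5 and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Client address and request path from an Apache combined-format line (assumed format).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)[^"]*"')
# Activation URL as quoted in the post: .../user/activate/<32 hex characters>
ACTIVATE_RE = re.compile(r'/user/activate/([0-9a-fA-F]{32})(?:[/?#]|$)')

def activation_guessers(log_text, threshold=5):
    """Return {client: distinct_hash_count} for clients at or above threshold.

    A legitimate user follows one mailed link, possibly more than once, so the
    signal is the number of *distinct* hashes a client tries, not request volume.
    """
    hashes_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        client, path = m.groups()
        h = ACTIVATE_RE.search(path)
        if h:
            hashes_by_client[client].add(h.group(1).lower())
    return {c: len(hs) for c, hs in hashes_by_client.items() if len(hs) >= threshold}

# Constructed sample log: documentation-range addresses, made-up hashes.
_GUESSES = [
    '203.0.113.7 - - [12/Feb/2009:03:10:%02d +0100] '
    '"GET /site_admin/user/activate/%032x HTTP/1.1" 200 5120 "-" "-"'
    % (i % 60, 0xabc000 + i)
    for i in range(300)
]
_NORMAL = [
    # One visitor opening the same mailed link twice, then a content page.
    '198.51.100.20 - - [12/Feb/2009:09:00:01 +0100] '
    '"GET /site_admin/user/activate/' + 'a' * 32 + ' HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Feb/2009:09:00:09 +0100] '
    '"GET /site_admin/user/activate/' + 'a' * 32 + ' HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Feb/2009:09:01:00 +0100] '
    '"GET /ger/content/view/full/2 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]
SAMPLE_LOG = "\n".join(_GUESSES + _NORMAL)

if __name__ == "__main__":
    for client, count in activation_guessers(SAMPLE_LOG).items():
        print(f"{client}: {count} distinct activation hashes tried")
```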

Gaetano Giunta

Friday 13 February 2009 5:50:35 am

Could you please post an issue in the bug tracker, tagged as 'security issue' and add as much information as possible in there (it will be kept private)?

If your analysis is correct, an attacker somehow managed to change an existing user email/password, but not to activate it by clicking on the correct activation code.
This means that either he did not receive the email with the validation code because your site is configured not to send those emails, or because the action of modifying the users config did not trigger a generation of a new user-activation key...

It would especially be interesting to get the access logs of the server. Plus the eZP version you are running, of course, and any configuration details.

Principal Consultant International Business
Member of the Community Project Board

Steven E. Bailey

Friday 13 February 2009 6:34:18 am

I don't know if the user activate stuff in your logs is something new or if it is unrelated but for the administrator user, depending on what version of ezpublish you are running and if you have user register enabled, it can be hacked using:

http://packetstormsecurity.org/0812-exploits/ezpublish-escalate.txt

It is important to upgrade.

Certified eZPublish developer
http://ez.no/certification/verify/396111

Available for ezpublish troubleshooting, hosting and custom extension development: http://www.leidentech.com

Peter Meyer-Delius

Wednesday 18 February 2009 6:24:10 am

Thank you for your fast feedback.
We disabled the user-registration and deleted the default admin, so that the ID of the Administrator User is not obvious.
We did not have any attacks again. We will wait and see.

Best regards,

Peter
