I recently noticed somebody uploaded malicious content onto one of my sites.
It was running TYPOlight Version 2.6.2 (2008-11-01).
I searched all logs to try to figure out how it happened, but I see no evidence of breaking into the site. All I can see is some malicious scripts in the site's DocumentRoot directory and Apache access log records related to executing them by an attacker.
I did some research on any vulnerabilities of all software running on that server.
I found out that there was a serious vulnerability in this version of TYPOlight (http://www.contao.org/news/items/maj...tall-tool.html) so I bet this could be an attack vector.
I'm going to have TYPOlight upgraded to the latest version on this site anyway, but I would like to be sure that it was in fact the weak point the attacker exploited.
Could you guys please point out how I can make sure of it?
Any particular place in TL db or correlation between db and Apache log entries?
Any details on the issue so I can at least try to reproduce the attack to make sure it was possible?
Thanks,
Mike