We just got word from Google that there is malicious content on one of our client’s websites. We investigated and figured out the issue.
The site runs an older version of EE, 1.6.7, which we will be upgrading for them today. I just wanted to make sure that such an “attack” cannot happen in 1.7.
What the malicious user did was edit their member profile and add HTML code that would redirect a user to their website. Somehow, they were able to make the whole of http://www.website.com/member/ lead to their profile and then redirect. I had JavaScript disabled by chance, so it didn’t work and I was able to stay on the page to figure things out.
They edited their user profile and it actually seems like they did this to many other EE sites, because for some reason there are links. Here is a screenshot of how they edited their profile.
Here is the code within the bio:
<h3>Please click <b><a href="http://bit.ly/e5017i">HERE</a></b> to be redirected.</h3>
<p> </p>
<p><br />
<b>oregon trail game for mac, free</b><br />
game my 13 5 00<br />
game called desert rats<br />
game powered by phpbb<br />
the game the dragon tales<br />
game 2007 jelsoft enterprises ltd<br />
game 2010 jelsoft enterprises ltd<br />
game flash cards free<br />
<a href="http://www.macid.eu/member/2050/">brooke roulette</a><br />
game 2009 jelsoft enterprises ltd<br />
game 2007 jelsoft enterprises ltd<br />
<a href="http://www.soheila.org/index.php/member/1572/">play roulette wheel casino</a><br />
game stuffed toy<br />
game powered by vbulletin<br />
game powered by phpbb<br />
game 2009 jelsoft enterprises ltd<br />
game 2007 jelsoft enterprises ltd<br />
game powered by phpbb<br />
<a href="http://www.totalegekte.nl/v2/member/1858/">roulette numbers odds</a><br />
game 2009 jelsoft enterprises ltd<br />
<a href="http://www.thisisnotashop.com/index.php/member/6404/">roulette on-line</a><br />
the game for kids<br />
game listen live<br />
game powered by vbulletin<br />
game and fish<br />
next game is<br />
game logic board rush 2049<br />
game machine hackensack building ord<br />
the game music<br />
<a href="http://ee-space.com/index.php/member/5137/">roulette assistant programs</a><br />
game 2010 jelsoft enterprises ltd<br />
game powered by phpbb<br />
of game theory<br />
game 2009 jelsoft enterprises ltd<br />
game warrenville 60555<br />
game powered by phpbb<br />
game routes how to value<br />
game 2009 jelsoft enterprises ltd<br />
<a href="http://www.uniqueskillspeople.co.uk/index.php/member/805/">roulette tricks</a><br />
game powered by phpbb<br />
game powered by phpbb<br />
game powered by vbulletin<br />
of the game simon<br />
game powered by vbulletin<br />
game powered by vbulletin<br />
s game salon<br />
game download pc free<br />
game 2007 jelsoft enterprises ltd<br />
game powered by phpbb<br />
<a href="http://www.yaal.net/index.php/member/1028/">roulette rental</a><br />
game machine building ord principal<br />
game powered by phpbb<br />
game sales pittsburgh<br />
game that pushes quarers<br />
game in olympia<br />
game 2008 jelsoft enterprises ltd<br />
game september 7 1968<br />
game planet com<br />
game 2010 jelsoft enterprises ltd<br />
game 2008 jelsoft enterprises ltd<br />
game powered by vbulletin<br />
<a href="http://www.shortmotorsports.com/index.php/member/243/">european roulette</a><br />
game south america<br />
game red sox<br />
game powered by phpbb<br />
game powered by vbulletin<br />
of game by donald barthleme<br />
game pocket pc<br />
game powered by vbulletin<br />
game 2008 jelsoft enterprises ltd<br />
game 2008 jelsoft enterprises ltd<br />
game powered by vbulletin<br />
game powered by phpbb<br />
<a href="http://www.warmwelcomegulfcoast.org/member/1054/">how to win roulette</a><br />
game vending ny<br />
game for youth<br />
s game by cory doctorow<br />
game park revealed secret<br />
game powered by vbulletin<br />
game downloads zip file<br />
game 2010 jelsoft enterprises ltd<br />
game in olyimpia<br />
game called word frenzy<br />
<a href="http://www.toniandguy-opticians.co.uk/index.php/member/9400/">pico roulette</a><br />
game powered by vbulletin<br />
game 2008 jelsoft enterprises ltd<br />
game farm long island</p>
<p>game powered by vbulletin<br />
game 2007 jelsoft enterprises ltd<br />
game gta pc san<br />
a game bat pack<br />
game 2010 jelsoft enterprises ltd<br />
game powered by phpbb<br />
game powered by vbulletin<br />
game and code<br />
game powered by vbulletin<br />
game listen live 850<br />
game south america lottery<br />
game book review<br />
game powered by phpbb<br />
game july 4 fireworks<br />
game flash cards<br />
<a href="http://www.east4south.eu/index.php/member/338/">electronic roulette</a><br />
game powered by vbulletin<br />
<a href="http://jaja.be/index.php/member/2071/">roulette money management</a><br />
game hentai cartoon<br />
game of dice india<br />
game powered by vbulletin<br />
<a href="http://www.fpcgermantown.org/index.php/member/7531/">pogo roulette counter</a><br />
<a href="http://www.cgcareers.org/member/1576/">analysis of roulette</a><br />
game powered by phpbb<br />
game breeding download buy trial<br />
game powered by phpbb<br />
<a href="http://www.ansahl.com/eblog/index.php/member/653/">no limit roulette online 01qq</a><br />
game key locks<br />
1 game cheat codes
You can see those other sites there; they seem to be legitimate EE websites that most likely are also compromised.
So, while we upgrade to EE 1.7, I just wanted to be sure that this cannot happen again. I’m still not sure how they were able to make /member/ go to their profile and where the redirect to their website is though.
Also, for safe measure, is there a way to disable /member/ totally? We never use it and it is almost always used for spam.
Thanks
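An added example (not from this post and not ExpressionEngine code) of how a site owner could audit the stored member bios in their own database for the kind of content pasted above, and of the escape-everything fallback for a bio field that was never meant to carry markup. The poster does not know exactly where the redirect lives, so the checker looks for the usual client-side redirect markup in general (script/iframe tags, meta refresh, on* event handlers, javascript: URLs) and separately counts outbound links and links whose path ends in /member/<id>/, the profile-page shape visible in the post's link list. All hostnames, ids and bio texts below are constructed placeholders; `audit_bio`, `escape_bio` and the threshold `max_external_links` are names chosen here, not EE's.

```python
"""Audit stored member-profile HTML for injected redirect/spam markup.

Added example, not from the forum post or ExpressionEngine. Run it over
each member's bio column; anything flagged "suspicious" deserves a look.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that can move a visitor off the page without a click.
REDIRECT_TAGS = {"script", "iframe", "object", "embed"}
# Any on* attribute (onload, onerror, onclick, ...) is an inline handler.
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)


class BioAuditor(HTMLParser):
    """Collect redirect-capable markup and link targets from one bio."""

    def __init__(self):
        super().__init__()
        self.redirect_vectors = []  # descriptions of what could redirect a visitor
        self.links = []             # every <a href> target, in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag in REDIRECT_TAGS:
            self.redirect_vectors.append(f"<{tag}>")
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            self.redirect_vectors.append("meta refresh")
        for name, value in attrs.items():
            if EVENT_ATTR.match(name):
                self.redirect_vectors.append(f"{name} handler on <{tag}>")
            if name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.redirect_vectors.append(f"javascript: URL on <{tag}>")
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])


def audit_bio(raw_html, own_host, max_external_links=3):
    """Return findings for one bio; own_host is the site being scanned,
    so links back to it are not counted as outbound."""
    parser = BioAuditor()
    parser.feed(raw_html)
    parser.close()
    external, profile_links = [], []
    for href in parser.links:
        parsed = urlparse(href)
        if parsed.hostname and parsed.hostname.lower() != own_host.lower():
            external.append(href)
            # Path shape of the profile pages linked in the spam: .../member/<id>/
            if re.search(r"/member/\d+/?$", parsed.path):
                profile_links.append(href)
    return {
        "redirect_vectors": parser.redirect_vectors,
        "external_links": len(external),
        "profile_links": profile_links,
        "suspicious": bool(parser.redirect_vectors) or len(external) > max_external_links,
    }


def escape_bio(raw_html):
    """Mitigation for a text-only bio field: render it as text, never as markup."""
    return html.escape(raw_html, quote=True)


# Constructed samples; the hosts, ids and handler body are placeholders.
CLEAN_BIO = '<p>I build sites with EE. <a href="http://www.own-site.test/about/">About me</a></p>'
SPAM_BIO = (
    '<h3>Please click <a href="http://short.test/xyz">HERE</a></h3>'
    '<p><a href="http://site-a.test/member/2050/">a</a><br />'
    'keyword keyword<br />'
    '<a href="http://site-b.test/index.php/member/1572/">b</a><br />'
    '<a href="http://site-c.test/member/1858/">c</a><br />'
    '<a href="http://site-d.test/index.php/member/6404/">d</a></p>'
    '<meta http-equiv="refresh" content="0;url=http://short.test/xyz">'
    '<img src="x" onerror="placeholder()">'
)

if __name__ == "__main__":
    for label, bio in (("clean", CLEAN_BIO), ("spam", SPAM_BIO)):
        print(label, audit_bio(bio, "www.own-site.test"))
    print(escape_bio("<b>oregon trail game for mac, free</b>"))
```

The two checks are deliberately independent: a bio with no redirect markup but dozens of outbound profile links is still part of the link network the post describes, and a single meta refresh with no links at all is still a redirect. Escaping is the right default when the field is meant to hold plain text; if members legitimately need some formatting, an allowlist-based HTML filter is the alternative, but escaping is the simplest thing to verify.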