Sorry, wrong category - please delete!
ExpressionEngine 1.6.0 - Build: 20070621
I know the build is older, but I am trying to figure out ASAP if this loophole (if it is one on the EE side) is still open and how to close it.
Somebody hacked into the site and placed a file into the error directory and then inserted code into all index.php (eval(base64..) and index.html ([removed]) files.
This is from the access.log:
91.224.. - - [08/May/2012:02:53:15 -0400] “POST /index.php/topic/comments/have-you-ever/?-d+allow_url_include=1+-d+auto_prepend_file=php://input HTTP/1.1” 200 115 http://www.domain.com “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MS-RTC LM 8; .NET4.0C; .NET4.0E; Zune 4.7)” “-”
91.224.. - - [08/May/2012:02:53:15 -0400] “POST /error/lmqtrfy.php HTTP/1.1” 200 25 http://www.domain.com “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.813.0 Safari/535.1” “-”
Thanks
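An added example, not part of the original post: a Python check that flags access-log lines like the first one quoted above, where the query string starts with a `-d` switch and names PHP configuration directives (`allow_url_include`, `auto_prepend_file`), and then lists later requests from the same client to `.php` paths. The sample log lines, the client addresses and the path `/error/example.php` are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus

# Combined-log prefix; the request may be wrapped in straight or curly quotes.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'["\u201c](?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+["\u201d] (?P<status>\d{3})'
)
SWITCH_RE = re.compile(r'^\s*-{1,2}[A-Za-z]')  # query string begins like a command-line switch
DIRECTIVE_RE = re.compile(
    r'(allow_url_include|auto_prepend_file|auto_append_file|php://input)', re.I)

def injected_directives(target):
    """Return the directives named in a switch-style query string, else []."""
    if "?" not in target:
        return []
    query = unquote_plus(target.split("?", 1)[1])  # decodes '+' and %xx forms
    if not SWITCH_RE.match(query):
        return []
    return sorted({d.lower() for d in DIRECTIVE_RE.findall(query)}) or ["-switch"]

def scan(lines):
    """Return (hits, followups): flagged requests, then later .php requests by the same client."""
    hits, followups, flagged_clients = [], [], set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target = m["client"], m["target"]
        found = injected_directives(target)
        if found:
            hits.append((client, m["ts"], target, found))
            flagged_clients.add(client)
        elif client in flagged_clients and target.split("?", 1)[0].endswith(".php"):
            followups.append((client, m["ts"], target))
    return hits, followups

# Constructed sample lines modelled on the excerpt above.
SAMPLE = [
    '203.0.113.5 - - [08/May/2012:02:53:15 -0400] "POST /index.php/topic/'
    '?-d+allow_url_include=1+-d+auto_prepend_file=php://input HTTP/1.1" 200 115',
    '203.0.113.5 - - [08/May/2012:02:53:15 -0400] "POST /error/example.php HTTP/1.1" 200 25',
    '198.51.100.7 - - [08/May/2012:02:54:01 -0400] "GET /index.php?page=2 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    hits, followups = scan(SAMPLE)
    for h in hits:
        print("switch-style query:", h)
    for f in followups:
        print("follow-up .php request:", f)
```

Paths listed as follow-ups are candidates for files to inspect on disk; a 200 status on the flagged request only shows the server answered it, not what it executed.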