CiviCRM Community Forums (archive)

I see this in the log and it makes me worry, civicrm\ConfigAndLog\CiviCRM.0df1e6bbfb3eba04b9a452e48155a482.log.201308011200

Is there a way to know if my system is hacked?  Any comments are very appreciated.  Thanks!

Aug 26 20:37:40  [info] $IDS Detector Details = Array
(
   

• => Array

        (
            [name] => gid
            [value] => ../../../../../../../../../../etc/passwd
            [page] => /civicrm/profile/create?gid=../../../../../../../../../../etc/passwd&reset=1
            [userid] =>
            [session] => FKK07OcuWwtiKybay62GCBwuLJXXT_1feA-K5Qj0ndo
            [ip] => 162.166.146.8
            [reaction] => 0
            [impact] => 30
        )

    [1] => Array
        (
            [name] => IDS_request_uri
            [value] => /civicrm/profile/create?gid=../../../../../../../../../../etc/passwd&reset=1
            [page] => /civicrm/profile/create?gid=../../../../../../../../../../etc/passwd&reset=1
            [userid] =>
            [session] => FKK07OcuWwtiKybay62GCBwuLJXXT_1feA-K5Qj0ndo
            [ip] => 162.166.146.8
            [reaction] => 0
            [impact] => 30
        )

)


Aug 26 20:37:40  [info] $Fatal Error Details = Array
(
    [message] => The requested Profile (gid=) is disabled, OR there is no Profile with that ID, OR a valid 'gid=' integer value is missing from the URL. Contact the site administrator if you need assistance.
    =>
)


Aug 26 20:37:40  [info] $backTrace = #0 /home/account2/public_html/d7/sites/all/modules/civicrm/CRM/Core/Error.php(315): CRM_Core_Error::backtrace("backTrace", TRUE)
#1 /home/account2/public_html/d7/sites/all/modules/civicrm/CRM/Profile/Form/Edit.php(117): CRM_Core_Error::fatal("The requested Profile (gid=) is disabled, OR there is no Profile with that ID...")
#2 /home/account2/public_html/d7/sites/all/modules/civicrm/CRM/Core/Form.php(336): CRM_Profile_Form_Edit->preProcess()
#3 /home/account2/public_html/d7/sites/all/modules/civicrm/CRM/Core/QuickForm/Action/Display.php(93): CRM_Core_Form->buildForm()
#4 /home/account2/public_html/d7/sites/all/modules/civicrm/packages/HTML/QuickForm/Controller.php(203): CRM_Core_QuickForm_Action_Display->perform(Object(CRM_Profile_Form_Edit), "display")
#5 /home/account2/public_html/d7/sites/all/modules/civicrm/packages/HTML/QuickForm/Page.php(103): HTML_QuickForm_Controller->handle(Object(CRM_Profile_Form_Edit), "display")
#6 /home/account2/public_html/d7/sites/all/modules/civicrm/CRM/Core/Controller.php(316): HTML_QuickForm_Page->handle("display")
#7 /home/account2/public_html/d7/sites/all/modules/civicrm/CRM/Utils/Wrapper.php(117): CRM_Core_Controller->run()
#8 /home/account2/public_html/d7/sites/all/modules/civicrm/CRM/Core/Invoke.php(424): CRM_Utils_Wrapper->run("CRM_Profile_Form_Edit", "Create Profile", (Array:2))
#9 [internal function](): CRM_Core_Invoke::profile((Array:3))
#10 /home/account2/public_html/d7/sites/all/modules/civicrm/CRM/Core/Invoke.php(258): call_user_func((Array:2), (Array:3))
#11 /home/account2/public_html/d7/sites/all/modules/civicrm/CRM/Core/Invoke.php(70): CRM_Core_Invoke::runItem((Array:14))
#12 /home/account2/public_html/d7/sites/all/modules/civicrm/CRM/Core/Invoke.php(52): CRM_Core_Invoke::_invoke((Array:3))
#13 /home/account2/public_html/d7/sites/all/modules/civicrm/drupal/civicrm.module(436): CRM_Core_Invoke::invoke((Array:3))
#14 [internal function](): civicrm_invoke("profile", "create")
#15 /home/account2/public_html/d7/includes/menu.inc(517): call_user_func_array("civicrm_invoke", (Array:2))
#16 /home/account2/public_html/d7/index.php(21): menu_execute_active_handler()
#17 {main}


Not been hacked, but someone/a bot tried. It happens all the time, trying to put "wrong" params to get extra info not meant to be accessible (in that case, trying to get the list of password)

This was stopped at the first layer of defence, but would have been blocked at plenty of other places. I wouldn't worry about these "scriptkiddie" attacks, it's pretty much part of being online.

X+