CMSB install hacked

7 posts by 5 authors in: Forums > CMS Builder
Last Post: April 16, 2012

Hello,

One of my CMSB installs was recently compromised, with code injection into /data/settings.dat.php and a schema file.

The injection was base64 code, directly onto the files - so when I pulled them from FTP the code is physically on the file.

The top of settings.dat.php (and a schema file) looked like this:
<?php eval(base64_decode(
"ZXZhbChiYXNlNjRfZGVjb2RlK.... (and continued string like this for 30 odd lines)
")); ?>


The host gave us this:
I have reviewed some other data in the account, and it looks like the issue may be happening because of insecure file permissions on your folder at /public_html/cmsAdmin/data/ -- Please note that if a folder is writable by anyone other than the primary user for the account, our server will not allow php scripts to run from the folder. Your data folder is currently set at 777 permissions, meaning any user on the server can write changes to files within that folder.

In addition, there is a suspicious line of code at the beginning of the file at /public_html/cmsAdmin/data/settings.dat.php encoded in base64 -- I suspect that your account may have been compromised, and this code is hacked code that has been placed on your account, which isn't functioning as the hacker intended. I would highly recommend replacing the files in your account with a clean copy of your local backup.


What would allow this to happen? settings.dat.php and /schema/ are chmod 777, which is required by CMSB, but then would that not allow the above to occur?

I know little about this type of thing and what would allow it to happen so any advice so we can prevent it from happening again would be most appreciated.

Thanks all

Re: [rjbathgate] CMSB install hacked

By (Deleted User) - March 16, 2012

Hi rjbathgate,

A couple of things come to mind:

1 - Check all your files for malicious code and note the locations of any files that have it (if it's not just the two mentioned)
2 - Make a note of the last modified date of each affected file (this may help isolate the injection event)
3 - Zip up and send the affected files to us (so we can explore the code and see what it was intended to do and help create a defense against it)
4 - Change all your ftp usernames/passwords, database usernames/passwords etc where possible (just in case)

We've never had a security issue with our software, but have heard of lots of hacked site reports. The culprit is often common open-source scripts. These are so popular that hackers spend the time to write automated scanners that check thousands of sites for known vulnerable scripts.

Once we've got a copy of the malicious code we can be more certain of what it is and what its intent was; meanwhile the changing of your usernames and passwords is always a good security measure (once you've replaced the affected files with known good copies!).

Hope this helps,

Tom
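
The first two steps above (find every file carrying the eval(base64_decode(...)) opener, and record each one's last-modified time) can be scripted. The following is an added example for this thread, not code from CMS Builder or interactivetools.com. It walks a directory tree, flags PHP files whose contents match the injected opener, peels nested base64 layers without ever executing them so you can see what the innermost code is, and also reports world-writable directories (the 777 data folder the host pointed at). The sample tree it scans is constructed inside a temp directory; the marker string and file names in it are assumptions for the demo.

```python
import base64
import os
import re
import stat
import tempfile
import time

# The opener quoted in the thread: <?php eval(base64_decode("...")); ?>
# The captured group tolerates whitespace because the injected string ran
# across ~30 lines in the original files.
INJECT_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']', re.S)


def peel_base64_layers(text, max_layers=10):
    """Decode nested eval(base64_decode(...)) wrappers and return
    (innermost decoded text, number of layers peeled). Decoding only;
    nothing is evaluated."""
    layers = 0
    while layers < max_layers:
        m = INJECT_RE.search(text)
        if not m:
            break
        raw = re.sub(r'\s+', '', m.group(1))
        try:
            text = base64.b64decode(raw, validate=True).decode('utf-8', 'replace')
        except ValueError:          # not valid base64: stop and report what we have
            break
        layers += 1
    return text, layers


def scan_tree(root, php_only=True):
    """Return a list of findings: injected PHP files (with mtime and the
    decoded innermost code) and world-writable directories."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        mode = os.stat(dirpath).st_mode
        if mode & stat.S_IWOTH:
            findings.append({'kind': 'world_writable_dir', 'path': dirpath,
                             'mode': oct(stat.S_IMODE(mode))})
        for name in filenames:
            if php_only and not name.endswith('.php'):
                continue
            path = os.path.join(dirpath, name)
            with open(path, 'r', encoding='utf-8', errors='replace') as fh:
                content = fh.read()
            if not INJECT_RE.search(content):
                continue
            inner, layers = peel_base64_layers(content)
            mtime = time.strftime('%Y-%m-%d %H:%M:%S',
                                  time.gmtime(os.path.getmtime(path)))
            findings.append({'kind': 'base64_eval', 'path': path, 'mtime': mtime,
                             'layers': layers, 'inner': inner.strip()[:120]})
    return findings


def make_sample_fixture(inner_php, layers=2):
    """Constructed test input: wrap a harmless PHP statement in `layers`
    eval(base64_decode()) layers, mimicking the shape seen in the thread."""
    code = inner_php
    for _ in range(layers):
        b64 = base64.b64encode(code.encode()).decode()
        code = 'eval(base64_decode("%s"));' % b64
    return '<?php ' + code + ' ?>\n'


def run_demo():
    """Build a small constructed site tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix='cmsb_scan_')
    data_dir = os.path.join(root, 'data')
    os.mkdir(data_dir)
    os.chmod(data_dir, 0o777)                      # the permission the host complained about
    with open(os.path.join(data_dir, 'settings.dat.php'), 'w') as fh:
        fh.write(make_sample_fixture('echo "CONSTRUCTED_MARKER";', layers=2))
    with open(os.path.join(root, 'index.php'), 'w') as fh:
        fh.write('<?php echo "clean"; ?>\n')      # untouched file, must not be flagged
    return scan_tree(root)


if __name__ == '__main__':
    for f in run_demo():
        print(f)
```

Run it against the real document root (`scan_tree('/path/to/public_html')`) and keep the `mtime` column: files modified in the same minute usually belong to one injection event, which is what step 2 is after. The decoded `inner` text is for reading, not running; send the original files to the vendor as Tom asks rather than trying to execute anything.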

Re: [rjbathgate] CMSB install hacked

By Damon - March 19, 2012

Thanks Rob for emailing in the details and link.

I will forward that to Dave to look into.
Cheers,
Damon Edis - interactivetools.com

Hire me! Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/

Re: [Damon] CMSB install hacked

By Toledoh - April 16, 2012

Hi Guys,

I've got a similar issue with one of my sites. Temporarily I've removed the injected code and re-loaded the files, but periodically the injected code returns and I just upload the "clean" versions again.

The site is hosted on a cheapest-they-can-find host; they also have 2 other CMSB installs (not affected) on the same host.

Any ideas on what I can tell them?
Cheers,

Tim (toledoh.com.au)

Re: [Toledoh] CMSB install hacked

By Dave - April 16, 2012

Hi Tim,

We've seen this a number of times and can also offer security auditing services through consulting.

The entry point is typically an outdated open-source script installed on the site (wordpress, email forms, galleries, etc). Even if the script isn't being used, or installed by default by the host, hackers use automated scanners to find known paths to old vulnerable software. Check for anything like that.

Another possibility is that the hackers have compromised another account on the shared hosting server and are attacking the client's site after gaining access through another shared hosting account. If this is the case, there's nothing you can do but switch hosting.

One of the ways we detect entry points when we do security audits is to check the web server logs to see who accessed the exploited files. Once we determine the IP of the attacker we can then check the logs to see what other files that user accessed, check modified timestamps on files, etc.

So, the short and simple answer is to go through all the folders on FTP and remove any software you don't need, upgrade any other software in use, then if it happens again switch hosts.

Also, I have a scanner in development which might help. If you email me direct I can tell you more about that.

Hope that helps!
Dave Edis - Senior Developer
interactivetools.com
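
The log-based approach Dave describes (find who requested the exploited files, then pull everything else that IP did) is mechanical enough to script. Below is an added example written for this thread, not interactivetools.com's scanner or any CMS Builder code. It parses Apache/nginx combined-format access log lines, takes the list of files you already know were injected, collects every IP that touched them, and for each such IP lists its full request history plus the paths it hit *before* its first contact with the injected file, which is where the entry point (an old upload or gallery script, in Dave's description) tends to show up. The log lines, the IP addresses (documentation ranges) and the `/oldgallery/admin/upload.php` path are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Constructed sample log (not from any real server).
SAMPLE_LOG = """\
198.51.100.4 - - [14/Apr/2012:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2012:02:10:44 +0000] "GET /oldgallery/admin/upload.php HTTP/1.1" 200 812 "-" "-"
203.0.113.7 - - [15/Apr/2012:02:10:51 +0000] "POST /oldgallery/admin/upload.php HTTP/1.1" 200 35 "-" "-"
203.0.113.7 - - [15/Apr/2012:02:11:09 +0000] "GET /cmsAdmin/data/settings.dat.php HTTP/1.1" 200 0 "-" "-"
198.51.100.4 - - [15/Apr/2012:08:01:13 +0000] "GET /cmsAdmin/ HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
garbage line that does not parse
"""


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['path'] = rec['path'].split('?', 1)[0]   # drop the query string for path matching
    return rec


def trace_entry_points(lines, compromised_paths):
    """For every IP that requested a known-injected file, return its request
    history, the time of its first hit on an injected file, and the distinct
    paths it requested before that hit (candidate entry points)."""
    compromised = set(compromised_paths)
    records = [r for r in (parse_line(l) for l in lines) if r]
    suspect_ips = {r['ip'] for r in records if r['path'] in compromised}

    by_ip = defaultdict(list)
    for r in records:
        if r['ip'] in suspect_ips:
            by_ip[r['ip']].append(r)

    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r['ts'])
        first_hit = next(r for r in recs if r['path'] in compromised)
        prior = [r for r in recs
                 if r['ts'] < first_hit['ts'] and r['path'] not in compromised]
        report[ip] = {
            'requests': [(r['ts'].isoformat(), r['method'], r['path'], r['status'])
                         for r in recs],
            'first_compromised_hit': first_hit['ts'].isoformat(),
            'candidate_entry_points': sorted({r['path'] for r in prior}),
        }
    return report


def demo():
    return trace_entry_points(SAMPLE_LOG.splitlines(),
                              ['/cmsAdmin/data/settings.dat.php'])


if __name__ == '__main__':
    for ip, info in demo().items():
        print(ip, info['first_compromised_hit'], info['candidate_entry_points'])
        for req in info['requests']:
            print('   ', *req)
```

Feed it the real access log (`trace_entry_points(open('access.log'), [...])`) with the paths your file scan flagged. Cross-check the `first_compromised_hit` time against the modified timestamps on the injected files: a POST to a forgotten script a few seconds before the file's mtime is the "outdated open-source script" Dave means, and removing or upgrading it is the fix. If the injected files were never requested over HTTP at all, the write came from somewhere else on the box, which points at the shared-hosting scenario and a change of host.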

Re: [Dave] CMSB install hacked

By Toledoh - April 16, 2012

Thanks Dave!
Cheers,

Tim (toledoh.com.au)