Recent hacks and vulnerabilities
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
- Location: Fernie British Columbia, Canada
Recent hacks and vulnerabilities
Recently, numerous people have been posting numerous threads about being hacked, or getting errors in their admin section, or having strange 16 character messages displayed on their screens etc.
Though we haven't researched ALL of these hacks, we have researched a few, and it seems that some group of people is searching for vulnerable CMS Made Simple websites. That is, websites that have not upgraded to take advantage of the latest security fixes.
If you are experiencing these problems here are the steps you must take:
1) Completely delete all database tables used by CMS Made Simple
2) Completely delete all files and directories in your CMS Made Simple installation
3) Completely restore all files and database from a backup that is 'known good'.
4) Change ALL of your CMS Made Simple passwords
5) Upgrade to CMS 1.2.5 ASAP.
Additionally, a safe bet would be to change your database password, or to use another database.
This is because this vulnerability seems to have been exploited in numerous ways, and there is no way of telling exactly what the hacker has done to your system.... and after numerous hours of investigating you still may have to do a complete restore.
CMS 1.2.5 was released on May 12... and we are still getting new reports of people being hacked. This is because people aren't upgrading their CMS installs.
Upgrading your CMS install is your responsibility, and you should do it whenever a new release comes out, particularly if that release is to fix a security problem or a vulnerability. We cannot help you with hacked sites, etc. if you're running a version of the system that is months or years old. Additionally, we cannot and will not answer support requests for ancient versions.
There is a mailing list available to notify you of new versions of CMS Made simple so that you don't have to visit the forums every day, I recommend everybody join it.
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
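The wipe-and-restore steps above, as an added example. These shell helpers are not part of CMS Made Simple and were not posted in this thread; they assume that the CMSMS tables share the prefix configured in config.php (the demo uses cms_ as an assumed prefix) and that a checksum manifest was recorded inside the backup directory when the backup was taken, so that 'known good' can be checked rather than assumed.

```bash
#!/usr/bin/env bash
# Added example (not code from CMS Made Simple or from this thread): helpers
# for the "delete everything, then restore from a known-good backup" steps.
# Assumptions, labelled: CMSMS tables share the prefix configured in
# config.php (the demo uses "cms_" as an assumed prefix), and a checksum
# manifest was recorded inside the backup directory when it was taken.
set -u

# Step 1: build DROP TABLE statements for every table carrying the CMSMS
# prefix. Table names are read from stdin (e.g. the output of SHOW TABLES)
# and nothing is executed here, so the list can be reviewed before it is
# piped into the mysql client.
drop_statements() {
  local prefix="$1" table
  while IFS= read -r table; do
    case "$table" in
      "$prefix"*) printf 'DROP TABLE IF EXISTS %s;\n' "$table" ;;
    esac
  done
  return 0
}

# Taken at backup time: record a SHA-256 for every file under the backup
# directory into a manifest stored alongside the files.
record_manifest() {
  local dir="$1" manifest="${2:-SHA256SUMS}"
  ( cd "$dir" && find . -type f ! -name "$manifest" -exec sha256sum {} + > "$manifest" )
}

# Step 3: a backup is 'known good' only if every file still matches the
# manifest recorded before the compromise. Returns 0 on match, 1 otherwise.
verify_backup() {
  local dir="$1" manifest="${2:-SHA256SUMS}"
  ( cd "$dir" && sha256sum -c "$manifest" ) >/dev/null 2>&1
}

# Demo on a constructed table list; only the prefixed tables are dropped.
printf 'cms_content\ncms_users\nother_app_data\n' | drop_statements cms_
```

Pipe the output of SHOW TABLES into drop_statements and review the statements before feeding them to mysql. A backup whose files fail verify_backup, or whose manifest was recorded after the first sign of compromise, is not 'known good' and should not be restored.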
Re: Recent hacks and vulnerabilities
calguy1000 wrote: CMS 1.2.5 was released on May 12... and we are still getting new reports of people being hacked. This is because people aren't upgrading their CMS installs.
Maybe we should help our users with a (RSS powered) red warning/information inside the admin panel, like SMF has ...
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
- Location: Fernie British Columbia, Canada
Re: Recent hacks and vulnerabilities
This is doable, but I don't think it'd be as effective as you think.
CMS is mostly used by developers to roll out websites for other customers..... once the site is rolled out, often the developer doesn't login to the admin panel very often.
The announce list is the best way to handle this I think.
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
Re: Recent hacks and vulnerabilities
What about the people who have the latest 1.2.5 version and were hacked anyway?
http://forum.cmsmadesimple.org/index.ph ... .html Version 1.2.5
http://forum.cmsmadesimple.org/index.ph ... .html Version 1.2.5
http://forum.cmsmadesimple.org/index.ph ... .html Version 1.2.5
http://forum.cmsmadesimple.org/index.ph ... .html Version 1.2.5
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
- Location: Fernie British Columbia, Canada
Re: Recent hacks and vulnerabilities
These sites existed before 1.2.5 came out, and were hacked before the upgrade to CMS 1.2.5.
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
Re: Recent hacks and vulnerabilities
calguy1000 wrote: There is a mailing list available to notify you of new versions of CMS Made simple so that you don't have to visit the forums every day, I recommend everybody join it.
Since a new release is incoming, what about putting a page about security (with a link to the mailing list and the security tips on the wiki/forums) in the default content? Or, even better, show it during the install process? It would probably make people more aware of these problems and the need to keep things up to date.
A dedicated RSS feed for important announces IMHO would be a great idea, mailing lists are a hassle in a number of ways. I mean something outside the admin panel.
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
- Location: Fernie British Columbia, Canada
Re: Recent hacks and vulnerabilities
a) there is a page called 'mailing lists' under the 'support' menu above
b) there is an rss feed on blog.cmsmadesimple.org
c) if a link was shown during the install process, maybe 5% of people would see it, and 5% of those would even remember to link to it, it'd be more effort than it's worth
d) please help and contribute to the site and the package... we'd appreciate the help. you have lots of great ideas, can you spare some time?
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
Re: Recent hacks and vulnerabilities
calguy1000 wrote: CMS is mostly used by developers to roll out websites for other customers..... once the site is rolled out, often the developer doesn't login to the admin panel very often.
Maybe the customers are cannier and make a request to the developer if they get a red warning about security risks ...
And there could be problems caused by the contract too, if the customer books only a CMS website and not the service thereafter.
And requests are good for the developer to make money.
Re: Recent hacks and vulnerabilities
calguy1000 wrote: a) there is a page called 'mailing lists' under the 'support' menu above
b) there is an rss feed on blog.cmsmadesimple.org
I know. While I believe that the term "blog" can be misleading for most people (who expect a different kind of content), it is true that 90% of the posts are just announcements of new releases. I just proposed to make these resources more evident to those that install CMSms for the first time.
calguy1000 wrote: c) if a link was shown during the install process, maybe 5% of people would see it, and 5% of those would even remember to link to it, it'd be more effort than it's worth
If I make a proportion between the number of downloads and the number of people that have read this thread (or the forum in general) we are way below 5%. But it still is a worthwhile thread.
calguy1000 wrote: d) please help and contribute to the site and the package... we'd appreciate the help. you have lots of great ideas, can you spare some time?
Actually no, I don't have any spare time. I'm posting while having a sandwich at work, but this should change after summer... I hope.
Anyway there isn't really a lot to do. Just put a paragraph like this, with some evidence, in the first page of the default content and be done (note that half of that is from your post):
About security.
We do our best to write secure software, but bugs are always possible. Security fixes are released as soon as they are available, and it is important to upgrade. Upgrading your CMS install is your responsibility, and you should do it whenever a new release comes out, particularly if that release is to fix a security problem or a vulnerability. We cannot help you with hacked sites, etc. if you're running a version of the system that is months or years old.
There is a mailing list available to notify you of new versions of CMS Made simple at http://www.cmsmadesimple.org/support/mailing-lists so that you don't have to visit the forums every day, we recommend everybody join it. Or you can subscribe to the low traffic blog at http://blog.cmsmadesimple.org/
It would also be wise to follow the tips and guidelines outlined in the forum thread http://forum.cmsmadesimple.org/index.php/topic,19660.0.html to make your server and CMSms installation even more robust.
If someone knowledgeable has the time to do it, a wiki page could be extracted from the linked thread (I wrongly remembered that it was already done) and/or incorporated in the default content. However I'm not sure if eventually it would be any good; linking a "live" source is probably better to keep things up to date and prevent content replication.
- Power Poster
- Posts: 424
- Joined: Sat Feb 02, 2008 12:42 am
- Location: USA
Re: Recent hacks and vulnerabilities
A couple things I've noticed that may be contradictory to security advice given vs the default install of CMSMS:
1. It's advised that you NOT make your admin username/login public. However, it is shown by default in the news templates - 'posted by:..."
2. It's advised that you NOT make the CMSMS version you're running public. However, this is a default in the footer of the install. Maybe it would be best to change: This site is powered by CMS Made Simple version 1.2.5
to: This site is powered by CMS Made Simple
3. Perhaps this recommended htaccess file: http://wiki.cmsmadesimple.org/index.php ... tings should replace the default htaccess.txt file in the default install.
Just some suggestions. Thx.
Take a penny, leave a penny.
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
- Location: Fernie British Columbia, Canada
Re: Recent hacks and vulnerabilities
mikeiam wrote: A couple things I've noticed that may be contradictory to security advice given vs the default install of CMSMS:
1. It's advised that you NOT make your admin username/login public. However, it is shown by default in the news templates - 'posted by:..."
The news templates are just examples, you're encouraged to change them.
mikeiam wrote: 2. It's advised that you NOT make the CMSMS version you're running public. However, this is a default in the footer of the install. Maybe it would be best to change: This site is powered by CMS Made Simple version 1.2.5
to: This site is powered by CMS Made Simple
You're supposed to delete the install directory after installation, and it's useful during installation to be able to see the version.
mikeiam wrote: 3. Perhaps this recommended htaccess file: http://wiki.cmsmadesimple.org/index.php ... tings should replace the default htaccess.txt file in the default install.
Just some suggestions. Thx.
Follow me on twitter
Re: Recent hacks and vulnerabilities
Hi all,
I am not sure where to post it.
Last week a few of my sites based on CMS MS 1.2.x were hacked.
My provider found an r57shell script in the upload folder (as config.inc.php) and it looks like this script is used for accessing the server and hacking the CMS.
I can send you the script if needed. I'm convinced that you know about that, but I just wanted to be sure!
Of course, I upgraded all my websites to 1.3.1 and followed the security how-to for improving the security of my websites.
Thanks, By Miro
Re: Recent hacks and vulnerabilities
Have you deleted /postlet folder (inside FileManager folder)?
Java postlet has never been supported ... because of some security problems.
Re: Recent hacks and vulnerabilities
Hi,
Yes, I found the postlet folder. But this folder is included in an official 131 MLE package. Why?
I found also another 2 files
action.postletupload.php
postletupload.php
in FileManager folder.
Should I delete them too?
Thanks, Miro
Last edited by xmas3 on Fri Jun 27, 2008 7:32 am, edited 1 time in total.
Re: Recent hacks and vulnerabilities
Hmm, maybe a mistake on creating archive - will contact Robert/Ted.
Yes, you should delete them ...
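Two checks drawn from the reports above, as an added example that is not code from the CMS Made Simple project or from anyone in this thread: Miro's provider found the r57shell saved as config.inc.php in the upload folder, and the last exchange says the Java postlet folder and its two upload scripts should be removed. The script scans an uploads directory (which should contain only static media) for anything that is PHP by extension or that opens a PHP tag under a media file name, and lists the postlet leftovers if they are still present. The directory paths are passed in by the caller and are assumptions, not CMSMS defaults.

```bash
#!/usr/bin/env bash
# Added example (not code from CMS Made Simple or from this thread).
#  - scan_uploads: an uploads directory should hold only static media, so any
#    file that is PHP by extension, or that contains a PHP open tag despite a
#    media name, is reported for review.
#  - postlet_leftovers: list the Java postlet files named in the thread if
#    they still exist under the FileManager directory given by the caller.
# The directories are hypothetical paths supplied by the caller.
set -u

# Print "path<TAB>reason" for each suspicious file under directory $1.
scan_uploads() {
  local dir="$1" f lower
  find "$dir" -type f -print | sort | while IFS= read -r f; do
    # compare the name case-insensitively so CONFIG.INC.PHP is not missed
    lower=$(printf '%s' "$f" | tr 'A-Z' 'a-z')
    case "$lower" in
      *.php|*.phtml|*.php[0-9]|*.phar)
        printf '%s\tphp-extension\n' "$f" ;;
      *)
        # a PHP open tag inside a "picture" is the classic disguised upload
        if grep -q -- '<?php' "$f"; then
          printf '%s\tphp-tag-in-non-php-file\n' "$f"
        fi ;;
    esac
  done
}

# Print any postlet remnants (the folder and the two upload scripts named
# in the thread) found under the FileManager directory $1.
postlet_leftovers() {
  local fm="$1" p
  for p in postlet action.postletupload.php postletupload.php; do
    [ -e "$fm/$p" ] && printf '%s\n' "$fm/$p"
  done
  return 0
}
```

Run scan_uploads against the site's uploads directory and treat every line it prints as something to inspect and, once confirmed, remove; a clean uploads tree prints nothing. postlet_leftovers is a quick way to confirm the deletion recommended above actually happened on each site.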