Recent hacks and vulnerabilities

Project Announcements. This is read-only, as in... not for problems/bugs/feature request.
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Recent hacks and vulnerabilities

Post by calguy1000 »

Recently, numerous people have been posting numerous threads about being hacked, or getting errors in their admin section, or having strange 16 character messages displayed on their screens etc.

Though we haven't researched ALL of these hacks, we have researched a few, and it seems that some group of people is searching for vulnerable CMS Made Simple websites. That is, websites that have not upgraded to take advantage of the latest security fixes.

If you are experiencing these problems, here are the steps you must take:

1) Completely delete all database tables used by CMS Made Simple
2) Completely delete all files and directories in your CMS Made Simple installation
3) Completely restore all files and database from a backup that is 'known good'.
4) Change ALL of your CMS Made Simple passwords
5) Upgrade to CMS 1.2.5 ASAP.

Additionally, a safe bet would be to change your database password, or to use another database.

This is because this vulnerability seems to have been exploited in numerous ways, and there is no way of telling exactly what the hacker has done to your system.... and after numerous hours of investigating you still may have to do a complete restore.

CMS 1.2.5 was released on May 12... and we are still getting new reports of people being hacked.  This is because people aren't upgrading their CMS installs.

Upgrading your CMS install is your responsibility, and you should do it whenever a new release comes out, particularly if that release is to fix a security problem or a vulnerability.  We cannot help you with hacked sites, etc. if you're running a version of the system that is months or years old.  Additionally, we cannot and will not answer support requests for ancient versions.

There is a mailing list available to notify you of new versions of CMS Made Simple so that you don't have to visit the forums every day; I recommend everybody join it.
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
cyberman

Re: Recent hacks and vulnerabilities

Post by cyberman »

calguy1000 wrote: CMS 1.2.5 was released on May 12... and we are still getting new reports of people being hacked.  This is because people aren't upgrading their CMS installs.
Maybe we should help our users with an (RSS powered) red warning/information inside the admin panel, like SMF has ...
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Re: Recent hacks and vulnerabilities

Post by calguy1000 »

This is doable, but I don't think it'd be as effective as you think.

CMS is mostly used by developers to roll out websites for other customers..... once the site is rolled out, often the developer doesn't login to the admin panel very often.

The announce list is the best way to handle this I think.
pb
Forum Members
Posts: 27
Joined: Sun Jun 01, 2008 8:41 pm

Re: Recent hacks and vulnerabilities

Post by pb »

What about the people who have the latest 1.2.5 version and are hacked?

http://forum.cmsmadesimple.org/index.ph ... .html    Version 1.2.5

http://forum.cmsmadesimple.org/index.ph ... .html  Version 1.2.5
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Re: Recent hacks and vulnerabilities

Post by calguy1000 »

These sites existed before 1.2.5 came out, and were hacked before the upgrade to CMS 1.2.5
Maki
Forum Members
Posts: 25
Joined: Sun Mar 09, 2008 8:39 pm

Re: Recent hacks and vulnerabilities

Post by Maki »

calguy1000 wrote: There is a mailing list available to notify you of new versions of CMS Made Simple so that you don't have to visit the forums every day; I recommend everybody join it.
Since a new release is incoming, what about putting a page about security (with a link to the mailing list and the security tips on the wiki/forums) in the default content? Or, even better, show it during the install process? It would probably make people more aware of these problems and the need to keep things up to date.

A dedicated RSS feed for important announcements IMHO would be a great idea; mailing lists are a hassle in a number of ways. I mean something outside the admin panel.
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Re: Recent hacks and vulnerabilities

Post by calguy1000 »

a) there is a page called 'mailing lists' under the 'support' menu above
b) there is an rss feed on blog.cmsmadesimple.org
c) if a link was shown during the install process, maybe 5% of people would see it, and 5% of those would even remember to link to it, it'd be more effort than it's worth
d) please help and contribute to the site and the package... we'd appreciate the help.  you have lots of great ideas, can you spare some time?
cyberman

Re: Recent hacks and vulnerabilities

Post by cyberman »

calguy1000 wrote: CMS is mostly used by developers to roll out websites for other customers..... once the site is rolled out, often the developer doesn't login to the admin panel very often.
Maybe the customers are cannier and make a request to the developer if they get a red warning about security risks ::) ...

And there could be problems powered by contract too, if the customer books only a CMS website and not the service thereafter.

And requests are good for developer to make money ;D.
Maki
Forum Members
Posts: 25
Joined: Sun Mar 09, 2008 8:39 pm

Re: Recent hacks and vulnerabilities

Post by Maki »

calguy1000 wrote: a) there is a page called 'mailing lists' under the 'support' menu above
b) there is an rss feed on blog.cmsmadesimple.org
I know. While I believe that the term "blog" can be misleading for most people (who expect a different kind of content), it is true that 90% of the posts are just announcements of new releases. I just proposed to make these resources more evident to those that install CMSms for the first time.
calguy1000 wrote: c) if a link was shown during the install process, maybe 5% of people would see it, and 5% of those would even remember to link to it, it'd be more effort than it's worth
If I make a proportion between the number of downloads and the number of people that have read this thread (or the forum in general) we are way below 5%. But it still is a worthwhile thread.
calguy1000 wrote: d) please help and contribute to the site and the package... we'd appreciate the help.  you have lots of great ideas, can you spare some time?
Actually no, I don't have any spare time. I'm posting while having a sandwich at work, but this should change after summer... I hope.

Anyway there isn't really a lot to do. Just put a paragraph like this, with some evidence, in the first page of the default content and be done (note that half of that is from your post):

About security.
We do our best to write secure software, but bugs are always possible. Security fixes are released as soon as they are available, and it is important to upgrade. Upgrading your CMS install is your responsibility, and you should do it whenever a new release comes out, particularly if that release is to fix a security problem or a vulnerability. We cannot help you with hacked sites, etc. if you're running a version of the system that is months or years old.

There is a mailing list available to notify you of new versions of CMS Made Simple at http://www.cmsmadesimple.org/support/mailing-lists so that you don't have to visit the forums every day; we recommend everybody join it. Or you can subscribe to the low traffic blog at http://blog.cmsmadesimple.org/

It would also be wise to follow the tips and guidelines outlined in the forum thread http://forum.cmsmadesimple.org/index.php/topic,19660.0.html to make your server and CMSms installation even more robust.


If someone knowledgeable has the time to do it, a wiki page could be extracted from the linked thread (I wrongly remembered that it was already done) and/or incorporated in the default content. However, I'm not sure if eventually it would be any good; linking a "live" source is probably better to keep things up to date and prevent content replication.
Ziggywigged
Power Poster
Posts: 424
Joined: Sat Feb 02, 2008 12:42 am
Location: USA

Re: Recent hacks and vulnerabilities

Post by Ziggywigged »

A couple things I've noticed that may be contradictory to security advice given vs the default install of CMSMS:

1. It's advised that you NOT make your admin username/login public. However, it is shown by default in the news templates: 'posted by: ...'

2. It's advised that you NOT make the CMSMS version you're running public. However, this is a default in the footer of the install. Maybe it would be best to change: This site is powered by CMS Made Simple version 1.2.5
to: This site is powered by CMS Made Simple

3. Perhaps this recommended htaccess file: http://wiki.cmsmadesimple.org/index.php ... tings  should replace the default htaccess.txt file in the default install.

Just some suggestions. Thx.
Take a penny, leave a penny.
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Re: Recent hacks and vulnerabilities

Post by calguy1000 »

mikeiam wrote: A couple things I've noticed that may be contradictory to security advice given vs the default install of CMSMS:

1. It's advised that you NOT make your admin username/login public. However, it is shown by default in the news templates: 'posted by: ...'
The news templates are just examples, you're encouraged to change them.
2. It's advised that you NOT make the CMSMS version you're running public. However, this is a default in the footer of the install. Maybe it would be best to change: This site is powered by CMS Made Simple version 1.2.5
to: This site is powered by CMS Made Simple
You're supposed to delete the install directory after installation, and it's useful during installation to be able to see the version.

3. Perhaps this recommended htaccess file: http://wiki.cmsmadesimple.org/index.php ... tings  should replace the default htaccess.txt file in the default install.

Just some suggestions. Thx.
xmas3
Forum Members
Posts: 41
Joined: Sat Jul 28, 2007 9:22 am
Location: Bratislava / Slovakia

Re: Recent hacks and vulnerabilities

Post by xmas3 »

Hi all,
I am not sure where to post it.
Last week a few of my sites based on CMS MS 1.2.x were hacked.
My provider found an r57shell script in the upload folder (as config.inc.php), and it looks like this script is used for accessing the server and hacking the CMS.
I can send you the script if needed. I'm convinced that you know about that, but I just wanted to be sure!
Of course, I upgraded all my websites to 1.3.1 and followed the security how-to for improving the security of my websites.

Thanks, By Miro
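The first post advises a full restore because "there is no way of telling exactly what the hacker has done", and xmas3's post above shows the typical symptom: a PHP file (config.inc.php) dropped into the upload folder. The script below is an added example, not code from this thread or from CMS Made Simple itself. It does the two checks an administrator wants before deciding on a restore: compare the live tree against a known-good copy (an unpacked clean release archive or a trusted backup) to list added, modified and missing files, and flag PHP-executable content under directories that should only hold uploads. The directory name `uploads`, the function names and the sample trees it builds are all assumptions constructed for the example.

```python
"""
Post-compromise triage for a CMS install tree (added example; not part of
the forum thread or of CMS Made Simple).

Check 1: hash every file in the live tree and in a known-good tree and report
         what was added, modified or removed. Anything not explained by a
         legitimate change is a reason to do the full restore the thread asks for.
Check 2: look under upload directories for files that the web server would
         execute as PHP, either by extension or because a PHP open tag is
         hidden inside a file with an innocent name (e.g. an "image").
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Extensions a typical Apache/mod_php setup treats as executable (assumption).
PHP_EXT = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
# PHP open tags: "<?php", "<?=" and the legacy <script language="php"> form.
PHP_TAG = re.compile(rb"<\?(php|=)|<script[^>]+language\s*=\s*['\"]?php", re.I)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: Path) -> dict:
    """Map of relative POSIX path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def diff_against_known_good(live_root, good_root) -> dict:
    live, good = tree_hashes(Path(live_root)), tree_hashes(Path(good_root))
    return {
        "added": sorted(set(live) - set(good)),
        "modified": sorted(p for p in live if p in good and live[p] != good[p]),
        "missing": sorted(set(good) - set(live)),
    }


def suspicious_uploads(live_root, upload_dirs=("uploads",)) -> list:
    """Return (relative path, reason) for upload files the server could run as PHP."""
    root = Path(live_root)
    findings = []
    for d in upload_dirs:
        if not (root / d).is_dir():
            continue  # site may not have this directory; that is not a finding
        for p in (root / d).rglob("*"):
            if not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            if p.suffix.lower() in PHP_EXT:
                findings.append((rel, "php extension in upload dir"))
                continue
            with open(p, "rb") as f:
                head = f.read(4096)  # an open tag near the start is enough to flag
            if PHP_TAG.search(head):
                findings.append((rel, "php code in non-php file"))
    return sorted(findings)


def build_sample_trees(base) -> tuple:
    """Constructed sample data: a clean tree and a tampered copy of it."""
    good, live = Path(base) / "known_good", Path(base) / "live"
    files = {
        "index.php": b"<?php echo 'site';\n",
        "config.php": b"<?php $db = 'constructed';\n",
        "uploads/images/logo.png": b"\x89PNG constructed image bytes\n",
    }
    for root in (good, live):
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
    # Tampering, all constructed: a modified core file, a PHP file dropped into
    # uploads (the config.inc.php pattern from the thread) and PHP hidden in a .jpg.
    (live / "index.php").write_bytes(files["index.php"] + b"// constructed: appended line\n")
    (live / "uploads" / "config.inc.php").write_bytes(b"<?php // constructed stand-in for a dropped script\n")
    (live / "uploads" / "images" / "banner.jpg").write_bytes(b"\xff\xd8<?php // constructed: php in an image name\n")
    return live, good


def run_triage(base=None) -> dict:
    base = base or tempfile.mkdtemp(prefix="cms_triage_")
    live, good = build_sample_trees(base)
    return {"diff": diff_against_known_good(live, good),
            "uploads": suspicious_uploads(live)}


if __name__ == "__main__":
    for section, result in run_triage().items():
        print(section, result)
```

Run it against a real site by pointing `diff_against_known_good` at the install directory and at an unpacked copy of the same release; the "modified" list should contain only files you edited yourself (config, templates), and "added" should contain only content you uploaded. Either check producing an unexplained entry is the signal to stop investigating and follow the restore steps from the first post rather than trying to clean files one by one.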
cyberman

Re: Recent hacks and vulnerabilities

Post by cyberman »

Have you deleted /postlet folder (inside FileManager folder)?

Java postlet is never supported yet ... because of some security problems.
xmas3
Forum Members
Posts: 41
Joined: Sat Jul 28, 2007 9:22 am
Location: Bratislava / Slovakia

Re: Recent hacks and vulnerabilities

Post by xmas3 »

Hi,
yes, I found the postlet folder. But this folder is included in the official 1.3.1 MLE package. Why?

I found also another 2 files

action.postletupload.php
postletupload.php

in FileManager folder.

Should I delete them too?

Thanks, Miro
Last edited by xmas3 on Fri Jun 27, 2008 7:32 am, edited 1 time in total.
cyberman

Re: Recent hacks and vulnerabilities

Post by cyberman »

Hmm, maybe a mistake when creating the archive - will contact Robert/Ted.

Yes, you should delete them ...