All times are UTC
Post subject: I have been hacked
PostPosted: Tue Jul 23, 2019 4:21 pm
Forum Members
Joined: Tue Sep 08, 2015 10:41 am
Posts: 118
Browsing FTP I saw an unusual file: img1.txt

I downloaded it and Windows Defender immediately fired off a virus warning.

I logged into CMSMS admin and I could see it was uploaded via File Manager.

Apache showed the login attempts from a German IP address, Deutsche Telekom AG (I'm in UK). User-agent shows "Windows NT 6.1" (Vista) so almost certainly a virus bot at work.

First login attempt in admin log failed, Apache said:

Code:
www.m.co.uk 79.199.215.??? - - [23/Jul/2019:15:17:19 +0100] "POST /admin/login.php HTTP/1.1" 200 5067 "https://www.m.co.uk/admin/login.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36" 79.199.215.???

Two further login attempts performed simultaneously correspond with two authentication successes in CMSMS admin log:

Code:
www.m.co.uk 79.199.215.??? - - [23/Jul/2019:15:18:28 +0100] "POST /admin/login.php HTTP/1.1" 302 - "https://www.m.co.uk/admin/login.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36" 79.199.215.???

www.m.co.uk 79.199.215.??? - - [23/Jul/2019:15:18:28 +0100] "POST /admin/login.php HTTP/1.1" 302 - "https://www.m.co.uk/admin/login.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36" 79.199.215.???

A few minutes later, img1.txt shows in Admin log as uploaded via File Manager.

My password is very strong, so any ideas how they got in?

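The access log in this post shows a telling sequence: a POST to /admin/login.php answered with 200 (the login form re-rendered, i.e. a failed attempt) and, about a minute later, 302 redirects (successful logins) from the same address. The following added Python example, not code from the thread, scans a log in that layout for exactly this pattern; the sample lines are constructed with documentation-range placeholder IPs, and the ten-minute window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the same layout as the thread's Apache log
# (vhost, client IP, timestamp, request, status, size, referer, UA, trailing IP).
# IPs are documentation-range placeholders, not the address from the thread.
SAMPLE_LOG = """\
www.m.co.uk 203.0.113.5 - - [23/Jul/2019:15:17:19 +0100] "POST /admin/login.php HTTP/1.1" 200 5067 "https://www.m.co.uk/admin/login.php" "Mozilla/5.0 (Windows NT 6.1)" 203.0.113.5
www.m.co.uk 203.0.113.5 - - [23/Jul/2019:15:18:28 +0100] "POST /admin/login.php HTTP/1.1" 302 - "https://www.m.co.uk/admin/login.php" "Mozilla/5.0 (Windows NT 6.1)" 203.0.113.5
www.m.co.uk 203.0.113.5 - - [23/Jul/2019:15:18:28 +0100] "POST /admin/login.php HTTP/1.1" 302 - "https://www.m.co.uk/admin/login.php" "Mozilla/5.0 (Windows NT 6.1)" 203.0.113.5
www.m.co.uk 198.51.100.7 - - [23/Jul/2019:16:05:42 +0100] "POST /admin/login.php HTTP/1.1" 302 - "https://www.m.co.uk/admin/login.php" "Mozilla/5.0" 198.51.100.7
"""

# vhost, ip, ident, user, [timestamp], "METHOD path proto", status, ...
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"), "path": m.group("path"),
            "status": int(m.group("status"))}

def suspicious_admin_logins(log_text, window=timedelta(minutes=10)):
    """Flag IPs whose first successful admin login (302 redirect) was preceded,
    within `window`, by failed attempts (200 = login form re-rendered), the
    pattern the thread's logs show. Returns [(ip, failed_count, success_ts)]."""
    by_ip = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/admin/login.php":
            by_ip.setdefault(rec["ip"], []).append(rec)
    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if rec["status"] != 302:
                continue
            failed = sum(1 for p in recs[:i]
                         if p["status"] == 200 and rec["ts"] - p["ts"] <= window)
            if failed:
                findings.append((ip, failed, rec["ts"].isoformat()))
            break  # only the first success per IP matters here
    return findings
```

Run against the real access log, the findings list gives the addresses and times to correlate with the CMSMS admin log's authentication entries.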
Post subject: Re: I have been hacked
PostPosted: Tue Jul 23, 2019 4:25 pm
Dev Team Member
Joined: Wed Feb 25, 2009 4:25 am
Posts: 813
Location: Victoria, BC
Which version of CMSMS?

How do you know it was uploaded via file manager, was it in the admin log or something?

You'd need to check your server access logs and do some real digging to find out how they got in, but if you're using an old version of CMSMS there are known exploits.

_________________
Not getting the answer you need? CMSMS support options

Post subject: Re: I have been hacked
PostPosted: Tue Jul 23, 2019 4:32 pm
Forum Members
Joined: Tue Sep 08, 2015 10:41 am
Posts: 118
Latest version of CMSMS and all the modules.

The virus was uploaded via File Manager, it was in the CMSMS Admin Log.


----------------------------------------------

Cms Version: 2.2.10

Installed Modules:

AdminSearch: 1.0.4
Banners: 2.10
CGBetterForms: 1.9.9.1
CGBlog: 1.15.11
CGExtensions: 1.63.3
CGSimpleSmarty: 2.2.1
CMSContentManager: 1.1.7
Captcha: 1.0
CmsJobManager: 0.1.3
DesignManager: 1.1.6
FileManager: 1.6.8
FilePicker: 1.0.4
Gallery: 2.3.3
JQueryTools: 1.4.2
MicroTiny: 2.2.4
ModuleManager: 2.1.6
NMS: 2.13.3
Navigator: 1.0.9
News: 2.51.6
Search: 1.51.6
Showtime2: 3.6.3
ThemeManager: 1.1.8

Config Information:

php_memory_limit:
max_upload_size: 100000000
url_rewriting: none
page_extension:
query_var: page
auto_alias_content: true
locale:
set_names: true
timezone: Europe/London
permissive_smarty: false

Php Information:

phpversion: 7.3.3
md5_function: On (True)
json_function: On (True)
gd_version: 2
tempnam_function: On (True)
magic_quotes_runtime: Off (False)
E_ALL: 32767
E_STRICT: 2048
E_DEPRECATED: 8192
test_file_timedifference: No time difference found
test_db_timedifference: No time difference found
create_dir_and_file: 1
memory_limit: 128M
max_execution_time: 60
register_globals: Off (False)
output_buffering: On
disable_functions:
open_basedir:
test_remote_url: Success
file_uploads: On (True)
post_max_size: 100M
upload_max_filesize: 100M
session_save_path: No check because OS path
session_use_cookies: On (True)
xml_function: On (True)
xmlreader_class: On (True)
check_ini_set: On (True)
curl: On

Performance Information:

allow_browser_cache: On (True)
browser_cache_expiry: 60
php_opcache: On (True)
smarty_cache: Off (False)
smarty_compilecheck: Off (False)
auto_clear_cache_age: On (True)

Server Information:

Server Software: Apache
Server Api: cgi-fcgi
Server Os: Linux 4.19.44 On x86_64
Server Db Type: MySQL (mysqli)
Server Db Version: 5.7.16
Server Db Grants: Found a "GRANT ALL" statement that appears to be suitable

Permission Information:

tmp: /var/sites/m/m.co.uk/public_html/tmp (0755)
tmp_cache: /var/sites/m/m.co.uk/public_html/tmp/cache (0755)
templates_c: /var/sites/m/m.co.uk/public_html/tmp/templates_c (0755)
modules: /var/sites/m/m.co.uk/public_html/modules (0755)
uploads: /var/sites/m/m.co.uk/public_html/uploads (0755)
File Creation Mask (umask): /var/sites/m/m.co.uk/public_html/tmp/cache (0755)
config_file: 0444
----------------------------------------------

Post subject: Re: I have been hacked
PostPosted: Tue Jul 23, 2019 4:36 pm
Dev Team Member
Joined: Wed Feb 25, 2009 4:25 am
Posts: 813
Location: Victoria, BC
Yeah that's not going to be an easy one to track down. It's possible they got in before an upgrade, so simply changing your password (make sure it's the user account they used) may stop it. You'll also need to carefully check every file on the system for anything that shouldn't be there. Shell access is best for this so you can search by modified date, etc. Using CMSMS's system verification may help too.

_________________
Not getting the answer you need? CMSMS support options

Post subject: Re: I have been hacked
PostPosted: Tue Jul 23, 2019 4:38 pm
Forum Members
Joined: Tue Sep 08, 2015 10:41 am
Posts: 118
I thought I'd flag this up in case there's a potential vulnerability in CMSMS.

I find it odd they had a failed attempt just before the success. Obviously, without seeing the POST data they sent, it's impossible to see if they found an exploit and used it.

Post subject: Re: I have been hacked
PostPosted: Tue Jul 23, 2019 5:01 pm
Forum Members
Joined: Tue Sep 08, 2015 10:41 am
Posts: 118
Just to add, I've changed my CMSMS password and deleted the virus file from the server.

The only files which failed the checksum are those in the News module, but I think that's because it was updated post-release via Module Manager due to an issue with 2.3 Beta.

If I see any further occurrences of a bot logging in as me I'll report back. Thanks for the replies.

Post subject: Re: I have been hacked
PostPosted: Thu Jul 25, 2019 6:28 pm
Dev Team Member
Joined: Wed Apr 23, 2008 7:53 am
Posts: 7699
Location: The Netherlands
JamesT wrote:
Just to add, I've changed my CMSMS password and deleted the virus file from the server.
You also changed your FTP and hosting passwords?
And are they strong passwords?

JamesT wrote:
The only files which failed the checksum are those in the News module, but I think that's because it was updated post-release via Module Manager due to an issue with 2.3 Beta.
As far as I know, the CMSMS checksum function checks core CMSMS files. It does not check whether other/extra scripts are present... So you can't be sure there isn't an extra bad file in some folder hacking your files over and over again. Only if this file is gone are you safe.
Try looking at the folder/file dates: what was changed, and when?

_________________

Did my post help you solving a problem at your (customers) website and it saved you many hours of work? Great!! Consider buying me a cup of coffee in return!

Post subject: Re: I have been hacked
PostPosted: Thu Jul 25, 2019 11:29 pm
Forum Members
Joined: Tue Sep 08, 2015 10:41 am
Posts: 118
Rolf wrote:
You also changed your FTP and hosting passwords?
And are they strong passwords?

I haven't, but they are strong passwords.

Rolf wrote:
As far as I know, the CMSMS checksum function checks core CMSMS files. It does not check whether other/extra scripts are present... So you can't be sure there isn't an extra bad file in some folder hacking your files over and over again. Only if this file is gone are you safe.
Try looking at the folder/file dates: what was changed, and when?

No files had been added or changed, aside from the img1.txt uploaded via CMSMS as I mentioned earlier. There have been no further unauthorised login attempts.

Post subject: Re: I have been hacked
PostPosted: Fri Jul 26, 2019 11:57 am
Forum Members
Joined: Fri Dec 09, 2005 12:36 pm
Posts: 237
Location: Marlow, UK
When we've had cases where malicious files were uploaded via the admin interface it's been down to password reuse from a user who had their password exposed in a different breach.

Make sure you and your admins are using unique passwords.
It's well worth checking in https://haveibeenpwned.com/ to see whether an email address has been exposed in any public data dumps as well.

We built a simple module that runs a background job to monitor when files are updated (outside /uploads and /tmp). We never quite got it in a fit state to add to the forge (I can feel a moderator getting poised to delete this post already) but it is actually quite reassuring.
It's available on Github at https://github.com/millipedia/MillcoMonitor.

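A minimal version of the file-change monitoring suggested in this post (and of the modified-date and extra-file checks recommended earlier in the thread), as an added Python example that is not the MillcoMonitor module's code: it hashes the site tree outside uploads/ and tmp/ against a saved baseline, so a file dropped into modules/ or an edited config.php is reported while upload churn is ignored. The sha256 baseline format and the temporary site tree built in demo() are this example's own assumptions.

```python
import hashlib
import json
import os
import tempfile

# Directories CMSMS writes to in normal operation; changes there are ignored,
# as the MillcoMonitor approach described above does for /uploads and /tmp.
SKIP_DIRS = {"uploads", "tmp"}

def hash_tree(root):
    """Map relative path -> sha256 of every file under root, pruning SKIP_DIRS."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_baseline(baseline, current):
    """Report files added, changed or removed relative to a saved baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed scenario: baseline a tiny fake site tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("index.php", "config.php", "modules/News/News.module.php", "uploads/a.jpg"):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("original")
        baseline = os.path.join(root, "tmp", "baseline.json")  # tmp/ is pruned, so not hashed
        os.makedirs(os.path.dirname(baseline))
        with open(baseline, "w") as fh:
            json.dump(hash_tree(root), fh)
        for rel, text in (("modules/img1.txt", "planted"),   # dropped where it should not be
                          ("config.php", "\n// tampered"),    # core file altered
                          ("uploads/a.jpg", "replaced")):     # upload dir: expected to churn
            with open(os.path.join(root, rel), "a") as fh:
                fh.write(text)
        with open(baseline) as fh:
            return diff_baseline(json.load(fh), hash_tree(root))
```

On a real site the baseline would be written once after a clean install or upgrade and kept outside the web root, with the comparison run from cron.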
Post subject: Re: I have been hacked
PostPosted: Fri Jul 26, 2019 2:00 pm
Forum Members
Joined: Tue Sep 08, 2015 10:41 am
Posts: 118
It was my own account (primary, admin) they logged in as. The other user's account was not used.

I do appear on haveibeenpwned.com as "Onliner Spambot" but that is not a password leak as far as I can make out.

I use good security practices, every password is strong and unique (KeePass).

If this happens again I might try and set up something to log POST data to a file since we might get some clues as to what they're doing.

Post subject: Re: I have been hacked
PostPosted: Sat Aug 03, 2019 6:23 am
New Member
Joined: Sat Aug 03, 2019 6:13 am
Posts: 1
This is good information about CMSMS and its hacking. I am sure it will help me if such an issue occurs.

Post subject: Re: I have been hacked
PostPosted: Tue Sep 24, 2019 11:01 am
Forum Members
Joined: Tue Sep 08, 2015 10:41 am
Posts: 118
CMSMS 2.2.12 has just been released which addresses a security issue in FileManager. Possibly related to the issue I raised in this thread?

I have already installed the latest version and changed my database password as advised.

Post subject: Re: I have been hacked
PostPosted: Wed Sep 25, 2019 7:28 am
Dev Team Member
Joined: Mon Nov 28, 2011 9:29 am
Posts: 3121
Location: The Netherlands
Considering the severity of the fixed security issue, it is possible it has been used to compromise your website.

Especially if your hosting offers public access to a database frontend (usually phpMyAdmin) or your database allows connections from any host.

That said, it will be very hard to track down the way someone got into your system.

Post subject: Re: I have been hacked
PostPosted: Wed Sep 25, 2019 10:43 am
Forum Members
Joined: Tue Sep 08, 2015 10:41 am
Posts: 118
velden wrote:
Especially if your hosting offers public access to a database frontend (usually phpMyAdmin) or your database allows connections from any host.

My host offers the option but I've never enabled that. I suppose my host's phpmyadmin interface was another possibility but it seems like it was just an attack on FileManager.

If it had happened continuously I probably would have started to log POST data but it didn't reoccur.
