Spam script included in Current Package
-
- New Member
- Posts: 5
- Joined: Fri Aug 21, 2015 2:35 pm
Spam script included in Current Package
I installed cmsmadesimple-1.12-full.tar.gz on my server this weekend. There is a script in it that sends out spam; it started yesterday.
From my system admin
---
/var/www/html/cms_....../lib/lang/cms_selflink/ext/
there was a file stats72.php
it's an encrypted script; the unencrypted version is stored in 73.php
created half a year ago
attacker IP 97.64.150.78; he sends POST queries
POST /lib/lang/cms_selflink/ext/stats72.php HTTP/1.0
------
-
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
- Location: Fernie British Columbia, Canada
Re: Spam script included in Current Package
Where did you download the package from? Did you verify the md5 signature of the downloaded package? Are you sure that your PC isn't infected?
I just downloaded the exact same version of CMSMS from the CMSMS website, verified the MD5 signature and then looked at the contents. As you can see from the commands I executed below, there is no stats package anywhere in our archive.
rob@rob-desktop:~/Downloads$ tar ztvf cmsmadesimple-1.12-full.tar.gz | grep cms_selflink
-rw-r--r-- root/root 11640 2015-03-28 10:40 ./plugins/function.cms_selflink.php
drwxr-xr-x root/root 0 2015-04-12 12:06 ./lib/lang/cms_selflink/
drwxr-xr-x root/root 0 2015-04-12 12:06 ./lib/lang/cms_selflink/ext/
-rw-r--r-- root/root 373 2011-04-15 08:03 ./lib/lang/cms_selflink/ext/hu_HU.php
-rw-r--r-- root/root 410 2010-12-14 08:46 ./lib/lang/cms_selflink/ext/pt_BR.php
-rw-r--r-- root/root 318 2012-05-19 13:11 ./lib/lang/cms_selflink/ext/de_DE.php
-rw-r--r-- root/root 399 2010-09-22 06:21 ./lib/lang/cms_selflink/ext/nl_NL.php
-rw-r--r-- root/root 411 2011-09-24 17:59 ./lib/lang/cms_selflink/ext/fa_FA.php
-rw-r--r-- root/root 412 2010-11-01 11:37 ./lib/lang/cms_selflink/ext/fi_FI.php
-rw-r--r-- root/root 383 2011-07-11 02:37 ./lib/lang/cms_selflink/ext/ar_AR.php
-rw-r--r-- root/root 104 2014-05-06 11:31 ./lib/lang/cms_selflink/ext/fr_FR.php
-rw-r--r-- root/root 410 2010-10-02 04:34 ./lib/lang/cms_selflink/ext/sr_YU.php
-rw-r--r-- root/root 380 2010-10-27 09:23 ./lib/lang/cms_selflink/ext/pl_PL.php
-rw-r--r-- root/root 379 2011-02-28 02:57 ./lib/lang/cms_selflink/ext/ro_RO.php
-rw-r--r-- root/root 359 2011-03-27 14:06 ./lib/lang/cms_selflink/ext/da_DK.php
-rw-r--r-- root/root 315 2012-02-15 15:15 ./lib/lang/cms_selflink/ext/et_EE.php
-rw-r--r-- root/root 412 2010-09-22 03:32 ./lib/lang/cms_selflink/ext/hr_HR.php
-rw-r--r-- root/root 402 2011-05-10 02:18 ./lib/lang/cms_selflink/ext/gl_GL.php
-rw-r--r-- root/root 443 2010-10-11 10:27 ./lib/lang/cms_selflink/ext/ru_RU.php
-rw-r--r-- root/root 108 2014-08-19 04:48 ./lib/lang/cms_selflink/ext/sk_SK.php
-rw-r--r-- root/root 422 2010-09-11 12:18 ./lib/lang/cms_selflink/ext/nb_NO.php
-rw-r--r-- root/root 388 2010-09-27 12:15 ./lib/lang/cms_selflink/ext/sv_SE.php
-rw-r--r-- root/root 373 2010-11-02 06:14 ./lib/lang/cms_selflink/ext/it_IT.php
-rw-r--r-- root/root 345 2012-04-02 23:25 ./lib/lang/cms_selflink/ext/vi_VN.php
-rw-r--r-- root/root 396 2010-09-15 11:56 ./lib/lang/cms_selflink/ext/es_ES.php
-rw-r--r-- root/root 395 2011-02-10 08:42 ./lib/lang/cms_selflink/ext/tr_TR.php
-rw-r--r-- root/root 444 2011-02-11 14:40 ./lib/lang/cms_selflink/ext/cs_CZ.php
-rw-r--r-- root/root 394 2010-10-10 11:07 ./lib/lang/cms_selflink/ext/sl_SI.php
-rw-r--r-- root/root 26 2015-04-12 12:06 ./lib/lang/cms_selflink/ext/index.html
-rw-r--r-- root/root 358 2012-08-08 14:54 ./lib/lang/cms_selflink/ext/zh_TW.php
-rw-r--r-- root/root 318 2012-12-29 09:56 ./lib/lang/cms_selflink/ext/lt_LT.php
-rw-r--r-- root/root 313 2012-06-25 05:13 ./lib/lang/cms_selflink/ext/en_CY.php
-rw-r--r-- root/root 373 2012-02-02 14:35 ./lib/lang/cms_selflink/ext/pt_PT.php
-rw-r--r-- root/root 84 2010-09-09 11:02 ./lib/lang/cms_selflink/en_US.php
-rw-r--r-- root/root 26 2015-04-12 12:06 ./lib/lang/cms_selflink/index.html
rob@rob-desktop:~/Downloads$ tar ztvf cmsmadesimple-1.12-full.tar.gz | grep stats
rob@rob-desktop:~/Downloads$
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
-
- New Member
- Posts: 5
- Joined: Fri Aug 21, 2015 2:35 pm
Re: Spam script included in Current Package
I downloaded directly from the downloads link on the CMSMS site. I didn't verify the signature; shame on me, I won't do that again.
The package was downloaded to my Mac, then uploaded and decompressed on my hosting via the Webmin upload functionality on AWS.
I still have the package locally if you want a copy.
---
I did three installs on that same server with the same package. I'm double checking with my admin to see if that's the only one that has an issue.
-
- New Member
- Posts: 5
- Joined: Sat Jul 28, 2012 9:48 am
Re: Spam script included in Current Package
My clients and I experienced the same problem and are still experiencing it since August 20. The system is sending spam and hosting providers are suspending our accounts. Not only the latest version (1.12) was infected, but also an older version of CMSMS (1.11.4).
The thing is, each of them had the malware script in different locations, and the index.php and config.php code was changed (some crypto code on top).
The other 3 sites had them elsewhere with different file names. [removed by moderator]
I will do a clean installation on each website as soon as they get unsuspended, and hope it won't happen again.
Last edited by Jo Morg on Sun Aug 23, 2015 6:17 pm, edited 1 time in total.
Reason: Please do not post the code of hacked sites
Re: Spam script included in Current Package
tumaykilinc wrote:
> The system is sending spam and hosting providers are suspending our accounts. Not only the latest version (1.12) was infected, but also an older version of CMSMS (1.11.4).
That is not correct. The sites may have been hacked for a number of reasons. We do not provide infected packages.
If you follow a few procedures CMSMS is secure:
- follow the suggestions of this page: http://docs.cmsmadesimple.org/general-i ... ring-cmsms;
- make sure you have deleted the install folder of your CMSMS installation;
- make sure no frontend form submissions are evaluated by Smarty;
Typically, good hosts work with their clients to find the source or the weak link, so you may have to request some help from your hosting providers (actually, suspending accounts without any warning or attempt to investigate the source of the issue seems a bit uncommon...).
"There are 10 types of people in this world, those who understand binary... and those who don't."
* by the way: English is NOT my native language (sorry for any mistakes...).
Code of Conduct | CMSMS Docs | Help Support CMSMS
My developer Page on the Forge
GeekMoot 2015 in Ghent, Belgium: I was there!
GeekMoot 2016 in Leicester, UK: I was there!
DevMoot 2023 in Cynwyd, Wales: I was there!
-
- New Member
- Posts: 5
- Joined: Fri Aug 21, 2015 2:35 pm
Re: Spam script included in Current Package
Obviously, looking at where the bad file is would lead us to a CMSMS distro issue at first.
We thought we'd nabbed it yesterday, but back today in the same place on one of the cmsms installs.
It's back in this location:
-rw-r--r-- 1 apache apache 155149 Jan 24 2015 ./cms***/admin/themes/OneEleven/page68.php
-
- New Member
- Posts: 5
- Joined: Fri Aug 21, 2015 2:35 pm
Re: Spam script included in Current Package
Just checked config.php. I found this before the "#CMS Made Simple Configuration File" line.
<? php $ cookey="."; preg_replace("."); ? ><?php
Is that supposed to be there?
I'm not sure that I have a clean reference anywhere in my system if I've got malware.
Re: Spam script included in Current Package
No it shouldn't be there.
I would recommend downloading a clean copy from our servers.
-
- New Member
- Posts: 5
- Joined: Fri Aug 21, 2015 2:35 pm
Re: Spam script included in Current Package
**Update
We found the <? php $ cookey="."; preg_replace("."); ? ><?php in the config.php of each CMSMS instance on our server. We cleaned the file and locked down permissions to 444 on it and on index.php (a post above mentioned a similar issue with index.php).
We also blocked inbound IPs that were pinging the foreign files added to the CMSMS directory structure.
The permissions change doesn't seem to have impacted site performance.
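Added example, not code from any poster or from the CMSMS project: a Python triage script that automates the two checks this thread arrives at by hand, Rob's comparison of the installed tree against the pristine release tarball (extended from a grep for one name to every file the archive never shipped) and the look for code prepended to config.php ahead of the "#CMS Made Simple Configuration File" line. The release tarball and the infected site tree it runs on are constructed inline, and the prefix planted in the sample config.php is an assumed stand-in for the moderator-redacted cookey snippet.

```python
import os
import shutil
import tarfile
import tempfile

# First line of a genuine config.php after '<?php', as quoted in the thread.
CONFIG_MARKER = b"#CMS Made Simple Configuration File"

def archive_files(tar_path):
    """Regular files in the release tarball, with the leading './' stripped."""
    with tarfile.open(tar_path, "r:*") as tar:
        return {m.name[2:] if m.name.startswith("./") else m.name
                for m in tar.getmembers() if m.isfile()}

def installed_files(root):
    """Relative paths of every file under the installed web root."""
    return {os.path.relpath(os.path.join(d, n), root)
            for d, _, names in os.walk(root) for n in names}

def extra_files(tar_path, root):
    """Files on disk that the release archive never shipped (a stats72.php-style drop-in)."""
    return sorted(installed_files(root) - archive_files(tar_path))

def injected_prefix(path, marker=CONFIG_MARKER):
    """Bytes between the opening '<?php' and the expected header line.
    b'' means clean; anything else is code that was prepended to the file."""
    with open(path, "rb") as fh:
        data = fh.read()
    at = data.find(marker)
    if at < 0:
        return data.strip()  # header missing: treat the whole file as suspect
    head = data[:at].strip()
    if head.startswith(b"<?php"):
        head = head[len(b"<?php"):].strip()
    return head

def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def build_sample():
    """Constructed fixture (not a real release): a tiny 'release' tarball plus an
    install tree carrying one dropped-in file and a prepended config.php."""
    work = tempfile.mkdtemp(prefix="cmsms-triage-")
    release, site = os.path.join(work, "release"), os.path.join(work, "site")
    clean_config = b"<?php\n" + CONFIG_MARKER + b"\n$config['dbms'] = 'mysqli';\n"
    _write(os.path.join(release, "config.php"), clean_config)
    _write(os.path.join(release, "lib/lang/cms_selflink/ext/de_DE.php"), b"<?php\n$lang['title'] = 'Titel';\n")
    tar_path = os.path.join(work, "cmsmadesimple-sample.tar.gz")
    with tarfile.open(tar_path, "w:gz") as tar:
        tar.add(release, arcname=".")  # members come out as './...' like the real archive
    shutil.copytree(release, site)
    _write(os.path.join(site, "lib/lang/cms_selflink/ext/stats72.php"), b"<?php /* constructed stand-in for the dropped file */\n")
    _write(os.path.join(site, "config.php"), b'<?php $cookey="CONSTRUCTED"; ?>' + clean_config)
    return {"tar": tar_path, "site": site, "clean_config": os.path.join(release, "config.php"),
            "site_config": os.path.join(site, "config.php")}

if __name__ == "__main__":  # stand-alone: run both checks against the constructed sample
    fx = build_sample()
    print("not in release archive:", extra_files(fx["tar"], fx["site"]))
    print("prepended to config.php:", injected_prefix(fx["site_config"]))
```

Against a real install, call extra_files() with the downloaded release tarball and the web root, and injected_prefix() on the live config.php.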
-
- New Member
- Posts: 5
- Joined: Sat Jul 28, 2012 9:48 am
Re: Spam script included in Current Package
> That is not correct. The sites may have been hacked for a number of reasons. We do not provide infected packages.
No, this is not what I said, of course. However, I experienced this issue on 4 hosting companies with only CMSMS installed on them, and I think there is an exploit to cause this. Each hosting company handled the situation in a different way; most are solved, and I did a clean installation on all of them. However, I request you to look into this issue please, because this can happen again.
While searching about this issue I found another CMSMS site that was infected. [edit: remove link to possibly infected website]
Given the date and the issue addressed, they are the same as our problem.
> We found the <? php $ cookey="."; preg_replace("."); ? ><?php in each config.php cmsms instance on our server.
Peidemiller, it existed in my config.php as well. It is also in the version.php page; you might want to check that too.
Last edited by velden on Tue Aug 25, 2015 8:55 am, edited 1 time in total.
Reason: removed link to website
Re: Spam script included in Current Package
tumaykilinc wrote:
> No, this is not what I said, of course.
> > That is not correct. The sites may have been hacked for a number of reasons. We do not provide infected packages.
I stand corrected, sorry. Given the original post title, that was my read.
tumaykilinc wrote:
> However, I experienced this issue on 4 hosting companies with only CMSMS installed on them, and I think there is an exploit to cause this. Each hosting company handled the situation in a different way; most are solved, and I did a clean installation on all of them. However, I request you to look into this issue please, because this can happen again.
Most, if not all, of the Dev Team members work with tons of CMSMS installations, from pretty simple one-page sites to huge and complex sites, from test sites to popular sites with hundreds of hits. We do take all security reports seriously, even though we only act upon the valid ones. If this was a CMSMS vulnerability there would be far more reports and, inevitably, we would witness first-hand the results of such attacks.
A quick search on Google gave me the impression that this is a WP vulnerability, particularly related to a specific plugin.
If this were a CMSMS vulnerability we would need far more information than what has been given in any of the posts so far, including but not limited to:
- System info (CMSMS version, PHP version, etc...);
- server error and access logs;
- list of other scripts installed on the same server;
- Server environment settings;
- etc...
In short: we would need to be able to reproduce the vulnerability in order to solve it.
So far there is no evidence that this is a CMSMS vulnerability.
Additionally, please keep in mind that there are other factors that contribute to opening a backdoor to a system:
- other accounts on the same server with vulnerable scripts or otherwise compromised (it doesn't necessarily have to be on the same account);
- site developers with infected computers (possible viruses, trojans and keyloggers);
Also please remember that, after recovering a site from a backup, additional measures should be taken to ensure that the system cannot be further compromised:
- change ALL passwords, for FTP, cPanel, administrator accounts and make sure you do not have any FTP accounts on your server that should not be there at all;
- update CMSMS and 3rd party modules to the latest versions;
- try to implement our security suggestions;
- update and secure other scripts or web applications that might be running on your server;
HTH
"There are 10 types of people in this world, those who understand binary... and those who don't."
* by the way: English is NOT my native language (sorry for any mistakes...).
Code of Conduct | CMSMS Docs | Help Support CMSMS
My developer Page on the Forge
GeekMoot 2015 in Ghent, Belgium: I was there!
GeekMoot 2016 in Leicester, UK: I was there!
DevMoot 2023 in Cynwyd, Wales: I was there!
Re: Spam script included in Current Package
Hello,
I have experienced the same problem since the 20th of August....
I can reproduce the "hack".... it can be exploited when the install folder is not deleted....
it is this exploit: http://seclists.org/bugtraq/2014/Dec/39
sorry for my bad English, I am French....
I post only for those who experience this problem.... delete the install folder !!!
Regards...
s. o.
Re: Spam script included in Current Package
Just to add my twopennoth to stephane's comment.
We had a site infected with this cookey hack last week as well. When we trawled through the log files we found the vector was indeed through the install script which hadn't been removed (yes yes I know it should have been deleted).
There were several files that had been uploaded to the server in various seemingly random places as well as changes to the config file so it was not just a case of removing the code injected into config.php. You'll need to revert to a known good backup if you're not able to determine which files have been changed.
I guess the lesson is to make sure you remove the install folder when upgrading / installing. Could we perhaps insist the folder is removed rather than just showing the warning?
Re: Spam script included in Current Package
scooper wrote:
> I guess the lesson is to make sure you remove the install folder when upgrading / installing. Could we perhaps insist the folder is removed rather than just showing the warning?
In CMSMS 2.0 the installer locks the config.php file so that it is read only. You won't be able to alter the config file by reinstalling CMSMS.
Removing the folder after installation is, IMO, not a CMSMS installer responsibility for a number of reasons. But the warning is there... if people choose to ignore it...
"There are 10 types of people in this world, those who understand binary... and those who don't."
* by the way: English is NOT my native language (sorry for any mistakes...).
Code of Conduct | CMSMS Docs | Help Support CMSMS
My developer Page on the Forge
GeekMoot 2015 in Ghent, Belgium: I was there!
GeekMoot 2016 in Leicester, UK: I was there!
DevMoot 2023 in Cynwyd, Wales: I was there!
Re: Spam script included in Current Package
I am currently having this issue with an old site. I did clean up the config.php file and removed the install directory but ALL .php files in every directory have been infected.