Major Security Issue - Sites Repeatedly Hacked
Please advise if there is a solution to this constant security issue to the modules.
Site is running 1.2.4. Database was manually rebuilt and all passwords changed after repeated url hacks in the modules urls. Config.php is 444 and all other permissions set as low as possible. Only tmp/cache and tmp/templates_c are 777 (won't operate lower). .htaccess is setup using the recommendation in installation guidelines. Here is a sample of the hundreds of logs entries:
xxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxx
The same hacks occur to all module queries - album, self registration, news, etc... I have completely reloaded new files and new database, but it does not stop.
How can this be prevented? Is there a problem with CMS Made Simple or ?? (I really like CMSMS and want to keep using it)
Thanks for any advice.
Last edited by Rolf on Mon Apr 02, 2012 7:44 am, edited 1 time in total.
Reason: removed hacked code/links
-
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
Re: Major Security Issue - Sites Repeatedly Hacked
Is somebody actually causing problems? Have they hacked your site? Or is it just numerous hack attempts by some script kiddie?
I'd be interested in knowing.
Also, mod_security can be used to filter out certain urls from even getting this far, but you have to use caution with it.
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
Re: Major Security Issue - Sites Repeatedly Hacked
I'm not sure what they are doing but it is so aggressive, it must be useful to them. It is many different IPs and hundreds of url entries. I added the url filtering to the .htaccess, but that is not returning 403 or 404 errors. All of the urls entries are returning acceptable 200. Is your suggestion for mod_security the same as the url filtering mod_rewrite?
Thanks!
Re: Major Security Issue - Sites Repeatedly Hacked
Maybe it's not CMSMS at all but someone accessing it from another account. Are you on shared hosting? This can be problematic sometimes. Ask your web host to look into that for you. They are usually very interested in these kinds of security breaches, as it ends up affecting more than just you.
I have about five CMSMS test sites up and running and I haven't been hacked yet (knock on wood!). I'd be interested to know anything that can be done to batten down the hatches, so to speak. Sounds like your file security is about as good as it can be.
I hope you solve it.
Re: Major Security Issue - Sites Repeatedly Hacked
I will notify the hosting. They use cpanel.
I am still unsure how they are manipulating the url so easily. I know they are stealing bandwidth. If anyone knows how they are doing this so easily, I am sure there are other people who would want to understand more to protect their sites too.
Thanks
Re: Major Security Issue - Sites Repeatedly Hacked
DB-9000 wrote: It is many different IPs and hundreds of url entries. I added the url filtering to the .htaccess, but that is not returning 403 or 404 errors. All of the urls entries are returning acceptable 200.
Really? Both samples you show contain an "illegal" "http" string.
This very simplified .htaccess
Code:
ServerSignature Off
Options -Indexes
<Files "config.php">
order allow,deny
deny from all
</Files>
ErrorDocument 403 /forbidden403.html
RewriteEngine On
#RewriteBase /
#IF the QS contains a "http"
RewriteCond %{QUERY_STRING} http [OR]
#OR if the QS contains a star
RewriteCond %{QUERY_STRING} \*
#THEN deny the request
RewriteRule ^.*$ - [F,L]
Try mod_rewrite with it, wget http://www.yoursite.net/cmsmspath/index ... =httpCrack
Pierre M.
Re: Major Security Issue - Sites Repeatedly Hacked
My hosting company has stated that it appears someone is attacking the mact variable on the system. They believe that the CMSMS package has been exploited. They said "someone has developed a rather efficient exploit for it. You are going to have to patch your code to look for this string and ignore it."
I know at a minimum they are using the bandwidth, but not sure what the worst case might be. I backtracked on one of the urls which led through their phpmyadmin entries and I got a test.php script that responded with "test is successful".
I will check the htaccess as suggested to see if there are any differences in the htaccess that I am using.
I appreciate any further suggestions regarding the feedback from the hosting company.
-
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
Re: Major Security Issue - Sites Repeatedly Hacked
Since I don't know the complete url I can't test.
But I suggest you try this:
a) copy the exact (byte for byte) url to a text file
b) create a script that'll wget or some similar thing the contents of the given url
c) look at the output
Then you'll know if they're actually getting any output, or are just doing a DDOS on you.
If they're getting some output, let us know with complete details (private messages are okay) and we'll look into it.
Re: Major Security Issue - Sites Repeatedly Hacked
Calguy - I have tried your suggestion, but I must not be doing it correctly. I am not sure how to get the script to work. Can you provide more information? The log file for April 2 showed about 1200 url attacks like the ones I listed. Is there more that I can provide to the development team to check this out as a legitimate concern?
Here is my htaccess - is this the problem? - Thanks for your help.
Code:
Options All -Indexes
<Files "config.php">
order allow,deny
deny from all
</Files>
ServerSignature Off
RewriteEngine On
RewriteBase /
# URL Filtering helps stop some hack attempts
#IF the QS contains a "http"
RewriteCond %{QUERY_STRING} http [OR]
#OR if the QS contains a star
RewriteCond %{QUERY_STRING} \* [OR]
#IF the URI contains a "http:"
RewriteCond %{QUERY_STRING} http\: [OR]
#OR if the URI contains a "["
RewriteCond %{QUERY_STRING} \[ [OR]
#OR if the URI contains a "]"
RewriteCond %{QUERY_STRING} \] [OR]
#OR if the URI contains a "<script>"
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
#OR script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
#OR any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^.*$ - [F,L]
# END Filtering
# 301 Redirect all requests that don't contain a dot or trailing slash to
# include a trailing slash
RewriteCond %{REQUEST_URI} !/$
RewriteCond %{REQUEST_URI} !\.
RewriteRule ^(.*) %{REQUEST_URI}/ [R=301,L]
# Rewrites urls in the form of /parent/child/
# but only rewrites if the requested URL is not a file or directory
RewriteCond %{REQUEST_FILENAME} !-f [NC]
RewriteCond %{REQUEST_FILENAME} !-d [NC]
RewriteRule ^(.+)$ index.php?page=$1 [QSA]
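A way to check an access log against the filter discussed above, as an added example that is not part of any post in this thread: it applies a subset of the RewriteCond patterns to each logged query string and lists requests that the filter should have refused but that were not answered with 403. The log lines, IP addresses and host names are constructed sample data.

```python
import re

# Subset of the thread's RewriteCond patterns. They are matched against the
# raw, undecoded query string, which is what %{QUERY_STRING} holds.
DENY_PATTERNS = [re.compile(p) for p in (
    r"http", r"\*", r"\[", r"\]",
    r"GLOBALS(=|\[|%[0-9A-Z]{0,2})",
    r"_REQUEST(=|\[|%[0-9A-Z]{0,2})",
)]

# Apache common/combined log: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

def should_be_denied(query):
    """True if any of the filter patterns matches the raw query string."""
    return any(p.search(query) for p in DENY_PATTERNS)

def audit(lines):
    """Return (ip, status, target) for requests the filter should have
    refused but which were answered with something other than 403."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        ip, _method, target, status, _size = m.groups()
        query = target.partition("?")[2]  # everything after the first "?"
        if should_be_denied(query) and status != "403":
            findings.append((ip, int(status), target))
    return findings

# Constructed sample log lines (documentation IP ranges, placeholder host).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Apr/2008:10:01:12 +0000] '
    '"GET /index.php?page=http://placeholder.example/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [02/Apr/2008:10:01:15 +0000] '
    '"GET /index.php?page=news HTTP/1.1" 200 8342',
    '198.51.100.23 - - [02/Apr/2008:10:02:40 +0000] '
    '"GET /index.php?GLOBALS[x]=1 HTTP/1.1" 403 211',
    '198.51.100.23 - - [02/Apr/2008:10:02:44 +0000] '
    '"GET /index.php?page=a*b HTTP/1.1" 200 8342',
]

if __name__ == "__main__":
    for ip, status, target in audit(SAMPLE_LOG):
        print(f"{ip} got {status} for a request the filter should refuse: {target}")
```

Findings mean the rules were not applied to those requests, for example because the .htaccess sits in a different directory, overrides are disabled, or mod_rewrite is not loaded. The bare "http" pattern is broad, so a legitimate query string carrying a URL is flagged too.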
Re: Major Security Issue - Sites Repeatedly Hacked
Hello,
DB-9000 wrote: Here is my htaccess - is this the problem? - Thanks for your help.
You mean .htaccess, don't you? Where is it located?
Pierre M. wrote: Try mod_rewrite with it, wget http://www.yoursite.net/cmsmspath/index ... =httpCrack
Does this wget get a 403?
Pierre M.
Re: Major Security Issue - Sites Repeatedly Hacked
Hello Lexus,
Pierre M. wrote: Does this wget get a 403?
at least answer this question first.
Pierre M.
Re: (Solved) Major Security Issue - Sites Repeatedly Hacked
I wanted to pass on that since I originally posted the url attack problem, I have not had a single url attack against any of my sites. Here are three changes that may be the link to the solution.
1. I added two lines of code in the .htaccess file that are not in the CMS Made Simple recommended optional settings guide. Info was from a post by Pierre M. (Also - see the entire pertinent code in my earlier post) Thanks Pierre!
#IF the QS contains a "http"
RewriteCond %{QUERY_STRING} http [OR]
#OR if the QS contains a star
RewriteCond %{QUERY_STRING} \*
2. I notified my hosting company. They said it was an external script attack, but I saw that last week they took all of the servers down for security upgrades. Hmmm.....?
3. I changed from using mod_rewrite for pretty urls to the internal pretty url with hierarchy. I will change one of the sites back to mod_rewrite for pretty urls in a week or so and monitor for recurrence of url attacks.
It seems to me that, based on these corrective actions, I could definitively say that the root of the problem is not in the CMS Made Simple package. I am still uncertain about mod_rewrite for pretty urls - I will post an update after my test.
Thanks to all who assisted me to correct this situation.