[solved] Trojan virus hack: can't figure out where spam content is coming from
I have a site that was using CMSMS 1.2 when it got hacked. First I found file uploading didn't work and I got a spammy error message.
I updated the site to 1.2.5. Then I noticed a lot of hidden spammy text at the beginning of the source code for all my pages. It can be seen in "View source" but not otherwise (http://tdrc.net).
In backing up the site, my NAV caught a virus, PHP.RSTBackdoor, in three files:
In modules/FileManager:
st.php
r.php
In modules/FormBuilder:
method.php
I deleted them. I also found a lot of numbered directories in modules/FileManager/postlet that each had a spammy index.html file in it. I deleted all those, too.
The source code junk is still there.
I've replaced index.php with a fresh copy, checked the templates for anything unusual, and searched a dump of the database and the site backup for the bad content, with no luck, so I don't know how it's being generated for the browser.
I find it strange that the junk appears in a font tag before everything else in the code, even before the doctype declaration.
I spoke to the technical people at my server, Bell Hosting (Bell Canada), and they had no idea.
Any help tracking down how this is happening and what to do about it would be appreciated!
Last edited by tonyrap on Mon Jun 23, 2008 4:28 pm, edited 1 time in total.
Re: Trojan virus hack: can't figure out where spam content is coming from
You also have a couple of links in your footer that look like they shouldn't be there.
If the additions are not in the db, I think you should delete all of the files on the server and re-upload fresh copies.
Nullig
Re: Trojan virus hack: can't figure out where spam content is coming from
Thanks, Nullig,
I'm sure that's good advice, and thanks for catching those links in the footer. It's even worse when it's visible content, and, again, the junk isn't in the template or the footer block.
There are folders on the server that aren't part of the CMS, with legacy internal links from before I converted the site to CMS. I have them backed up, but I have no way of knowing if the backups are clean: they're virus-free, and I can't find any text that resembles the spam. Similarly with the upload folder.
Just to have a sense of what I'm getting into: if I delete all the CMS files and install it fresh, will it re-establish all the database content (templates, pages, links, etc.), including in modules like FormBuilder, or will I be rebuilding all that?
Re: Trojan virus hack: can't figure out where spam content is coming from
If you just recopy fresh versions of all of the stuff you have now, you shouldn't need to reinstall. If you do reinstall, just don't create the tables and add sample content. Skip those parts.
Also, make sure you clear your cache in Admin.
Nullig
Re: Trojan virus hack: can't figure out where spam content is coming from
Check the file include.php at the root level of your CMSMS installation. You will find that it has been hacked and the spam links you are seeing in the source code of your pages have been placed in that file. As for the fix, I do not know exactly what it is...
Re: Trojan virus hack: can't figure out where spam content is coming from
Wipe everything on your site, backup only your images first and run them thru your antivirus, then FTP a fresh set of CMSMS folders/files...
Run install and DON'T MAKE TABLES...
EDIT: Forgot to tell you, your site has a ton of spam/junk before the header...
Last edited by Anonymous on Sun Jun 22, 2008 4:27 pm, edited 1 time in total.
Re: Trojan virus hack: can't figure out where spam content is coming from
Mark, your advice sounds good, but I am curious if you have direct experience with this exact hack or if your advice is based on sound practices in recovering from a hack.
I am just curious as I am currently suffering from this very same type of hack, and I am seeking the best way to get out of this situation without causing further problems. I have been hacked twice (the spam code was injected into include.php) and now I have done what you have suggested and I am waiting to see if the hack comes back.
That is the nature of the hack. It inserts invisible spam links into all your pages. On my site the spam links were appended to the beginning of include.php.
mark wrote: EDIT: Forgot to tell you, your site has a ton of spam/junk before the header...
Last edited by mnelson on Sun Jun 22, 2008 5:14 pm, edited 1 time in total.
Re: Trojan virus hack: can't figure out where spam content is coming from
I've been using CMSMS for just over 2 years and never had a hack, the only thing was a comment on a page showing that a sxx or whatever it was could happen, my main site is running 1.2.3 w/o a problem, I'm starting to think a lot of the problems are coming from the server side not being as secure as it could be...
Re: Trojan virus hack: can't figure out where spam content is coming from
Thanks, I think I'm ok now!
I deleted and reinstalled all the CMS files, left uploads folder and some other non-CMS material as is. I just now looked at the (now-deleted) include.php, and saw the junk pre-header content there. I don't know if the bad links in the footers were in the same file, but they're gone now.
Possibly supporting the weak server security idea: when I log in to my server's admin, Firefox gives me a warning that I'm sending information (username+password) over an insecure connection. But I would think the password is at least encrypted (don't know much about this stuff).
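The advice in this thread (re-upload fresh copies; check include.php) comes down to comparing the deployed tree against a known-good copy of the same CMSMS release. As an added illustration, not code from any poster or from CMSMS itself, the script below hashes both trees and reports modified, planted and missing files while skipping site-data directories such as uploads; the directory layout, file contents and ignore list are constructed assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map relative file path (forward slashes) -> sha256 for every file under root."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(pristine: Path, deployed: Path, ignore_prefixes=("uploads/", "tmp/")):
    """Return (modified, added, missing) relative paths.

    Files under ignore_prefixes (site data, not shipped code) are not compared,
    so a planted PHP file in a module directory still shows up under 'added'.
    """
    clean = hash_tree(pristine)
    live = {k: v for k, v in hash_tree(deployed).items()
            if not k.startswith(ignore_prefixes)}
    modified = sorted(k for k in clean if k in live and live[k] != clean[k])
    added = sorted(k for k in live if k not in clean)
    missing = sorted(k for k in clean if k not in live)
    return modified, added, missing


def demo():
    # Constructed sample trees (not a real CMSMS install): a clean copy, and a
    # deployed copy where include.php gained spam markup before the PHP open tag
    # and a file was dropped into modules/FileManager.
    base = Path(tempfile.mkdtemp())
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        (root / "modules/FileManager").mkdir(parents=True)
        (root / "index.php").write_text("<?php include('include.php');\n")
        (root / "include.php").write_text("<?php // cms bootstrap\n")
    (live / "include.php").write_text("<font>spam links</font><?php // cms bootstrap\n")
    (live / "modules/FileManager/st.php").write_text("<?php // planted file\n")
    (live / "uploads").mkdir()
    (live / "uploads/photo.jpg").write_bytes(b"\xff\xd8")  # site data, ignored
    return compare_trees(clean, live)


if __name__ == "__main__":
    print(demo())
```

Run it against a freshly extracted release tarball and the live document root; anything reported as modified or added outside the data directories is what needs replacing or removing.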
Re: Trojan virus hack: can't figure out where spam content is coming from
You seem lucky to have a good hosting provider preventing cracks. But everybody should run fixed releases, not known vulnerable ones. And applying extracts of the hardening guide doesn't hurt.
mark wrote: running 1.2.3 w/o a problem, I'm starting to think a lot of the problems are coming from the server side not being as secure as it could be...
BTW I agree there are bad (insecure) hosting providers.
Pierre M.