Script Injection:


Re: Script Injection: "Yahoo Counter"

Post by Pierre M. »

Hello all,
rogerm wrote: ...same issue with a CMSMS (older version - 1.0.2)
As Jeremy has said above, if you don't run the latest official stable CMSMS package on the wild Internet, you are asking for trouble. Today it is 1.5.1.
Of course it doesn't do everything; a bad host can break things, like a newly-discovered-and-not-yet-patched security bug.

Pierre M.

Re: Script Injection: "Yahoo Counter" - GOT IT

Post by rogerm »

UDPride,

I suspect that you're right about Host Excellence and IX Web being connected.

Meanwhile, I found the malicious code that's been attacking my CMSMS site in the modules area of the database. phpMyAdmin for Host Excellence is not secure, so maybe that's where the hole is. I have CMSMS installs (many different versions) with other hosting companies that are fine. Their phpMyAdmin interfaces are secure.

I removed the malicious line from the database, restored it, and restored the site files from a clean copy that I had on my local computer. I changed ALL the passwords (hosting login, database, CMSMS backend) and made nice clean backup copies of everything. We will change hosting if there's any more trouble (and maybe even if there isn't). I only use phpMyAdmin to do backups and will change the database password each time I do (in the hosting control panel and CMSMS config.php file).

The malicious code points to a remote file. It is the last line in the database excerpt below. Happy hunting.

Roger M, NYC
http://www.aboriginaltheatre.com

--
-- Table structure for table `cms_modules`
--

CREATE TABLE IF NOT EXISTS `cms_modules` (
  `module_name` varchar(255) default NULL,
  `status` varchar(255) default NULL,
  `version` varchar(255) default NULL,
  `admin_only` tinyint(4) default '0',
  `active` tinyint(4) default NULL,
  KEY `module_name` (`module_name`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

--
-- Dumping data for table `cms_modules`
--

INSERT INTO `cms_modules` VALUES
('CMSMailer', 'installed', '1.73.10', 0, 1),
('FCKeditorX', 'installed', '1.0.1', 1, 1),
('MenuManager', 'installed', '1.2', 0, 1),
('News', 'installed', '2.1', 0, 1),
('nuSOAP', 'installed', '1.0.1', 0, 1),
('Search', 'installed', '1.0.4', 0, 1),
('ThemeManager', 'installed', '1.0.7', 1, 1),
('../../../../../../../../../../../../../../../../../../../../../hsphere/local/home/andrewha/v8-powered.com/forum/Packages/pic8.jpg\0', 'installed', NULL, 0, 1);
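
A way to hunt for rows like the last one in rogerm's excerpt across your own backups, as an added example that is not part of the original thread. It assumes a phpMyAdmin-style dump with one row per line and that genuine module names are plain identifiers; the function names and the sample path are made up for illustration.

```python
import re

# Assumption: genuine module names are plain identifiers, like the other rows in the dump.
SAFE_NAME = re.compile(r"[A-Za-z0-9_]+")
INSERT_RE = re.compile(r"\s*INSERT INTO `([^`]+)`.*?VALUES\s*(.*)", re.I)
# First quoted field of a row, honouring the \x and '' escapes used in MySQL dumps.
ROW_RE = re.compile(r"\s*\(\s*'((?:[^'\\]|\\.|'')*)'\s*,")
ESCAPES = {"0": "\x00", "n": "\n", "r": "\r", "t": "\t", "Z": "\x1a"}
CHECKS = [("NUL byte", "\x00"), ("parent-directory sequence", ".."),
          ("path separator", "/")]

# Constructed sample modelled on the excerpt above; the path is a placeholder.
SAMPLE_DUMP = r"""
INSERT INTO `cms_modules` VALUES
('CMSMailer', 'installed', '1.73.10', 0, 1),
('News', 'installed', '2.1', 0, 1),
('../../../../home/example/uploads/pic.jpg\0', 'installed', NULL, 0, 1);
"""

def unescape(raw):
    """Turn the dump's escaped text back into the value stored in the column."""
    raw = raw.replace("''", "'")
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)), raw)

def reasons(name):
    """List why a module_name looks wrong; an empty list means it looks normal."""
    found = [label for label, token in CHECKS if token in name]
    if not found and not SAFE_NAME.fullmatch(name):
        found.append("not a plain identifier")
    return found

def scan_dump(sql, table="cms_modules"):
    """Return (line number, module_name, reasons) for each suspicious row."""
    findings, in_table = [], False
    for lineno, line in enumerate(sql.splitlines(), 1):
        header = INSERT_RE.match(line)
        if header:  # a new INSERT starts; rows may follow on the same line
            in_table, line = header.group(1) == table, header.group(2)
        row = ROW_RE.match(line) if in_table else None
        name = unescape(row.group(1)) if row else None
        if row and reasons(name):
            findings.append((lineno, name, reasons(name)))
        if line.rstrip().endswith(";"):  # end of the INSERT statement
            in_table = False
    return findings

if __name__ == "__main__":
    for lineno, name, why in scan_dump(SAMPLE_DUMP):
        print(f"line {lineno}: {name!r}: {', '.join(why)}")
```

Pass a different `table` argument if your install uses a table prefix other than `cms_`.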

Re: Script Injection: "Yahoo Counter"

Post by calguy1000 »

Now that is interesting..... that should not cause any problems (invalid entry in the modules table like that).

Can somebody please try to intentionally reproduce this issue? If it is reproducible, I'll fix it for 1.5.2