php scripts being accessed within the modules directory...[SOLVED]
Over the last few days the following page/script has been accessed:
/modules/FileManager/postlet/counter/index.php
by an external site that has NO links to my site, and no Google ads so it can't be coming from them either.
Could this be some sort of security issue, or could there be a legitimate reason?
Incidentally, the site in question (http://oreap.org) does use cms as well, but don't know if that's just coincidence.??
Last edited by davids355 on Sat Aug 29, 2009 7:25 pm, edited 1 time in total.
Re: php scripts being accessed within the modules directory
(xxxxxx) has viruses... DO NOT GO THERE
I'm betting there is a problem here if it uses CMSMS as well....
Jeremy
Last edited by Rolf on Mon Apr 02, 2012 8:21 am, edited 1 time in total.
Reason: removed hacked code/links
Re: php scripts being accessed within the modules directory from remote site
What steps do I take from here then?
See attached images of recent came from stats from yesterday and today

Re: php scripts being accessed within the modules directory from remote site
Quote: What steps do I take from here then?
Do you have an IP-address of that site in your stats? You can block it...
Grtz. Rolf
Re: php scripts being accessed within the modules directory from remote site
done that this morning! hopefully that should sort it
Re: php scripts being accessed within the modules directory from remote site
Have been doing some research into this issue, I navigate to the directory that is being accessed by this site:
/modules/FileManager/postlet/
there are a lot of files in this directory, some suspicious, in particular massmail2.php which sounds very suspicious!!
You can see the script here :
http://www.shareworld.co.uk/modules/Fil ... smail2.php
When I check this directory against a full cms filelist there are only 8 files in that directory but on my server there are 22 files.
Seems my site may have been compromised.
Questions:
What should I do?
Can I delete files in this directory?
Can I investigate further??
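The comparison described in the post above (8 files in the release list, 22 on the server) can be scripted. This is an added example, not part of the original thread; it goes one step further than a file-name list by comparing against a clean copy unpacked from the release archive, so modified stock files show up as well. The directory layout and every file name other than massmail2.php and counter/index.php are constructed.

```shell
#!/bin/sh
# Added example (constructed sample data): compare a live module directory
# with a clean copy unpacked from the official release archive.

# audit_tree LIVE_DIR CLEAN_DIR
# Prints one line per finding: EXTRA (only on the server), MISSING (only in
# the clean copy) or CHANGED (same path, different content).
audit_tree() {
    live=$1; clean=$2
    tmp=$(mktemp -d) || return 1
    (cd "$live"  && find . -type f | sed 's|^\./||' | LC_ALL=C sort) > "$tmp/live"
    (cd "$clean" && find . -type f | sed 's|^\./||' | LC_ALL=C sort) > "$tmp/clean"
    # comm needs both lists sorted in the same collation, hence LC_ALL=C.
    LC_ALL=C comm -23 "$tmp/live" "$tmp/clean" | sed 's/^/EXTRA /'
    LC_ALL=C comm -13 "$tmp/live" "$tmp/clean" | sed 's/^/MISSING /'
    LC_ALL=C comm -12 "$tmp/live" "$tmp/clean" | while IFS= read -r f; do
        # A dropped file is obvious; a modified stock file is not, so compare bytes.
        cmp -s "$live/$f" "$clean/$f" || printf 'CHANGED %s\n' "$f"
    done
    rm -rf "$tmp"
}

# make_sample DIR: build a constructed clean tree and a tampered live tree.
make_sample() {
    mkdir -p "$1/clean/counter" "$1/live/counter"
    for f in index.php upload.php counter/index.php; do
        echo "<?php // stock $f" > "$1/clean/$f"
        cp "$1/clean/$f" "$1/live/$f"
    done
    echo "<?php // not in the release" > "$1/live/massmail2.php"
    echo "<?php // stock plus injected line" > "$1/live/counter/index.php"
    rm "$1/live/upload.php"
}

demo=$(mktemp -d)
make_sample "$demo"
audit_tree "$demo/live" "$demo/clean"
rm -rf "$demo"
```

Run it against a copy of the site rather than deleting anything first, so the EXTRA and CHANGED files and their timestamps are preserved for the investigation.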
Re: php scripts being accessed within the modules directory from remote site
What is the version.. have an .htaccess file? what is it... what is the server ... please post all the info you can get, logs and all...
Cheers
Jeremy
Re: php scripts being accessed within the modules directory from remote site
Ok, I'm just going out now so I will post all the info when I get back.
When you say logs what do you mean?
If you give me instructions I'll do it.
Just to give a little info, I am running CentOS server, latest edition of cms, I have htaccess file (just been trying to implement security into it as per cms wiki on security but getting errors).
When I get back in a few hours I will post extensive info...
Re: php scripts being accessed within the modules directory from remote site
davids355 wrote: ... When you say logs what do you mean?...
Error logs, access logs, any server logs you can get about this... Hope this helps
Cheers
Jeremy
Re: php scripts being accessed within the modules directory from remote site
Most modules shouldn't need to be executing php scripts directly...
TinyMCE and FileManager may be two exceptions though.
However, you may want to look at copying the .htaccess file from uploads into the modules directory
and then tweaking it for those exceptions.
Note to Sil: Let's remove these entrypoints.
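One way to see which scripts under /modules/ are being requested directly, and from which referring site, before adding a deny rule with exceptions. This is an added example, not part of the original posts; it assumes Apache's combined log format, and the log lines, hosts and the TinyMCE script name are constructed.

```shell
#!/bin/sh
# Added example (constructed log lines): summarise direct requests for
# scripts under /modules/ from an Apache "combined" format access log.

# direct_module_hits LOGFILE
# Prints "count script referer-host", most frequent first.
direct_module_hits() {
    awk -F'"' '
    {
        split($2, req, " ")            # $2 is: METHOD PATH PROTOCOL
        path = req[2]
        sub(/\?.*/, "", path)          # drop the query string
        # .php3 and .pl are included because the thread lists such files
        if (path !~ /^\/modules\/.*\.(php|php3|pl)$/) next
        ref = $4                       # $4 is the Referer header
        if (ref == "-" || ref == "") {
            host = "(none)"
        } else {
            host = ref
            sub(/^[a-z]+:\/\//, "", host)   # strip the scheme
            sub(/\/.*/, "", host)           # strip the path
        }
        n[path " " host]++
    }
    END { for (k in n) print n[k], k }' "$1" | LC_ALL=C sort -k1,1nr -k2
}

# sample_log: constructed entries; www.example.org stands for the own site.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [29/Aug/2009:10:01:02 +0100] "GET /modules/FileManager/postlet/counter/index.php HTTP/1.1" 200 512 "http://other-site.example/page" "Mozilla/4.0"
203.0.113.7 - - [29/Aug/2009:10:05:40 +0100] "GET /modules/FileManager/postlet/counter/index.php?x=1 HTTP/1.1" 200 512 "http://other-site.example/page" "Mozilla/4.0"
198.51.100.4 - - [29/Aug/2009:10:06:00 +0100] "POST /modules/FileManager/postlet/massmail2.php HTTP/1.1" 200 90 "-" "-"
192.0.2.10 - - [29/Aug/2009:10:07:00 +0100] "GET /index.php?page=news HTTP/1.1" 200 4096 "http://www.example.org/" "Mozilla/5.0"
192.0.2.10 - - [29/Aug/2009:10:07:05 +0100] "GET /modules/TinyMCE/example_entry.php HTTP/1.1" 200 900 "http://www.example.org/admin/" "Mozilla/5.0"
EOF
}

log=$(mktemp)
sample_log > "$log"
direct_module_hits "$log"
rm -f "$log"
```

Scripts that only ever appear with the site's own admin pages as referer are the candidates for exceptions; anything requested with no referer or from a foreign host deserves a closer look.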
Re: php scripts being accessed within the modules directory
OK here goes:
I have cmsmadesimple latest version (1.6.4)
Modules:
bmenu
captcha
cgextensions
cgsimplesmarty
cmsmailer
comments
customcontent
faqx
filemanager
forum
frontendusers
glossary
menumanager
modulemanager
mysqldump
news
nusoap
pifaq
printing
questions
rsstohtml
search
selfregistration
thememanager
tinymce
treemanager
(most of these are latest versions)
Server: CentOS dedicated root server
Here are the pages in question that aren't in the original file structure:
massmail2.php
[PATH TO UPLOAD DIRECTORY]w.php.php3
dc.pl
ext_javaupload.php
Last edited by Rolf on Mon Apr 02, 2012 8:24 am, edited 1 time in total.
Reason: removed hacked code/links
Re: php scripts being accessed within the modules directory
Last edited by Rolf on Mon Apr 02, 2012 8:25 am, edited 1 time in total.
Reason: removed hacked code/links
Re: php scripts being accessed within the modules directory
CONTINUED:
page-structure.php
Logs:
access log (is it ok to post this?):
xxx
Anything else you need please let me know...
Last edited by Rolf on Mon Apr 02, 2012 8:26 am, edited 1 time in total.
Reason: removed hacked code/links
Re: php scripts being accessed within the modules directory from remote site
Sorry about the massive posts, just giving as much info as pos. Calguy, looked at htaccess file in uploads, take it that just denies direct access to all php scripts right? So I'd have to copy that to modules but then allow access only to filemanager? Having said that, the issue does seem to be with file manager...
Re: php scripts being accessed within the modules directory from remote site
uhm, what version of CMSMS are you running?
the postlet stuff was removed from CMSMS long ago.