My system hacked? All modules suddenly gone and replaced with new files.

For questions and problems with the CMS core. This board is NOT for any 3rd party modules, addons, PHP scripts or anything NOT distributed with the CMS made simple package itself.
FirstGateDreamer
Forum Members
Posts: 15
Joined: Mon Nov 10, 2008 5:42 am

My system hacked? All modules suddenly gone and replaced with new files.

Post by FirstGateDreamer »

For some reason the navigation on my website suddenly disappeared and so have all of the "Modules".

I'm not sure when exactly this occurred but I only noticed this when I logged in to update a page. When I logged into the system I had no WYSIWYG and all modules were gone.

Upon closer investigation into the system files I noticed that the folders within the Modules folder were last modified on August 17, 2009 around 1am. I had not logged into the system before that since May 12th and logged in on August 21st.

In that same folder, files called "mad.php" and "index.php" were added August 13th and 17th, 2009 respectively. All of the folders within "modules" seem to have been emptied and replaced with a single file called "index.php". All instances of "index.html" were replaced.

I have the same content management system installed as a development environment, and comparing the same folders I noticed that there shouldn't even be a file called "mad.php" or "index.php" but rather just a file called "index.htm" and the corresponding files and folders for the installed modules.

Is it possible this was some sort of attack or virus? If so are there any other ways I could prevent this sort of thing in the future?

Has anyone ever heard of this? I get nothing relevant searching for "mad.php".


I'm running:
CMSMS v1.2.4 (yeah I know I need to upgrade)
Can't remember how to find out the rest of my server information. I'll add it in when I figure out how (if it's even relevant).

Thanks
r.
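The comparison against a clean development install described in the post above can be automated. This is an added example, not part of the original thread or of CMSMS: it hashes every file under a reference tree and a live tree and reports what was added, removed or changed. The directory layout, the "News" module name and the file contents are constructed sample data.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_trees(reference, live):
    """Return files added to, missing from, or modified in `live`."""
    ref, cur = snapshot(reference), snapshot(live)
    return {
        "added": sorted(set(cur) - set(ref)),
        "missing": sorted(set(ref) - set(cur)),
        "modified": sorted(p for p in set(ref) & set(cur) if ref[p] != cur[p]),
    }

def build_demo_trees(base):
    """Constructed sample data: a clean 'dev' tree and a tampered 'live' tree."""
    layout = {
        "dev": {"index.html": "", "News/index.html": "",
                "News/News.module.php": "<?php // module"},
        "live": {"index.php": "<?php // unknown", "mad.php": "<?php // unknown",
                 "News/index.php": "<?php // unknown"},
    }
    for tree, files in layout.items():
        for rel, body in files.items():
            path = os.path.join(base, tree, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    return os.path.join(base, "dev"), os.path.join(base, "live")

def demo():
    """Build both sample trees in a temp directory and diff them."""
    with tempfile.TemporaryDirectory() as base:
        dev, live = build_demo_trees(base)
        return compare_trees(dev, live)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real site, `compare_trees` would be pointed at a freshly unpacked copy of the same CMS release and at a read-only copy of the affected modules directory.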
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm

Re: My system hacked? All modules suddenly gone and replaced with new files.

Post by calguy1000 »

Yes, you were hacked.

Restore from backup, then upgrade.
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
FirstGateDreamer
Forum Members
Posts: 15
Joined: Mon Nov 10, 2008 5:42 am

Re: My system hacked? All modules suddenly gone and replaced with new files.

Post by FirstGateDreamer »

I asked my host to rollback the site and database in hopes that solves my problem. I realize I might be able to just reinstall all of the files and folders in /modules/ but I'm not 100% sure if that is the only thing affected. I thought I would raise this issue here to alert of a possible security flaw (either CMSMS or my fault).

Thanks again, and yes I will upgrade at the same time. I sure hope the security flaw has been patched.
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm

Re: My system hacked? All modules suddenly gone and replaced with new files.

Post by calguy1000 »

FirstGateDreamer wrote: Thanks again, and yes I will upgrade at the same time. I sure hope the security flaw has been patched.
We won't know if it's been fixed, or what caused the hack until we get information from you as to how they got in.  That's something you need to diagnose with your access logs... not much we can do to help you.
FirstGateDreamer
Forum Members
Posts: 15
Joined: Mon Nov 10, 2008 5:42 am

Re: My system hacked? All modules suddenly gone and replaced with new files.

Post by FirstGateDreamer »

Here is what my host told me:
"It seems your CMS did in fact have a vulnerability. FTP logs show nothing for [removed], but the web access logs suggest that someone managed to upload the mad.php file via a php file in your CMS (hence its user:group of apache:apache)."
Does that help you much?

He also told me:
"Unfortunately, we are unable to rollback the site's content to a certain date. The data is backed up, but kept up-to-date."
I don't get it. So what's the use of a backup if it can't be rolled back? What exactly is the difference between content and data?

Does this mean that if I delete the old CMSMS files and re-install (from backed up files and folders via FTP) that everything should be back to normal and my content will still be there? If so would it be better to just re-upload with the files and folders from the latest version of CMSMS?


And also forgive me if this is a really stupid question but why would anyone actually want to hack such measly sites like my client's (just a small local chiropractic business)? Just because they can? Are they hoping to find financial info? Are they doing so to steal bandwidth or something?

Thanks
r.

PS: I'm off to read the upgrade info now.
replytomk3

Re: My system hacked? All modules suddenly gone and replaced with new files.

Post by replytomk3 »

FirstGateDreamer wrote: CMSMS v1.2.4 (yeah I know I need to upgrade)
Problem

Backup database immediately

Install newest version on XAMPP. Restore from backup. (or do this on subfolder on your server). If everything works, rescue additional files as described on my site http://mkrd.info/software-discussions/cms-made-simple/backin-up-and-restoring-cmsms.html. Pulling any more data than that from the server is not advised since it can be infected.

The reason for backups of your host is if the server itself fails, and they have to restore to another server; your site as it was running exactly like it was before. Versioned backups are YOUR RESPONSIBILITY.

If the new version works like the old one, you can then delete all old files, and overwrite the new version, KEEPING the data that is described on my website.

Once more, for versioned backups, a versioned database backup and the versioned backup of data described on my website would suffice.
Pierre M.

Re: My system hacked? All modules suddenly gone and replaced with new files.

Post by Pierre M. »

Hello,

Short story: you were using an old insecure version and got cracked (maybe by a script kiddie). You should always run the last official supported release.
http://forum.cmsmadesimple.org/index.ph ... 539.0.html
FirstGateDreamer wrote: Here is what my host told me
"It seems your CMS did in fact have a vulnerability. FTP logs show nothing for [removed], but the web access logs suggest that someone managed to upload the mad.php file via a php file in your CMS (hence its user:group of apache:apache)."
Does that help you much?
You can help the DevTeam if you release privately the relevant extracts of the log that "suggest that someone managed to upload the mad.php file via a php file in [CMSms]". But it may be an already known and fixed hole.
FirstGateDreamer wrote: The data is backed up, but kept up-to-date. I don't get it.
I don't either. Maybe the "live" data is backed up (mirror/spare storage) but no timestamped snapshot is made.

Pierre M.
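One way to pull the "relevant extracts" from a web access log, as asked for in the thread. This is an added example, not from the original posts, the host or the CMSMS project: it finds which clients requested the dropped file and lists the POST requests those clients made to other PHP scripts up to the moment the file was first requested. The log lines, IP addresses (documentation ranges), times and the path /example/upload.php are constructed, and the Apache "combined" log format is assumed.

```python
import re
from datetime import datetime

# Apache "combined" format: host ident user [time] "request" status size ...
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines; none of these come from the thread.
SAMPLE = """\
198.51.100.7 - - [13/Aug/2009:00:58:11 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Aug/2009:01:02:40 +0000] "POST /example/upload.php HTTP/1.1" 200 312 "-" "-"
203.0.113.9 - - [13/Aug/2009:01:02:44 +0000] "GET /modules/mad.php HTTP/1.1" 200 87 "-" "-"
198.51.100.7 - - [13/Aug/2009:01:10:02 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Aug/2009:01:03:15 +0000] "POST /modules/mad.php HTTP/1.1" 200 40 "-" "-"
"""

def parse(text):
    """Yield one dict per well-formed log line, with a parsed timestamp."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            rec = m.groupdict()
            rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rec["file"] = rec["path"].split("?")[0]  # path without query string
            yield rec

def upload_candidates(text, dropped="mad.php"):
    """POSTs to other .php scripts, made no later than the first request for
    the dropped file, by any client that requested that file."""
    records = list(parse(text))
    hits = [r for r in records if r["file"].endswith("/" + dropped)]
    if not hits:
        return []
    first_seen = min(r["when"] for r in hits)
    clients = {r["ip"] for r in hits}
    return [(r["ts"], r["ip"], r["path"]) for r in records
            if r["ip"] in clients and r["method"] == "POST"
            and r["file"].endswith(".php")
            and not r["file"].endswith("/" + dropped)
            and r["when"] <= first_seen]

if __name__ == "__main__":
    for row in upload_candidates(SAMPLE):
        print(*row)
```

The rows it returns are the lines worth sending privately to the developers, together with the installed CMS version.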