Hacked.
-
- Forum Members
- Posts: 75
- Joined: Sun Nov 08, 2009 1:31 pm
Hacked.
It looks like the site has been hacked, the search box between yesterday and today has vanished off the site and in the admin console the news module only outputs the module header and no articles list. None of the titles in the news module header are clickable. The admin console, can't put my finger on it but it seems to be a bit light in content, sorry I cannot be more specific but you know what it's like when you know something is wrong but can't adequately place what the issue is but it just looks like some menu entries have also vanished.
The warning indicates that 6 articles are not published and the notice that a new version of CMSMS is blinking away. Unfortunately I cannot upgrade to 1.7 because of PHP issues and I had to reinstall 1.6.7.
Any suggestions on what to do to get the site back up or has the issue with 1.7 been dealt with?
I noticed a lot of activity in a logging routine I built for CMSMS; it has been logging many login attempts on various URLs and they appear to be coming from clients identifying themselves as Mozilla-compatible bots and also Google.
It would appear that CMSMS 1.6.7 has a hackable search box so anyone caught in the 1.6.7 trap may want to remove this element from the main template by commenting it out as a precaution and watch all other forward-facing forms and input boxes, as I note that some requests for the contact form in CMSMS are also present.
HELP!
CMSMS 1.6.7, Apache 2.0 Web Server, Red Hat Linux Server, PHP 5.2.12
Re: Hacked.
Are we talking about tgnc.org.uk??
If it is that site, then I don't see why you are panicking.
If you want to be sure, download the entire site by FTP and scan it with Avast!
Re: Hacked.
It is the full site, after the fiasco of upgrading to 1.7 I had no option but to revert to 1.6.7 and that needed a full install.
After repairing the site by reinstalling it the thing functioned after removing the files and folder that were in the warning of the 1.6.7 reinstall.
This was a few weeks ago.
My friend's site, he called me and said that he can't find the search box and then told me that his news interface won't show up, the important bit, like how the news gets input, so yeah, it is a case to panic because this has happened in the last few hours. As a precaution I have altered the template to comment out the search smarty and put it in a non searchable (lol) page that is not visible or can be cached...
How can I validate that the database has not been compromised?
What I can tell you is that the search box tag outputs "Nothing" as I inserted the tag into a static page and no code is output. Other pages function fine, so how can I check the search box tag, is that in the database? Could it have been deleted?
Then the attachment illustrates the output from the news module.
CMSMS 1.6.7, Apache 2.0 Web Server, Red Hat Linux Server, PHP 5.2.12
Re: Hacked.
As of 18th April 2010 there are no known security problems in version 1.6.7.
"the issue with 1.7 been dealt with?" What issue?
1.7 is working fine afaik.
But read the release notes - there are some big changes in the requirements for the host to run on!
ReneH 
A search will save you hours waiting for an answer!

Re: Hacked.
I am aware of it, and if you had read my post you would have seen that I cannot install 1.7 because when I did the whole site disappeared.
I had to do a FULL install of 1.6.7 AGAIN to get the site up.
Tonight the news module admin console side of things refuses to work as per supplied screenshot and the search box disappears off the site. The first I know about it is when my friend calls me to ask where it's gone to.
As I was on the site earlier to check something, it was present around 3pm, this incident has happened recently.
So it is clear that something is not right and I could do with some assistance in troubleshooting if that's at all possible.
CMSMS 1.6.7, Apache 2.0 Web Server, Red Hat Linux Server, PHP 5.2.12
Re: Hacked.
Like I already said before, a scan of the FTP download with Avast! will tell you. And like I said before, a disappeared search is more likely due to a new hosting setting than it is to an infection that has not shown itself in any other way. Have you uninstalled and reinstalled the module already? There is no such thing as a "database compromise". Search and educate yourself before making such statements.
Re: Hacked.
SQL injection then?
We have not changed hosts in 2 years, so it hardly follows in your statement that it's usually new hosting.
I will, to settle the hosting issue, ask the host if they have made any changes to rule that out. That's about all I can do.
Scanning the site code won't prove anything and Avast is a Windows program anyway. I run Linux. I don't use Windows.
I can scan with ClamAV but that only looks for binary viruses in Windows files.
CMSMS 1.6.7, Apache 2.0 Web Server, Red Hat Linux Server, PHP 5.2.12
Re: Hacked.
Of course I read your post - and all of it. You didn't tell any details about what happened when you upgraded to 1.7. The only hint is "the fiasco of upgrading to 1.7" - and that tells nothing!
We can't give any more help if you don't provide information about the server. Paste us the generated server information from inside admin. And then maybe it's possible to give some hints...
"How can I validate that the database has not been compromised?"
Compare it with an earlier backup of the db!
And to compromise the db - a hacker needs your db credentials and some sort of access to it. You have protected the config.php file I hope?
And the door into your site for a hacker doesn't need to be through your CMS. It can be through the server if the server is not correctly configured...
ReneH 
A search will save you hours waiting for an answer!
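One way to do the backup comparison suggested in the post above, as an added example that is not part of the original thread. It assumes both dumps hold one row per INSERT line (for example taken with `mysqldump --skip-extended-insert`); the table contents below are constructed and simplified.

```python
import re
from collections import defaultdict

# One-row-per-line dumps assumed, e.g. taken with mysqldump --skip-extended-insert.
INSERT_RE = re.compile(r"^INSERT INTO `([^`]+)`")

# Constructed, simplified sample dumps (real tables have more columns).
BACKUP = """\
INSERT INTO `cms_users` VALUES (1,'admin','<hash-placeholder>');
INSERT INTO `cms_module_news` VALUES (1,'Spring fair');
INSERT INTO `cms_module_news` VALUES (2,'Opening hours');
INSERT INTO `cms_templates` VALUES (1,'main','{search} {content}');
"""
CURRENT = """\
INSERT INTO `cms_users` VALUES (1,'admin','<hash-placeholder>');
INSERT INTO `cms_users` VALUES (7,'support','<hash-placeholder>');
INSERT INTO `cms_templates` VALUES (1,'main','{search} {content}');
"""

def rows_by_table(dump_text):
    """Group single-row INSERT statements by table name."""
    tables = defaultdict(set)
    for line in dump_text.splitlines():
        match = INSERT_RE.match(line)
        if match:
            tables[match.group(1)].add(line.strip())
    return tables

def diff_dumps(backup_text, current_text):
    """Return {table: (rows only in backup, rows only in current)} for changed tables."""
    old, new = rows_by_table(backup_text), rows_by_table(current_text)
    changes = {}
    for table in sorted(set(old) | set(new)):
        removed, added = old[table] - new[table], new[table] - old[table]
        if removed or added:
            changes[table] = (sorted(removed), sorted(added))
    return changes

def summary(changes):
    """Reduce the diff to per-table counts of (removed, added) rows."""
    return {table: (len(gone), len(new)) for table, (gone, new) in changes.items()}

if __name__ == "__main__":
    for table, (gone, new) in diff_dumps(BACKUP, CURRENT).items():
        print(table, "removed:", len(gone), "added:", len(new))
        for row in new:
            print("  +", row)
```

Rows that change on every normal edit will also show up, so the output is a list of tables to review rather than a verdict.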

Re: Hacked.
tgnc.org.uk wrote: It would appear that CMSMS 1.6.7 has a hackable search box...
Please provide details when making a claim like this.
Re: Hacked.
tgnc.org.uk, people on this forum are very, very busy. It takes us more time to read thru two pages of the thread to try to make heads or tails than it would take for you to formulate clear-cut problems and questions. It REALLY is very hard to keep track of old problems, etc, etc as there are new HELP! posts here every day.
Every clear question will produce a clear answer.
Re: Hacked.
This afternoon the site was working fine. Sometime between 3pm and 3.25pm when the site owner called me... the search box disappeared off the site.
Seeing the HTML output was not outputting the HTML code that would appear where the search box should appear and in the admin console side of things the News module page showing same issue, see image in previous post... provided for illustrative purposes is what the problem is... It is not showing up, I came here for help and I can't get any further with this.
I investigated it and looking at the site code, the HTML code, nothing appears to be output by the smarty tag for the search box.
As I do not have any access to that stuff, how do you propose it suddenly stops working?
The web host has done nothing to the site, they don't touch what they don't make.
So what will cause the news module to stop working and the search box to disappear?
CMSMS 1.6.7, Apache 2.0 Web Server, Red Hat Linux Server, PHP 5.2.12
Re: Hacked.
Have you checked your system information, error logs, etc? Your web host may not have touched YOUR site specifically, but they could have adjusted a PHP/Apache/other setting somewhere that would have affected your site (as well as possibly others).
Hackers usually leave behind more of a concrete calling card than what you appear to have. You just seem to be missing a couple of rendered items, and your News module seems to be having problems. Is there any extra output code in the page source? Or any JavaScript or other code in index.php or other files?
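A way to answer the question about extra code in index.php or other files without relying on a virus scanner, as an added example that is not part of the original thread: hash the downloaded site and a fresh unpack of the same release, then list what differs. The ignore list, the data directory and the sample file names are assumptions to adjust per site.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed layout: config.php and tmp/ always differ from a fresh unpack;
# uploads/ holds user files, where only server-side scripts are worth flagging.
IGNORE = ("config.php", "tmp/")
DATA_DIRS = ("uploads/",)
SCRIPT_EXT = (".php", ".phtml", ".php5")

def hash_tree(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare(clean_root, site_root):
    """Classify differences between a clean release tree and the downloaded site."""
    clean, site = hash_tree(clean_root), hash_tree(site_root)
    report = {"modified": [], "added": [], "missing": []}
    for rel in sorted(set(clean) | set(site)):
        if any(rel == p or (p.endswith("/") and rel.startswith(p)) for p in IGNORE):
            continue
        if rel not in site:
            report["missing"].append(rel)
        elif rel not in clean:
            # Inside data directories, report only files the server could execute.
            if not rel.startswith(DATA_DIRS) or rel.lower().endswith(SCRIPT_EXT):
                report["added"].append(rel)
        elif clean[rel] != site[rel]:
            report["modified"].append(rel)
    return report

def demo():
    """Compare two small constructed trees (sample data, not a real site)."""
    clean = {"index.php": "core", "modules/Search/Search.module.php": "search"}
    site = {"index.php": "core + appended line", "config.php": "settings",
            "uploads/logo.png": "image", "uploads/x.php": "script"}
    with tempfile.TemporaryDirectory() as base:
        for tree, files in (("clean", clean), ("site", site)):
            for rel, body in files.items():
                path = Path(base, tree, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(body)
        return compare(Path(base, "clean"), Path(base, "site"))

if __name__ == "__main__":
    print(demo())
```

Point `compare()` at an unpacked archive of the exact installed version and at the FTP download; every entry under "modified" or "added" is a file to open and read.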
Re: Hacked.
Uninstalled and reinstalled the module? Made a test page and switched it to one of the default templates and stylesheets? Replicated the problem with a subfolder CMSMS install? Tried to install same version on XAMPP and imported the database and templates to see if templates work there with search?
And jmcgin51 has just shamelessly stolen my thoughts on what I think happened.
Re: Hacked.
The reinstall of the news module appears to have worked.
SO... Rubbing the only two brain cells I have left together I managed to apply the same principle to the search module as was with the news module and hey presto! It's back again.
Thanks.
Now the issue is that no articles are showing where before the articles were....
Last edited by tgnc.org.uk on Mon Apr 19, 2010 8:26 am, edited 1 time in total.
CMSMS 1.6.7, Apache 2.0 Web Server, Red Hat Linux Server, PHP 5.2.12
Re: Hacked.
If you uninstall modules like search it removes all data from DB, this includes all articles...