Security issue - help needed

[nmotion]

Hi,

We have a client that have had some content changed on their cms ms site. Here is what happend.

On a version 1.6.6 of cms ms content on some pages were modified. As far as we can see no cms files were destroyed or modified and we could find no signs of a hacking incident.

We then upgraded it to 1.7.0 told the client to change passwords on their users and we did the same. However, two days went by and it happend again. This time a single page was modified and we could again not find any signs of hacking.

It should be noted that the site is not yet publicly known and cannot be found trough a search engine.

Do any of you know of such incidents and how do we find out how it happend? Sadly the admin log does not contain IPs of those logging on. Any help would we highly appreciated as we really enjoy using cms ms and don't want to scare of the client because he thinks the software is unsafe.

We currently host a number of cms ms sites that have had no problems at all.

[reneh]

I can only guess...
The db may be open for external access and the db password can be compromised.
(If the config.php is readable by others this one way to find the db password...)

[tyman00]

It's very possible the issue is coming from the shared host with improper permissions (like reneh said). Do a quick search on the Network Solutions and Wordpress issues. The same issue could apply to your current situation. It's no fault of CMSMS, it's a matter of improper setup by shared hosts.

[nmotion]

We use RackSpace Cloud Sites for the solution and have never had any problems with them.

From what we have been told it is not possible to "read" the file from another setup. It is only possible trough FTP access which is protected with a 8-10 digit auto generated password.

[reneh]

That sounds realy strange then!

My only guess is that someone found the database password and i.e. remote access in and change data....
You told that user changed passwords. But did they change database password also?

Remember that password is in clear text in config file. So config file should NEVER be readable by public. a 0400 permission is good for that file.

[Peciura]

is {php} tag allowed on your site? It is possible to use any kind of FE submit form ans "ask" server to do smth. the similar thing works if you write some smarty tags to textarea. You need to do better logs - what about statistics module ? after you  track what pages were visited before content was changed you could eliminate security hole.

[tyman00]

Have you studied the server and site logs for the site to see what kind of traffic you are getting and what kind of access?

I had a client working with Rackspace once and had a test site tied to the same database. There was issues being caused that way. Make sure there is nothing else pointing to that database.

[nmotion]

If I were to intall an extra log mechanism on the admin what do you recommend?