My site was hacked in June. It is a fairly large site with 11 sub-domains and 6 CMSMS installs that were at version 1.8.2. The first time I removed the phishing stuff that had been put into the modules/search directory and got it back up. Within a couple of hours several of the sub-domains had been hacked. I cleaned them all and reset all passwords to 16 digit complex ones. Again it was hacked within hours. So I had my ISP reset the account to a base setting, uploaded the last backup from before the first attack and got the site back up again. I also added a .htaccess file to block the entire IP range of the Russian Federation (in the access logs all the IPs were from the Russian Federation and there is no legitimate reason for them to be accessing the site).
That worked for a week. In looking through the database dumps I noticed some questionable stuff so it looks like the site had been attacked earlier than I or my ISP thought so I had the site reset again and decided to restore to my dev server at home and get it working properly and updated to 1.9.4 before uploading it again.
I installed MySQL 5.1.53, Apache 2.2.17 and PHP 5.3.4 in my WAMP Server install and restored a backup from March to it. When I look at the databases in phpmyadmin, all the data is there and I have the login for all the user accounts. I changed the pathing in config.php to the correct paths for Apache, PHP and MySQL and set the login credentials to ones that work in MySQL.
Before I changed the pathing in config.php I was getting "ERROR: The CGExtensions module could not be found." in large red letters when I tried to connect to the site. After correcting the pathing I get a blank page. I get the same thing when I try to access the admin page. I have installed a local copy of ImageMagick and corrected the path in config.php but still get the same thing. I have restarted all the services several times and rebooted the server but continue to get blank pages.
Does anyone have any pointers on where to look next?
Thanks
[SOLVED] Site not working after a restore
Last edited by EoinDubh on Thu Jul 21, 2011 11:26 pm, edited 1 time in total.
Re: Site not working after a restore
I solved it by going back to the original pure html version of the site. For some reason I cannot get any version of CMSMS to install properly so it is back to old school for now. I will take another look later.
Re: [SOLVED] Site not working after a restore
"ERROR: The CGExtensions module could not be found."
can be triggered by many things, but chief among them are improper config.php paths and a cache that needs to be cleared. There are also other brute force methods.
Going to an HTML site version sounds like a very drastic solution.
If you would like to work on this further, post your current problems here, or let me take a look (on a paid basis).
Re: [SOLVED] Site not working after a restore
Oh, also never forget to change hosting and FTP/db accounts at the same time.
And, MOST HACKS are not compromised passwords, it is other websites on the same shared server. Do the following:
1) Use online IP tools to find out which other websites reside on same shared server/IP.
2) With an antivirus program like Avast! updated and running, visit those websites and see if they are infected as well.
Re: [SOLVED] Site not working after a restore
There were several concurrent hacks. An FTP backdoor was inserted in one site in my web space and used to access several other sites in my account. Several CMSMS sites had phishing attacks installed under the /modules/search directory. And one had an attack site hitting Lloyds Bank attempting to get logins and passwords. There was also a SQL injection attack. All the attempts seem to have come from IP addresses in the Russian Federation. I put in a .htaccess file that blocked the entire RU IP space and the site was clean for a week before they got back in.
The plain HTML stuff is easier to watch while I am setting up a SiteLock account and rebuilding the CMSMS environment. Because of work demands, it will be a week or so before I get time to work on the CMSMS version again. When I start working on it I will put in a .htaccess that allows access only from my fixed IP range until everything is set correctly and only then will I open it up again. I have several documents on hardening CMSMS that I found and will implement all the suggestions that I can. I do not have console access and so cannot implement some of the suggestions.
Thank you for your suggestions.
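The maintenance-time lockdown described in the post above (site reachable only from the maintainer's fixed IP range while the CMSMS rebuild is in progress), written out as an added .htaccess example rather than the poster's own file. It uses the Apache 2.2 access-control syntax matching the 2.2.17 install mentioned earlier in the thread; the 203.0.113.0/24 range is an assumed placeholder (a documentation range) to be replaced with your real range.

```apache
# Temporary lockdown while rebuilding: deny everyone, then allow only the
# maintainer's fixed range. Placed in the web root .htaccess of the CMSMS install.
# 203.0.113.0/24 is a placeholder (RFC 5737 documentation range) - replace it.
Order Deny,Allow
Deny from all
Allow from 203.0.113.0/24

# Equivalent directives for Apache 2.4, where Order/Deny/Allow are deprecated:
# <RequireAny>
#     Require ip 203.0.113.0/24
# </RequireAny>
```

Because the rule applies to every request, including the admin directory, a connection from outside the listed range receives a 403 and shows up in the access log, which also makes any further login attempts from the earlier RU ranges easy to spot during the rebuild.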