My client's site, running the latest version of CMSMS (1.11.7), has been hacked three times this week (twice today) by a base 64 error.
The hosting company has predicted it's due to a weakness in the software and not anything wrong with the vulnerability of their servers (not surprising) and suggested I make you aware of the issue.
I've used CMSMS for 5+ years on dozens of sites and never suffered from this issue. Any advice? I've already changed hosting password, FTP password and my dashboard-admin panel password.
The database is unaffected, but my site goes blank due to all PHP files hacked with a wacky mystery code starting with "eval(base64_decode("... immediately after the <?php entry.
[SOLVED] Base 64 error?
-
- Forum Members
- Posts: 89
- Joined: Thu Jan 25, 2007 8:05 pm
[SOLVED] Base 64 error?
Last edited by JackOutoftheBox on Wed Jun 26, 2013 4:39 pm, edited 1 time in total.
-
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
- Location: Fernie British Columbia, Canada
Re: Base 64 error?
There are no known vulnerabilities in CMSMS 1.11.7 core. Certainly nothing reported in the last while that has not been resolved. And the last numerous vulnerabilities have been XSS vulnerabilities, not anything related to files.
If the PHP files are getting modified then it can come from a few places:
a: hacked FTP/shell account (changing passwords would handle this)
b: hacked CMSMS admin password (it's possible to upload PHP files if you are a logged-in administrator). This is unlikely, however.
c: vulnerability in some other software on the same server (much more likely).
Two ways this could affect you:
- your PHP files are open to writing from other user accounts, and vulnerabilities in software used on those other accounts could be affecting you.
- some other software you are using in that account has a vulnerability.
(I have seen reports where a popular blogging software (and others) was installed side-by-side with CMSMS in the same account, and a vulnerability in that software caused problems with CMSMS).
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
Re: Base 64 error?
The website isn't hacked again, but is probably still hacked!!
Seen it before: a non-CMSMS PHP file somewhere between the regular files, hacking the files over and over... This file can be months or years old.
- + - + - + - + - + - + -
LATEST TUTORIAL AT CMS CAN BE SIMPLE:
Migrating Company Directory module to LISE
- + - + - + - + - + - + -
-
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
- Location: Fernie British Columbia, Canada
Re: Base 64 error?
Rolf is correct. If you were hacked once you could still have extra files there that, once browsed to again, cause the hack to propagate.
Have you done a system verification?
-
- Forum Members
- Posts: 89
- Joined: Thu Jan 25, 2007 8:05 pm
[solved] Re: Base 64 error?
Thanks to you both. I did a system verification, and it's clean.
What I did find based on your sound advice was a separate folder that contained an outdated WordPress site, which was also hacked with the base 64 virus.
Hopefully this eradicates the issue completely. Never would have thought of a vulnerability because of WordPress shared on the same hosting account. I'll update this post if I discover additional information or issues.
Thanks again.
-
- Forum Members
- Posts: 89
- Joined: Thu Jan 25, 2007 8:05 pm
[SOLVED] Base 64 error?
Yep! I thought I had posted "solved" on my last post. But lemme give that a go again.
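
A check for the two conditions raised in the replies above (PHP files carrying the injected `eval(base64_decode(` line right after `<?php`, and PHP files writable by other accounts), as an added example that is not part of the original thread. The function names, file names and sample tree are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Pattern described in the first post: eval(base64_decode( right after <?php.
INJECTED = re.compile(rb"<\?php\s*eval\s*\(\s*base64_decode\s*\(", re.I)

def scan(root):
    """Return {relative_path: [reasons]} for suspicious .php files under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            with open(path, "rb") as fh:
                head = fh.read(4096)  # the injected line sits at the top of the file
            if INJECTED.search(head):
                reasons.append("injected-eval")
            # Group- or world-writable: another account on the host may modify it.
            if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append("writable-by-others")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def build_sample(root):
    """Constructed tree: one clean file, one injected, one with loose permissions."""
    samples = {
        "index.php": (b"<?php\necho 'ok';\n", 0o644),
        # Constructed, harmless payload: the base64 decodes to "echo 1;".
        "old-blog/wp-load.php": (b'<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n', 0o644),
        "uploads/cache.php": (b"<?php\n// placeholder\n", 0o666),
    }
    for rel, (body, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)  # chmod is not affected by umask, so the mode is exact

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reasons in sorted(scan(tmp).items()):
            print(rel, ", ".join(reasons))
```

Run `scan()` against the whole hosting account rather than only the CMSMS directory, since the thread's culprit was in a separate folder.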