Are these files hacked/hackers or genuine?

burlington
Power Poster
Posts: 444
Joined: Wed Dec 27, 2006 5:15 pm

Are these files hacked/hackers or genuine?

Post by burlington »

A CMSMS website was hacked this week. I have sorted out most of the 'nasties', but asked the website host to run a security scan on the server to check for anything left.

The malware scan came up with 3 'hits'. These were:

./public_html/***/modules/FormBuilder/lang/ext/nb_NO.php
./public_html/***/modules/FormBuilder/lang/ext/nb_NO.php
./public_html/modules/CGExtensions/lib/htmLawed.php

These files date from, or before, May this year. I just wonder if anyone has come across these before.

Would it be safe to delete them?

Thanks

Martin
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm

Re: Are these files hacked/hackers or genuine?

Post by calguy1000 »

burlington wrote: The malware scan came up with 3 'hits'. These were:
Beware of false positive tests.

Your best solution is to re-download the modules and copy over those files from a known good source.
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
burlington
Power Poster
Posts: 444
Joined: Wed Dec 27, 2006 5:15 pm

Re: Are these files hacked/hackers or genuine?

Post by burlington »

Thanks. That is a relief.

Part of my present worries is the strange news that my webspace (not domain name) is now in someone else's name. In other words, I am no longer the account holder - after 14 years!

Odder and odder. Perhaps, when I wake up, things might be normal!
Rolf
Power Poster
Posts: 7825
Joined: Wed Apr 23, 2008 7:53 am

Re: Are these files hacked/hackers or genuine?

Post by Rolf »

To be on the safe side, don't overwrite the files, but delete the whole folder and upload the new one. That is in case a non-CMSMS file/script is in there...
- + - + - + - + - + - + -
LATEST TUTORIAL AT CMS CAN BE SIMPLE:
Migrating Company Directory module to LISE
- + - + - + - + - + - + -
burlington
Power Poster
Posts: 444
Joined: Wed Dec 27, 2006 5:15 pm

Re: Are these files hacked/hackers or genuine?

Post by burlington »

Thank you.

The hacker left something behind! Looking at the 'source' of a page on-screen I see:

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Sanjungan Jiwa</title>
<link href="http://fonts.googleapis.com/css?family=VT323" rel="stylesheet" type="text/css">
<style type="text/css">
body,td,th {
color: #000;
font-family: VT323;
background-color:#030000;
}
</style>
</head>

This is the hack BUT I can't find out how to get rid of it. It is not in the template(s), stylesheets etc. It appears on all pages.

Any advice would be great please.
Jo Morg
Dev Team Member
Posts: 1978
Joined: Mon Jan 29, 2007 4:47 pm

Re: Are these files hacked/hackers or genuine?

Post by Jo Morg »

burlington wrote: The hacker left something behind!
There are a few topics about this on the forum already IIRC...
Check whether the index.php files (there shouldn't be many) and/or index.html files have been hacked. Recent attacks on PHP scripts add code to these files, which in the case of the root index.php would mean that the code would end up being included on all pages.
Better yet: grab a copy of the same version of CMSMS you are using and overwrite all the files of your installation.

Recommendations:
  • Back up everything (files and DB);
  • Remove the install folder as you won't need it;
That should take care of that too.

Further recommendations:
  • Back up everything again;
  • Set up frequent backups so that you have a recent clean version of the whole site to come back to;
  • Search and test other CMSs for vulnerabilities (I don't believe that the hack came from a CMSMS vulnerability unless you have left the install folder there...);
  • Change all credentials on all accounts ASAP (including CPanel or similar);
"There are 10 types of people in this world, those who understand binary... and those who don't."
* by the way: English is NOT my native language (sorry for any mistakes...).
Code of Conduct | CMSMS Docs | Help Support CMSMS
My developer Page on the Forge
GeekMoot 2015 in Ghent, Belgium: I was there!
GeekMoot 2016 in Leicester, UK: I was there!
DevMoot 2023 in Cynwyd, Wales: I was there!
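
The comparison against a known-good copy recommended in the replies above can be scripted, so that a scanner hit is judged by whether the file actually differs from the release. This is an added example, not part of the original posts or of CMSMS; the function names and the demo's paths and file contents are constructed for illustration.

```python
import hashlib
import sys
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare_trees(installed, clean):
    """Compare a live install with a pristine copy of the same release."""
    live, good = hash_tree(installed), hash_tree(clean)
    return {
        # Shipped files whose bytes differ: injected code lands here, while a
        # scanner false positive on an untouched file does not.
        "modified": sorted(p for p in live if p in good and live[p] != good[p]),
        # Files the release never shipped: site config, uploads, caches, or
        # scripts left behind. Each one needs a manual look.
        "extra": sorted(p for p in live if p not in good),
        "missing": sorted(p for p in good if p not in live),
    }


def demo():
    """Constructed sample trees (not real CMSMS files) to show the report."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        shipped = {"index.php": "<?php // front controller\n",
                   "modules/Example/lib/filter.php": "<?php // library\n"}
        for base in (clean, live):
            for rel, body in shipped.items():
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_text(body)
        (live / "index.php").write_text("<?php /* added line */ // front controller\n")
        (live / "modules/Example/lib/extra.php").write_text("<?php // unknown\n")
        return compare_trees(live, clean)


if __name__ == "__main__":
    # With two arguments: <live_site_dir> <clean_release_dir>; otherwise demo.
    report = compare_trees(*sys.argv[1:3]) if len(sys.argv) >= 3 else demo()
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind:9}{path}")
```

The clean tree must be an unpacked copy of exactly the same version as the live site, otherwise every file changed between releases shows up as modified.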
burlington
Power Poster
Posts: 444
Joined: Wed Dec 27, 2006 5:15 pm

Re: Are these files hacked/hackers or genuine?

Post by burlington »

Jo. Many thanks.

You suggested I grab a copy of 1.11.12, which the site in question is being run on. However, I can't find it on the CMSMS system.

Any ideas would be welcome. Thanks.

Martin
Jo Morg
Dev Team Member
Posts: 1978
Joined: Mon Jan 29, 2007 4:47 pm

Re: Are these files hacked/hackers or genuine?

Post by Jo Morg »

http://dev.cmsmadesimple.org/project/fi ... ackage-618

Somewhere down that list a bit.

I would also recommend an upgrade to at least 1.12.1 if possible. If there are any vulnerabilities in CMSMS, the latest version of the branch should have solved them too.
Rolf
Power Poster
Posts: 7825
Joined: Wed Apr 23, 2008 7:53 am

Re: Are these files hacked/hackers or genuine?

Post by Rolf »

Don't forget to change server passwords...