CMSMS Sites Hacked....

For questions and problems with the CMS core. This board is NOT for any 3rd party modules, addons, PHP scripts or anything NOT distributed with the CMS made simple package itself.
richiejarvis

CMSMS Sites Hacked....

Post by richiejarvis »

Hi Folks,

I started using CMSMS recently to host 3 of my websites.  Everything was grand, until last week.

On all of the installs, either I, or more embarrassingly, others have discovered that they have been hacked.  Most recently was today, when my main site was masquerading as the Bank of America website:
[screenshot of the defaced site]

It seems that the hackers are uploading content to either the uploads dir or the modules dir - the files uploaded are also secured in such a way that it is impossible to remove them without contacting my hosting provider.

I have secured the modules and uploads directories as follows:

drwxr-xr-x

So, my questions are these:

1. Are these known issues?
2. Is there a solution that someone knows of?

Thanks in advance....

Cheers,

Richie
cyberman

Re: CMSMS Sites Hacked....

Post by cyberman »

Hmm, think you should contact your provider and take a look into the logs.

If I'm right there's currently not such a (known) security risk. Think "only" your provider's server was hacked, like sometimes in the past ::) ...
richiejarvis

Re: CMSMS Sites Hacked....

Post by richiejarvis »

Hmmm....

I have full access to the logs - what should I be looking for?

Thanks,

Richie
cyberman

Re: CMSMS Sites Hacked....

Post by cyberman »

Are there some mysterious activities that don't come from CMSms?
NickR

Re: CMSMS Sites Hacked....

Post by NickR »

Firstly check with your host, other sites could have been hacked, that would rule out CMSMS straight away.

The fact that there's been no other reports of CMSMS being hacked would suggest it's more likely to be a hosting security issue.

Check through your files, index.php, index.html are intact, could be a malicious line or 2 of code.
Also, if you have any kind of control panel, check that, any logins to sql etc.

CHANGE PASSWORDS if you can - at the moment you don't know how access was gained, so this will reduce one avenue of access.

Also, check the folder permissions - secure them down, I'm not much of a linux guy (there are plenty on here that can help), won't take long and again will reduce the possibility of whoever accessing your folders.

In the access logs search for anything to do with online bank of america, that cgi-bin folder and then look at the log entries leading up to those lines, might be a clue of the steps used in setting up those files.

Hope this helps, I'm not a big expert in trying to fix linux server hacks (which I am guessing you are running on), but hopefully some pointers to get you started.

Cheers Nick
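The log search Nick describes (find the hits on the phishing content or the cgi-bin folder, then read the same client's requests leading up to them) as a small triage script. This is an added example, not code from the thread or from CMSMS; the log lines are constructed in the combined Apache format, the marker keywords and the file-manager path are assumptions, and `lead` is a hypothetical parameter for how many earlier requests to show.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format (assumed; adjust to the host's format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Markers from the thread: the bank phishing page, the cgi-bin folder, the r57 file.
SUSPECT = re.compile(r'bank.?of.?america|/cgi-bin/|r57', re.IGNORECASE)

# Constructed sample log: one client probes a (hypothetical) file manager,
# uploads, then calls the shell; another fetches the phishing page; one is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2006:03:12:01 +0000] "GET /index.php?page=contact HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jul/2006:03:12:09 +0000] "GET /modules/filemanager/browse.php HTTP/1.1" 200 310
203.0.113.7 - - [10/Jul/2006:03:12:15 +0000] "POST /modules/filemanager/upload.php HTTP/1.1" 200 188
203.0.113.7 - - [10/Jul/2006:03:12:40 +0000] "GET /images/cms/wewin/r57.php HTTP/1.1" 200 34012
203.0.113.7 - - [10/Jul/2006:03:15:02 +0000] "POST /images/cms/wewin/r57.php HTTP/1.1" 200 2200
198.51.100.20 - - [10/Jul/2006:03:20:11 +0000] "GET /cgi-bin/onlinebankofamerica/login.htm HTTP/1.1" 200 9120
192.0.2.5 - - [10/Jul/2006:03:21:00 +0000] "GET /index.php HTTP/1.1" 200 4100
"""

def parse(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (LOG_RE.match(l) for l in lines) if m]

def triage(lines, lead=3):
    """For every client IP that requested a suspect path, return its first suspect
    request and the (up to `lead`) requests it made just before it."""
    by_ip = defaultdict(list)
    for e in parse(lines):
        by_ip[e['ip']].append(e)          # log order is preserved per client
    report = {}
    for ip, reqs in by_ip.items():
        for i, e in enumerate(reqs):
            if SUSPECT.search(e['path']):
                report[ip] = {
                    'first_hit': e['path'],
                    'leading_up': [r['path'] for r in reqs[max(0, i - lead):i]],
                }
                break                     # only the first hit per client is needed
    return report

if __name__ == '__main__':
    for ip, info in triage(SAMPLE_LOG.splitlines()).items():
        print(ip, info['first_hit'])
        for p in info['leading_up']:
            print('   before:', p)
```

Run it against the real access_log (one file per vhost) and read the "before" lines of the first hit: on the sample they show the browse-then-upload sequence that preceded the shell's first execution.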
richiejarvis

Re: CMSMS Sites Hacked....

Post by richiejarvis »

Hi All,

Well, after several rounds of this, I switched hosting providers, and overnight they reuploaded the content!  I did as suggested, and changed all the passwords, etc and cleaned everything out before re-uploading btw.

I notice that there is a known issue with FCKEditor upload facilities, the Geeklog website has posted here: http://www.geeklog.net/article.php/expl ... ilemanager.  I wonder whether this could be how they managed to upload?

The hosting provider did turn up something interesting in the site, it seems that they are getting in by first uploading a file called r57.php into images/cms/wewin, and this is then in turn allowing them to upload further.

Anyway, for now, until this issue is solved, I am going back to pure HTML pages.

Thanks,

Richie
mahjong

Re: CMSMS Sites Hacked....

Post by mahjong »

a file called r57.php
Looks exactly like last year's phpBB remote command execution exploit. Let me guess, someone, on the same server as you, is running an old version of phpBB...
Ted
Power Poster
Posts: 3329
Joined: Fri Jun 11, 2004 6:58 pm

Re: CMSMS Sites Hacked....

Post by Ted »

Well, one option would be to just remove the fckeditor module.

However, this sounds pretty serious, though I'm just not sure how it would work.  People HAVE to be logged into CMSMS for the connector to even look at the passed variables.  I've tested this a bunch of different ways...

I'm assuming this was CMSMS 0.13?

Anyone have any thoughts?

@mahjong: He changed ISPs.  I can't imagine that it was the same phpbb problem...
Greg
Power Poster
Posts: 598
Joined: Sun Sep 26, 2004 6:15 pm

Re: CMSMS Sites Hacked....

Post by Greg »

The article at geeklog also states as a solution
If you'd rather have the upload capabilities back, you could upgrade to the recently released FCKeditor 2.3
CMSMS 1.0 Beta 4 uses FCKeditor 2.3.1 - should this not solve the problem?
Greg
Ted
Power Poster
Posts: 3329
Joined: Fri Jun 11, 2004 6:58 pm

Re: CMSMS Sites Hacked....

Post by Ted »

Good point.  I guess it's just another reason to push 1.0 along, though I would think that more people would be complaining of this problem...

If people are paranoid about this potential problem, please remove the FCK module.  CMSMS doesn't really require it to run, even if your clients do.  :)
richiejarvis

Re: CMSMS Sites Hacked....

Post by richiejarvis »

Hmm - interesting about the phpbb issue - one of the sites was running phpbb!  And the R57.php file was on the site that wasn't running phpbb.

Just a little nervous at the moment, as I have been told the Police are now investigating....

Richie
Ted
Power Poster
Posts: 3329
Joined: Fri Jun 11, 2004 6:58 pm

Re: CMSMS Sites Hacked....

Post by Ted »

The police?  Yikes.

r57 is a remote control script.  Any security hole that could allow uploading could allow it to be uploaded and executed.  So maybe it was an old phpbb, or maybe it was FCK.  Probably won't be able to tell without some serious log parsing.

However, I just feel that this would've been brought to our attention sooner if it was CMSMS.  Though, I'm sure I'm just being naive.
mahjong

Re: CMSMS Sites Hacked....

Post by mahjong »

richiejarvis wrote: the R57.php file was on the site that wasn't running phpbb.
For as long as it's on the same server, it doesn't matter in which folder. I had a similar case, last year, on a shared hosting account. I found the remote script inside one of my folders. But, after checking the logs, it happened to be another Web site, with phpBB, that let r57.php in.

But, Ted is right. It's only speculation at that point. The logs need to be carefully examined. Maybe, you'll find the point of entry.