I have been hacked

General project discussion. NOT for help questions.
JamesT
Forum Members
Posts: 175
Joined: Tue Sep 08, 2015 10:41 am

I have been hacked

Post by JamesT »

Browsing FTP I saw an unusual file: img1.txt

I downloaded it and Windows Defender immediately fired off a virus warning.

I logged into CMSMS admin and I could see it was uploaded via File Manager.

Apache showed the login attempts from a German IP address, Deutsche Telekom AG (I'm in the UK). User-agent shows "Windows NT 6.1" (Vista) so almost certainly a virus bot at work.

First login attempt in admin log failed, Apache said:


www.m.co.uk 79.199.215.??? - - [23/Jul/2019:15:17:19 +0100] "POST /admin/login.php HTTP/1.1" 200 5067 "https://www.m.co.uk/admin/login.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36" 79.199.215.???

Two further login attempts, performed simultaneously, correspond with two authentication successes in the CMSMS admin log:


www.m.co.uk 79.199.215.??? - - [23/Jul/2019:15:18:28 +0100] "POST /admin/login.php HTTP/1.1" 302 - "https://www.m.co.uk/admin/login.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36" 79.199.215.???

www.m.co.uk 79.199.215.??? - - [23/Jul/2019:15:18:28 +0100] "POST /admin/login.php HTTP/1.1" 302 - "https://www.m.co.uk/admin/login.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36" 79.199.215.???

A few minutes later, img1.txt shows in the admin log as uploaded via File Manager.

My password is very strong, so any ideas how they got in?
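The pattern JamesT describes (one POST to the login page answered with a 200, then two POSTs in the same second answered with 302) is exactly what you would want a script to pull out of an access log rather than eyeball. The following is an added example, not code from the thread or from CMSMS: it parses Apache vhost_combined lines, keeps only POSTs to the admin login URL, and flags per source IP the two things seen above, simultaneous successes and a failure followed shortly by a success. The sample log lines are constructed (documentation-range IPs, abbreviated user agents) and the 200 = failure / 302 = success rule is a heuristic taken from the behaviour the post reports, so check it against your own login handler before trusting it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache vhost_combined format. IPs are from the
# documentation ranges; they are not the addresses from the original post.
SAMPLE_LOG = """\
www.example.co.uk 203.0.113.10 - - [23/Jul/2019:15:17:19 +0100] "POST /admin/login.php HTTP/1.1" 200 5067 "https://www.example.co.uk/admin/login.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36" 203.0.113.10
www.example.co.uk 203.0.113.10 - - [23/Jul/2019:15:18:28 +0100] "POST /admin/login.php HTTP/1.1" 302 - "https://www.example.co.uk/admin/login.php" "Mozilla/5.0 (Windows NT 6.1) ..." 203.0.113.10
www.example.co.uk 203.0.113.10 - - [23/Jul/2019:15:18:28 +0100] "POST /admin/login.php HTTP/1.1" 302 - "https://www.example.co.uk/admin/login.php" "Mozilla/5.0 (Windows NT 6.1) ..." 203.0.113.10
www.example.co.uk 198.51.100.7 - - [23/Jul/2019:09:02:11 +0100] "GET /admin/login.php HTTP/1.1" 200 5067 "-" "Mozilla/5.0 (X11; Linux x86_64) ..." 198.51.100.7
www.example.co.uk 198.51.100.7 - - [23/Jul/2019:09:02:30 +0100] "POST /admin/login.php HTTP/1.1" 302 - "https://www.example.co.uk/admin/login.php" "Mozilla/5.0 (X11; Linux x86_64) ..." 198.51.100.7
"""

# vhost, client IP, ident, user, [timestamp], "METHOD PATH PROTO", status, size,
# "referer", "user agent"; the trailing duplicate IP is ignored.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def login_events(text, login_path="/admin/login.php"):
    """Keep only POSTs to the login page and label each as success or failure.
    Heuristic from the thread: the form is re-rendered (200) on a bad login and
    the browser is redirected (302) into the admin on a good one."""
    events = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == login_path:
            rec["outcome"] = "success" if rec["status"] in (301, 302, 303) else "failure"
            events.append(rec)
    return events


def suspicious_sources(events, window=120):
    """Group login POSTs by client IP and flag patterns worth a closer look."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["outcome"] == "failure"]
        succ = [e for e in evs if e["outcome"] == "success"]
        flags = []

        # Two or more successful logins in the same second is not a person typing.
        per_second = defaultdict(int)
        for e in succ:
            per_second[e["ts"]] += 1
        if any(n > 1 for n in per_second.values()):
            flags.append("simultaneous_success")

        # A failed attempt followed by a success within `window` seconds.
        for f in fails:
            if any(0 <= (s["ts"] - f["ts"]).total_seconds() <= window for s in succ):
                flags.append("fail_then_success")
                break

        report[ip] = {
            "failures": len(fails),
            "successes": len(succ),
            "flags": flags,
            "user_agents": sorted({e["ua"] for e in evs}),
        }
    return report


if __name__ == "__main__":
    for ip, info in suspicious_sources(login_events(SAMPLE_LOG)).items():
        print(ip, info)
```

Run it against the real file with `login_events(open("access.log").read())`; any IP that comes back with a non-empty `flags` list is the one whose POST bodies you wish you had kept.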
DIGI3
Dev Team Member
Posts: 1609
Joined: Wed Feb 25, 2009 4:25 am
Location: Victoria, BC

Re: I have been hacked

Post by DIGI3 »

Which version of CMSMS?

How do you know it was uploaded via file manager, was it in the admin log or something?

You'd need to check your server access logs and do some real digging to find out how they got in, but if you're using an old version of CMSMS there are known exploits.
JamesT
Forum Members
Posts: 175
Joined: Tue Sep 08, 2015 10:41 am

Re: I have been hacked

Post by JamesT »

Latest version of CMSMS and all the modules.

The virus was uploaded via File Manager, it was in the CMSMS Admin Log.


----------------------------------------------

Cms Version: 2.2.10

Installed Modules:

AdminSearch: 1.0.4
Banners: 2.10
CGBetterForms: 1.9.9.1
CGBlog: 1.15.11
CGExtensions: 1.63.3
CGSimpleSmarty: 2.2.1
CMSContentManager: 1.1.7
Captcha: 1.0
CmsJobManager: 0.1.3
DesignManager: 1.1.6
FileManager: 1.6.8
FilePicker: 1.0.4
Gallery: 2.3.3
JQueryTools: 1.4.2
MicroTiny: 2.2.4
ModuleManager: 2.1.6
NMS: 2.13.3
Navigator: 1.0.9
News: 2.51.6
Search: 1.51.6
Showtime2: 3.6.3
ThemeManager: 1.1.8

Config Information:

php_memory_limit:
max_upload_size: 100000000
url_rewriting: none
page_extension:
query_var: page
auto_alias_content: true
locale:
set_names: true
timezone: Europe/London
permissive_smarty: false

Php Information:

phpversion: 7.3.3
md5_function: On (True)
json_function: On (True)
gd_version: 2
tempnam_function: On (True)
magic_quotes_runtime: Off (False)
E_ALL: 32767
E_STRICT: 2048
E_DEPRECATED: 8192
test_file_timedifference: No time difference found
test_db_timedifference: No time difference found
create_dir_and_file: 1
memory_limit: 128M
max_execution_time: 60
register_globals: Off (False)
output_buffering: On
disable_functions:
open_basedir:
test_remote_url: Success
file_uploads: On (True)
post_max_size: 100M
upload_max_filesize: 100M
session_save_path: No check because OS path
session_use_cookies: On (True)
xml_function: On (True)
xmlreader_class: On (True)
check_ini_set: On (True)
curl: On

Performance Information:

allow_browser_cache: On (True)
browser_cache_expiry: 60
php_opcache: On (True)
smarty_cache: Off (False)
smarty_compilecheck: Off (False)
auto_clear_cache_age: On (True)

Server Information:

Server Software: Apache
Server Api: cgi-fcgi
Server Os: Linux 4.19.44 On x86_64
Server Db Type: MySQL (mysqli)
Server Db Version: 5.7.16
Server Db Grants: Found a "GRANT ALL" statement that appears to be suitable

Permission Information:

tmp: /var/sites/m/m.co.uk/public_html/tmp (0755)
tmp_cache: /var/sites/m/m.co.uk/public_html/tmp/cache (0755)
templates_c: /var/sites/m/m.co.uk/public_html/tmp/templates_c (0755)
modules: /var/sites/m/m.co.uk/public_html/modules (0755)
uploads: /var/sites/m/m.co.uk/public_html/uploads (0755)
File Creation Mask (umask): /var/sites/m/m.co.uk/public_html/tmp/cache (0755)
config_file: 0444
----------------------------------------------
DIGI3
Dev Team Member
Posts: 1609
Joined: Wed Feb 25, 2009 4:25 am
Location: Victoria, BC

Re: I have been hacked

Post by DIGI3 »

Yeah that's not going to be an easy one to track down. It's possible they got in before an upgrade, so simply changing your password (make sure it's the user account they used) may stop it. You'll also need to carefully check every file on the system for anything that shouldn't be there. Shell access is best for this so you can search by modified date, etc. Using CMSMS's system verification may help too.
JamesT
Forum Members
Posts: 175
Joined: Tue Sep 08, 2015 10:41 am

Re: I have been hacked

Post by JamesT »

I thought I'd flag this up in case there's a potential vulnerability in CMSMS.

I find it odd they had a failed attempt just before the success, obviously without seeing the POST data which they sent it's impossible to see if they found an exploit and used it.
JamesT
Forum Members
Posts: 175
Joined: Tue Sep 08, 2015 10:41 am

Re: I have been hacked

Post by JamesT »

Just to add, I've changed my CMSMS password and deleted the virus file from the server.

The only files which failed the checksum are those in the News module, but I think that's because it was updated post-release via Module Manager due to an issue with 2.3 Beta.

If I see any further occurrences of a bot logging in as me I'll report back. Thanks for the replies.
Rolf
Dev Team Member
Posts: 7825
Joined: Wed Apr 23, 2008 7:53 am
Location: The Netherlands

Re: I have been hacked

Post by Rolf »

JamesT wrote: Just to add, I've changed my CMSMS password and deleted the virus file from the server.
You also changed your FTP and hosting passwords?
And are they strong passwords?
JamesT wrote: The only files which failed the checksum are those in the News module, but I think that's because it was updated post-release via Module Manager due to an issue with 2.3 Beta.
As far as I know the CMSMS checksum function checks core CMSMS files. It does not check if there are other/extra scripts present... So you can't be sure there isn't an extra bad file in some folder hacking your files over and over again. Only once this file is gone are you safe.
Try looking at the folder/file dates: what changed, and when?
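Both DIGI3's advice (search by modified date, run the system verification) and Rolf's caveat (the core checksum will not tell you about an extra file that was never in the release) point at the same tool: a full-tree manifest taken when the site is known clean, then diffed against the tree now. The block below is an added example, not CMSMS's own verification routine and not the MillcoMonitor module mentioned later in the thread. It builds such a manifest (SHA-256, size, mtime for every file, skipping the top-level cache directory), reports files added, removed or changed since the baseline, and separately lists files whose mtime falls after a given moment, which is what `find -newermt` would give you on the shell. The `demo()` function stands in for a real docroot with a constructed temporary tree and constructed timestamps.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def build_manifest(root, exclude=("tmp",)):
    """Map each regular file under root (POSIX relative path) to its SHA-256,
    size and mtime. Top-level directories named in `exclude` are skipped because
    caches churn constantly and would drown the report."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if rel.parts[0] in exclude:
            continue
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        st = path.stat()
        manifest[rel.as_posix()] = {
            "sha256": h.hexdigest(), "size": st.st_size, "mtime": int(st.st_mtime)}
    return manifest


def diff_manifests(baseline, current):
    """What a core-only checksum misses: files that appeared, vanished or
    changed anywhere in the tree, not only the ones the release shipped."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p]["sha256"] != current[p]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def modified_since(manifest, since_epoch):
    """Files whose mtime is at or after since_epoch. An attacker can reset
    mtimes (touch -r), so treat this as a lead, not as proof of anything."""
    return sorted(p for p, m in manifest.items() if m["mtime"] >= since_epoch)


BEFORE = 1_560_000_000   # constructed: when the clean baseline was taken
DURING = 1_563_895_100   # constructed: roughly when the suspicious logins happened


def demo():
    """Constructed scenario: a small docroot is baselined, then one file is
    dropped into uploads/ and one shipped file is edited. Returns the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for sub in ("modules/News", "uploads", "tmp/cache"):
            (root / sub).mkdir(parents=True)
        files = {
            "index.php": "<?php /* core entry point (placeholder) */",
            "modules/News/News.module.php": "<?php /* module code (placeholder) */",
            "tmp/cache/stale": "cache data",
        }
        for rel, body in files.items():
            p = root / rel
            p.write_text(body)
            os.utime(p, (BEFORE, BEFORE))
        # Round-trip through JSON: in practice you store this copy off the box.
        baseline = json.loads(json.dumps(build_manifest(root)))

        # The incident: an extra file appears and a shipped file is changed.
        dropped = root / "uploads" / "img1.txt"
        dropped.write_text("placeholder content standing in for the uploaded file")
        tampered = root / "index.php"
        tampered.write_text(files["index.php"] + " /* appended */")
        for p in (dropped, tampered):
            os.utime(p, (DURING, DURING))

        current = build_manifest(root)
        return {
            "diff": diff_manifests(baseline, current),
            "recent": modified_since(current, DURING - 3600),
            "excluded_tmp": not any(p.startswith("tmp/") for p in current),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Take the baseline right after a clean install or upgrade, keep the JSON somewhere the web server cannot write to, and rerun `diff_manifests` from cron; an entry under `added` in a directory that should only ever contain release files is the signal Rolf is describing.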
JamesT
Forum Members
Posts: 175
Joined: Tue Sep 08, 2015 10:41 am

Re: I have been hacked

Post by JamesT »

Rolf wrote: You also changed your FTP and hosting passwords?
And are they strong passwords?
I haven't, but they are strong passwords.
Rolf wrote: As far as I know the CMSMS checksum function checks core CMSMS files. It does not check if there are other/extra scripts present... So you can't be sure there isn't an extra bad file in some folder hacking your files over and over again. Only once this file is gone are you safe.
Try looking at the folder/file dates: what changed, and when?
No files had been added or changed, aside from the img1.txt uploaded via CMSMS as I mentioned earlier. There have been no further unauthorised login attempts.
scooper
Forum Members
Posts: 242
Joined: Fri Dec 09, 2005 12:36 pm
Location: Marlow, UK

Re: I have been hacked

Post by scooper »

When we've had cases where malicious files were uploaded via the admin interface it's been down to password reuse from a user who had their password exposed in a different breach.

Make sure you and your admins are using unique passwords.
It's well worth checking in https://haveibeenpwned.com/ to see whether an email address has been exposed in any public data dumps as well.

We built a simple module that runs a background job to monitor when files are updated (outside /uploads and /tmp). We never quite got it in a fit state to add to the forge (I can feel a moderator getting poised to delete this post already) but it is actually quite reassuring.
It's available on Github at https://github.com/millipedia/MillcoMonitor.
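scooper's password-reuse hypothesis can be tested more directly than by looking up an email address: Have I Been Pwned also exposes the Pwned Passwords range API, which lets you ask whether a specific password appears in known breach dumps without ever sending the password. The block below is an added example (not part of scooper's post, and not MillcoMonitor) of that k-anonymity check: only the first five hex characters of the password's SHA-1 go to `https://api.pwnedpasswords.com/range/<prefix>`, the server returns every suffix it knows with that prefix, and the match is made locally. The range response used by the test is constructed, with made-up counts, so the code runs offline; `fetch_range_live` does the real HTTP call if you want to use it.

```python
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"


def sha1_parts(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the API and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body, suffix):
    """Parse a range response ('SUFFIX:COUNT' per line) and return how many
    times our suffix was seen in breaches, 0 if it is absent."""
    for line in range_body.splitlines():
        sfx, sep, count = line.strip().partition(":")
        if sep and sfx.upper() == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix, timeout=10):
    """Real lookup (not exercised by the test). Add-Padding asks the service to
    pad the response so its size does not leak which prefix was queried."""
    req = urllib.request.Request(
        API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch_range=fetch_range_live):
    """Return the breach count for `password`; anything above 0 means it must
    not be used anywhere, however strong it looks."""
    prefix, suffix = sha1_parts(password)
    return count_in_range(fetch_range(prefix), suffix)


# Constructed stand-in for the API: one range, three suffixes, invented counts.
# The prefix 5BAA6 is the real start of SHA-1("password"); the other two
# suffixes are filler so the match has to be found rather than assumed.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "1D2D8A6A3F5C2B7E0F9D4C1B8A7E6F5D4C3:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "2B5C7D9E1F3A5B7C9D1E3F5A7B9C1D3E5F7:17",
    ])
}


def offline_fetch(prefix):
    """Offline replacement for fetch_range_live using the constructed data."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), "seen", pwned_count(pw, offline_fetch), "times (constructed data)")
```

Run this over every admin, FTP and hosting-panel password in the KeePass database, not just the one for the CMSMS account that was used: the attacker logged in as the primary admin, but the question is whether any credential for the site is sitting in a public dump.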
JamesT
Forum Members
Posts: 175
Joined: Tue Sep 08, 2015 10:41 am

Re: I have been hacked

Post by JamesT »

It was my own account (primary, admin) they logged in as. The other user's account was not used.

I do appear on haveibeenpwned.com as "Onliner Spambot" but that is not a password leak as far as I can make out.

I use good security practices, every password is strong and unique (KeePass).

If this happens again I might try and set up something to log POST data to a file since we might get some clues as to what they're doing.
avisawant
New Member
Posts: 1
Joined: Sat Aug 03, 2019 6:13 am

Re: I have been hacked

Post by avisawant »

This is good information about CMSMS and its hacking. I am sure it will help me if such an issue occurs.
JamesT
Forum Members
Posts: 175
Joined: Tue Sep 08, 2015 10:41 am

Re: I have been hacked

Post by JamesT »

CMSMS 2.2.12 has just been released which addresses a security issue in FileManager. Possibly related to the issue I raised in this thread?

I have already installed the latest version and changed my database password as advised.
velden
Dev Team Member
Posts: 3483
Joined: Mon Nov 28, 2011 9:29 am
Location: The Netherlands

Re: I have been hacked

Post by velden »

Considering the severity of the fixed security issue it is possible it has been used to compromise your website.

Especially if your hosting offers public access to a database frontend (usually phpmyadmin) or your database allows connections from any host.

That said it will be very hard to track down the way someone got into your system.
JamesT
Forum Members
Posts: 175
Joined: Tue Sep 08, 2015 10:41 am

Re: I have been hacked

Post by JamesT »

velden wrote: Especially if your hosting offers public access to a database frontend (usually phpmyadmin) or your database allows connections from any host.
My host offers the option but I've never enabled that. I suppose my host's phpmyadmin interface was another possibility but it seems like it was just an attack on FileManager.

If it had happened continuously I probably would have started to log POST data but it didn't reoccur.