High rate of malware attacks, also affecting 2.2.16

For questions and problems with the CMS core. This board is NOT for any 3rd party modules, addons, PHP scripts or anything NOT distributed with the CMS made simple package itself.
bergt
New Member
Posts: 3
Joined: Sun Jun 04, 2023 9:33 am

High rate of malware attacks, also affecting 2.2.16

Post by bergt »

Hi all
Since around the 25th of May there's been a constant barrage of malware affecting my customer sites. I've upgraded to PHP 7.4.33 and upgraded all the sites to v2.2.16. Changed all the login passwords. Updated CKEditor that's used by a page in the admin area. Set everything bar the /tmp folder read-only. Still happening. So I'm guessing it's a file upload or RCE type of vulnerability being exploited to download and install malware.

Installation of the malware doesn't generate anything in the IIS logs around the time of the files being modified. Installation creates/modifies the index.php files (not just the main index.php) and inserts a PHP include line (surrounded by PHP comment blocks) to a file that's been installed somewhere on the site. Never in the same place. Always ends in a .inc. It is heavily obfuscated code that even malwaredecoder.com doesn't really help with demystifying.
I've come across a couple of open exploits. Looking at the CMSMS bug tracker it could be that Smarty related one? Otherwise I'm guessing it is file manager/file picker or FCKEditorX vulnerability.
I don't use many modules, just the basics.... FormBuilder, CGExtensions, MenuManager. And a CKEditor which I've updated to the latest 4.x version.

Has anyone got some ideas on what else I can do to mitigate against this?
My server is running IIS so I can't use ModSecurity.
TBH seems like moving to a hosting solution with ModSecurity or other such stuff is the only way forward. My customers are getting kinda annoyed and embarrassed. Especially when Google starts warning people about visiting the website ::)

Any help appreciated. Thank you.
If there's some open bugs that need squashing I could help with development.
Jo Morg
Dev Team Member
Posts: 1922
Joined: Mon Jan 29, 2007 4:47 pm

Re: High rate of malware attacks, also affecting 2.2.16

Post by Jo Morg »

Hi Bergt,
although we don't advise, and generally do not support, installing CMSMS in an IIS environment, there are a few suggestions that can be implemented no matter the environment:
- once the site suffers an initial attack and depending on what was the vector and level of compromise, there is a high probability that the attacker compromised other areas of the software or server so that there may always be at least one backdoor open to gain access to the server,
- it's important that a checksum of the site is created frequently in order to have the means to check for the integrity of the files that are part of the software;
- as it's most likely that a current checksum doesn't exist right now I would start by doing a full back up of files and database;
- change all the passwords used both in the site as in the server;
- use the CMSMS installer of 2.2.16 to freshen all the core files -- the files will be overwritten by the original ones thus restoring their integrity;
- replace the files of each of the 3rd party modules with new ones (it shouldn't be needed to re-install them though);
- scan the server for files that shouldn't be there and that may constitute an open door to an attack;
- if there is anything that may be recognized as a signature (a sentence, a sequence of characters, something that recognizably should not be there), search the database and other files that don't belong to the CMSMS file system for those.

To the best of our knowledge and assuming you have the latest versions of the core and modules, there is no vector of attack to CMSMS that doesn't require gaining access to the admin area of the software, so try to assess if there are other vectors extraneous to CMSMS itself.

HTH
"There are 10 types of people in this world, those who understand binary... and those who don't."
* by the way: English is NOT my native language (sorry for any mistakes...).
Code of Conduct | CMSMS Docs | Help Support CMSMS
My developer Page on the Forge
GeekMoot 2015 in Ghent, Belgium: I was there!
GeekMoot 2016 in Leicester, UK: I was there!
DevMoot 2023 in Cynwyd, Wales: I was there!
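Jo Morg's advice above amounts to "baseline the file tree, then diff it", and bergt's first post describes the giveaway: an include of a `.inc` file wrapped in PHP comment blocks. The script below is an added example written for this thread, not code from the CMSMS project or its `checksum.dat` tooling; it builds a sha256 baseline, reports added/removed/modified files, and flags PHP files matching that include pattern. The site tree it checks is constructed inline in `demo()`, and the `tmp` exclusion mirrors bergt's writable-only-tmp setup.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic for the pattern bergt describes: an include/require of a *.inc
# file wrapped in PHP comment blocks. Tune to taste; it is not a signature.
INJECTED_INCLUDE = re.compile(
    r"/\*.*?\*/\s*@?(?:include|require)(?:_once)?\s*\(?\s*['\"][^'\"]+\.inc['\"]",
    re.DOTALL)

def hash_tree(root, exclude=("tmp",)):
    """Map each file under root (top-level 'exclude' dirs skipped) to its sha256."""
    root = Path(root)
    out = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel.split("/")[0] not in exclude:
            out[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out

def compare(baseline, current):
    """Report files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
    }

def suspicious_includes(root):
    """PHP files under root whose source matches INJECTED_INCLUDE."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*.php")
                  if INJECTED_INCLUDE.search(p.read_text(errors="replace")))

def demo():
    """Constructed site tree (not a real install): baseline, simulate the
    modification bergt describes, then re-check."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d)
        (site / "admin").mkdir()
        (site / "index.php").write_text("<?php\nrequire 'lib/app.php';\n")
        (site / "admin" / "index.php").write_text("<?php\necho 'admin';\n")
        baseline = hash_tree(site)
        # Simulated compromise: dropped .inc file plus a comment-wrapped include.
        (site / "admin" / "x7q.inc").write_text("<?php eval('');")
        (site / "index.php").write_text(
            "<?php\n/*a1b2*/\n@include 'admin/x7q.inc';\n/*c3d4*/\nrequire 'lib/app.php';\n")
        return compare(baseline, hash_tree(site)), suspicious_includes(site)
```

Run `hash_tree()` once against a freshly restored install and keep the result somewhere the web server cannot write, then rerun `compare()` on a schedule; a clean diff plus an empty `suspicious_includes()` list is the condition you want to see.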
bergt
New Member
Posts: 3
Joined: Sun Jun 04, 2023 9:33 am

Re: High rate of malware attacks, also affecting 2.2.16

Post by bergt »

Hi Jo
Thank you for your thorough response.

I had been trying the "System Verification" function on my sites, using the original distribution checksum.dat file provided in the downloads section from cmsmadesimple.org. It complained of some missing files and some existing (mostly language) files not matching - different lists on each site. I assumed this was because of the various upgrades applied to the sites from 1.x to 2.whatever.

- I ran a PHP malware scanner (https://github.com/marcocesarato/PHP-An ... re-Scanner) and it picked up several files that had suspicious content, including a few of the CMSMS language files, some core files (particularly smarty and some admin area files), as well as some obvious "stuff" left behind by the hackers in the admin folder. So I figure the installations had been compromised quite badly. This is unsurprising as one site was 1.x before I upgraded it only a few days ago.

- I took backups of the sites again.
- Grabbed the data.tar.gz file from the 2.2.16 installation zip, went through all the folders in the sites and removed any folders that correspond to OG admin/assets/modules/libs in the data file, and then unpacked the installation file over the sites to restore the core files back to OG.
- Re-installed Formbuilder.
- Now the original distribution checksum.dat reports everything is good.
- Re-ran the malware scanner and removed anything that was not CMSMS code (admin/smarty/language related). It picked up stuff lurking around in a couple of other module folders and elsewhere in e.g. the uploads folder.

One site has Captcha, JQuery tools, and CGExtensions+CGSimpleSmarty modules and are the latest versions.

I'm hopeful that everything nefarious has been cleared off. Time will tell.

Hope this helps anyone else trying to battle against a malware infestation.
pierrepercee
Forum Members
Posts: 148
Joined: Thu Jan 10, 2013 8:02 am

Re: High rate of malware attacks, also affecting 2.2.16

Post by pierrepercee »

Hello,

You can protect your admin folder with a simple .htaccess, don't know with IIS?
It is a low-level protection that works very well, with username and password. I systematically put it in place on all my CMSMS sites. Remember to change the line

$config['admin_dir'] = 'mydiradminok';
in the config.php to change admin dir
.htaccess


# HTTP Basic authentication in front of the admin directory
AuthUserFile /home/rephtpw/.lfkgrrtsgjdpm
AuthGroupFile /dev/null
AuthName "Accès Restreint"
AuthType Basic
require valid-user

# Stop browsers and proxies from caching admin pages
<IfModule mod_expires.c>
    ExpiresActive Off
</IfModule>

<IfModule mod_headers.c>
    Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
    Header set Pragma "no-cache"
</IfModule>