My CMSMS was hacked yesterday :(

Sonya

My CMSMS was hacked yesterday :(

Post by Sonya »

Hello,

yesterday my site was hacked. I see today in my system log in admin area that somebody logged into as 'admin' and uploaded a php script. This script is a file explorer, so that it was possible to see all my files (also under other domains) and corrupt some of them. I use CMSMS 1.0.5 for the site attacked. And I did not ever give my admin password to somebody because I develop on my own and not in community. But i change my passwords rarely.

I have some other sites run with CMSMS 1.0.6. So I need a good plan to protect my installation. I intend to do these steps:

1. Upgrade the attacked site to CMSMS 1.0.6.
2. Change the user 'admin' to something else.
3. Change url of admin area of all my sites to something 'unguessable'. For example http://mysite.org/cnt0105 or something like this.
4. Make a reminder to change my passwords more often.

Have you any other ideas? Do you know how it could happen?
Thank you,
Sonya
Last edited by Sonya on Tue Jun 05, 2007 2:36 pm, edited 1 time in total.
Pierre M.

Re: My CMSMS was hacked yesterday :(

Post by Pierre M. »

Hello,

How do you trust the software downloaded/installed (even Flash/JavaScripts and toolbars) on your admin computer? Maybe there is some key logger on it?

Pierre M.
cyberman

Re: My CMSMS was hacked yesterday :(

Post by cyberman »

Do you run other (non CMSMS) software on your page?
Sonya wrote: Have you any other ideas?
It's a little bit against CMSms promotion but you can delete all notes to CMSms too (in footer, in metatags and in index.php).
Sonya

Re: My CMSMS was hacked yesterday :(

Post by Sonya »

Pierre M. wrote: May be there is some key logger on it ?
I was not sure and so I had them all :) Kaspersky, Symantec, ZoneAlarm, SpyBot, Ad-Aware, HiJackThis... Nothing is found. I have now the idea how it could happen:

I registered in a forum or other service with my mail address me@mydomain.com. And I gave my master password (yes, I have really used one password for all my logins  ::) ). The password was saved but not encrypted. So the owner of the database could go to mydomain.com and then just try to get mydomain.com/admin, and it worked. Then he just tried to log in with user 'admin' and the password I gave before. That's it.

I do not think that it was possible to log in to admin with brute force or something like this.
Last edited by Sonya on Thu Jun 07, 2007 7:11 pm, edited 1 time in total.
Sonya

Re: My CMSMS was hacked yesterday :(

Post by Sonya »

sirjohn7x wrote: double authentication
I did it with htaccess additionally. I am allowed to be a little bit paranoid now :)
Sonya

Re: My CMSMS was hacked yesterday :(

Post by Sonya »

cyberman wrote: Do you run other (non CMSMS) software on your page?
It's a little bit against CMSms promotion but you can delete all notes to CMSms too (in footer, in metatags and in index.php).
Yes, I left all the promotion on the site (I love CMSMS  :-*). It will be an inner conflict for me to remove it from the site...
Pierre M.

Re: My CMSMS was hacked yesterday :(

Post by Pierre M. »

We can still promote CMSms and slow down hijackers' bots by removing only the version numbers, not "made with CMS Made Simple".
I like Antonio's suggestion of double protection. Further, maybe the /admin URL can be obfuscated and not promoted in robots.txt.
Pierre M.
Kayin
Forum Members
Posts: 59
Joined: Mon Jun 05, 2006 2:33 am

Re: My CMSMS was hacked yesterday :(

Post by Kayin »

I hate to be a bastard but I'm kinda concerned about the point of entry.

All you know is that someone logged in as admin and then uploaded a file browsing script. This means the person didn't have or need access to the web server via any other method. It also suggests that the attack was a remote attack to the CMS itself, whether that be the login or some other point allowing the attacker to retrieve information from the database.

The only other option is that the guy knew the password from some other source, since he only uses one password for everything, which is kinda stupid yes. (I use over 40 passwords, 2 of which are 21 seemingly random characters in length.)

Though it was most likely the latter, I'm still a little concerned about CMSMS's authentication system. CMSMS has a lot of code, anyone know where that's at?

-K
Sonya

Re: My CMSMS was hacked yesterday :(

Post by Sonya »

Kayin wrote: ... since he only uses one password for everything, which is kinda stupid yes.
she uses. Yes, it's a woman  :)
Kayin wrote: (I use over 40 passwords, 2 of which are 21 seemingly random characters in length.)
I am not able to notice my passwords. Do you have any system to remember all of them?
Kayin wrote: I'm still a little concerned about CMSMS's authentication system. CMSMS has a lot of code, anyone know where that's at?
You'll find the admin authentication in /admin/login.php. I did not find any security issues there.
Kayin
Forum Members
Posts: 59
Joined: Mon Jun 05, 2006 2:33 am

Re: My CMSMS was hacked yesterday :(

Post by Kayin »

ah, sorry bout that. I don't try to guess gender by username anymore, though yours is kinda obvious. I have been fooled before.

so far I've gone through..

includes.php
class.user.inc
class.events.inc
login.php

There isn't a grace login system which isn't that bad of an idea (imo). I can write a very annoying PHP brute force program to either crash the database, dramatically slow down the site, or actually succeed in logging in.

Passwords use md5. I know it doesn't really matter because let's face it, nobody's going to run into collisions, but sha1() is a supported php function since 4.3, so why not, right?

There's really a lot of options for the password system. Though they don't do much more beyond boost ego of the system. I wonder if I rewrote it out of boredom if they'd put it in or not.

As for my passwords. The first 10 or so were actually autogenerated and recommended when I was signing up for forums back in the day. The next bit I added a few numbers to. The 20+ character ones were actually remnants of a 50 character password that I made using 2 hashed mac addresses mixed in a ridiculous manner. Long story behind why I used that. Another set follows a rhyme scheme, and the others were just made up.

Every password I have has a story behind it of either where I got it, why I use it, or how I got it. I remember them by fonder memories, if that makes any sense.

-K
Last edited by Kayin on Fri Jun 08, 2007 6:11 pm, edited 1 time in total.
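The two gaps Kayin lists above, unsalted md5 and no limit on failed logins, shown in an added example (not CMSMS code; the `users` table columns and the `$db` PDO handle are assumptions for the example):

```php
<?php
// Added example, not CMSMS code. Demonstrates salted password storage plus a
// per-user failed-login lockout, the "grace login" limit missing from the
// 1.0.x admin login. Assumes a PDO handle $db and a constructed table:
//   users(username, password_hash, failed_attempts, locked_until)

const MAX_ATTEMPTS    = 5;   // failures allowed before the account locks
const LOCKOUT_SECONDS = 900; // lock for 15 minutes

function store_password(PDO $db, string $user, string $plain): void
{
    // password_hash() salts automatically and uses bcrypt (PASSWORD_DEFAULT),
    // so stored hashes cannot be looked up in a precomputed md5/sha1 table.
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?')
       ->execute([$hash, $user]);
}

function attempt_login(PDO $db, string $user, string $plain): bool
{
    // Dummy hash so an unknown username costs the same time as a real one.
    static $dummy = null;
    $dummy ??= password_hash('no-such-user', PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT password_hash, failed_attempts, locked_until
                          FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_verify($plain, $dummy);
        return false;
    }
    $now = time();
    if ($row['locked_until'] !== null && $now < (int)$row['locked_until']) {
        return false; // still locked: do not even evaluate the password
    }
    if (password_verify($plain, $row['password_hash'])) {
        $db->prepare('UPDATE users SET failed_attempts = 0, locked_until = NULL
                      WHERE username = ?')->execute([$user]);
        return true;
    }
    // Lock expired: start counting again from zero, otherwise keep counting.
    $failed = ($row['locked_until'] !== null) ? 0 : (int)$row['failed_attempts'];
    $failed++;
    $lock = ($failed >= MAX_ATTEMPTS) ? $now + LOCKOUT_SECONDS : null;
    $db->prepare('UPDATE users SET failed_attempts = ?, locked_until = ?
                  WHERE username = ?')->execute([$failed, $lock, $user]);
    // Log the failure so repeated attempts show up in the server log, which is
    // how Sonya noticed the break-in in the first place.
    error_log("failed admin login for '$user' from " . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
    return false;
}
```

A lockout keyed on the username alone lets an attacker lock the real admin out; pairing it with a per-IP counter, or a short and growing delay instead of a hard lock, is the usual compromise.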
cyberman

Re: My CMSMS was hacked yesterday :(

Post by cyberman »

Kayin wrote: Passwords use md5. I know it doesn't really matter because lets face it, nobody's going to run into collisions but sha1() is a supported php function since 4.3, so why not right?
Good idea - maybe you should ask Ted on IRC.
Pierre M. wrote: We can still promote CMSms and slow down hijackers' bots by removing only the version numbers
If hackers know the software used, it's very easy for them because they can install it locally and have a lot of time to try to hack the system (every version).
jmcgin51
Power Poster
Posts: 1899
Joined: Mon Jun 12, 2006 9:02 pm

Re: My CMSMS was hacked yesterday :(

Post by jmcgin51 »

Sonya,

It's not as convenient as pulling passwords from memory, and in some ways a little less secure (since the passwords are stored outside your mind), but you can use a password manager like Password Corral (http://www.cygnusproductions.com/). This is what I use. Very easy, very secure.
Sonya

Re: My CMSMS was hacked yesterday :(

Post by Sonya »

jmcgin51 wrote: you can use a password manager like Password Corral (http://www.cygnusproductions.com/)
It's nice, but I have at least three different places and PCs where I develop. So I have to 'carry' my passwords with me in my mind. Nevertheless, thank you!
RonnyK
Support Guru
Posts: 4962
Joined: Wed Oct 25, 2006 8:29 pm
Location: Raalte, the Netherlands

Re: My CMSMS was hacked yesterday :(

Post by RonnyK »

I use "Keepass" to store my logins, it runs on a memory-stick as well, so no need for installation, just extract it in a folder on the stick.

Ronny
banter

Re: My CMSMS was hacked yesterday :(

Post by banter »

I use good old fashioned pen and paper to store passwords! I know, that sounds very old fashioned but it works for me  ;) I use names that mean something for me that others won't recognize if they found the paper, e.g. instead of writing "CMSMS admin" I might put "Holiday".