Website Hacked

[jayhands]

I have recently had a website built on CMS Made Simple that has been hacked! The index.php was replaced. I did delete the /install/ folder 

Anyway, i have reuploaded the index.php and everything is fine - the database was not dropped or owt. Anyway, does anyone know if this is a software vunerability or a server problem or can you not tell?

The website is not hosted on our server.

Cheers

[calguy1000]

Which version of CMS Made Simple?

[jayhands]

1.1.2

Do you need a URL?

The password is quite secure and not password or anything silly - It is a random generated password.

[Signex]

is it on shared hosting ? maybe other accounts are hacked to, then its probably server security, maybe ask your host?

do you have any other software on your account which could have been hacked so they could access your account?

[calguy1000]

check your httpd access log for weird urls, to try to see how they got in.  We fixed one issue in 1.1.3.1, so I hope that that's it.

[jayhands]

THE WEBS (ooops) website is not hosted on our server so i have no idea if other sites are hacked etc. I also have no idea what software is running on there. My understanding is that it is a dedicated server but i am not certain. There are other websites on the server. I don't think they have been affected but am not certain.

In my limited understanding i guess somebody would require FTP access to change a page...which means a server security issue.

I know that the bloke who owns the server will say its a software problem. I just need to tell him and my client that it is not software with some kind of certainty.

Any ideas?

[jayhands]

check your httpd access log for weird urls, to try to see how they got in.  We fixed one issue in 1.1.3.1, so I hope that that's it.

Does this look like software or server if it is this?

Thank you everybody 

[Signex]

depends on what you find in the httpd access logs wether its cmsms software or something else.

[jayhands]

Thank You All - wow what fast feedback!

I'll check that out - would it be worth me upgrading to 1.1.3.1 ?

Will all my databases and tables etc still be in tact?

[calguy1000]

Well, 1.1.3.1 doesn't change any databases, so don't worry about that, but first I'd like to find out how the person managed to hack your site before I say wether it's worth upgrading.  (we may have to put another patch out).

[calguy1000]

You should work with your hosting provider to find out a) how to read your httpd access and error logs, and then if you don't have an idea what's going on, perhaps work with him to find any odd looking access URLS that may have rewritten your index.php

[jayhands]

No probs will let you know

[citrus]

In my limited understanding i guess somebody would require FTP access to change a page...which means a server security issue.

I know that the bloke who owns the server will say its a software problem. I just need to tell him and my client that it is not software with some kind of certainty.

For the benefit of others I'm "That bloke who owns the server"

Jay, you really should stick to design and SEO and leave the techy stuff to others. Unfortunately it was down to the sites excellent search engine listings that led to the problem as all the would be hacker had to do was search for "powered by CMS Made Simple version 1.1.2" and then exploit the known problem with that version. he was not targeting the site as such but looking for opportunities made available by the faulty script. how do you think all these Phishing sites get hosted? The hacker did you a favour really by leaving his signature otherwise it could have gone unnoticed till someone complained about a Phishing scam.

We have not had a server compromised in 9 years, it's always the out of date or insecure php scripts that cause the problems.

You owe us an apology it WAS the software, NOT the server security.

Here are the logs to prove it.

Here are the log entries to show that the part of the CMS script which was abused here was "lib/adodb_lite/adodb-perf-module.inc.php".

xxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxx

You can see that this insecure php page has been used to load various files into the sites hosting from hosts such as
xxxxxxxxxxxxxxxxxxxxxxx

TIP: If I had to use this script, the first thing I would do is remove the footers and all searchable references to CMS Made Simple and version numbers.

Now if you'd like to tell OUR client that you cocked up and used an insecure cms system and did not CHMOD the files to the correct permissions I would be grateful.

And the next time you offer to do a web site for FREE just think about this one. It happens every time, they come back and bite you. I know that from hard experience.

How would you feel if she left your accounts, statements and other private information in the street for all to see?

Citrus.

[calguy1000]

CMS 1.1.3.1 was released over the weekend.  Please upgrade.

[citrus]

CMS 1.1.3.1 was released over the weekend.  Please upgrade.

Thanks,

We were already working on the update as you replied.

Your signature is so appropriate to this thread, LOL

Citrus.