site hacked, not sure if CMS was the hole

[lancemuz]

My site was hacked whereby several files such as index.php had code inserted which displayed a nefarious site through an iframe.  I discovered the following in the apache log:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

My CMS is version 1.2.3. I'm not sure if my CMS software was vulnerable or if it could have been something else. Can anyone determine from the log file statements if it was CMS which was attacked?

[cnymike]

I had a similar experience a few months ago. Who is hosting your website? Does the webhost use cPanel? cPanel has had some security issues in the past and if your web host hasn't upgraded, perhaps this is a way the hacker got into your site.

Unfortunately there are many ways a site can get hacked such as leaving directories world writable and having your login information gleened from cross site scripting attacks.

I'm no expert on any of this by the way. But I've been a victim and you really need to be vigilant by checking your stats and logs frequently to ensure that no spikes in traffic, that could signal that something is awry, or other weird behaviors are noticed.

Michael

[nivekiam]

I would take a serious look at the optional settings for rewriting URLs.  Look at the URL filtering:
http://wiki.cmsmadesimple.org/index.php ... l_Settings

When I put the URL filtering in my htaccess and tried to enter a URL similar to what you posted from your logs, I got a 403 error so that might have stopped something like this.

I can't tell from what you posted if your site was hacked through CMSms.  Your user account could have been hacked, another script you have running on the site could have been hacked, there's too many variables here.

What ever happens I'd make sure you change your passwords for your user account, database, etc.  I'd make sure your database is not accessible remotely, only locally to your web server.

Do you know if Apache runs as your user account at your host?  Some people like that and think it's secure, but what happens is that any vulnerable script on your site can have 100% access to every file for your site.

[Pierre M.]

Hello,

I agree with nivekiam :
-A site enabling URL filtering blocks such requests (at the webserver level) before they reach PHP.
-We can't diagnose from what you show if CMSms is the hole or a collateral victim. An inplace security audit should tell it.

Pierre M.

[faglork]

So why not put the filter stuff into the .htaccess which is shipped with every version of CMSMS?

With a comment that if you do not want filtering simply delete these lines?

Cheers,
Alex

[nivekiam]

Simple, not everyone has the ability to use mod_rewrite.  I have yet to see a package of any software that's meant to run on more almost any server ship with rewrite rules enabled by default.  Some hosts don't even allow .htaccess files.  Though I suspect you probably wouldn't be able to get much more than a basic script running on those sorts of no-talent, clueless hosts.

Not only that, even if they shipped it with a .htaccess file that had rewrite rules wrapped by an IfModule statement, I don't think that would work on Windows servers running IIS.

Example:

RewriteEngine On

# Might be needed in a subdirectory
RewriteBase /cmsms/cmsmadesimple

# URL Filtering helps stop some hack attempts
#IF the URI contains a "http:"
RewriteCond %{QUERY_STRING} http\: [OR]


So then they would have to ship an .htaccess file with all lines commented out so everything would be off by default.

Although, those optional settings could be made a bit easier to find.  Perhaps I'll help out with the documentation project.

[faglork]

Simple, not everyone has the ability to use mod_rewrite.  I have yet to see a package of any software that's meant to run on more almost any server ship with rewrite rules enabled by default.  Some hosts don't even allow .htaccess files.  Though I suspect you probably wouldn't be able to get much more than a basic script running on those sorts of no-talent, clueless hosts.

Not only that, even if they shipped it with a .htaccess file that had rewrite rules wrapped by an IfModule statement, I don't think that would work on Windows servers running IIS.

I disagree. These are no valid reasons IMO.

IF there is a way to improve security for those with mod_rewrite enabled (which may be far more than you think, btw) - why should it be withheld?

"Equal insecurity for all"??

If you don't stumble upon the corresponding filter  thread in ths forum you may never know that a tested(!) set of filters already exists.

I still suggest adding the filters.

Cheers,
Alex

[giggler]

I agree, I think it should be in the default htaccess. You'll have to customize it to your usage anyway, but at lease the filter is there and you know it exist. I didn't know it existed until now...

[cnymike]

Sounds good to me too. Couldn't it be commented out, and then it would be easy to invoke it if you wanted to use it? It would be there for everyone, but would be turned off by default for those that could not use it?

[Pierre M.]

Hello all,

I understand you would like some URL filtering rules be pushed in the packaged .htaccess sample. I think it is a good idea if they are commented out by default.

Because one problem of this support forum is to deal with topics not intrinsicaly related to CMSms and URL filtering at the web server level is one of those topics. If rewriting/filtering were on by default we would have to deal with questions about third party software having stoped to work.

I'd like to underline that the pretty URLs and the URL filtering optional settings are linked to at the end of the installation procedure in the guide. I think NO security aware webmaster would NOT read this or have to find URL filtering via the forum.

Happy hardening, share your filtering rules in the wiki !

Pierre M.

[giggler]

Code: Select all

 If rewriting/filtering were on by default we would have to deal with questions about third party software having stoped to work.

so if I install something else (third party) in the directory or subdirectory, it will not work if the filter is there?

[Pierre M.]

I can't tell, it depends on how the third party is working.
For example filtering may prevent some modules to work.
Know your modules, know your third parties, use filtering after having tested it is ok for your context.

Pierre M.