Security – I've been hacked [solved]

For questions and problems with the CMS core. This board is NOT for any 3rd party modules, addons, PHP scripts or anything NOT distributed with the CMS made simple package itself.
howey
Forum Members
Posts: 158
Joined: Fri Sep 14, 2007 1:05 pm

Security – I've been hacked [solved]

Post by howey »

Has anybody had any problems with security? My site was hacked recently and I am trying to find out where the problem may lie. The site is hosted on a reseller account with Fasthosts. They had a security issue last year but they seem to have safeguarded against this.

The only issue I can find is that the config file defaults back to 644 and won't stay set at 444.

Any suggestions or advice would be gratefully received.  :-[

I have since found these notes helpful:

http://forum.cmsmadesimple.org/index.php/topic,18584.15.html

http://forum.cmsmadesimple.org/index.php/topic,19660.new.html
Last edited by howey on Wed Feb 20, 2008 4:35 pm, edited 1 time in total.
alby

Re: Security – I've been hacked

Post by alby »

howey wrote: Any suggestions or advice would be gratefully received.  :-[
You don't say much about your version....
If you have CMSMS < 1.2.3, upgrade now.

Alby
howey
Forum Members
Posts: 158
Joined: Fri Sep 14, 2007 1:05 pm

Re: Security – I've been hacked

Post by howey »

Sorry I should have said which version – I think it was 1.1.2

Any further comments would be welcome, as I am running another site but that uses version 1.2.2.
alby

Re: Security – I've been hacked

Post by alby »

Upgrade to 1.2.3 because there are security problems.

Alby
Pierre M.

Re: Security – I've been hacked

Post by Pierre M. »

Hello,

howey, you are shooting yourself in the foot as you are running old unsupported releases. The latest official stable release is the only usable one and fixes bugs and security issues.

Pierre M.
howey
Forum Members
Posts: 158
Joined: Fri Sep 14, 2007 1:05 pm

Re: Security – I've been hacked

Post by howey »

I shall upgrade all my CMS systems.

For information in case it is useful, I looked at the web logs and there was a lot of activity with posts to the lib directory

/lib/adodb_lite/beta.php


shows the beta.php, the first post was to the temp.php

This is the first activity

xxxxxxxxxxxxx
This info may be useful – I don't know.

Any advice on how to make the system more secure, in addition to the upgrade, would be welcome.
Last edited by Rolf on Mon Apr 02, 2012 7:41 am, edited 1 time in total.
Reason: removed possible hacked code/links
Pierre M.

Re: Security – I've been hacked

Post by Pierre M. »

Hello again,
howey wrote:

xxxxxxxxx
This info may be useful – I don't know.

Any advice on how to make the system more secure, in addition to the upgrade, would be welcome.
Yes, thank you, it is useful: I can't see a valid reason to allow POSTs on /lib/ado...
Hence one more idea for a URL filtering rule: limit to GET via .htaccess in /lib/ado...

Pierre M.
Last edited by Rolf on Mon Apr 02, 2012 7:57 am, edited 1 time in total.
Reason: removed hacked code/links
nivekiam

Re: Security – I've been hacked

Post by nivekiam »

I don't see any files named "beta.php" or "temp.php" in my adodb_list directory.  I'm running 1.2.3 and have never run an older version, so I don't know if those used to be there.  If not, then I'd try to figure out how and when those files got put there, and I'd also remove them.
Pierre M.

Re: Security – I've been hacked

Post by Pierre M. »

Pierre M. wrote: Hence one more idea of rule to URL Filtering : Limit to GET via .htaccess in /lib/ado...
Silly me. Maybe no web access at all is needed to /lib, but only local "include" access, hence allow from 127.0.0.1 and deny from elsewhere.
nivekiam wrote: I don't see any files named "beta.php" or "temp.php" in my adodb_list directory.... I'd try to figure out how and when those files got put there and I'd also remove.
Yes, and maybe security requires more radicalism: back up the database, back up the files (including the poison), wipe out all files and folders, re-upload a sane official package and rerun the install wizard without checking the box to create the database objects, to keep them. Then reinstall extra modules. And upgrade. And back up.

Pierre M.
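
An added example, not code from any poster in this thread: a Python script for the log check howey describes, listing POST requests to scripts under /lib/ together with the time each script was first hit. It assumes the Apache combined log format; the sample lines, addresses and timestamps are constructed, and temp.php is assumed to sit in the same directory as beta.php.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/NCSA combined log: host ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def posts_under(lines, prefix="/lib/"):
    """Group POST requests whose path falls under `prefix`, per script, in time order."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue                                # unparsable line or not a POST
        path = m["path"].split("?", 1)[0]           # ignore the query string
        if not path.startswith(prefix):
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[path].append((when, m["host"], int(m["status"])))
    return {p: sorted(v) for p, v in hits.items()}

def report(lines, prefix="/lib/"):
    """Return (path, first_seen, count, client_hosts) rows, earliest first hit first."""
    rows = [(p, v[0][0], len(v), sorted({h for _, h, _ in v}))
            for p, v in posts_under(lines, prefix).items()]
    return sorted(rows, key=lambda r: r[1])

# Constructed sample log lines (documentation-range addresses, invented timestamps).
SAMPLE = """\
192.0.2.10 - - [12/Feb/2008:03:14:07 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Feb/2008:03:15:22 +0000] "POST /lib/adodb_lite/temp.php HTTP/1.1" 200 312 "-" "-"
198.51.100.7 - - [12/Feb/2008:03:16:40 +0000] "POST /lib/adodb_lite/beta.php HTTP/1.1" 200 87 "-" "-"
203.0.113.5 - - [12/Feb/2008:04:02:11 +0000] "POST /lib/adodb_lite/beta.php?x=1 HTTP/1.1" 200 87 "-" "-"
192.0.2.10 - - [12/Feb/2008:04:05:00 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for path, first, count, hosts in report(SAMPLE):
        print(f"{first.isoformat()}  {count:3d} POST(s)  {path}  from {', '.join(hosts)}")
```

The earliest row gives a starting timestamp for checking when the unknown files appeared on disk, and any script listed that is not in the official package is a candidate for removal.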
howey
Forum Members
Posts: 158
Joined: Fri Sep 14, 2007 1:05 pm

Re: Security – I've been hacked [solved]

Post by howey »
