Have I been hacked??!!!! Heeelp!

herbshirt
Forum Members
Posts: 145
Joined: Thu Jul 26, 2007 3:47 am

Have I been hacked??!!!! Heeelp!

Post by herbshirt »

How on earth did someone insert Google Ads on my page? I found the code inserted into my template!

I've removed it now but how do I stop it happening again? Which file permissions? database password? admin login password?

??? :'(

Heeeelpp!!! Any suggestions on what to do greatly appreciated.
Last edited by herbshirt on Sun Feb 17, 2008 11:47 pm, edited 1 time in total.
alby

Re: Have I been hacked??!!!! Heeelp!

Post by alby »

herbshirt wrote: How on earth did someone insert Google Ads on my page? I found the code inserted into my template!

I've removed it now but how do I stop it happening again? Which file permissions? database password? admin login password?
You should understand "how" you have been hacked.
There are many possibilities:

- server hacked
- from another hacked site (on shared hosting) and config.php readable
- from another shared client in a poor hosting environment and config.php readable
- hacked through an old vulnerability (your CMSMS version?). Check your server access log for "strange" URLs
- stolen the admin password?
- ...

Alby
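Added example (not part of alby's post and not CMSMS code): one way to do the access-log check suggested above, flagging requests whose query string carries a URL, path traversal, a null byte or a script tag, plus POSTs into the admin directory from addresses you do not recognise. The heuristics, the `inc` parameter and the sample log lines are constructed for illustration; adjust `admin_dir` and `known_ips` to your site.

```python
import re
from urllib.parse import unquote

# Apache common/combined log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Heuristics chosen for this example (assumptions, not CMSMS signatures):
# values that rarely belong in the query string of a content site.
CHECKS = {
    "url-in-parameter": re.compile(r"=(?:https?|ftp)://", re.I),
    "path-traversal": re.compile(r"\.\.[/\\]"),
    "null-byte": re.compile(r"\x00"),
    "script-tag": re.compile(r"<\s*script", re.I),
}

def decode(value, rounds=2):
    """Percent-decode twice so double-encoded values are still inspected."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def triage(lines, admin_dir="/admin/", known_ips=()):
    """Return (line_number, client_ip, reasons) for each request worth a look."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        path, _, query = m["target"].partition("?")
        query = decode(query)
        reasons = [name for name, rx in CHECKS.items() if rx.search(query)]
        # POST into the admin area answered with 200/302 from an unfamiliar address.
        if (m["method"] == "POST" and path.startswith(admin_dir)
                and m["status"] in ("200", "302") and m["ip"] not in known_ips):
            reasons.append("admin-post-unknown-ip")
        if reasons:
            findings.append((number, m["ip"], reasons))
    return findings

# Constructed sample lines (documentation IP ranges, hypothetical "inc" parameter).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Feb/2008:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120',
    '198.51.100.7 - - [16/Feb/2008:10:05:40 +0000] "GET /index.php?inc=http://example.invalid/x.txt HTTP/1.1" 200 310',
    '198.51.100.7 - - [16/Feb/2008:10:05:44 +0000] "GET /index.php?inc=..%2F..%2Fconfig.php%2500 HTTP/1.1" 404 210',
    '203.0.113.5 - - [16/Feb/2008:10:09:13 +0000] "POST /admin/login.php HTTP/1.1" 302 -',
    '192.0.2.10 - - [16/Feb/2008:10:12:00 +0000] "POST /admin/login.php HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, known_ips={"192.0.2.10"}):
        print(finding)
```

A flagged line is a lead to read in context, not proof of compromise; the timestamp of the first admin POST from an unknown address is usually the most useful starting point.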
mikehenson
Forum Members
Posts: 24
Joined: Fri Dec 21, 2007 2:43 pm

Re: Have I been hacked??!!!! Heeelp!

Post by mikehenson »

If someone put Google Adverts on your site you should be able to find out who it was because the code will be unique to them as presumably they're trying to get revenue from clicks on your site?
herbshirt

Re: Have I been hacked??!!!! Heeelp!

Post by herbshirt »

Yes, I found the URL and sent them an email >:(.
I found cubics.com. I can't seem to find a relevant place to report them. I'm also having trouble finding a good step-by-step on how to update my site. I'm sure there'd be a post somewhere...?

I checked my config and it was set to 644, that's right isn't it?
cubix
Power Poster
Posts: 314
Joined: Mon Jul 09, 2007 10:00 am

Re: Have I been hacked??!!!! Heeelp!

Post by cubix »

my heart dropped for a second there.. not cubix :D
blast2007
Power Poster
Posts: 508
Joined: Wed Aug 01, 2007 5:36 pm

Re: Have I been hacked??!!!! Heeelp!

Post by blast2007 »

alby wrote: ...
- server hacked
- from another hacked site (on shared hosting) and config.php readable
- from another shared client in a poor hosting environment and config.php readable
- hacked through an old vulnerability (your CMSMS version?). Check your server access log for "strange" URLs
- stolen the admin password?
Alby
also:

- admin dir = /admin

is not very safe... rename this directory with a strange name, something like "AdMiNx3711atRdcX" that is not easy to guess, and furthermore protect this directory with .htpassword and .htaccess

You can read some more basic safety instructions on our Italian page. If you need, we could translate this page into English.

Best regards
blast
herbshirt

Re: Have I been hacked??!!!! Heeelp!

Post by herbshirt »

I'll do all that. Thanks again!

I would dearly love a translation. I think a lot of people could benefit...
herbshirt

Re: Have I been hacked??!!!! Heeelp!

Post by herbshirt »

I'm not sure what you mean... ".htpassword and .htaccess" ... I'll wait for the translation.

Also, when I change the name of the admin directory I have the feeling (obviously change my link to it etc etc) I'll need to change something elsewhere (config???)
alby

Re: Have I been hacked??!!!! Heeelp!

Post by alby »

herbshirt wrote: I'm not sure what you mean... ".htpassword and .htaccess" ... I'll wait for the translation.
View Apache docs (or google) for this

herbshirt wrote: Also, when I change the name of the admin directory I have the feeling (obviously change my link to it etc etc) I'll need to change something elsewhere (config???)
You must change name in config.php only

Alby
mikehenson

Re: Have I been hacked??!!!! Heeelp!

Post by mikehenson »

herbshirt wrote: Yes, I found the URL and sent them an email >:(.
I found cubics.com. I can't seem to find a relevant place to report them.

Their site is hosted by NETTICA.COM so that would be a good place to start and also report them to GOOGLE
Pierre M.

Re: Have I been hacked??!!!! Heeelp!

Post by Pierre M. »

Hello all,

as no CMSms version has been cited here, I'd like to stress two things:
- always run nothing but the latest official stable release on the wild Internet. Previous releases have known security bugs.
- harden your site with URL filtering and other .htaccess restrictions (like denying web access to /lib...).

Pierre M.
blast2007

Re: Have I been hacked??!!!! Heeelp!

Post by blast2007 »

herbshirt wrote: I'm not sure what you mean... ".htpassword and .htaccess" ... I'll wait for the translation.
To start with .htaccess and .htpassword, you can read this article; it's very useful and detailed.

Regards
blast
herbshirt

Re: Have I been hacked??!!!! Heeelp!

Post by herbshirt »

Thanks guys. I must admit, I wasn't actually aware of all of the above. I'm off to educate myself and take appropriate action!

(This is such a terrific forum)

Should this post become sticky??
nivekiam

Re: Have I been hacked??!!!! Heeelp!

Post by nivekiam »

Should this post become sticky??
Sticky? No, not IMO. A "securing" CMSms page on the wiki? Yes.

I think maybe if it were cleaned up and summarized, along with some other stuff from this thread http://forum.cmsmadesimple.org/index.ph ... .html, there would be some good info and it could be presented in a way to make it easy for someone to follow.

One question, were you running a version older than 1.2.3 when you were hacked?
herbshirt

Re: Have I been hacked??!!!! Heeelp!

Post by herbshirt »

A quick update - I'm devoting today to this topic and hopefully might accumulate something appropriate for the wiki.

So far,
* I reported to their host Nettica.com and Google.
* Changed my admin url (and in config)
* Checked config permission is set to 644
* Changed my admin password


Next I'll...
* go change my database password
* update to the latest version of cms ms (thanks to blast for some very useful pm's.)
* look into this: "harden your site with URL filtering and other .htaccess restrictions (like denying web access to /lib...)"