CMS Made Simple Forums

davids355 wrote: Hmm strange, downloaded cmsmadesimple-1.4.1-full and then via ftp I uploaded for example admin/systeminfo.php (one of the ones that said checksum was bad) then rechecked in system verification and even with the original file uploaded to server, it still says the checksum is bad?? What now??

Possibly either the file was not uploaded correctly (its not an uncommon ftp problem), in which case try uploading it again and re-running the checksum. Or, the file permissions prevented you from uploading the correct file. Try to actually delete the problem file off the server and make sure it is actually deleted before you re-ftp the file and re-check.

If you are still having problems, try uploading the problem file to your server and then download it again to your local disk and do a file comparison [1] between the uploaded/downloaded file and the one in the original cmsmadesimple-1.4.1-full package to see what is different.

[1] e.g. http://www.winmerge.org/

Nick

This doesnt look right: firstly even though I have re-named the admin directory to admingfgfgfg (or similar) I find that now another folder has been created, again called admin, and in it, under lang/ext/.indipendan/ there are loads of perculiar looking files, here is a screenshot:

Ok I took for example admin/systeminfo.php
I backed it up then I deleted it from my cms directory.
then I uploaded the file from a freshly unziped cms1.4.1 tar, then I downloaded it to another location and I ran the downloaded file and the file from the tar through winMerge (Cool program by the way!) and they are identical. Then I did a verification in cms with the 1.4.1-full.dat checksum and it still showed that file as failing the checksum??

Anyway aside from that, see my last post, is this a problem? I am going to monitor things over the next day or two. But If those files are alien, am I best doing a clean install? If so how do I go about it? I have done a test restore before (incase of losing data) but how do I do a re-install without re-uploading the corrupt files?

Many thanks

davids355 wrote: This doesnt look right: firstly even though I have re-named the admin directory to admingfgfgfg (or similar) I find that now another folder has been created, again called admin, and in it, under lang/ext/.indipendan/ there are loads of perculiar looking files, here is a screenshot:

Bad thing, you must do a clean installation ...

Alby

How do I go about doing that? Obviously I still want all my content etc...??

davids355 wrote: How do I go about doing that? Obviously I still want all my content etc...??

Not exist a good guide, but:

- Export your DB

- a. If you have an other DB, import prev DB export in this new DB and use this in other steps, if not
  b. edit your export DB and substitute all tablenames [prefix]table with [newprefix]table (ex: cms_ -> cmsms) and check if you have exactly double tables in this DB and use this newprefix in other steps

- FTP a clean CMSMS in a subfolder (ex: test) from forge and all your modules (always from forge)
- install/index.php and in step 5 (with data in prev a. or b.) uncheck create tables .... and sample content ....
- install/upgrade.php
- if you have files in uploads folder, copy this files (BUT CHECK FIRST THOSE) in subfolder/uploads
- use this subdir and check for anomalies
- if all works (after BACKUP) drop your root install and move this installation from subfolder to root dir
- read this

Alby

So should there be no personal data stored in the file system? - As from what you are saying [summarised] I do a new install of cms (dont create tables) install modules, then I import my backed up database then run upgrade and Im ready to go? So I dont have to re-upload any of the old file system? (Which I assume is where any viruses would be help). Right?

davids355 wrote: So should there be no personal data stored in the file system?

yes, if you have files in upload folder, copy this files (BUT CHECK FIRST) in subfolder/uploads

davids355 wrote: - As from what you are saying [summarised] I do a new install of cms (dont create tables) install modules, then I import my backed up database then run upgrade and Im ready to go?

reverse, import DB in new DB or with new prefix table and after upolad (via FTP) CMSMS+other modules and after run install and upgrade

davids355 wrote: So I dont have to re-upload any of the old file system? (Which I assume is where any viruses would be help). Right?

yes, hacked file can be in:
1. CMSMS file (but you use a new and clean installation) or in a broken module
2. upload folder (copy images files only or GOOD personal files)
3. in DB (templates/UDT/...)

my prev post cover item 1 and 2 and you must check behavior of your site for be sure of 3
if you have skill you can check in DB dump for malicious code

Alby

Having major problems here: Although my admin directory has been renamed. the original admin folder has re-appeared (even though I had deleted it), and there is a file tree in there:
admin/lang/ext/de_DE/.independen/

There are loads of files in here, but I cant even delete the files or the folder because it says access denied, I cant even get into the .indipenden folder from ftp (access denied), when I look via ssl, .independen is not even visible (the de_DE directory appears empty). When I try removing de_DE (Using rmdir -rf) it says permission denied.

Firstly, Id like to get rid of this folder, secondly Id like to have a rough idea of how this could be happening (where is the security hole?), and thirdly if I have to reinstall, just want to confirm the steps:

Backup my sql database (I have spare databases so i can import this to a new db)
ftp a clean install of cms to a new folder
ftp all modules
Run install.php but dont create tables
run upgrade.php
then from my backed up file structure, I only need to restore files from uploads folder (Everything else is unnecesary) is this right? then check all is working?

davids355 wrote: Firstly, Id like to get rid of this folder, secondly Id like to have a rough idea of how this could be happening (where is the security hole?), and thirdly if I have to reinstall, just want to confirm the steps:

First: Have you tried with FileManager module?
Second: there is an bad script, malware in DB, from other site in same server (shared server), ........
Third:

davids355 wrote: Backup my sql database (I have spare databases so i can import this to a new db)
Backup File site
ftp a clean install of cms to a new folder
ftp all modules
Run install.php but dont create tables
run upgrade.php
then from my backed up file structure, I only need to restore files from uploads folder (Everything else is unnecesary) is this right?
And If you have other files (ex: in images/ folder or personal folder)

Alby

Just tryed file manager, it gain access to the folder (.independen) but still cannot delete the folder or the files with in - same permission denied.

What to do now? That folder is on my server and it seems theres no way to delete it!

davids355 wrote: What to do now? That folder is on my server and it seems theres no way to delete it!

If you have shell access (I think because you said rmdir -rf), check owner/group with ls -al

Alby

OK great, I done this and found the directory could be read only (No write or execute permissions).

Also learnt something that you probably already no - with a directory, the execute permission indicates the ability to browse the direcory - which is why when I gave read and write permissions I still couldnt delete it, even with -rf. Gave execute permission then I was able to delete it! I have now kept this old admin dir, password protected it and also given no permissions to public. Hopefully this might stop the intruder? And if files still apear in there, does it indicate that they are gaining access in a particular way?

Would you still recommend a re-install?

davids355 wrote: Would you still recommend a re-install?

With hack files is ALWAYS recommend (you don't know exactly if there are other hidden files or modify)

Alby

Ok thats what Il have to do then. Thanks alot for all the help!