php scripts being accessed within the modules directory...[SOLVED]
-
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
Re: php scripts being accessed within the modules directory from remote site
if you're not running the latest version or the one before that, I hereby reserve the right to shake my finger vigorously at you in disdain.
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
Re: php scripts being accessed within the modules directory from remote site
I am running 1.6.4 but I have upgraded this many times so I guess older files may still be in the structure...?
So could/should I delete that whole folder?
-
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
Re: php scripts being accessed within the modules directory from remote site
those files should've been copied over with dummies a long time ago
yeah, I'd nuke the filemanager folder completely
and then re-upload it from the 1.6.4 package.
Re: php scripts being accessed within the modules directory from remote site
Calguy I did at least learn enough to keep up to date! I never used to worry about updating the core, but I got hacked once before and since then I always upgrade as soon as a new release comes out... However, maybe files got left behind after I upgraded? I am still learning a bit..!!
Re: php scripts being accessed within the modules directory from remote site
Any way to analyse the files there a bit? I have already taken IP and domain name from my visitor logs and banned that using htaccess, but any more info I could harvest would be great.
Seen a few references to bad things in those files - such as what looks like a Russian mail server :)
Re: php scripts being accessed within the modules directory from remote site
ok just doing that now (after doing backup just in case:))
Re: php scripts being accessed within the modules directory from remote site
hmm while I'm here, just realised something else: Last time I got hacked, I changed the name of my admin dir to something obscure. But I've just realised, the last few upgrades I've done to the core, if they had upgrades to the admin dir, it would have been copied in to the original name "admin" but I use "admin1234" could that cause problems as well??
-
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
Re: php scripts being accessed within the modules directory from remote site
if you rename the admin directory, then make the appropriate change in the config.php things will work.
If you then upload a new version (or worse a patch), without reversing the process first, then you'll end up with
two directories
admin1234 - contains all the old stuff including any potential security vulnerabilities
admin - contains just what you upload, would contain full versions from some releases, and diff releases from other releases depending upon what you uploaded.
so therefore.. you probably have a pooched install.
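An added example, not part of the thread or of the CMS Made Simple code base: a file-integrity audit for the two-directory situation described above, and for the earlier question about files left behind by upgrades. It compares a live tree with the unpacked release package, treating the renamed admin directory as the release's admin; the function names and every path and file body in demo() are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def tree_hashes(root, rename=None):
    """Return {relative path: SHA-256} for every file under root."""
    rename = rename or {}  # top-level directory name -> its name on the live site
    hashes = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            parts = list(p.relative_to(root).parts)
            parts[0] = rename.get(parts[0], parts[0])
            hashes["/".join(parts)] = hashlib.sha256(p.read_bytes()).hexdigest()
    return hashes

def audit(install_dir, release_dir, admin_dir="admin"):
    """Compare a live install with the unpacked release it should match."""
    live = tree_hashes(install_dir)
    clean = tree_hashes(release_dir, {"admin": admin_dir})
    return {
        # On disk but not in the release: leftovers, uploads, dropped scripts.
        "extra": sorted(live.keys() - clean.keys()),
        # In the release but not on disk: incomplete upload.
        "missing": sorted(clean.keys() - live.keys()),
        # Same path, different bytes: stale copy or modified file.
        "changed": sorted(f for f in live.keys() & clean.keys() if live[f] != clean[f]),
    }

def demo():
    """Build constructed sample trees mirroring the thread and audit them."""
    files = {
        "release/admin/index.php": "release 1.6.4",
        "release/modules/filemanager/index.php": "release 1.6.4",
        "site/admin1234/index.php": "older release",  # renamed dir, never updated
        "site/admin/index.php": "release 1.6.4",      # stray dir created by the upload
        "site/modules/filemanager/index.php": "release 1.6.4",
        "site/modules/filemanager/massmail2.php": "not in the release",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        return audit(Path(tmp, "site"), Path(tmp, "release"), admin_dir="admin1234")

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real site the "extra" list also contains legitimate files the release never shipped (config.php, uploads, third-party modules), so it is a triage list to review, not a delete list.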
Re: php scripts being accessed within the modules directory from remote site
so what do I do there? Could I not download the admin dir and upload it to admin1234 then all newer files get overwritten?
Or do I need to re-install? And if I did what are the implications/best procedures?
-
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
Re: php scripts being accessed within the modules directory from remote site
a) re-upload the whole 1.6.4
b) modify your config.php to point to the 'factory' admin directory
c) verify everything is working
d) remove your old admin1234 directory
e) rename admin to admin1234
f) modify the config.php appropriately
g) remember to restore everything to factory defaults before doing an upgrade.
Re: php scripts being accessed within the modules directory from remote site
by g) are you just referring to the admin thing, or is there anything else I need to restore?
-
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
Re: php scripts being accessed within the modules directory from remote site
the admin folder.
Re: php scripts being accessed within the modules directory from remote site
doing that now, but what would be the procedure to redo the file structure completely? As I have a few other issues anyway - namely that since I changed my server, the owner of the whole file structure is root - and I keep running into issues where my ftp account does not have the correct access to files...??
Re: php scripts being accessed within the modules directory from remote site
Hello,
davids355 wrote: ...there is a lot of files in this directory, some suspicious, in particular massmail2.php which sounds very suspicious!!
...Questions:
What should I do?
It seems you have been hacked. Please read http://forum.cmsmadesimple.org/index.ph ... 539.0.html (Recovering from an exploit). The small security guide in the wiki may help too.
Pierre M.