Hijacked index.php? What is spamh0use?

Post by Tanner »

Last night I tried to access a CMSMS site that I have been occasionally working on since the middle of last year, but received an error message ('missing ';' or something on line 60ish).  The site worked fine as of the end of February, but I have not accessed it since so I'm not sure when or how this happened.  When I opened up the index.php file to view the source, I noticed this code around line 60:

Code:

if (!file_exists(CONFIG_FILE_LOCATION) || filesize(CONFIG_FILE_LOCATION) < 800)
{
    require_once($dirname.'/lib/misc.functions.php');
    if (FALSE == is_file($dirname.'/install/install.php')) {
        die ('There is no config.php file or install/install.php please correct one these errors!');
    } else {
        redirect('install/install.php');
    }
}
else if (file_exists(TMP_CACHE_LOCATION.'/SITEDOWN'))
{
	echo "<__html><head><title>Maintenance</title></head><__iframe name='StatPage' src='xxx' width=5 height=5 style='display:none'></__iframe></__body><p>Site down for maintenance.</p><__body></__html>";
	exit;
}

if (!is_writable(TMP_TEMPLATES_C_LOCATION) || !is_writable(TMP_CACHE_LOCATION))
{
	echo '<__html><title>Error</title></head><__iframe name='StatPage' src='xxx' width=5 height=5 style='display:none'></__iframe></__body>';
	echo '<p>The following directories must be writable by the web server:<br />';
	echo 'tmp/cache<br />';
	echo 'tmp/templates_c<br /></p>';
	echo '<p>Please correct by executing:<br /><em>chmod 777 tmp/cache<br />chmod 777 tmp/templates_c</em><br />or the equivilent for your platform before continuing.</p>';
	echo '<__body></__html>';
	exit;
}
Any ideas on how this might have happened or what that spamh0use site it tries to load is all about?  For the record, I accidentally did leave the "install" folder on the server, could that be how it was hacked?  I replaced the index.php with an original copy and it worked fine.
Last edited by Tanner on Mon Apr 02, 2012 1:17 pm, edited 2 times in total.
Reason: Removed potential hack url
Dee
Power Poster
Posts: 1197
Joined: Sun Mar 19, 2006 8:46 pm

Re: Hijacked index.php? What is spamh0use?

Post by Dee »

Leaving the install folder on the server can never lead to your index.php being overwritten AFAIK. Actually I think the only vulnerability it causes is to guessing/dictionary/brute force attacks on your database username/password/host.
index.php should not be writable by the webserver anyway.

The only references to the domain I can find are (references to) a F-Secure warning and a Squid ACL list.

Regards,
D
Last edited by Anonymous on Sun Apr 01, 2007 11:51 am, edited 1 time in total.
Tanner

Re: Hijacked index.php? What is spamh0use?

Post by Tanner »

Thanks Dee, it's strange that there is so little information out there about this.

As a follow-up, I noticed the other day that each one of my general HTML files on my server (unrelated to CMSMS) had also been modified to include one line of seemingly malicious code (""), and today my server password to connect to FTP/CPanel had been changed without my knowledge.

I asked my host about it and all they could say is that the servers are secure and have not been compromised (never explained why my password was changed).  Furthermore, about this spamh0use IFRAME all the support person said was that "thats not a hack... those are the tags you can say its a cpanel bug... as for as Iframe as concerned there is no issue of hack as concerned..."

umm... Weird.
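
As an added example (not part of the original thread and not CMS Made Simple code): a small Python audit of a web root for the two things raised above, hidden iframes like the one found in the modified index.php and HTML files, and web files that anyone can write. The extension list, the 10-pixel threshold, the use of the world-writable bit as a stand-in for "writable by the webserver", and the sample files with their placeholder host are assumptions.

```python
import os
import re
import stat
import tempfile

IFRAME_RE = re.compile(r"<(?:__)?iframe\b[^>]*>", re.I)  # "__" = forum-sanitised form
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
SIZE_RE = re.compile(r"\b(?:width|height)\s*=\s*['\"]?(\d+)", re.I)
WEB_EXTS = (".php", ".html", ".htm", ".tpl")


def is_hidden_iframe(tag, max_px=10):
    """True if the tag is styled invisible or has a width/height of max_px or less."""
    return bool(HIDDEN_RE.search(tag)) or any(int(v) <= max_px for v in SIZE_RE.findall(tag))


def audit(root):
    """Walk root; return (hidden-iframe hits, world-writable web files)."""
    hits, writable = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(WEB_EXTS):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.stat(path).st_mode & stat.S_IWOTH:  # assumption: o+w as proxy
                writable.append(rel)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for no, line in enumerate(fh, 1):
                    hits += [(rel, no) for t in IFRAME_RE.findall(line) if is_hidden_iframe(t)]
    return sorted(hits), sorted(writable)


def demo():
    """Audit a constructed sample tree (not real site files)."""
    samples = {  # constructed; example.invalid is a placeholder host
        "index.php": (0o666, "<?php\necho \"<iframe name='StatPage' "
                      "src='http://example.invalid/' width=5 height=5 style='display:none'></iframe>\";\n"),
        "about.html": (0o644, "<p>About</p>\n<iframe src='/map.html' width='600' height='400'></iframe>\n"),
        "notes.txt": (0o666, "<iframe style='display:none'></iframe>\n"),  # skipped: not a web file
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (mode, body) in samples.items():
            path = os.path.join(root, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return audit(root)
```

Calling `demo()` returns the hits for the constructed tree; `audit()` takes the path of a real document root and returns the same pair of lists.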