
Re: Multiple Hacking Attacks on my CMSMS Web Site

Posted: Tue Feb 19, 2008 1:42 pm
by nivekiam
1) Have you changed your passwords?

2) Have you checked your HTTP logs to see if they are actually coming in via your website or via another way, like logging in under your account?

3) Does your host run accounts in a jailed (chrooted or suexec) environment?

4) Do you have other scripts on your site installed?  I noticed you have at least some other search engine.  Have you verified that those scripts are up to date and don't have any known security holes?


[edit]  There also appear to be several threads about something similar going on right now.  I'd check them out too, as there is some advice in there:
http://forum.cmsmadesimple.org/index.ph ... 514.0.html
http://forum.cmsmadesimple.org/index.ph ... 595.0.html

Re: Multiple Hacking Attacks on my CMSMS Web Site

Posted: Tue Feb 19, 2008 5:02 pm
by nivekiam
What version of CMSms were you running before upgrading?

You might want to re-think MidPhase, but you might have better luck, maybe:
http://forum.cmsmadesimple.org/index.ph ... l#msg95795

Looks like the hacker somehow got some files on your site and used those to do their hacking.

To block web access to /lib here is a quick and dirty fix:

Put an .htaccess file in /lib and put this in it.
EDIT (corrected per the proper way as posted in the sticky here):

order deny,allow
deny from all
# allow files .js in /lib avoiding errors related to js calling e.g. tag {startExpandCollapse}
<FilesMatch "\.js$">
Order deny,allow
  Allow from all
</FilesMatch>

In my playing around and testing, I don't see a need to specifically allow from an internal IP address, IOW, nothing appeared broken once you allowed javascript files to be served to anyone.

[END EDIT]


More info here:
http://corz.org/serv/tricks/htaccess.php

Search Google; there is a ton of info on using the Files, Directory and Location directives and .htaccess.

Re: Multiple Hacking Attacks on my CMSMS Web Site

Posted: Wed Feb 20, 2008 6:35 pm
by Pierre M.
Hello,

Just about
There were also a couple of perl scripts that it was invoking too in the same directory, which have also been wiped: Mohajer22-perl.pl and N3tsh_backconn.pl
Consider wiping all your hosting account, including hidden files and folders, not only the strangers you find: there can be others you don't find. Then reupload a sane latest official package (from scratch) and rerun the installer without checking the checkbox "create tables..." to keep your existing database content. Back up before, of course.

Maybe the filtering rules could be improved to deny '.pl'-postfixed script names.

PierreM.

Re: Multiple Hacking Attacks on my CMSMS Web Site

Posted: Thu Feb 21, 2008 4:31 pm
by nivekiam
Yeah, that was a quick and dirty, untested hack; I didn't realize what I did until after I started seeing the errors.

There is a sticky at the top of this forum that shows another way:
http://forum.cmsmadesimple.org/index.ph ... 660.0.html

I'll edit my post so other people don't follow my bad advice ;)

Re: Multiple Hacking Attacks on my CMSMS Web Site

Posted: Sat Feb 23, 2008 3:32 am
by milehigh
You should consider removing the CMSMS version info from your footer. If a security hole is found in that version you are broadcasting to the whole google world that you are running that vulnerable version.

Re: Multiple Hacking Attacks on my CMSMS Web Site

Posted: Thu Jul 17, 2008 8:22 pm
by bubba
© Copyright 2004-2008 - CMS Made Simple
This site is powered by CMS Made Simple version 1.2.3

What version is no longer vulnerable to these hacks?
I have a few installs of the above version.
b

Re: Multiple Hacking Attacks on my CMSMS Web Site

Posted: Fri Jul 18, 2008 4:34 am
by Dr.CSS
You should be running at least 1.2.5, but 1.3.1 would be best...

Re: Multiple Hacking Attacks on my CMSMS Web Site

Posted: Tue Oct 07, 2008 10:52 pm
by goallblacks
For what it's worth: after being hacked for the third time in 3 days, I upgraded to 1.4.1 and was hacked again!

Thorough searching of the log files identified a call to ...../modules/FileManager/postlet/require.php that took place when most people doing updates would be asleep.

Exploring this and following its code showed me that the FileManager had been replaced by a "new" version that allowed access to the system.

This "new" Filemanager works exactly the same as the old one so it is not discernible in day to day operation. It has additional "features" that allowed hackers uncontrolled access to the servers directories.

The files to look for (in postlet directory) are:
  • LICENCE
  • README
  • [PATH TO UPLOAD DIRECTORY].php.dhtml
  • index.html
  • list.txt
  • mod_test.php
  • r.php
  • require.php
In particular, r.php is a giveaway.

Solution: delete FileManager and install a completely clean version.

Prevention: keep releases up to date.

Note: it is worthwhile checking the rest of the site for evidence of this hack. I did a search for r.php... and found nothing.

Other measures worth considering:

Change the name of the admin directory to something random; a good tool can be found at http://www.pctools.com/guides/password/. If you do this you will need to change the config.php file.

Create a non-display page with the link to the new admin page, opening to "_blank". Give this page/link to editors, etc. and let them use this to find the admin page; you can then change it without having to tell everybody, just change the link on the "hidden" page to the new directory.
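
The two checks goallblacks describes above (a log search for calls into modules/FileManager/postlet/ and a look for the listed indicator files) as a script. This is an added example, not code from the forum thread or from CMS Made Simple; the sample access-log lines, the demo postlet directory and the 00:00-05:59 "off hours" window are constructed assumptions for the demo, and the request pattern assumes Apache combined log format.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from CMS Made Simple.
# Two checks based on the post above: scan an Apache access log for requests
# into modules/FileManager/postlet/, and look for the indicator files the
# post lists in a postlet directory. All paths and log lines below are
# constructed for the demo; point the functions at a real log and a real
# modules/FileManager/postlet directory instead.

# Indicator file names from the post. "[PATH TO UPLOAD DIRECTORY].php.dhtml"
# is matched by its suffix because the prefix varies per install.
POSTLET_INDICATORS="LICENCE README index.html list.txt mod_test.php r.php require.php"

# Request-line pattern: any method, any .php under the postlet directory.
POSTLET_REQ='"[A-Z]+ /modules/FileManager/postlet/[^ "]*\.php'

# Constructed sample log (combined format, fake addresses from 198.51.100/24
# and 203.0.113/24). Two postlet .php requests, one of them at 03:14.
SAMPLE_LOG='198.51.100.7 - - [07/Oct/2008:03:14:22 +0000] "POST /modules/FileManager/postlet/require.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [07/Oct/2008:09:01:10 +0000] "GET /index.php?page=home HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Oct/2008:14:02:51 +0000] "GET /modules/FileManager/postlet/r.php HTTP/1.1" 200 91 "-" "Mozilla/4.0"
203.0.113.9 - - [07/Oct/2008:11:20:44 +0000] "GET /modules/FileManager/postlet/postlet.jar HTTP/1.1" 200 44031 "-" "Mozilla/5.0"'

# postlet_indicators DIR: print one line per indicator file present in DIR.
postlet_indicators() {
    dir=$1
    for name in $POSTLET_INDICATORS; do
        [ -e "$dir/$name" ] && echo "INDICATOR $dir/$name"
    done
    for f in "$dir"/*.php.dhtml; do
        [ -e "$f" ] && echo "INDICATOR $f"
    done
    return 0
}

# count_postlet_indicators DIR: number of indicator files found.
count_postlet_indicators() {
    postlet_indicators "$1" | grep -c . || true
}

# postlet_log_hits LOGFILE: access-log lines requesting a .php in postlet/.
postlet_log_hits() {
    grep -E "$POSTLET_REQ" "$1" || true
}

# count_postlet_log_hits LOGFILE: number of such lines.
count_postlet_log_hits() {
    postlet_log_hits "$1" | grep -c . || true
}

# off_hours_hits LOGFILE: postlet hits whose request hour is 00-05 (the post
# noted the call came "when most people doing updates would be asleep").
# Field 4 of a combined-format line is "[07/Oct/2008:03:14:22"; the hour
# is the second ':'-separated piece.
off_hours_hits() {
    postlet_log_hits "$1" | awk '{ split($4, t, ":"); if (t[2] + 0 <= 5) print }'
}

# Demo on a constructed postlet directory and the sample log.
demo=$(mktemp -d)
mkdir -p "$demo/postlet"
: > "$demo/postlet/r.php"
: > "$demo/postlet/require.php"
: > "$demo/postlet/uploads.php.dhtml"
printf '%s\n' "$SAMPLE_LOG" > "$demo/access.log"

echo "indicator files in $demo/postlet: $(count_postlet_indicators "$demo/postlet")"
postlet_indicators "$demo/postlet"
echo "postlet .php requests in log: $(count_postlet_log_hits "$demo/access.log")"
echo "of which between 00:00 and 05:59:"
off_hours_hits "$demo/access.log"
rm -rf "$demo"
```

The indicator list is only as good as the post it comes from: index.html and README are plausible in a clean install too, so treat a hit there as a prompt to diff the file against the package rather than as proof on its own. The log pattern deliberately ignores non-PHP requests into postlet/, since the applet's own assets are expected traffic.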

Re: Multiple Hacking Attacks on my CMSMS Web Site

Posted: Wed Oct 08, 2008 7:02 am
by alby
goallblacks wrote: For what it's worth: after being hacked for the third time in 3 days, I upgraded to 1.4.1 and was hacked again!
You can have bad scripts in files or in the DB.
Here is the importance of a good cleaning...
Read this post for a few steps.

Alby

Re: Multiple Hacking Attacks on my CMSMS Web Site

Posted: Wed Oct 08, 2008 3:10 pm
by Pierre M.
Hello,
goallblacks wrote: ...Exploring this and following its code showed me that the FileManager had been replaced by a "new" version that allowed access to the system.
Thank you very much for this feedback. It would be even better if we could discover HOW "the FileManager had been replaced". If you have some hint on the topic from your hosting provider or your HTTP logS, please disclose it privately to the DevTeam.
goallblacks wrote: Solution: delete FileManager and install a completely clean version.
I disagree on this one; more precisely, I suggest to delete-erase-wipe-remove everything to restart from a known sane state. For example: the hosting provider closes the cracked hosting space and opens a new fresh empty one.
goallblacks wrote: Prevention: keep releases up to date.
Yes, well said. Keep exposed software up to date. Read and apply security hints.

I count much upon preventive URL filtering. "Deny from all" helps a lot in sensitive folders.
Thank you again for the diagnostic from the logS.

Pierre M.
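
Pierre M.'s advice to restart from a known sane state, and goallblacks' report of a replaced FileManager that "works exactly the same", both come down to one question: which files in the deployed tree differ from the official package? Below is an added example (not code from the forum thread or from CMS Made Simple) that hashes a pristine extracted release and the live site and reports added, modified and missing files. The demo trees, the module file name action.admin.php and the exclusion list (config.php, uploads/, tmp/) are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from CMS Made Simple.
# Compares a deployed site tree against a freshly extracted copy of the same
# official release and lists files that were added, modified or removed.
# A replaced module that "works exactly the same" still differs byte-for-byte
# from the package, and a dropped script shows up as a file the package never
# shipped. The demo trees built below are constructed; real use is
#   tree_diff /path/to/pristine/cmsmadesimple-1.4.1 /var/www/site
# Per-site files that legitimately differ (config.php, uploads/, tmp/) are
# skipped; adjust the find(1) exclusions for your layout.

if command -v sha256sum >/dev/null 2>&1; then
    HASH_CMD=sha256sum
else
    HASH_CMD="shasum -a 256"   # macOS / BSD fallback
fi

# hash_tree DIR: one "relative/path<TAB>sha256" line per regular file.
hash_tree() {
    ( cd "$1" || exit 1
      find . -type f ! -path './config.php' ! -path './uploads/*' ! -path './tmp/*' \
      | LC_ALL=C sort \
      | while IFS= read -r f; do
            sum=$($HASH_CMD "$f")
            printf '%s\t%s\n' "${f#./}" "${sum%% *}"
        done )
}

# tree_diff CLEAN DEPLOYED: prints "ADDED", "MODIFIED" or "MISSING" plus path.
# (Relies on the clean package being non-empty: the FNR==NR idiom treats the
# first awk input file as the reference set.)
tree_diff() {
    ref=$(mktemp); cur=$(mktemp)
    hash_tree "$1" > "$ref"
    hash_tree "$2" > "$cur"
    awk -F'\t' '
        FNR == NR { clean[$1] = $2; next }
        {
            seen[$1] = 1
            if (!($1 in clean))       print "ADDED\t" $1
            else if (clean[$1] != $2) print "MODIFIED\t" $1
        }
        END { for (p in clean) if (!(p in seen)) print "MISSING\t" p }
    ' "$ref" "$cur" | LC_ALL=C sort
    rm -f "$ref" "$cur"
}

# build_demo_trees ROOT: constructed clean package and "deployed" site,
# mirroring the thread: same index.php, a replaced FileManager action file,
# an extra r.php under postlet/, a shipped lib file that went missing, and
# a config.php that differs but is ignored on purpose.
build_demo_trees() {
    root=$1
    mkdir -p "$root/clean/modules/FileManager" "$root/clean/lib" \
             "$root/site/modules/FileManager/postlet" "$root/site/lib"
    echo '<?php // front controller' > "$root/clean/index.php"
    cp "$root/clean/index.php" "$root/site/index.php"
    echo '<?php // original module code' > "$root/clean/modules/FileManager/action.admin.php"
    echo '<?php // replaced module code' > "$root/site/modules/FileManager/action.admin.php"
    echo '<?php // shipped helper'        > "$root/clean/lib/misc.php"
    echo '<?php // not in the package'    > "$root/site/modules/FileManager/postlet/r.php"
    echo 'db_password = one' > "$root/clean/config.php"
    echo 'db_password = two' > "$root/site/config.php"
}

demo=$(mktemp -d)
build_demo_trees "$demo"
tree_diff "$demo/clean" "$demo/site"
rm -rf "$demo"
```

Run the comparison from a machine you trust, against a package downloaded fresh from the project, not against a copy kept on the compromised host; and remember it only covers files, so the database content alby mentions still needs a separate look.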

Re: Multiple Hacking Attacks on my CMSMS Web Site

Posted: Wed Oct 08, 2008 6:36 pm
by goallblacks
Pierre M. wrote: Thank you very much for this feedback. It would be even better if we could discover HOW "the FileManager had been replaced". If you have some hint on the topic from your hosting provider or your HTTP logS, please disclose it privately to the DevTeam.
Sorry, cannot help here. By hacking the File Manager they made sure all upgrades, i.e. replacing known files, would propagate the hack.

I suspect it has been around for quite a while and was only activated recently. I have no idea how they got in. It's shared hosting, so maybe someone else is/was vulnerable.
Pierre M. wrote: I disagree on this one; more precisely, I suggest to delete-erase-wipe-remove everything to restart from a known sane state. For example: the hosting provider closes the cracked hosting space and opens a new fresh empty one.
You are absolutely correct, only there is only so much my customer would pay for, and it's their call.

Re: Multiple Hacking Attacks on my CMSMS Web Site

Posted: Fri Oct 10, 2008 4:30 pm
by Pierre M.
Hello again,
goallblacks wrote: I suspect it has been around for quite a while and only activated recently. I have no idea how they got in. Its shared hosting so maybe someone else is/was vulnerable.
Maybe a shared breach. Or maybe "around" since 1.2.x, using some known 1.2.4- vulnerability.
Have a nice weekend

Pierre