I was hacked. I found a file I don't recognize.

dmgd
Forum Members
Posts: 115
Joined: Tue Jun 06, 2006 1:10 pm

I was hacked. I found a file I don't recognize.

Post by dmgd »

Yes, sadly I was.  The hacker added a file called db.inc.php in a dir I think.  Is this really a file to allow remote access?
Mark
alby

Re: I was hacked. I found a file I don't recognize.

Post by alby »

dmgd wrote: Yes, sadly I was.  The hacker added a file called db.inc.php in a dir I think.  Is this really a file to allow remote access?
You should look at the source to see what it does.
My advice is to rename the file, move it to another folder and check your server log.
Read this topic

Alby
Pierre M.

Re: I was hacked. I found a file I don't recognize.

Post by Pierre M. »

Hello,

I agree with Alby: you should audit the situation (what is in there, what is in the logs...)

My advice: do this audit OFFline (on a copy), then wipe out everything online and restore from a sane backup or a fresh install.

Pierre M.
dmgd

Re: I was hacked. I found a file I don't recognize.

Post by dmgd »

Here is the last entry in the log file from the hacker.  Got any idea what this means?
xxxxxxxxxxxxxxxxxx
Last edited by Rolf on Mon Apr 02, 2012 7:35 am, edited 1 time in total.
Reason: removed hacked code/links
Mark
Maki
Forum Members
Posts: 25
Joined: Sun Mar 09, 2008 8:39 pm

Re: I was hacked. I found a file I don't recognize.

Post by Maki »

It just means that in date/time [14/Mar/2008:11:03:05 -0500] someone with (apparently) Firefox 2.0.0.12 under Win XP coming from the IP 88.240.125.230 requested the file "/stylesheet.php?templateid=20&mediatype=screen" while displaying the page

Nothing useful, I think.
You should search the first entries from the attacker, to know how he cracked the system. By any chance are you still using CMSms 1.2.2? There is a known vulnerability.

After wiping out and before reinstalling remember to change every password (login, server account, database).
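Maki's reading of the log line above and the advice to go back to the attacker's first entries can be automated. The following is an added example, not code from the thread or from CMS Made Simple: it parses Apache "combined" format lines, finds where each client address started, lists one address's requests in order, and counts how many login-form POSTs preceded the first successful admin page, which is the difference between password guessing and someone arriving with working credentials. The log lines are constructed (RFC 5737 documentation addresses, not the address from the thread), and the assumption that a successful login answers the POST with a 302 is an assumption about this particular application.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Apache "combined" log format, the layout Maki decoded above:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log, not dmgd's real one. Addresses are RFC 5737
# documentation ranges; the sequence mirrors the thread: front page, then
# admin/login.php, then admin pages. The 302 on the POST is an assumption
# about how a successful login behaves in this application.
UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) "
      "Gecko/20080201 Firefox/2.0.0.12")
SAMPLE_LOG = "\n".join([
    '198.51.100.7 - - [14/Mar/2008:10:55:00 -0500] "GET /index.php?page=contact HTTP/1.1" 200 4000 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    f'192.0.2.10 - - [14/Mar/2008:11:01:50 -0500] "GET / HTTP/1.1" 200 5120 "-" "{UA}"',
    f'192.0.2.10 - - [14/Mar/2008:11:02:01 -0500] "GET /admin/login.php HTTP/1.1" 200 2048 "http://mydomain.com/" "{UA}"',
    f'192.0.2.10 - - [14/Mar/2008:11:02:05 -0500] "POST /admin/login.php HTTP/1.1" 302 0 "http://mydomain.com/admin/login.php" "{UA}"',
    f'192.0.2.10 - - [14/Mar/2008:11:02:06 -0500] "GET /admin/index.php HTTP/1.1" 200 9000 "http://mydomain.com/admin/login.php" "{UA}"',
    f'192.0.2.10 - - [14/Mar/2008:11:03:05 -0500] "GET /stylesheet.php?templateid=20&mediatype=screen HTTP/1.1" 200 1200 "http://mydomain.com/admin/index.php" "{UA}"',
])


def parse_combined(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    parts = e["request"].split(" ")
    e["method"] = parts[0]
    e["path"] = urlsplit(parts[1]).path if len(parts) > 1 else ""
    return e


def parse_log(text):
    """All parsable lines, oldest first, so 'first entry' questions are easy."""
    entries = (parse_combined(l) for l in text.splitlines() if l.strip())
    return sorted((e for e in entries if e), key=lambda e: e["time"])


def first_request_by_ip(entries):
    """Earliest entry per client address: where each visitor started."""
    first = {}
    for e in entries:
        first.setdefault(e["ip"], e)
    return first


def timeline(entries, ip):
    """(method, path, status) for every request from one address, in order."""
    return [(e["method"], e["path"], e["status"]) for e in entries if e["ip"] == ip]


def login_posts_before_admin_access(entries, ip, login_path="/admin/login.php",
                                    admin_prefix="/admin/"):
    """Count login-form POSTs before the first 200 on another admin page.
    Many POSTs look like guessing; a single one looks like someone who already
    had the credentials. Returns (posts, reached_admin). This is a heuristic,
    and the address, user-agent and referer can all be forged, as Pierre M.
    notes later in the thread."""
    posts = 0
    for e in entries:
        if e["ip"] != ip:
            continue
        if e["path"] == login_path:
            if e["method"] == "POST":
                posts += 1
        elif e["path"].startswith(admin_prefix) and e["status"] == 200:
            return posts, True
    return posts, False


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for ip, e in first_request_by_ip(log).items():
        print(f"{ip} first seen {e['time']:%Y-%m-%d %H:%M:%S} {e['method']} {e['path']}")
    for step in timeline(log, "192.0.2.10"):
        print("  ", *step)
    print("login POSTs before admin access:", login_posts_before_admin_access(log, "192.0.2.10"))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the first entry per address is usually the most informative one, because it shows whether the visitor came in through the front page, straight to the admin login, or through some other script.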
dmgd

Re: I was hacked. I found a file I don't recognize.

Post by dmgd »

88.240.125.230 was the hacker's IP address.

I am running 1.2.3

The first entry was to mydomain.com.  The second through eighth entries were admin/login.php.  After that they changed the admin user name and password and all the global settings.  It seems pretty benign and that is what has me worried.  There must be something I am missing.

The site was not that secure and I take full responsibility for the lack thereof.  I have since followed these suggestions.
http://forum.cmsmadesimple.org/index.php/topic,19660.new.html
Mark
alby

Re: I was hacked. I found a file I don't recognize.

Post by alby »

dmgd wrote: The second through eighth entries were admin/login.php  After that they changed the admin user name and password
Can you post those entries?
Have you used a standard login/password?

Alby
Maki

Re: I was hacked. I found a file I don't recognize.

Post by Maki »

Actually, looking at http://www.cyberfatal.com/bak.php/?id=6536, it looks like they cloned your stuff (S****ook Tourism, is it that?) or made some trick to use your server from another host. I'm not too expert in this kind of thing, so I don't know what they are trying to gain, but I'm pretty sure it's not benign..
dmgd

Re: I was hacked. I found a file I don't recognize.

Post by dmgd »

Yep, that b**^&#d.  Change the id number and you see another site.
Mark
nivekiam

Re: I was hacked. I found a file I don't recognize.

Post by nivekiam »

Unless you've restored already, I don't see how your site was hacked.  Looks to me like he mirrored your site.

But as alby posted, can you post all of the entries from your log where he was hacking your site?  If there is a vulnerability letting the devs know about it is the only way to fix it.

As for what you are missing, here is what I would do, though it is a pain.

change all user names and passwords, database username and password as well.

backup your database

maybe depending on how many pages you have, I count 19, go to each page in the admin, like you were going to edit each one and copy the content to plain text files.  I'd do the same with your menu code and style sheets and any UDTs you have.

backup your files

remove everything

reinstall CMSms from a fresh download

restore your settings

restore your pages from the static files, or if you're feeling brave and feel that there is no "bad" stuff left behind in the database, do a restore from your backup of the database.
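Before the "remove everything" step in the procedure above it is worth recording exactly which files the intruder left behind, because that list is what the devs and the server log analysis need. The following is an added example, not code from the thread or from the CMS Made Simple project: it compares an installed tree against a fresh download of the same version and reports files only present in the install (a stray db.inc.php, say), shipped files that went missing, and shipped files whose bytes changed. The directory layout it builds is constructed for the demonstration, and the assumption that config.php is the one shipped file that legitimately differs is an assumption; add any other site-specific files to that set.

```python
import filecmp
import os
import tempfile

# Files that legitimately differ between a download and a working install.
# Assumption: config.php carries the site-specific settings; extend as needed.
EXPECTED_DIFF = {"config.php"}


def list_files(root):
    """Relative paths (forward slashes) of every regular file under root."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            found.add(rel.replace(os.sep, "/"))
    return found


def compare_trees(fresh, installed, expected_diff=EXPECTED_DIFF):
    """Report files only in the install (attacker drop-ins such as the
    db.inc.php in the thread), shipped files that are missing, and shipped
    files whose content changed. Byte comparison, not just size/mtime."""
    a, b = list_files(fresh), list_files(installed)
    report = {"extra": sorted(b - a), "missing": sorted(a - b), "modified": []}
    for rel in sorted(a & b):
        if rel in expected_diff:
            continue
        if not filecmp.cmp(os.path.join(fresh, rel), os.path.join(installed, rel), shallow=False):
            report["modified"].append(rel)
    return report


def _write(path, text, mode="w"):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(text)


def make_demo(root):
    """Constructed trees: a clean download and a tampered install.
    The layout is illustrative, not the real CMSms file list."""
    for tree in ("fresh", "installed"):
        _write(os.path.join(root, tree, "index.php"), '<?php echo "site";\n')
        _write(os.path.join(root, tree, "lib", "functions.php"), "<?php function helper() {}\n")
    _write(os.path.join(root, "fresh", "config.php"), '<?php $db_host = "localhost";\n')
    _write(os.path.join(root, "installed", "config.php"), '<?php $db_host = "db.internal";\n')
    # the intrusion as the thread describes it: one file that is not in the
    # download; the appended line on a shipped file is an added assumption
    _write(os.path.join(root, "installed", "lib", "db.inc.php"), "<?php /* not in the download */\n")
    _write(os.path.join(root, "installed", "index.php"), "// appended line\n", mode="a")
    return os.path.join(root, "fresh"), os.path.join(root, "installed")


def demo():
    """Build the constructed trees in a temp dir and return the report."""
    with tempfile.TemporaryDirectory() as root:
        fresh, installed = make_demo(root)
        return compare_trees(fresh, installed)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(kind.upper(), p)
```

Point compare_trees() at the unpacked fresh download and at the offline copy of the hacked site (Pierre M.'s advice to audit a copy applies: run this on the copy, not on the live server). Anything in "extra" or "modified" that you cannot explain is what to read through and to pair with the log entries.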
dmgd

Re: I was hacked. I found a file I don't recognize.

Post by dmgd »

See attached.
Last edited by dmgd on Tue Mar 18, 2008 5:20 pm, edited 1 time in total.
Mark
nivekiam

Re: I was hacked. I found a file I don't recognize.

Post by nivekiam »

Hm, well I don't see anything odd.  Looking at one of my logs for comparison here is what I see:

He hit your main page

Then he went directly to your admin page

Then he knew your username and password, entered it and had access to your admin site.  Doesn't even look as though there was any guessing going on.

Are you the only person who has access to that site or does someone else add content to it? I have a feeling this "hacker" got your URL and login credentials from some place.  Do you have other user accounts?  Perhaps he didn't clear the Admin Log.  If you log into your admin section, go to Site Admin > Admin Log then you can see if he used a different username to login with, other than your main admin one if you have other users setup.

Hmmm, just thought of something.  I'll be modifying my CMSms install to remove the "Clear Admin Log" link at the bottom.  Well at least comment it out in the code and make some other edits so the Admin log cannot be cleared just by hitting a link.
Pierre M.

Re: I was hacked. I found a file I don't recognize.

Post by Pierre M. »

Hello again,
Maki wrote: Nothing useful, I think.
You should search the first entries from the attacker, to know how he cracked the system.
Yes, Maki is right.

And the IP, the user-agent, the referer URL all can be forged.

If you have not been hit by the 1.2.2 vulnerability and the bad guy has come into your admin by already knowing your login+password, maybe your desktop has keylogging spyware, or the hosting is insecure, or somebody else knew/guessed your password.

Pierre M.
dmgd

Re: I was hacked. I found a file I don't recognize.

Post by dmgd »

nivekiam wrote: hm, well I don't see anything odd.  Looking at one of my logs for comparison here is what I see:
Yes I have to agree.  I take full responsibility for the lack of security.  My main regret is that I did not follow the advice I found here.
http://forum.cmsmadesimple.org/index.php/topic,19660.new.html  IMO this should be a tacked (or tagged, whatever the term is) item, easily found.

But as I said I should have been more aware of this.  Playing the odds is not always the best action.

Thanks for your help and a great product that I will continue to use and donate $ to.
Mark
Pierre M.

Re: I was hacked. I found a file I don't recognize.

Post by Pierre M. »

Hello again,
dmgd wrote: My main regret is that I did not follow the advice I found here. (link to forum thread)
This information is published here now:
http://wiki.cmsmadesimple.org/index.php ... mall_Guide
The doc is being rewritten. Everybody can read and contribute with their forum account.

A fun way to discover and learn things about CMSms:
http://wiki.cmsmadesimple.org/index.php ... Randompage

Best wishes for hardening your PHP installation!

Pierre M.