
Strange error when I open the admin page

Posted: Wed May 28, 2008 8:27 am
by evilhomer
Hi All

This is a slightly strange issue I've encountered and wondered if people had come across this before...

I hadn't changed anything, then a couple of days ago I opened my site, added the admin at the end and got a really strange PHP error.

The error was reported in the files na__de_DE.nls.php and patch__de_DE.nls.php.

To resolve it I deleted these files, which resolved the issue, however looking in the files I can't quite see what they are supposed to be doing.  I also tried copying them back to get the error to appear but it doesn't appear anymore.  Interestingly I couldn't see these files as part of the CMS installation.

Anyone know what these files are for?  Should they be there?

Regards

Re: Strange error when I open the admin page

Posted: Wed May 28, 2008 8:47 am
by cyberman
Seen such files in other threads - they collect CMSms passwords. These files are NOT a part of CMSms.

Do the following for security (as soon as possible):

1. Delete complete admin folder.
2. Upload the original /admin folder.
3. Change all CMSms passwords.
4. Rename /admin folder to a very curious name (like adm39xRLK3d)
5. Change the entry in your config.php to

Code:

$config['admin_dir'] = "adm39xRLK3d";
6. Read the security guide

http://wiki.cmsmadesimple.org/index.php ... mall_Guide

Re: Strange error when I open the admin page

Posted: Wed May 28, 2008 10:17 am
by evilhomer
Thanks Cyberman

Now done.  I have a couple of questions...

Before I used to just add /admin to the end of my address to login.  Do I now need to enter the folder name I have renamed that folder to?  Or is there a more user friendly way to get the login screen?

Secondly who or how might these files be getting on my server?  Seems a bit scary that something is creating files on my server without knowing the password in the first place?  I assume they are generated somehow as only I have FTP access to place files in that folder.  The site is also currently barely used.  Only a few friends really know much about it so how would someone find my site and know that it's CMSMS?

Many thanks again

Re: Strange error when I open the admin page

Posted: Wed May 28, 2008 12:30 pm
by cyberman
evilhomer wrote: Before I used to just add /admin to the end of my address to login.  Do I now need to enter the folder name I have renamed that folder too?
Yes, you have to call your admin panel like www.my-domain.com/adm39xRLK3d

For myself I'm using a browser bookmark for that ;).

evilhomer wrote: Secondly who or how might these files be getting on my server?
That's the big big question!

Are you running the latest CMSms version? The latest one is 1.2.5
Do you run other risky software on your server? Which?
Do you have access to your server log files? If yes, check them.
Have you read (and realized) the security guide?

Maybe a (German), Google-translated security thread can help too ...

http://translate.google.com/translate?u ... l=de&tl=en

Re: Strange error when I open the admin page

Posted: Wed May 28, 2008 12:51 pm
by calguy1000
This problem has been identified as somebody exploiting the bug in 1.2.4 that was fixed with 1.2.5
I suggest the following steps.

1.  Completely destroy all files in your cms install
    (the attack seems to alter different files at different times, and not just in the admin section).  And once a file
    exists in the directory it may be exploitable.  Therefore the only way to be 100% sure that it is fine is to erase
    all files and restore from a known good backup.
2.  Completely restore your site from a known good backup
3.  Immediately upgrade to CMS 1.2.5
4.  Change ALL CMS passwords

Then, as an option you can rename the admin folder as cyberman recommends.
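
Before erasing anything, it helps to know which files were added or altered, for example the two .nls.php files named earlier in this thread. The following is an added example, not part of the original posts and not CMSms code: it compares a live install against an unpacked copy of the same release by SHA-256. The function names, the demo file layout and the choice of config.php as a site-only file are assumptions.

```python
import hashlib
import os
import tempfile

def tree_hashes(root):
    """Map every file under root (relative path, '/' separators) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def compare_install(pristine_root, live_root, expected_local=("config.php",)):
    """Compare a live install against an unpacked copy of the same release.

    expected_local lists files that legitimately exist only on the site; they
    are reported separately for manual review, never silently skipped.
    """
    good, live = tree_hashes(pristine_root), tree_hashes(live_root)
    return {
        "added": sorted(p for p in live if p not in good and p not in expected_local),
        "modified": sorted(p for p in live if p in good and live[p] != good[p]),
        "missing": sorted(p for p in good if p not in live),
        "local": sorted(p for p in live if p not in good and p in expected_local),
    }

def write_tree(root, files):
    """Create files (relative path -> text) under root; used for the demo only."""
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

def demo():
    """Constructed sample trees; the file contents and layout are made up."""
    release = {"index.php": "<?php // release\n", "admin/login.php": "<?php // login\n"}
    site = dict(release)
    site["admin/login.php"] += "// changed after install\n"
    site["admin/na__de_DE.nls.php"] = "<?php // not shipped\n"
    site["config.php"] = "<?php // site settings\n"
    with tempfile.TemporaryDirectory() as tmp:
        pristine, live = os.path.join(tmp, "pristine"), os.path.join(tmp, "live")
        write_tree(pristine, release)
        write_tree(live, site)
        return compare_install(pristine, live)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Anything listed under "added" or "modified" is worth keeping a copy of for later analysis; the report does not replace the full erase-and-restore described above.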

Re: Strange error when I open the admin page

Posted: Fri May 30, 2008 12:14 pm
by olavt
calguy1000 wrote:
1.  Completely destroy all files in your cms install
     (the attack seems to alter different files at different times, and not just in the admin section).  And once a file
     exists in the directory it may be exploitable.  Therefore the only way to be 100% sure that it is fine is to erase
     all files and restore from a known good backup.
2.  Completely restore your site from a known good backup
Do you mean deleting and restoring the database, or just the files in the CMS installation?

Re: Strange error when I open the admin page

Posted: Mon Jun 02, 2008 6:07 am
by cyberman
Think calguy means both ...