
2 sites attacked. 1 OK now but 1 site not yet back & running.

Posted: Thu Aug 27, 2009 5:29 pm
by burlington
Help please.

1 site has been attacked but is now fine.

The other one, www.ipsm.org.uk, seems to have disappeared.

The index & config files have been unchanged since installation and the only changes in files have been some of the temp files. I quote from my ISP:


The following items were modified or amended in the last day:

./tmp/templates_c/%%95957^957FC821%%preview%3AcmspreviewlckMAA.php
./tmp/templates_c/%%01016^016780C3%%preview%3AcmspreviewXGZ4o0.php
./tmp/templates_c/%%5E^5E7^5E74AD9F%%template%3Anotemplate.inc
./tmp/templates_c/%%D0^D0C^D0CA9BB1%%preview%3Acmspreview2bzwTv.php
./tmp/templates_c/%%09098^09882797%%template%3A21.inc
./tmp/templates_c/%%30^30F^30F6245F%%preview%3AcmspreviewY5K7GG.php
./tmp/templates_c/%%09098^09882797%%template%3A21.php
./tmp/templates_c/%%5E^5E7^5E74AD9F%%template%3Anotemplate.php
./tmp/cache/contentcache.php
./error_log


These files were dated at the time I found there was a problem and I assume that they were changed at the time I accessed the site BUT 2 files were changed today when I had no access.

Essentially, the index.php gives nothing at all and I have asked my ISP to try to reinstall this site from an earlier backup.

Ideas anyone please. What can I do please?

Thanks

Martin

Re: 2 sites attacked. 1 OK now but 1 site not yet back & running.

Posted: Thu Aug 27, 2009 5:46 pm
by JeremyBASS
What version... what.. what .. what?? You’ll need to give us more on this... refer to the forum Readme for more information...

Cheers
Jeremy

Re: 2 sites attacked. 1 OK now but 1 site not yet back & running.

Posted: Thu Aug 27, 2009 6:15 pm
by burlington
I am trying to find the version online from the /admin BUT all the /admin files have now been set to 0000 permissions so I can't access them nor can I change them from CPanel.

I am now in a situation where I have no competence at all I'm afraid.

Has everything gone belly up?

Martin

Re: 2 sites attacked. 1 OK now but 1 site not yet back & running.

Posted: Thu Aug 27, 2009 6:28 pm
by JeremyBASS
you can try to do this...

make a php file and upload it and chmod to 755

Code:

<?php
// Recursively chmod $path and everything beneath it.
// Returns TRUE on success, FALSE as soon as anything fails.
function chmodr($path, $filemode) {
    if (!is_dir($path))
        return chmod($path, $filemode);

    $dh = opendir($path);
    if ($dh === false)
        return FALSE;

    $ok = TRUE;
    while ($ok && ($file = readdir($dh)) !== false) {
        if ($file != '.' && $file != '..') {
            $fullpath = $path.'/'.$file;
            if (is_link($fullpath))
                $ok = FALSE;                          // stop at symlinks, never follow them
            else
                $ok = chmodr($fullpath, $filemode);   // file or sub-directory
        }
    }

    closedir($dh);                                    // always release the handle

    return $ok && chmod($path, $filemode);
}
$path = '/path/to/your/site/root';  // fill with your root...
chmodr($path, 0755);

 
This is only one of many scripts you could run... this was from http://us.php.net/manual/en/function.chmod.php#92674

It'd be better to ssh and do a command line ... but I'd talk with your host... see if you have a backup... Hope this helps

Cheers
Jeremy

Re: 2 sites attacked. 1 OK now but 1 site not yet back & running.

Posted: Thu Aug 27, 2009 6:52 pm
by burlington
Jeremy

Thank you for all your help.

When I create the file you recommend, do I save it to the /admin folder and under what name?

As I hinted before, I am right at the limit of my competence.

Thank you again

Martin

Re: 2 sites attacked. 1 OK now but 1 site not yet back & running.

Posted: Thu Aug 27, 2009 6:59 pm
by JeremyBASS
I'd run it at the root.. before the admin folder... you'll need to know what the path is and change that ... but you can get that from cPanel... This is a recursive chmod... so all files would become 0755... now this will only work if the user apache is still the owner or in the user group... if not you'll need to do command lines at the root via ssh - meaning you'll need to talk with your host most likely if the script will not work... ... Hope this helps...  -Jeremy

Re: 2 sites attacked. 1 OK now but 1 site not yet back & running.

Posted: Fri Aug 28, 2009 6:27 am
by fatlizard
There are a couple of ways to approach this.

Initially, it seems your files are still there, as I can browse a number of your folders, eg., http://www.ipsm.org.uk/images/, ../tmp/, templates_c/, /uploads/, and more.

This in itself is not a good thing, and in future I would recommend using something like an empty index.html to stop directory browsing.

Is your data intact?
Log into your site's control panel, navigate to phpMyAdmin, and browse the tables for a quick check.
Yes? Back up immediately.

FTP to your site.
Do the files appear ok?
It appears from browsing your folders, that all custom content is there, but check, Are your custom files all ok?
Yes? Back up immediately.

(By now it should be apparent that I am a fan of backups, and with this experience, I am sure you can appreciate their value, without relying on your host provider to do it)

Look in the root folder for a file called version.php, open that and check what you were running.

If your data is ok, a simple re-installation of CMSms could solve your problems, depending on the level of modification you've done, or template design.

Do you, or can you, have a copy running locally on your PC?
If so, then deleting the server files and replacing them with a local copy could help.

There are various options, depending on what has happened, and whether or not your data was corrupted.

Did I mention backups?

If you'd like more help on a more personal and confidential level, you can PM me, otherwise best of luck.

Cheers,

Fat Lizard

Re: 2 sites attacked. 1 OK now but 1 site not yet back & running.

Posted: Fri Aug 28, 2009 7:48 am
by burlington
Thank you FatLizard.

The database is fully backed up, and always has been though I should also have backed up the files!

I am still completely locked out of /Admin and still cannot change the permissions. I am waiting for my ISP to let me know if they have a backup earlier than 19 August, which seems to be the date when all this happened, and/or to change the permissions for /Admin.

I take your point about creating an empty index.html file but surely would the visitor not be immediately directed to that file rather than to index.php when they access the site? Also, would this be search engine friendly?

I am now backing up everything but /admin which I can't touch and am waiting for my ISP.

Thanks again,

Martin

Re: 2 sites attacked. 1 OK now but 1 site not yet back & running.

Posted: Fri Aug 28, 2009 7:55 am
by burlington
By the way, the version of CMSMS I am using for this site is:

$CMS_VERSION = "1.3";
$CMS_VERSION_NAME = "Cuba";
$CMS_SCHEMA_VERSION = "29";

Re: 2 sites attacked. 1 OK now but 1 site not yet back & running.

Posted: Fri Aug 28, 2009 10:42 am
by fatlizard
Hello again,

If you have an empty index.html file in your subdirectories, it helps prevent people snooping around.

By backups, I mean backups conducted independently of whatever the ISP does, such as manually backing up the database via control panel, or, phpMyAdmin.

Someone changed the file & folder permissions, and you can't change them back?

The hosting provider should be able to remove any files and directories once you've finished copying, and ask them to.

After that, it may mean a reinstall, of a later version of CMSms, then updating the database using the backup.
If the hacker has modified stored data/templates, then you may restore a bad copy - perhaps copying the relevant data, not core files, would be prudent?

Version 1.3 is a little out of date now, so it would be good to use this opportunity to upgrade.
Be mindful of any module dependencies that may interfere with using the latest version, although updating modules would also be preferable.

If you can create the site locally, using a local server on your desktop/laptop, then you are one step closer, whilst you wait for the hosting provider to assist.
I use xampp for local development, although there are other choices.

If I can be of any further assistance feel free to ask.

Fat Lizard

Re: 2 sites attacked. 1 OK now but 1 site not yet back & running.

Posted: Fri Aug 28, 2009 3:49 pm
by Pierre M.
Hello all,
fatlizard wrote: Version 1.3 is a little out of date now, so it would be good to use this opportunity to upgrade.
v1.3 is very much out of date. Even 1.4 and 1.5 are unsupported today.
And one of the 1.6 fixes is a security fix.
So, again: exposing an old, known-insecure, unsupported version to the wild Internet is shooting oneself in the foot. This is why it is important to keep current with new releases.

Pierre M.

Re: 2 sites attacked. 1 OK now but 1 site not yet back & running.

Posted: Fri Aug 28, 2009 3:55 pm
by burlington
Thank you, again.

I have now had the /admin folder restored and can access the admin menu etc.

All the pages etc seem to be there, but they don't show online. When I go to look at them in 'preview' I get the message:


Warning: fread() [function.fread]: Length parameter must be greater than 0 in /home/*****/public_html/lib/content.functions.php on line 291


I have been into this file but nowhere can I find this length parameter around about line 291.

The other strange thing about what has happened is that, on 19 August, when according to the admin log there was no access to the site, files were added to the ./tmp/templates_c/ folder as follows:


54^%%1E^1E0^1E02528E%%content%3Anewsblock1.php
54^%%3D^3D0^3D026139%%content%3Ablock1title.php
54^%%70^707^707A8977%%content%3Acontent_en.php
54^%%E7^E78^E787A62A%%content%3Ablock1.php
55^%%1E^1E0^1E02528E%%content%3Anewsblock1.php
55^%%3D^3D0^3D026139%%content%3Ablock1title.php
55^%%E7^E78^E787A62A%%content%3Ablock1.php
55^%%70^707^707A8977%%content%3Acontent_en.php


in 2 time slots: 0942 and 1302.

I am assuming that these are the problem, or indeed perhaps not.

Should the temp_c folder be cleansed anyway?

If I reinstall CMSMS, I would of course copy all my templates, CSS etc anyway to .txt files. Would it then be best to completely delete everything on the site and reinstall from new, as it were? Then re-set the templates & CSS etc, and then add back the database.

Would the page structure, relationships & content automatically return?

Sorry about all these questions but I am still on a very steep learning curve.

Martin
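
An added illustration, not code from any poster in this thread: a Python triage pass over a downloaded copy of a site's document root. It lists regular files changed since a cut-off (such as the 19 August date mentioned above), separates the Smarty output under tmp/ from everything else, decodes the compiled-template file names, and reports entries whose permissions are 0000. The file-name pattern and the tmp/templates_c and tmp/cache paths are assumed from the listings quoted in the thread; `triage` and `decode_smarty` are hypothetical names.

```python
import os, re, stat, sys, time
from urllib.parse import unquote

# Assumed name shape, taken from the listings in the thread:
#   [compile_id^]%%XX^XXX^XXXXXXXX%%<url-encoded resource>.php|.inc
SMARTY_NAME = re.compile(
    r'^(?:(?P<cid>[^%^]+)\^)?%%[0-9A-F^]+%%(?P<res>.+)\.(?:php|inc)$')
CACHE_DIRS = ('tmp/templates_c/', 'tmp/cache/')   # paths as quoted by the ISP

def decode_smarty(name):
    """Return (compile_id, resource) for a compiled-template name, else None."""
    m = SMARTY_NAME.match(name)
    return (m.group('cid'), unquote(m.group('res'))) if m else None

def triage(root, since_epoch):
    """Classify entries under root: changed cache files, other changed files,
    and anything left with mode 0000 (the locked-out /admin symptom)."""
    report = {'cache': [], 'other': [], 'mode_0000': []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            st = os.lstat(full)                   # never follow symlinks
            if stat.S_ISLNK(st.st_mode):
                continue
            if stat.S_IMODE(st.st_mode) == 0:
                report['mode_0000'].append(rel)
            if stat.S_ISREG(st.st_mode) and st.st_mtime >= since_epoch:
                bucket = 'cache' if rel.startswith(CACHE_DIRS) else 'other'
                report[bucket].append((rel, decode_smarty(name)))
    return report

if __name__ == '__main__':
    root = sys.argv[1] if len(sys.argv) > 1 else '.'
    cutoff = time.time() - 14 * 86400             # constructed default: last 14 days
    for bucket, items in triage(root, cutoff).items():
        print(bucket)
        for item in items:
            print('  ', item)
```

Entries in the `other` bucket are the ones to compare against a clean copy of the same CMS release; a changed file outside tmp/ with no matching admin-log activity deserves the closest look.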

Re: 2 sites attacked. 1 OK now but 1 site not yet back & running.

Posted: Fri Aug 28, 2009 4:01 pm
by replytomk3

Re: 2 sites attacked. 1 OK now but 1 site not yet back & running.

Posted: Fri Aug 28, 2009 4:02 pm
by replytomk3
I would not recommend trying to rescue that site. Use instructions in the link and my site to install the newest version.

Re: 2 sites attacked. 1 OK now but 1 site not yet back & running.

Posted: Fri Aug 28, 2009 4:12 pm
by Pierre M.
replytomk3 wrote: I would not recommend trying to rescue that site.
Neither do I : http://forum.cmsmadesimple.org/index.ph ... 539.0.html

Pierre M.