Page 1 of 1

CMS site hacked

Posted: Fri Mar 19, 2010 5:38 pm
by petani
Hi,

My CMS site www.riisvangen.dk (Danish only) was hacked yesterday.
I had a backup and everything is up and running and the site is only for a small sport club so no real harm done.

The only thing is that it bothers my that I do not know how they hacked the site.
My hosting company only advise is to keep everything up to date which I am. The site is using version 1.6.7 and all modules has recently been upgraded.

The trace the hackers has left behind is a new index.php file and a index.html file in every subdirectory. Besides that the login.php was deleted from the admin folder and the admin/themes/default folder
Also the admin log shows no trace of anybody logging in besides myself.

At the same time the site was hacked the FTP server on which the site is placed could not be reached.
Any idea what happen? Could it be a error on the server that the company will not admit?

Thanks for any input
Peter

Re: CMS site hacked

Posted: Fri Mar 19, 2010 5:41 pm
by jmcgin51
I believe there are no known vulnerabilities in CMSms 1.6.7.

Check your server logs.

Re: CMS site hacked

Posted: Fri Mar 19, 2010 5:50 pm
by owr_bgld
Do you have rights on some directorys set to 777?

Re: CMS site hacked

Posted: Fri Mar 19, 2010 5:51 pm
by Wishbone
I have had this happen before using IXWebHosting... Nothing in the logs.. .htaccess files changing. At the time it was common with this host. Changed hosting companies and it never happened again.

Re: CMS site hacked

Posted: Fri Mar 19, 2010 6:49 pm
by replytomk3
Change your passwords (obviously).
Make sure to set proper permissions after installation (config.php, etc)
Add good security measures to .htaccess


1.) Remove malicious files and/or files you're not familiar with. While many PHP applications generate files you may not be familiar with, it's important to watch for files or directories that may may sound suspicious

2.) Update all script s/applications to the newest versions available. Old security holes are updated and remedied in new versions of software, so updating to the newest versions available ensures that you're running the most secure option available. If you installed these applications using Simple script s, automatic updates are available by clicking the "Update Now" button. For installations done with Fantastico, the main Fantastico screen will show a link on the right-hand side of the screen with the available versions you can upgrade to.

3.) Update all plugins to the newest versions available. Just because your applications have been updated doesn't mean the plugins you use have been also. Popular plugins for Wordpress, Joomla, Drupal, etc are created for specific application versions. When updating your applications, make sure the plugins you're using are also certified to work with the newest version of your software.

4.) Delete any databases/applications from your account that are no longer in use. Each databases/application you have installed on your account is another possible point of entry for attackers. By removing applications/databases you're no longer using, you're eliminating the potential for those outdated script s to be exploited.

5.) Fix dangerously writable permissions. Most website files should be set at 644, and folders should be set to 755. This can be adjusted in an FTP client, or by manually changing it in the Control Panel File Manager by selecting the file, and clicking on the icon at the top of the screen that says, "Change Permissions"

6.) Hide your configuration files. Moving your config.php and other files containing passwords to a secure directory outside of the "public_html" folder will make them inaccessible to general web surfing.

7.) Adjust your php.ini file. The "php.ini" file on your account is file that adjusts how PHP behaves on your account. By adjusting the properties of this file, you can greatly increase aspects of your security. This file is generally located in your "public_html" directory. If you're unable to see this file, you may need to manually generate one. You can manually generate one by logging into your Control Panel, and clicking the "PHP Config" icon located in the section called "Software/Services". You'd then click the button that says, "Install Master PHP.ini Fileâ". This will install a file in your "public_html" directory called "php.ini.default". To make this file active, you will then need to rename it to "php.ini".

Adjustment 1.) Set "register_globals" to OFF.
Adjustment 2.) Set "error_display" to ZERO.

8.) Connect to your account using a secure network. If you're connecting to the internet using a wireless connection, make sure the wireless network is using a method of security such as WPA or WEP encryption.

9.) Make sure your local computer is secure. One of the biggest security holes in internet site security is accessing your site from an insecure computer. Viruses, malware, and keyloggers can be installed on your computer covertly and can be used to obtain your username/password credentials, or to infect your website files themselves. Practice good at-home computer security by regularly running a reliable anti-virus/spyware scanner. Below is a link to high-quality, free software that can help you maintain a safe, healthy computer. PC Tools Anti-Virus: http://www.pctools.com/free-antivirus/ Ad-Aware Anti-Malware: http://www.lavasoft.com/single/trialpay.php

10)  I recommend changing your account password and any user and passwords for any scripts that you have installed on the server.

Re: CMS site hacked

Posted: Sun Mar 28, 2010 6:15 pm
by petani
Just to let you know.
The hosting company has now admitted to have had a problem on the server and therefore an error in the server set-up led to the site being hacked and not CMS

Thank you for your suggestions
Peter