Page 1 of 2
Epidemic of CMSMS hacks
Posted: Mon Jul 11, 2011 2:48 pm
by NickW
All
New to these forums and am just posting concerning a huge surge in sites running old & insecure versions of CMSMS that have been hacked in the last couple of weeks. I would be grateful for any feedback on this....
I work in IT Security and spend time monitoring a long running website hacking & SEO poisoning campaign. A couple of weeks ago, I started to come across many sites running CMSMS that were starting to appear on my radar. After some analysis, I saw that all the hacked sites followed a very similar pattern:
websitename.com/tmp/templates_c/<first 5 letters of site>/randomword+3digits.php
I constructed a Google search to find other hacked CMSMS sites as follows. This returns results for all sites with the keyword sony on any page in a folder called templates_c
sony inurl:templates_c
You will see that there are literally thousands of sites out there that have been hacked recently - I believe within the last month.
So....CMSMS seems to be getting heavily targeted by hackers at the moment. Anyone else seeing this? Any clues on how to tackle this very real problem?
cheers
Nick
Re: Epidemic of CMSMS hacks
Posted: Mon Jul 11, 2011 3:49 pm
by M@rtijn
I believe the keywords of your post are:
sites running old & insecure versions of CMSMS
old & insecure implies that there a new versions, which have addressed the security issues.
there are literally thousands of sites out there that have been hacked recently
We've not seen any reports about this from our users, so I don't really believe the number. Shirley, somebody would have mentioned it on the forums...
Anyone else seeing this?
No
Any clues on how to tackle this very real problem?
Update

Re: Epidemic of CMSMS hacks
Posted: Mon Jul 11, 2011 7:43 pm
by NickW
If you do the Google search I suggest, you will see thousands of results. Just about every one is a hacked site.
When the sites are exploited, the core site remains intact so unless the owner is monitoring it carefully, they wouldn't know that anything was amiss.
I have contacted many owners in the last two weeks to let them know and none had a clue. In other cases, the sites have been created and then abandoned.
This is why you haven't heard of any reports. I am reporting it!
Having been hacked, the sites are used as landing pages before visitors are redirected to other malicious sites which do the usual fake AV scans.
I know to keep my site updated...but it appears that thousands of site owners/admins do not.
Nick
Re: Epidemic of CMSMS hacks
Posted: Mon Jul 11, 2011 8:49 pm
by M@rtijn
I guess everybody will appreciate your enthusiasm and helpful spirit.
To be honest there's not a single message about this subject on the forums. If thousands of websites are infected we would have seen at least something about it.
The folder templates_c is not CMSMS specific, Drupal uses a folder with the same name and so will a lot of the other Smarty based content management systems.
The fact that a lot of websites show up in the Google search query doesn't directly mean that all of these websites are CMSMS websites.
The only thing we can say is, and we say that to all our users:
Keep your core CMSMS and modules updated and keep an eye out for suspicious changes to files.
(Use system verification to create a checksum, and check if there are any changes on a weekly basis)
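The two practical points raised so far, NickW's file-name pattern under tmp/templates_c and M@rtijn's advice to keep a checksum of the install and diff it weekly, can be turned into a small check that runs from a shell on the host. The script below is an added example written for this thread; it is not CMSMS code and not the System Verification feature of the admin panel. It assumes the web root is passed as a path, that compiled Smarty templates sit directly in tmp/templates_c so that any nested folder there is unexpected, and that the dropped files carry one to three trailing digits (the thread only says "3digits"; the looser match is an assumption). The demo tree it builds is constructed, not taken from any of the sites named on this page.

```python
"""Scan a CMSMS web root for dropped files of the form
tmp/templates_c/<subdir>/<word><digits>.php and keep a SHA-256 baseline
of the PHP files so that later additions or edits stand out.

Added example for this thread, not CMSMS code. Assumptions (not from the
page): the web root is given as a path, legitimate installs keep no
subfolders under tmp/templates_c, and the digit count is 1-3.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# File-name pattern described in the thread: random word + digits + .php.
DROPPED_FILE_RE = re.compile(r"^[A-Za-z]+\d{1,3}\.php$")
TEMPLATES_C = Path("tmp") / "templates_c"


def find_suspicious_files(webroot):
    """Return relative paths of .php files matching the pattern inside
    subdirectories of tmp/templates_c (top-level compiled templates are
    expected and skipped)."""
    webroot = Path(webroot)
    base = webroot / TEMPLATES_C
    hits = []
    if not base.is_dir():
        return hits
    for root, _dirs, files in os.walk(base):
        rel_dir = Path(root).relative_to(base)
        if rel_dir == Path("."):
            continue
        for name in files:
            if DROPPED_FILE_RE.match(name):
                hits.append((TEMPLATES_C / rel_dir / name).as_posix())
    return sorted(hits)


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(webroot):
    """Map every .php file and .htaccess under webroot to its SHA-256."""
    webroot = Path(webroot)
    baseline = {}
    for root, _dirs, files in os.walk(webroot):
        for name in files:
            if name.endswith(".php") or name == ".htaccess":
                p = Path(root) / name
                baseline[p.relative_to(webroot).as_posix()] = sha256_of(p)
    return baseline


def diff_baseline(old, new):
    """Files added, removed, or modified since the baseline was taken."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def demo():
    """Constructed web root: take a baseline of a clean tree, then simulate
    the intrusion (dropped doorway page plus an edited index.php) and
    report what both checks find."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php // site entry point\n")
    (root / TEMPLATES_C).mkdir(parents=True)
    (root / TEMPLATES_C / "compiled_template.php").write_text("<?php // smarty\n")
    before = build_baseline(root)

    # Constructed intrusion: tmp/templates_c/examp/randomword123.php
    drop = root / TEMPLATES_C / "examp"
    drop.mkdir()
    (drop / "randomword123.php").write_text("<?php // doorway page\n")
    (root / "index.php").write_text("<?php // site entry point + injected\n")

    after = build_baseline(root)
    return find_suspicious_files(root), diff_baseline(before, after)


if __name__ == "__main__":
    hits, changes = demo()
    print("suspicious:", hits)
    print("baseline diff:", changes)
```

Run build_baseline once on a freshly upgraded, known-clean install, store the result off the host, and diff against a fresh run from cron; the pattern scan alone catches the campaign described here, but the baseline diff also catches edits to files the attacker did not create.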
Re: Epidemic of CMSMS hacks
Posted: Mon Jul 11, 2011 9:29 pm
by Wishbone
M@rtijn.. templates_c isn't unique, but tmp/templates_c is more likely to be CMSMS.. I did his search and the first site I saw was using a modified form of the default CMSMS template. One of the others had a unique template, but had an admin/ login. I'm guessing that most of these are CMSMS.
I just took one of them at random...
http://clearfs.net ... It has a 1.9.* admin login, so it's pretty recent.. I wonder if it's the News security hole which was just fixed?
Re: Epidemic of CMSMS hacks
Posted: Mon Jul 11, 2011 10:45 pm
by NickW
I can only repeat what I have mentioned already....
I have contacted and notified approx 20 site owners in the last two weeks that have CMSMS sites that have been hacked and follow the pattern outlined below.
Without exception, none realised they had been hacked. This is why this hacking campaign is so successful. After the hack, the sites remain completely functional. When I notify owners, their first reaction is to check their site, see that the home page and other pages are working OK and ignore my message as some kind of scam. At that point, I notify the hosting companies and they notify the owner and help to get the sites cleaned up.
I have been working on this website hacking & SEO poisoning campaign for months now (mainly because my company is being targeted) and I can assure you that this CMSMS hacking campaign is very recent and on a very large scale.
You won't find any reports about it on your forums as owners don't know about it and I'm the guy that found it!
I'm not trying to blow my own horn here - I'm just very concerned about what I am seeing and am hoping that the CMSMS community will take this seriously.
cheers
Nick
Re: Epidemic of CMSMS hacks
Posted: Tue Jul 12, 2011 12:41 am
by calguy1000
The Dev team has had a good record (and will endeavor to keep that record) of responding to valid, verified security problems.
Therefore if you (or anybody) can submit (via email) to the members of the dev team a verifiable and reproducible mechanism to exploit the latest released version of CMSMS we will quickly investigate it.
Until there is a verifiable, and reproducible report of an exploit all we have is un-researched thoughts, innuendo, and rumors. We will not respond to those.
Re: Epidemic of CMSMS hacks
Posted: Tue Jul 12, 2011 12:47 am
by elkman
Actually there have been quite a few hacked CMSMS websites. I have multiple accounts with Host Gator and though my sites haven't been affected (I keep updating) other Host Gator clients whose sites are 1.9.2 or below have been affected.
The hack only shows up if you search using Google or Bing and then click on any of the search results to get to the website. It offers you the "security problem" landing page and will redirect you to a Russian url if you click it.
Typing the domain name directly into the address bar will take you to the website totally unaffected.
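Because the redirect elkman describes only fires for visitors arriving from a search engine, a site owner who types the address in sees nothing wrong. The check below is an added example for this thread, not code from the page or from CMSMS: it fetches the front page once with no Referer and once with a Google and a Bing referer, without following redirects, and flags the site when only the search-engine visits produce a redirect. The search URLs, the browser User-Agent string, and the heuristic for spotting an in-page redirect (meta refresh or a JavaScript location assignment to an absolute URL) are assumptions; fake_fetch returns constructed responses so the comparison can be run offline.

```python
"""Detect referer-conditional redirects of the kind described in the thread.

Added example, not from the page. Assumptions (not from the page): plain
urllib fetches, the search-engine referer strings below, and the two
in-page redirect heuristics in REDIRECT_MARKERS.
"""
import re
import urllib.error
import urllib.request

SEARCH_REFERERS = (
    "https://www.google.com/search?q=test",
    "https://www.bing.com/search?q=test",
)
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"

# Heuristics for a redirect carried in the HTML body rather than the headers.
REDIRECT_MARKERS = (
    re.compile(r"<meta[^>]+http-equiv=[\"']?refresh", re.I),
    re.compile(r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*[\"']https?://", re.I),
)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Turn 3xx responses into HTTPError so the first hop stays visible."""

    def redirect_request(self, *args, **kwargs):
        return None


def fetch(url, referer=None):
    """Return (status, Location header or None, body) for one request."""
    headers = {"User-Agent": BROWSER_UA}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.getcode(), resp.headers.get("Location"), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), err.read().decode("utf-8", "replace")


def looks_like_redirect(status, location, body):
    """True for an HTTP 3xx with a Location header or a body-level redirect."""
    if 300 <= status < 400 and location:
        return True
    return any(m.search(body) for m in REDIRECT_MARKERS)


def compare_by_referer(url, fetch_fn=fetch):
    """Fetch the page directly and via each search referer; report whether a
    redirect appears only on the search-engine visits."""
    results = {"direct": looks_like_redirect(*fetch_fn(url, None))}
    for ref in SEARCH_REFERERS:
        results[ref] = looks_like_redirect(*fetch_fn(url, ref))
    results["conditional_redirect"] = (
        not results["direct"] and any(results[r] for r in SEARCH_REFERERS)
    )
    return results


def fake_fetch(url, referer=None):
    """Constructed responses imitating the behaviour in the thread: a 302
    to an external host for search-engine visitors, the normal page for
    everyone else. Used so the check can be exercised offline."""
    if referer and ("google" in referer or "bing" in referer):
        return 302, "http://example.invalid/security-warning", ""
    return 200, None, "<html><body>Welcome to the site</body></html>"


if __name__ == "__main__":
    print(compare_by_referer("http://example.invalid/", fake_fetch))
```

Against a live site, call compare_by_referer with the default fetch; a result with direct False and conditional_redirect True is the symptom described above and worth following up with the access logs.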
Re: Epidemic of CMSMS hacks
Posted: Tue Jul 12, 2011 12:56 am
by calguy1000
Well if people aren't updating... there isn't much we can do is there.
If you look through the release history we have a good number of quick releases just to fix security issues. But it is still up to the public to use them.
If you're running 'some version of cmsms' that is not the latest, and your site gets hacked... then restore from known good backup and UPGRADE, protect your site, then backup again.
If you're running the latest version of CMSMS AND you've taken reasonable efforts to protect your site, AND you've still been hacked, then we need to see:
a: System Details
b: LOGS (both error and access logs)
c: Symptoms of the hack
Then, and only then there MAY be something we can do.
However, the hack may have come through another site on a shared host... OR by another package used on the same site, OR by hacked passwords, or...
You get the picture.
Re: Epidemic of CMSMS hacks
Posted: Tue Jul 12, 2011 1:15 am
by elkman
Hi Calguy,
You're absolutely correct. I've not had a problem with the over 135 websites I've built using CMSMS and that I keep updating as new updates are posted. This same hack has also shown up on Joomla and Drupal websites over the last two weeks.
Thanks for the continuous work and updates!
Re: Epidemic of CMSMS hacks
Posted: Tue Jul 12, 2011 2:18 pm
by NickW
Perhaps I didn't make it completely clear that these hacks are not exploiting a vulnerability in the latest & greatest version of CMSMS - these are all sites that are running old & insecure versions.
I completely understand that the fact the owners/admins are not updating promptly is something that is out of your control.
I am not too familiar with the update mechanism with CMSMS. Is it straightforward & intuitive? Are upgrade notifications displayed prominently after a login? Perhaps that is something that could be improved in future versions? It would not really help owners who only update their sites rarely and for those sites which have been created and subsequently abandoned...but it may help in reducing the number of vulnerable sites going forward.
Nick
Re: Epidemic of CMSMS hacks
Posted: Sat Jul 23, 2011 9:41 pm
by Robbie
Hello,
I can imagine the message of Nick appearing to be overdone, but it is not.
I have around 10 websites using cmsmadesimple and three of them were hacked the way described in this thread, in the last three months. They were hosted by different hosting companies. It clearly is my own fault as I neglected some of the sites and didn't upgrade. However:
The first time I did everything I could do: completely empty my web space, throw away the database and rebuild from scratch. It did not help. Some of the links in the web site (of a fresh install!) still took me to a russian site. Typing the url directly did not show this problem. I even asked the hoster to completely reset my account which they did, but it did not help.
The only thing that did help was cancelling my subscription and moving the domain name to a different hoster. Only then was the problem solved. So I believe it is a DNS related problem.
I now have the same problem with a website hosted by the first mentioned hosting company. I told them that the only way I solved the problem was taking away the hosting, which clearly wasn't what we wished. So the company is (hopefully) digging deeper into the problem.
Part of the problem is that it isn't visible directly. I only became aware of the problem when Google emailed me that they found a security issue on my site, resulting in a warning when finding my site using Google. Another part of the problem is that key persons are not taking the problem seriously enough.
One thing puzzles me. If keeping the site upgraded is the solution to the problem (or prevents the problem from occurring), that means that cmsms must be aware of the security breaches that cause the problem.
So, to all that are still using 1.6, my advice would be to upgrade to the current version (1.9.4.2) as soon as you can.
Re: Epidemic of CMSMS hacks
Posted: Mon Jul 25, 2011 10:30 pm
by paulbaker
Hmmm, an interesting thread. I see what you mean NickW. I did my own survey of the first page of my google results. I went to the root of each CMSMS installation to display the home page and in most cases the version was there at the footer, just like it used to be in the standard install.
Here's a run down of the sites I saw for a google search of
sony inurl:templates_c
Format for results below is:
Bad link (warning! possible malware/nastiness/rubbish here!)
CMSMS home page (clean)
CMSMS version as reported on home page
http://www.canyonfishingcharters.com/tm ... tte375.php
http://www.canyonfishingcharters.com/
1.6.8
http://mikeguernsey.com/tmp/templates_c ... heat58.php
http://mikeguernsey.com/
1.9.3
http://nastava.tvz.hr/~dcika/cms/tmp/te ... ying38.php
http://nastava.tvz.hr/~dcika/cms/
1.6.5
http://www.steijlen.com/tmp/templates_c ... man101.php
http://www.steijlen.com/
1.7.1
http://fx-dj.com/tmp/templates_c/fx-dj/interfacing3.php
http://fx-dj.com/
1.9.2
http://www.mscs.mu.edu/~praveen/tmp/tem ... index.html
http://www.mscs.mu.edu/~praveen/
0.10 (this is not a typo - see link and view source...)
http://gmeh.com.au/tmp/templates_c/gmeh ... led286.php (giving 404 error)
http://gmeh.com.au/
1.9.4.2 (new) the 404 error suggests to me the site was an older version, it was infected and then upgraded and cleaned?
http://parkershouse.net/tmp/templates_c ... ise138.php
http://parkershouse.net/
1.9.4.1 Nasty link is *still active* and has crappy text/links/pics relating to a poker site........why, when this is a new(ish) install/upgrade?
To summarise, all results I saw for this search were running CMSMS - not Drupal, Joomla etc. Most sites showing the problem are old versions of CMSMS. So a good reminder to keep your installations updated as often as possible...
Does running install/upgrade.php during the upgrade process clear out the contents of the tmp folder?

If not, then even an update to the latest version won't clear these files from the server or from google. The last example above (parkershouse) suggests that maybe even upgrading may not be enough to clear the rubbish once it's there (ties in with the post from Robbie above).
And to answer your questions NickW:
I am not too familiar with the update mechanism with CMSMS. Is it straightforward & intuitive?
Yes to the person who installed CMSMS in the first place. No if you're an editor/writer/content person without installation/FTP knowledge.
Are upgrade notifications displayed prominently after a login?
Yes it shows clearly when you login to the admin back end. But it's easy to ignore and, as you say, if the site has been abandoned and you never login you'll never see it.
Would be interested to hear comments on the parkershouse example from people more knowledgeable than me.
Re: Epidemic of CMSMS hacks
Posted: Tue Jul 26, 2011 7:13 pm
by NickW
Parkershouse.net...
I have seen dozens of sites with hacked pages showing the Poker site theme. Why? Who knows....
Remember the idea is to populate the hacked/added pages with keywords & images that the Google crawlers can index and then include as poisoned results when users search for these terms. These hacked pages look awful to human eyes...but lovely to a Google crawler!
gmeh.com.au...
I managed to get hold of this guy and after some initial scepticism, on his part, I managed to persuade him that his site had been compromised. His website guy then updated to the latest version and deleted the crappy content. A modest success in an ocean of hacked sites!
I have managed to get about 25 compromised CMSMS sites cleaned up in the last month but each one is a struggle as the owners, if they respond at all, are highly suspicious of an unsolicited email. A phone call followed by an email works best...but I can't be spending all my days calling around the world!
Re: Epidemic of CMSMS hacks
Posted: Wed Jul 27, 2011 11:57 am
by Robbie
One of the problems I ran into is that, after cleaning the sites, there's still a discrepancy in the dns system, redirecting me to a russian site. This even happened accessing the site from a different computer (work).
It happened after clicking links in the cms admin pages (even of a fresh install!). The problem was not solved until I moved to a different hoster.
The current hoster of a site which is (was - I upgraded) infected, initially seemed to take the problem seriously enough, but now I haven't heard from them for days. I think I have to move this site as well.