CMS Made Simple Forums

My client's site, running the latest version of CMSMS (1.11.7) has been hacked three times this week (twice today) by a base 64 error.

The hosting company has predicted it's due to a weakness in the software and not anything wrong with the vulnerability of their servers (not surprising) and suggested I make you aware of the issue.

I've used CMSMS for 5+ years on dozens of sites and never suffered from this issue. Any advice? I've already changed hosting password, FTP password and my dashboard-admin panel password.

The database is unaffected, but my site goes blank due to all PHP files hacked with a wacky mystery code starting with "eval(base64_decode("... immediately after the <?php entry.

there are no known vulnerabilities in CMSMS 1.11.7 core. Certainly nothing reported in the last while that has not been resolved. And the last numerous vulnerabilities have been XSS vulnerabilities not anything related to files.

If the php files are getting modified then it can come from a few places:
a: hacked FTP/shell account (changing passwords would handle this)
b: hacked CMSMS admin password (it's possible to upload php files if you are a logged in administrator). This is unlikely however.
c: vulnerability in some other software on the same server (much more likely).
two ways this could effect you:
- your php files are open to writing from other user accounts and vulnerabilities in software used on those other accounts could be effecting you).
- some other software you are using in that account has a vulnerability.
(I have seen reports where a popular blogging software (and others) was installed side-by-side with CMSMS in the same account, and a vulnerability in that software caused problems with CMSMS).

The website isnt hacked again, but is probably still hacked!!
Seen it before a non-cmsms php file somewhere between the regular files hacking the files over and over... This file can be months or years old.

Rolf is correct. If you were hacked once you could still have extra files there that once browsed to again cause the hack to propogate.

Have you done a system verification?

Thanks to you both. I did a system verification, and it's clean.

What I did find based on your sound advice was a separate folder that contained an outdated WordPress site, which was also hacked with the base 64 virus.

Hopefully this eradicates the issue completely. Never would have thought of a vulnerability because of WordPress shared on the same hosting account. I'll update this post if I discover additional information or issues.

Thanks again.

Yep! I thought I had posted "solved" on my last post. But lemme give that a go again.