CMS Made Simple Forums

Content management as it is meant to be
https://forum.cmsmadesimple.org/

1.11.10 Site got hacked - code injected

https://forum.cmsmadesimple.org/viewtopic.php?t=70027

Page 1 of 1

1.11.10 Site got hacked - code injected

Posted: Tue Apr 29, 2014 1:52 am
by amandamaddox3
http://www.treeoflifelcms.org

Using CMS Made Simple 1.11.10 Site got hacked. The following pages were modified by the hacker.
\index.php
\admin\footer.php
\admin\header.php
\admin\index.php
\admin\login.php
\admin\themes\ncleargrey\login.php \admin\themes\oneeleven\login.php \modules\cmsprinting\action.default.php \modules\menumanager\action.default.php \modules\menumanager\action.setdefault.php
\modules\microtiny\action.default.php
\modules\news\action.default.php
\modules\search\action.default.php

The following code was injected into those pages:

XXXXXXXXXX

Please help me figure out how to stop the hacking. The site is getting hacked about every week. I delete the whole site and re-download a fresh copy of CMS Made Simple 1.11.10

Re: 1.11.10 Site got hacked - code injected

Posted: Tue Apr 29, 2014 8:02 am
by chandra
It seems the hacker know very accurate what he have to do to point you.

To the first you should change ALL passwords (CMSMS backend, database, FTP, host). Then you should check the file permission of named files. They should be read and execute but NOT written.

After that you should make a look to the logs on your host and see where the attack come from.

Re: 1.11.10 Site got hacked - code injected

Posted: Wed Apr 30, 2014 4:08 am
by amandamaddox3
Chandra,

The last time I downloaded the CMS Made Simple 1.11.10 code I changed the php files mentioned set to 0644. I had not done that in the past.

So far so good.

I also noticed that the .js files in the "lib" folder had been modified. What permission level do .js files need to be set?

Re: 1.11.10 Site got hacked - code injected

Posted: Wed Apr 30, 2014 9:20 pm
by Dr.CSS
If this is a weekly thing I would think it was a compromised shared server with some other system like WP installed on the server that is letting the hacker in so it can screw with all sites on it...

Re: 1.11.10 Site got hacked - code injected

Posted: Thu May 01, 2014 2:30 am
by amandamaddox3
Dr.CSS,

I actually had thought the same thing. Contacted the Server Admin. They told me there are about 160 other sites on that same server and none are having issues.

Just mine. So far so good. The site has not been hacked since the permissions changed on the above files.

Re: 1.11.10 Site got hacked - code injected

Posted: Fri May 02, 2014 4:27 pm
by Rolf
The hacker probably added a script/file to your server and change your files again (and again...)

Re: 1.11.10 Site got hacked - code injected

Posted: Sat May 03, 2014 3:08 am
by milehigh
Make sure whatever PC's you've accessed the site via FTP are not infected. Change all your FTP passwords and thoroughly scan your PC. Make sure you're not letting your FTP client store the passwords either, some store them as plain text.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited