Unable to Login in Admin Panel

[makhatri]

CMSMS version 1.11.7, Genovesa, 36

Hi,
After several months yesterday I try to login in my admin panel. After given user name and password it does not open admin panel nor password error because it was correct.
When I open developer tool in chrome, following are the messages that are appears in it:

Login:


After Login:


After login, login.php file not found, and its redirect to error page.

header of login.php (page not found):

Code: Select all

Remote Address:199.168.190.250:80
Request URL:http://codeetch.com/admin/login.php
Request Method:POST
Status Code:404 Not Found
Request Headersview source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Content-Length:56
Content-Type:application/x-www-form-urlencoded
Cookie:CMSSESSID7ab1ed90=c1b8711a4f6c204845fd3b1bd8693657; fbcookie=true; popz=1411233552; webmailrelogin=no; webmailsession=%3ajJFO8MS51zgERfoMHtTubUvHt3E9v7NLFFAt4o2Gepw27FBvLSmt2japyPekCw0a%2c6f3f1c8340f3010ac89317cf68e928896312380645749249abf03159e870a7f2; _sx_=bb7a09b1; CMSSESSIDc4a827b2=1b00f6eb2f66929b038a3a21b4fc8ecc; __utma=229905550.108369048.1409724347.1413352402.1413356133.7; __utmb=229905550.1.10.1413356133; __utmc=229905550; __utmz=229905550.1409724347.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Host:codeetch.com
Origin:http://codeetch.com
Referer:http://codeetch.com/admin/login.php
User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36
Form Dataview sourceview URL encoded
username:xxxxx
password:xxxxx
loginsubmit:Submit
Response Headersview source
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection:close
Content-Type:text/html; charset=utf-8
Date:Wed, 15 Oct 2014 07:06:18 GMT
Expires:Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified:Wed, 15 Oct 2014 07:06:18 GMT
Pragma:no-cache
Server:Apache
Transfer-Encoding:chunked
X-Frame-Options:SAMEORIGIN
X-Powered-By:PHP/5.3.28

Console - Message


I do not know who is "ceck" in facebook! (its always appears in my all pages)

I also replace all the files in Admin directory from my backup, but no luck.

Please let me know how can I overcome this issue.

-MAK

[Jo Morg]

After given user name and password it does not open admin panel nor password error because it was correct.

And if you give the wrong password does it behave normally (giving the login screen again with an error message)?
We need more info if possible, like:

• - list of modules installed;
• - PHP version;

Particularly: did you install a new module just before this problem started?

Also: I would try login from a different browser or even from a different computer just to rule out the possibility of a virus (unlikely but possible).

[velden]

Looks like this website is compromised!

I see the code too and it should not be there.

[makhatri]

Thanks for reply.
Yes when I give wrong password its prompt me again as normal.
Here is details:
Apache version 2.2.26
PHP version 5.3.28
MySQL version 5.5.36-cll-lve

Modules:
Gallery
Captcha
CGExtensions
CMSMailer
MysqlDump
CMSPrinting
FileBackup
FileManager
SEOTools2
Showtime
FormBuilder
FrontEndUsers
Search
MenuManager
News
MicroTiny
ThemeManager
SiteMapMadeSimple
Statistics
TinyMCE
Sorry I am not able to determine the version of these modules right now.
I try firefox, chrome and IE, same behavior in all browsers. Also I did not install any new module in it.

"I see the code too and it should not be there."
What its mean? Can you explain it.

So please, let me know is there any way to rectify this issue?

-MAK

[paulbaker]

Tried to go in to login screen (I see your domain in your post), typed a username and then tabbed to password field. About 7 tabs opened with spammy links. JS hack? Unlikely to be specifically related to CMSMS.

[Jo Morg]

So please, let me know is there any way to rectify this issue?

Apparently the whole site is compromised, as velden said, so uploading the admin files alone wouldn't help much.
I would:

• - backup all files and DB;
• - re-upload CMSMS version 1.11.7, making sure it overwrites all old files;
• - search the DB for possible suspect entries on templates, GCBs and content blocks;
• - change passwords site wide;
• - as soon as it seems solved, upgrade CMSMS and modules;
• - check for additional scripts (like other CMSs) that might be installed along side with CMSMS, and which might have been hacked;

If CMSMS is not the week link (it shouldn't be) there is possibly another backdoor that needs to be closed, and until it is closed it won't matter much whether you solve the CMSMS install or not.
If that doesn't solve it, you may need a more radical approach.

[makhatri]

Thank you, I will try to reinstall the CMSMS on my servere.

-MAK

[Jo Morg]

For the moment I would just overwrite the files with a fresh copy, but wouldn't re-install it. In fact I would even delete the install folder.
Additionally I would also review the config.php to see if there are also suspicious entries.

[makhatri]

OK, first I will overwrite the new files on my existing old files.
Here is my config file for your review:

Code: Select all

<?php
# CMS Made Simple Configuration File
# Documentation: /doc/CMSMS_config_reference.pdf
#
$config['dbms'] = 'mysql';
$config['db_hostname'] = 'localhost';
$config['db_username'] = '_admin';
$config['db_password'] = 'xxxxx';
$config['db_name'] = 'codeetch_cms';
$config['db_prefix'] = 'cmsCE_';
$config['timezone'] = 'Asia/Karachi';

$config['url_rewriting'] = 'mod_rewrite';

?>

Is my config file is ok?

-MAK

[Jo Morg]

So far so good.

[Rolf]

This check is clean...
http://sitecheck.sucuri.net/results/www.codeetch.com
Have you checked Google Webmaster Tools?

[Rolf]

By the way, if you do find hacked code in one of your files, don't post it in the forum!! Make a screendump and post that...

[makhatri]

Rolf, I have checked with webmaster tools, its says "No errors detected in the last 90 days".


-MAK

[Jo Morg]

This check is clean...
http://sitecheck.sucuri.net/results/www.codeetch.com
Have you checked Google Webmaster Tools?

That doesn't necessarily detects all hacks, so it's not conclusive. The fact remains that the links are still there.

Rolf, I have checked with webmaster tools, its says "No errors detected in the last 90 days".


-MAK

Did you take the recommended steps?

[Rolf]

Download the checksum file matching your CMSMS version and do the test. It will detect if there any core files changed... It won't check if there are new files added or other files changed.

Site Admin >> System Verification >> Perform Validation
"This function will compare the checksums found in the uploaded file with the files on the current installation. It can assist in finding problems with uploads, or exactly what files were modified if your system has been hacked."