
Did my CMSMS get hacked ? [SOLVED - kind of]

Posted: Thu Dec 11, 2014 7:17 pm
by thomahawk
We found a code snippet at the end of the index.php. Usually it ends like this

# vim:ts=4 sw=4 noet
?>


but at one website (thanks to a Norton warning) I found this at the end of the page

I first thought I had this put in for pretty URLs, but as far as I understand it, it does something different. Or does someone know this?

Thanks for your feedback
Thom

Re: Did my CMSMS get hacked ?

Posted: Thu Dec 11, 2014 7:28 pm
by thomahawk
We found the same code in several other pages too.

Re: Did my CMSMS get hacked ?

Posted: Thu Dec 11, 2014 7:32 pm
by Jo Morg
That code is not part of the official release. It's a possible infection.

* Note: pasting those code snippets is not allowed, as they are signatures by which viruses can be identified and may get the forum blacklisted.

Re: Did my CMSMS get hacked ?

Posted: Thu Dec 11, 2014 7:34 pm
by thomahawk
Ok, thanks. Well, after so many years with CMSMS, I have never seen a hacked site. Is it possible to change index.php through CMSMS itself? Or only by hacking FTP?

Re: Did my CMSMS get hacked ?

Posted: Thu Dec 11, 2014 7:38 pm
by Jo Morg
r=&sv=0&sc=1&sf=all&sk=t&sd=d&sr=posts&st=0&ch=300&t=0&submit=Search

There are even a few topics about steps to recover from possible hacks.

Keep in mind that CMSMS is not the weak link in all of the occurrences I know of.

Re: Did my CMSMS get hacked ?

Posted: Thu Dec 11, 2014 7:45 pm
by thomahawk
Well, one of your team thinks it's originally a WordPress virus. I would be very surprised if the problem was CMSMS, because I always take the recommended security measures, setting the most limited FTP permissions on files, renaming the admin folder and so on.

Re: Did my CMSMS get hacked ?

Posted: Thu Dec 11, 2014 7:51 pm
by Dr.CSS
If you found strange code in your index.php, you can remove it and replace it with a fresh one from the tar.gz of the same CMSMS version, unpack and upload to site...

Re: Did my CMSMS get hacked ?

Posted: Thu Dec 11, 2014 7:51 pm
by Jo Morg
Bummer, I originally wanted to post this link:
http://forum.cmsmadesimple.org/posting.php?
Something went wrong, sorry.
thomahawk wrote: Well, one of your team thinks it's originally a WordPress virus.
Most possibly. And sorry for my previous quite cryptic post... :)

Re: Did my CMSMS get hacked ?

Posted: Thu Dec 11, 2014 7:56 pm
by thomahawk
Jo, the second link also seems to be wrong. For me it only opens a new post form.

Re: Did my CMSMS get hacked ?

Posted: Thu Dec 11, 2014 8:02 pm
by Jo Morg
Not on my best days... and the stupid keyboard is not helping either...

Let's try again: http://forum.cmsmadesimple.org/search.p ... rds=hacked


::)

Re: Did my CMSMS get hacked ?

Posted: Thu Dec 11, 2014 8:12 pm
by Jo Morg
http://forum.cmsmadesimple.org/viewtopi ... 28&t=69570
This is possibly one of the best topics about it.

Re: Did my CMSMS get hacked ? [SOLVED - kind of]

Posted: Fri Dec 12, 2014 8:36 pm
by thomahawk
Okay, it seems somehow there was a WordPress installation running on that hosting, or however, a WordPress virus got in or was there and infected PHP files of the same name and location as they would be in a WordPress installation. This happened not just now, but about a year ago on first CMSMS install. About 11 PHP files were infected. Not a serious virus, just data collection as it seems, and the collector's server is not active anymore.

However, we used that for making an upgrade of CMSMS and getting rid of the infected files. Could have been done manually too on those 11 files. Hope that bugger does not come back again.
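
An added example, not part of any post in this thread and not CMSMS project code: a Python sketch of the check behind the advice above to compare against a fresh tar.gz of the same CMSMS version. It hashes every file in the unpacked release and in a copy of the live site and lists what differs; the function names and the `admin_dir` parameter (for a renamed admin folder) are assumptions of this example.

```python
import hashlib
import os

def sha256_of(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def list_files(root):
    """Return {relative/path: absolute path} for every file under root."""
    found = {}
    for base, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(base, name)
            found[os.path.relpath(full, root).replace(os.sep, "/")] = full
    return found

def compare_with_release(release_dir, site_dir, admin_dir="admin"):
    """Compare a site copy against the unpacked release of the same version.

    admin_dir is the name the admin folder has on the live site
    (assumption: the folder was only renamed, not restructured).
    """
    release, site = list_files(release_dir), list_files(site_dir)
    report = {"modified": [], "missing": [], "extra_php": []}
    expected = set()
    for rel, ref_path in release.items():
        live_rel = rel
        if rel.startswith("admin/"):
            live_rel = admin_dir + rel[len("admin"):]
        expected.add(live_rel)
        if live_rel not in site:
            report["missing"].append(live_rel)
        elif sha256_of(site[live_rel]) != sha256_of(ref_path):
            report["modified"].append(live_rel)
    # PHP files the release never shipped: site config, add-ons, or planted code.
    report["extra_php"] = sorted(
        r for r in site if r.lower().endswith(".php") and r not in expected)
    report["modified"].sort()
    report["missing"].sort()
    return report

if __name__ == "__main__":
    import sys
    # Usage: script.py <unpacked_release_dir> <site_copy_dir> [admin_folder_name]
    print(compare_with_release(*sys.argv[1:4]))
```

Entries under `extra_php` are not necessarily malicious, since site-specific files and add-ons land there too; they are the list to review by hand.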