CMSimpleWiki has been hacked

Till
Posts: 337
Joined: Tue May 20, 2008 7:20 am
Location: Germany: Bremen

Post by Till » Tue Nov 24, 2009 3:59 pm

Hi,

A major disaster has happened with CMSimpleWiki. The server hosting the wiki was hacked yesterday. These jerks not only had fun destroying the content of the server, but also - as I was informed - traveled down to the backup server and destroyed it, too. The people in charge are trying to rescue what can be rescued. I don't know what the current state is at the moment. They may be unable to recover anything, as I was told. I will be informed tonight.

I myself have a wiki backup from March this year. That means, if nothing is recovered, wiki content from March to November will be lost.

I am very sorry - and I am really pissed, too, since I have several customers running on this server including shops.

Till

CMSimple-Styles.com
Posts: 342
Joined: Thu Jun 26, 2008 8:19 pm
Location: Germany

Re: CMSimpleWiki has been hacked

Post by CMSimple-Styles.com » Tue Nov 24, 2009 4:27 pm

Too bad, archive.org also has no record. Do you know when the server will be back online? I think in the future I will create a copy of the contents on my server just as a backup, but not in wiki form.

Till
Posts: 337
Joined: Tue May 20, 2008 7:20 am
Location: Germany: Bremen

Re: CMSimpleWiki has been hacked

Post by Till » Tue Nov 24, 2009 8:46 pm

I have been informed that not only the file structure of the server has been killed but all content has been overwritten. That means that the wiki will start with the information of March 2009. I am sorry that I have not made backups myself more often.

According to the log file the hacker(s) entered via CMSimplewiki plus two or three form scripts of other customers. The note in German I received from the person in charge says:
"Unfortunately, the web server was destroyed by a hacker today, 24.11.2009. He was able to smuggle in a file via a web interface; with this file he had full root access to the server as well as to the tunnel to the backup server.
Not only was the file system defective (there was an attempt to work with file system attributes that are not available for ext3, and masses of blocks were allocated and written twice), the server was also cracked, since /bin/sh was a shell script, which cannot work. All data on the server is no longer readable and has been completely destroyed."
I have also been told that the people in charge collected three IPs which have been given to the police. If they are not proxies they may be uncovered. Last time it was a bored twelve-year-old Spanish boy who destroyed a shop - five years of work gone in 10 minutes.

The server is already running again. As soon as I have time I will build up the site and upload the data I have as backup. Since I have a teaching job at the moment, which keeps me pretty busy, it may take a few days.

Till

johnjdoe
Posts: 571
Joined: Tue May 20, 2008 6:32 am

Re: CMSimpleWiki has been hacked

Post by johnjdoe » Wed Nov 25, 2009 7:33 am

Shit! A lot of work has been destroyed!

BUT, I don't understand why the hosting guys don't have backups? Isn't it so that they have to make backups and give a guarantee that they could recover the data? My hoster does.

Holger
Site Admin
Posts: 3470
Joined: Mon May 19, 2008 7:10 pm
Location: Hessen, Germany

Re: CMSimpleWiki has been hacked

Post by Holger » Fri Nov 27, 2009 7:34 pm

It's not only hard for the Wiki. Your own website and maybe websites of your customers are affected too.

But now is the time for you to think about the security concept of your hoster.
I can't believe that things like this
"to the tunnel to the backup server"
are usual with a shell script running on a customer server.
If so, the whole server farm of the company may potentially be compromised by hackers...
Anyway. You can never trust the security of a software not written by yourself, like the wiki-software.
And - on shared hosting - all the other customers may have unsecure scripts too.
And there are security issues in PHP itself, like the not binary-safe functions ereg / eregi.

So, for me, every admin acts really carelessly if he installs an unpatched PHP on a server intended for shared hosting.
Till, you should look for a hoster which installs PHP with Suhosin.
Suhosin is not a hype or a project of some script-kiddies, it's state of the art technology.
Some more information is available at the project page: http://www.hardened-php.net/suhosin/why.html

johnjdoe wrote: Shit! A lot of work has been destroyed!

Don't worry Gerd, I've managed to get an almost complete collection (hope so) of all interesting wiki pages in HTML format, dated Nov. 2009.
All the links and code examples are included and could be easily restored by copy & paste ;) .

@Till: I'm glad to help, after the wiki is running again. Just drop me a line.

Holger

Till
Posts: 337
Joined: Tue May 20, 2008 7:20 am
Location: Germany: Bremen

Re: CMSimpleWiki has been hacked

Post by Till » Sun Nov 29, 2009 4:21 pm

Hi,

CMSimpleWIKI is up and running again. Since I found a data backup from 15th September on my backup disk, we lost only data which have been added during the last 2 months. However, I believe during this time not very many things have been added. Users who registered in this time have to reregister.
There still may be some quirks using the wiki. It is possible that I did not make all required files and/or folders writeable. If you see errors, please report them here.

johnjdoe wrote: BUT, I don't understand why the hosting guys don't have backups? Isn't it so that they have to make backups and give a guarantee that they could recover the data? My hoster does.

Yes, I thought their backups would be sufficient. Now I learned the hard way that I was wrong. I was told that the hacker got root access and destroyed the backup server, too. They don't make backups on tapes anymore which can be shelved. They use servers which are open to the root.
As far as I know the big hosters do not give any warranty. They say that you have to keep your own backups in case of total data loss.

Holger wrote: But now is the time for you to think about the security concept of your hoster.

I will suggest your advice to the server guys. The site is hosted at IP-Exchange in Nürnberg (http://www.ip-exchange.de). They actually should know what they are doing. However, it is also possible that something burned out, exploded or whatever and they told me a fairy tale about hackers. They know that I am not a server person and may believe anything.

Till

johnjdoe
Posts: 571
Joined: Tue May 20, 2008 6:32 am

Re: CMSimpleWiki has been hacked

Post by johnjdoe » Mon Nov 30, 2009 8:06 am

Holger wrote: I've managed to get an almost complete collection (hope so) of all interesting wiki pages in HTML format, dated Nov. 2009.
All the links and code examples are included and could be easily restored by copy & paste ;) .

@Till: I'm glad to help, after the wiki is running again. Just drop me a line.

Wow, that's really great!!

Holger
Site Admin
Posts: 3470
Joined: Mon May 19, 2008 7:10 pm
Location: Hessen, Germany

Re: CMSimpleWiki has been hacked

Post by Holger » Thu Dec 03, 2009 10:12 am

Till wrote: It is possible that I did not make all required files and/or folders writeable. If you see errors, please report it here.

Hi Till,

I've found this
Writing /var/www/web4/html/data/cache/3/3e01836a9241cd6e9b456474a4438e06.i failed
Unable to save cache file. Hint: disk full; file permissions; safe_mode setting.
Writing /var/www/web4/html/data/cache/3/3e01836a9241cd6e9b456474a4438e06.i failed
Unable to save cache file. Hint: disk full; file permissions; safe_mode setting.
Writing /var/www/web4/html/data/cache/3/3e01836a9241cd6e9b456474a4438e06.xhtml failed
at some plugin-subpages, e.g. here: http://www.cmsimplewiki.com/doku.php/pl ... ced_search

Holger

Till
Posts: 337
Joined: Tue May 20, 2008 7:20 am
Location: Germany: Bremen

Re: CMSimpleWiki has been hacked

Post by Till » Thu Dec 03, 2009 6:32 pm

Yep, sorry, I made a mistake with the cache folder. It should be fixed by now.
Thanx, Holger.

Till

mvwd
Posts: 299
Joined: Tue Jun 17, 2008 10:35 pm
Location: Baden Württemberg / Germany

Re: CMSimpleWiki has been hacked

Post by mvwd » Sun Dec 20, 2009 5:39 pm

Hello Till,

Writing /var/www/web4/html/data/cache/9/9bbcf6a8d30c4e4bac0f8086a9556b25.i failed
Unable to save cache file. Hint: disk full; file permissions; safe_mode setting.
Writing /var/www/web4/html/data/cache/9/9bbcf6a8d30c4e4bac0f8086a9556b25.i failed
Unable to save cache file. Hint: disk full; file permissions; safe_mode setting.
Writing /var/www/web4/html/data/cache/9/9bbcf6a8d30c4e4bac0f8086a9556b25.xhtml failed
Appears on Welcome-page...

Merry Christmas and a happy new Year!

mvwd.
