My server was hacked

A place for general not CMSimple related discussions
bca
Posts: 293
Joined: Tue Sep 15, 2009 4:49 pm

My server was hacked

Post by bca » Mon Dec 14, 2009 10:17 am

hi

I don't know whether it's just a coincidence, but within a couple of hours after upgrading one of my sites to XH 1.0 all four of my CMSimple sites on the same hoster were hacked.

Coincidence?

B

mvwd
Posts: 299
Joined: Tue Jun 17, 2008 10:35 pm
Location: Baden Württemberg / Germany

Re: CMSimple_XH 1.0 available for download

Post by mvwd » Mon Dec 14, 2009 10:27 am

bca wrote: Coincidence?
...I hope so...
  • Can you describe in more detail what happened?
  • Which files have been hacked?
  • Can you access the server-logfiles?
  • Can you send the logs to us (me and/or Holger) via PM?
mvwd.

bca
Posts: 293
Joined: Tue Sep 15, 2009 4:49 pm

Re: CMSimple_XH 1.0 available for download

Post by bca » Mon Dec 14, 2009 11:46 am

I was working on a new site and decided to upgrade to the final. That all went OK.

When I looked at the site about 2-3 hours later there was a page saying my site was hacked by Heart hunter showing an image of a command box.

All my other sites were hacked as well.

It SEEMS to be all index.php pages. I uploaded backup pages but although the page shows, above it is the hacker's message.

I have looked at the code but can't see what's going on. On the sites I have replaced the index page, but still get the message, it seems like there must be an SSI somewhere.

I'll get the logs and email shortly.
Last edited by bca on Wed Dec 16, 2009 1:59 pm, edited 1 time in total.

Tata
Posts: 3587
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia

Re: CMSimple_XH 1.0 available for download

Post by Tata » Mon Dec 14, 2009 12:18 pm

If I remember correctly, you have to look in cms.php, or in template.htm. The redirecting code will surely be somewhere at the very beginning.
Think about:
1. root/index.php has only one call

<?php include('./cmsimple/cms.php'); ?>

2. the control is thus given to cms.php - try recopying this file. If this doesn't help, look in plugins/index.php and template.htm

Maybe you will find something. I am sorry for you. I went through all this 3 times this summer.
And - if this helps and the website will run:
1. Make 100% backup on local drive
2. Change immediately all your passwords
3. chmod all index.php files to 444
4. as Holger suggested - ask your ISP to check/set allow_url_open and register_globals off.
EDIT:
Also I remember that in one of the attacks there were uploaded files with names like P123456A789.php containing an encoded script redirecting to some external webpage with the notice that the site has been hacked.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

mvwd
Posts: 299
Joined: Tue Jun 17, 2008 10:35 pm
Location: Baden Württemberg / Germany

Re: CMSimple_XH 1.0 available for download

Post by mvwd » Mon Dec 14, 2009 3:15 pm

Hi all,
I will take a further look into this issue, let's clarify this via PM.

A first look in the logfiles didn't confirm that it's a bug in CMSimple_XH, but I will inform the community if there is a reason found...

mvwd.

bca
Posts: 293
Joined: Tue Sep 15, 2009 4:49 pm

Re: CMSimple_XH 1.0 available for download

Post by bca » Mon Dec 14, 2009 3:44 pm

Hi
Just an update.
I also found that both of my NON CMSimple sites were also affected.
My ISP is noncommittal at this stage!

Thanks Tata for your comments.

B

Gert
Posts: 3078
Joined: Fri May 30, 2008 4:53 pm
Location: Berlin

Re: CMSimple_XH 1.0 available for download

Post by Gert » Mon Dec 14, 2009 5:17 pm

bca wrote: I also found that both of my NON CMSimple sites were also affected.
If you have other sites on your server, it is not so easy to find out whether CMSimple is the reason for the possibility of attack. If the other sites have mailforms etc. ...

A good prevention is to chmod all index files to 444 (no writing permission), like Tata wrote.
Gert Ebersbach | CMSimple | Templates - Plugins - Services

Tata
Posts: 3587
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia

Re: CMSimple_XH 1.0 available for download

Post by Tata » Mon Dec 14, 2009 6:11 pm

It is basically possible to try to chmod all index.php, index.htm, index.html and also all *.php files to 444, except those which the system needs to write something into. I tried it e.g. with the entire cmsimple directory except log.txt (even config.php may be chmoded to 444, if one doesn't expect to change the basic configuration).
But WARNING - check also the config.php files - in one of the attacks these were infected as well.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.
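
The checks Tata describes in the two posts above (a root index.php that should hold only the single include, uploaded files named like P123456A789.php, and chmod 444 on index files), collected into a shell script as an added example that is not part of the thread. The function names, the list of decode markers and the seven-day window are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread; function names are assumptions.

# The only statement a CMSimple root index.php should contain, per Tata's post.
EXPECTED_LOADER="<?php include('./cmsimple/cms.php'); ?>"

# Print the path of <site>/index.php if it holds anything besides that include.
check_root_index() {
    [ -f "$1/index.php" ] || return 0
    # Compare with whitespace stripped so blank lines do not raise a false alarm.
    actual=$(tr -d '[:space:]' < "$1/index.php")
    wanted=$(printf '%s' "$EXPECTED_LOADER" | tr -d '[:space:]')
    [ "$actual" = "$wanted" ] || echo "$1/index.php"
}

# PHP files named like the uploads Tata saw (P123456A789.php:
# a letter, digits, a letter, digits).
find_dropped_files() {
    find "$1" -type f -name '*.php' | grep -E '/[A-Za-z][0-9]+[A-Za-z][0-9]+\.php$' | sort
}

# PHP files containing decode-and-run calls. Heuristic (assumed marker list):
# legitimate code can match, so review each hit by hand.
find_encoded_php() {
    grep -rlE --include='*.php' 'base64_decode|gzinflate|eval[[:space:]]*\(' "$1" || true
}

# Files changed within the last N days, to scope what to restore from backup.
recently_modified() {
    find "$1" -type f \( -name '*.php' -o -name '*.htm' -o -name '*.html' \) -mtime "-$2"
}

# Make every index file read-only (444), as suggested in the thread.
lock_index_files() {
    find "$1" -type f \( -name 'index.php' -o -name 'index.htm' -o -name 'index.html' \) \
        -exec chmod 444 {} +
}

# Usage: ./audit.sh /path/to/webroot   (report first, lock only after cleanup)
if [ "$#" -gt 0 ]; then
    for site in "$1"/*/; do check_root_index "${site%/}"; done
    find_dropped_files "$1"; find_encoded_php "$1"; recently_modified "$1" 7
fi
```

Read-only index files do not help while an injected file is still on disk, so run the report functions and restore from backup before calling lock_index_files.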

mvwd
Posts: 299
Joined: Tue Jun 17, 2008 10:35 pm
Location: Baden Württemberg / Germany

Re: CMSimple_XH 1.0 available for download

Post by mvwd » Wed Dec 16, 2009 12:24 pm

Hi all,

bca sent me the logfiles of the last days (from the moment of the last change until the hack was detected).
After studying the logfiles, researching further information on the net and keeping in mind the information the hacker left on the pages, we came to the result that the hack occurred on a second page on this shared-host server.
Nothing points to an attack on CMSimple!

Facts:
  • The logfiles look clean.
  • bca's ISP stated that "one of our hosting servers was hacked" without delivering more information
  • Non-CMSimple sites of bca were hacked as well
  • Other pages on this ISP were hacked
mvwd.
