My server was hacked
hi
I don't know whether it's just a coincidence, but within a couple of hours after upgrading one of my sites to XH 1.0 all four of my cmsimple sites on the same hoster were hacked.
Coincidence?
B
Re: CMSimple_XH 1.0 available for download
bca wrote: Coincidence?
...i hope so...
- Can you describe in more detail what happened?
- Which files have been hacked?
- Can you access the server-logfiles?
- Can you send the logs to us (me and/or Holger) via PM?
Re: CMSimple_XH 1.0 available for download
I was working on a new site and decided to upgrade to the final. That all went OK.
When I looked at the site about 2-3 hours later there was a page saying my site was hacked by Heart hunter, showing an image of a command box.
All my other sites were hacked as well.
It SEEMS to be all index.php pages. I uploaded backup pages, but although the page shows, above it is the hacker's message.
I have looked at the code but can't see what's going on. On the sites I have replaced the index page, but still get the message; it seems like there must be an SSI somewhere.
I'll get the logs and email shortly.
Last edited by bca on Wed Dec 16, 2009 1:59 pm, edited 1 time in total.
Re: CMSimple_XH 1.0 available for download
If I remember correctly, you have to look in cms.php, or in template.htm. The redirecting code will surely be somewhere at the very beginning.
Think about:
1. root/index.php has only one call
Code:
<?php include('./cmsimple/cms.php'); ?>
2. the control is thus given to cms.php. - try recopying this file. If this doesn't help, look in plugins/index.php and template.htm
Maybe you find something. I am sorry for you. I went through this all 3 times this summer.
And - if this helps and the website will run:
1. Make 100% backup on local drive
2. Change immediately all your passwords
3. chmod all index.php files to 444
4. as Holger suggested - ask your ISP to check/set allow_url_open and register_globals off.
EDIT:
Also I remember that on one of the attacks there were uploaded files with names like P123456A789.php containing encoded script redirecting to some external webpage with the notice that the site has been hacked.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.
Re: CMSimple_XH 1.0 available for download
Hi all,
I will take a further look into this issue; let's clarify this via PM.
A first look in the logfiles didn't confirm that it's a bug in CMSimple_XH, but I will inform the community if a reason is found...
mvwd.
Re: CMSimple_XH 1.0 available for download
Hi
Just an update.
I also found that both of my NON CMSimple sites were also affected.
My ISP is noncommittal at this stage!
Thanks Tata for your comments.
B
Re: CMSimple_XH 1.0 available for download
bca wrote: I also found that both of my NON CMSimple sites were also affected.
If you have other sites on your server, it is not so easy to find out if CMSimple is the reason for the possibility of attack. If the other sites are having mailforms etc. ...
A good prevention is to chmod all index files to 444 (no writing permission), like Tata wrote.
Re: CMSimple_XH 1.0 available for download
It is basically possible to try chmod all index.php, index.htm, index.html and also all *.php files to 444, except for those the system needs to write to. I tried it e.g. with the entire cmsimple directory except for log.txt (even config.php may be chmoded to 444 if one doesn't expect to change the basic configuration).
But WARNING - check also the config.php files - on one of the attacks these have been infected as well.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.
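The checks and hardening steps from Tata's two posts above (injected code at the start of cms.php or template.htm, uploaded files named like P123456A789.php, chmod 444 with exceptions), written out as a shell script. This is an added example, not part of the thread and not CMSimple code. It assumes shell access and a freshly unpacked copy of the same release to compare against; the function names, the file-name glob and the KEEP list are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: sh triage.sh LIVE_DIR CLEAN_DIR
# CLEAN_DIR is assumed to be a freshly unpacked copy of the same release.

# Report code/template files in LIVE that differ from CLEAN or are absent from it.
# A replaced index.php compares equal; an injected cms.php or template.htm does not.
changed_files() {
    live=$1; clean=$2
    ( cd "$live" && find . -type f \
        \( -name '*.php' -o -name '*.htm' -o -name '*.html' \) | LC_ALL=C sort ) |
    while IFS= read -r f; do
        if [ ! -f "$clean/$f" ]; then
            echo "EXTRA $f"          # uploaded file, or your own addition
        elif ! cmp -s "$live/$f" "$clean/$f"; then
            echo "MODIFIED $f"       # review by hand (config.php differs legitimately)
        fi
    done
}

# PHP files named like the dropped file in the thread (P123456A789.php).
# The glob is an assumption generalised from that single name.
dropped_files() {
    find "$1" -type f -name 'P[0-9]*A[0-9]*.php' | LC_ALL=C sort
}

# chmod 444 every *.php and index.htm/index.html under DIR, skipping basenames
# listed in KEEP (space-separated), i.e. files the CMS must still write to.
lock_files() {
    dir=$1; keep=${2:-}
    find "$dir" -type f \
        \( -name '*.php' -o -name 'index.htm' -o -name 'index.html' \) |
    while IFS= read -r f; do
        case " $keep " in *" $(basename "$f") "*) continue ;; esac
        chmod 444 "$f"
    done
}

# Stand-alone use: print the comparison report and any suspiciously named files.
if [ "$#" -eq 2 ]; then
    changed_files "$1" "$2"
    dropped_files "$1"
fi
```

Content files and config.php will show up as MODIFIED on a healthy site too, so the report is a list to review by hand, not a verdict.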
Re: CMSimple_XH 1.0 available for download
Hi all,
bca sent me the logfiles of the last days (from the moment of the last change until the hack was detected).
After studying the logfiles, researching further information on the net, and keeping in mind the information the hacker left on the pages, we came to the result that the hack occurred on a second page on this shared-host server.
Nothing points to an attack on CMSimple!
Facts:
- The logfiles look clean.
- bca's ISP stated that "one of our hosting servers was hacked" without delivering more information
- Non-CMSimple sites of bca were hacked as well
- Other pages on this ISP were hacked