CMSB install hacked

7 posts by 5 authors in: Forums > CMS Builder
Last Post: April 16, 2012

Re: [rjbathgate] CMSB install hacked

By (Deleted User) - March 16, 2012

Hi rjbathgate,

A couple of things come to mind:

1 - Check all your files for malicious code and note the locations of any files that have it (if it's not just the two mentioned)
2 - Make a note of the last modified date of each affected file (this may help isolate the injection event)
3 - Zip up and send the affected files to us (so we can explore the code and see what it was intended to do and help create a defense against it)
4 - Change all your FTP usernames/passwords, database usernames/passwords, etc. where possible (just in case)

We've never had a security issue with our software, but have heard of lots of hacked site reports. The culprit is often common open-source scripts. These are so popular that hackers spend the time to write automated scanners that check thousands of sites for known vulnerable scripts.

Once we've got a copy of the malicious code we can be more certain of what it is and what its intent was. Meanwhile, the changing of your usernames and passwords is always a good security measure (once you've replaced the affected files with known good copies!).

Hope this helps,

Tom

Re: [Tom P] CMSB install hacked

By rjbathgate - March 18, 2012 - edited: March 19, 2012

Hi Tom,

Thanks for the help and reply.

Have sent to support@interactivetools.com

Thanks :)
Rob

Re: [rjbathgate] CMSB install hacked

By Damon - March 19, 2012

Thanks Rob for emailing in the details and link.

I will forward that to Dave to look into.
Cheers,
Damon Edis - interactivetools.com

Re: [Damon] CMSB install hacked

By Toledoh - April 16, 2012

Hi Guys,

I've got a similar issue with one of my sites. Temporarily I've removed the injected code and re-loaded the files, but periodically the injected code returns and I just upload the "clean" versions again.

The site is hosted on a cheapest-they-can-find host; they also have 2 other CMSB (not affected) on the same host.

Any ideas on what I can tell them?
Cheers,

Tim (toledoh.com.au)

Re: [Toledoh] CMSB install hacked

By Dave - April 16, 2012

Hi Tim,

We've seen this a number of times and can also offer security auditing services through consulting.

The entry point is typically an outdated open-source script installed on the site (WordPress, email forms, galleries, etc). Even if the script isn't being used, or installed by default by the host, hackers use automated scanners to find known paths to old vulnerable software. Check for anything like that.

Another possibility is that the hackers have compromised another account on the shared hosting server and are attacking the client's site after gaining access through another shared hosting account. If this is the case, there's nothing you can do but switch hosting.

One of the ways we detect entry points when we do security audits is to check the web server logs to see who accessed the exploited files. Once we determine the IP of the attacker we can then check the logs to see what other files that user accessed, check modified timestamps on files, etc.

So, the short and simple answer is to go through all the folders on FTP and remove any software you don't need, upgrade any other software in use, then if it happens again switch hosts.

Also, I have a scanner in development which might help. If you email me direct I can tell you more about that.

Hope that helps!
Dave Edis - Senior Developer
interactivetools.com
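
The log check described in the post above, sketched as an added example (not interactivetools' scanner or code from this thread): find every client that requested an affected file, list everything else that client requested, and narrow that to requests near the file's last-modified time. It assumes the Apache/Nginx "combined" log format; the log lines, paths, IPs and timestamp are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: Apache/Nginx "combined" log format; adjust the regex for other formats.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse(lines):
    """Yield (ip, time, method, path, status) for each parseable log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # skip malformed lines instead of aborting the audit
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield (m["ip"], ts, m["method"],
                   m["path"].split("?", 1)[0], int(m["status"]))

def pivot(lines, affected_paths):
    """Map each client that requested an affected file to ALL of its requests."""
    by_ip, suspects = defaultdict(list), set()
    for ip, ts, method, path, status in parse(lines):
        by_ip[ip].append((ts, method, path, status))
        if path in affected_paths:
            suspects.add(ip)
    return {ip: sorted(by_ip[ip]) for ip in suspects}

def near_mtime(timeline, mtime, window=timedelta(minutes=10)):
    """Requests within `window` of a file's last-modified time."""
    return [r for r in timeline if abs(r[0] - mtime) <= window]

# Constructed sample: documentation IPs and hypothetical paths, not real data.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Mar/2012:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [15/Mar/2012:02:10:15 +0000] "GET /old-gallery/upload.php HTTP/1.1" 200 310 "-" "-"
192.0.2.44 - - [15/Mar/2012:02:10:19 +0000] "POST /old-gallery/upload.php HTTP/1.1" 200 42 "-" "-"
192.0.2.44 - - [15/Mar/2012:02:10:25 +0000] "GET /images/cache.php?x=1 HTTP/1.1" 200 17 "-" "-"
garbled line that does not parse
198.51.100.7 - - [15/Mar/2012:10:30:00 +0000] "GET /contact.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
""".splitlines()

AFFECTED = {"/images/cache.php"}  # hypothetical file found with injected code
MTIME = datetime.strptime("15/Mar/2012:02:10:19 +0000", "%d/%b/%Y:%H:%M:%S %z")

if __name__ == "__main__":
    for ip, timeline in pivot(SAMPLE_LOG, AFFECTED).items():
        for ts, method, path, status in near_mtime(timeline, MTIME):
            print(ip, ts.isoformat(), method, path, status)
```

On a real site, fill `AFFECTED` and `MTIME` from the files found with injected code and their last-modified dates, and feed in the host's access log lines.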

Re: [Dave] CMSB install hacked

By Toledoh - April 16, 2012

Thanks Dave!
Cheers,

Tim (toledoh.com.au)