CMSB install hacked

7 posts by 5 authors in: Forums > CMS Builder
Last Post: April 16, 2012   (RSS)

Hello,

One of my CMSB installs was recently compromised, with code injection into /data/settings.dat.php and a schema file.

The injection was base64 code, directly onto the files - so when I pulled them from FTP the code is physically on the file.

The top of settings.dat.php (and a schema file) looked like this:
<?php eval(base64_decode(
"ZXZhbChiYXNlNjRfZGVjb2RlK.... (and continued string like this for 30 odd lines)
")); ?>


The host gave us this:
I have reviewed some other data in the account, and it looks like the issue may be happening because of insecure file permissions on your folder at /public_html/cmsAdmin/data/ -- Please note that if a folder is writable by anyone other than the primary user for the account, our server will not allow php scripts to run from the folder. Your data folder is currently set at 777 permissions, meaning any user on the server can write changes to files within that folder.

In addition, there is a suspicious line of code at the beginning of the file at /public_html/cmsAdmin/data/settings.dat.php encoded in base64 -- I suspect that your account may have been compromised, and this code is hacked code that has been placed on your account, which isn't functioning as the hacker intended. I would highly recommend replacing the files in your account with a clean copy of your local backup.


What would allow this to happen? settings.dat.php and /schema/ is chmod 777, which is required by CMSB, but then would that not allow the above to occur?

I know little about this type of thing and what would allow it to happen so any advice so we can prevent it from happening again would be most appreciated.

Thanks all

Re: [rjbathgate] CMSB install hacked

By (Deleted User) - March 16, 2012

Hi rjbathgate,

A couple of things come to mind:

1 - Check all your files for malicious code and note the locations of any files that have it (if it's not just the two mentioned)
2 - Make a note of the last modified date of each affected file (this may help isolate the injection event)
3 - Zip up and send the affected files to us (so we can explore the code and see what it was intended to do and help create a defense against it)
4 - Change all your ftp usernames/passwords, database usernames/passwords etc where possible (just in case)

We've never had a security issue with our software, but have heard of lots of hacked site reports. The culprit is often common open-source scripts. These are so popular that hackers spend the time to write automated scanners that check thousands of sites for known vulnerable scripts.

Once we've got a copy of the malicious code we can be more certain of what it is and what it's intent was, meanwhile the changing of your usernames and passwords is always a good security measure (once you've replaced the affected files with known good copies!).

Hope this helps,

Tom

Re: [Tom P] CMSB install hacked

By rjbathgate - March 18, 2012 - edited: March 19, 2012

Hi Tom,

Thanks for the help and reply.

Have sent to support@interactivetools.com

Thanks :)
Rob

Re: [rjbathgate] CMSB install hacked

By Damon - March 19, 2012

Thanks Rob for emailing in the details and link.

I will forward that to Dave to look into.
Cheers,
Damon Edis - interactivetools.com

Hire me! Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/

Re: [Damon] CMSB install hacked

By Toledoh - April 16, 2012

Hi Guys,

I've got a similar issue with one of my sites. Temporarily I've removed the injected code and re-loaded the files, but periodically the injected code returns and I just upload the "clean" versions again.

The site is hosted on a cheapest-they-can-find host, they also have 2 other CMSB (not effected) on the same host.

Any ideas on what I can tell them?
Cheers,

Tim (toledoh.com.au)

Re: [Dave] CMSB install hacked

By Toledoh - April 16, 2012

Thanks Dave!
Cheers,

Tim (toledoh.com.au)