Vulnerability in some files on our CMS
2 posts by 2 authors in: Forums > CMS Builder
Last Post: April 17, 2012 (RSS)
We have our site hosted on a standard shared platform and have been sent a report indicating that we have some insecure files that need to be resolved or our hosting account will be suspended. The details are as follows:
This email is to notify you that your website files residing at xxxxx.com.au hosting account have been identified by our virus and trojan scanning system as running a known malicious exploit. Your service will be suspended if you do not take immediate action.
Your current service status: ACTIVE
Days to suspension: 7
Because the security of your web hosting account has been breached, your account is open to further malicious attacks, which may attempt to compromise other users on our shared hosting infrastructure or perform other illegal activities. Allowing the account to be used for malicious activities is in breach of the Terms and Conditions of your service.
The insecure files live in the following locations (I have marked the location as xxxxx for security reasons):
/clientdata/n5200-2-dynamic/a/a/xxxxx.com.au/www/artman2/publish/Members_dining/categorImage.shtml
/clientdata/n5200-2-dynamic/a/a/xxxxx.com.au/www/artman2/publish/Members_dining/include_categoryMenu.shtml
/clientdata/n5200-2-dynamic/a/a/xxxxx.com.au/www/artman2/uploads/unsavedUploadExpiryTimes.dat
/clientdata/n5200-2-dynamic/a/a/xxxxx.com.au/www/cgi-bin/artman2/templates/admin/popups/help/publishRulesPlaceholders.html
/clientdata/n5200-2-dynamic/a/a/xxxxx.com.au/www/cgi-bin/artman2_test/data
/clientdata/n5200-2-dynamic/a/a/xxxxx.com.au/www/cgi-bin/artman2_test/data/db_accounts.dat.cgi
/clientdata/n5200-2-dynamic/a/a/xxxxx.com.au/www/cgi-bin/artman2_test/data/settings.dat.cgi
/clientdata/n5200-2-dynamic/a/a/xxxxx.com.au/www/uploads
/clientdata/n5200-2-dynamic/a/a/xxxxx.com.au/www/uploads/incoming
Infected files
/clientdata/n5200-2-dynamic/a/a/xxxxx.com.au/www/artman2/uploads/createThisDir.php infected: Backdoor.PHP.WebShell.BD
We have to respond back soon to let them know we have fixed the vulnerability. Can you please assist or contact me directly to discuss a course of action?
Re: [markrudloff] Vulnerability in some files on our CMS
By Dave - April 17, 2012
Hi Mark,
It looks like you're using Article Manager 2. There are no known security vulnerabilities in Artman2; usually hackers gain access to a website through old open-source scripts that have security vulnerabilities (email forms, WordPress, gallery scripts, etc.). And once they are on your site, they often have the same access you would have when you FTP in, so they can add code anywhere.
Here's some steps to get you sorted:
1) Email your host and let them know you are looking into this and will have an update for them shortly. Also, can you ask them how they are detecting the hacked code and/or what program they are using?
2) We don't offer support for this situation because it's not caused by our software. However, I'm working on a new security scanner product so if you email me direct at dave@interactivetools.com with your FTP info I can use our beta version to detect issues and try to help. (Note: DO NOT post FTP info to the forum!).
3) Next, we need to either replace those infected files with originals (if you have a backup) or manually clean them.
4) You need to find the entry point. If you have any old scripts or script dirs you aren't using, try removing them. Or, even safer, just rename them to start with _old_. That will prevent hackers from finding them and make it easy to rename them back if you renamed the wrong thing.
5) If you have any 3rd party scripts that you need to use, make sure you're using the latest version and upgrade them if needed.
Hope that helps! Email me direct and we can work out the next steps.
Dave Edis - Senior Developer
interactivetools.com
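The triage in steps 3 to 5 above, as an added shell example; it is not part of the original thread and not code from interactivetools.com or Article Manager. It assumes shell access to the hosting account (or the ability to run a script there) with the usual POSIX tools, a web root path, and a known-good backup of the same tree. The webshell regex, the function names and the sample site it builds are all constructed for this demo; a regex hit marks a file for manual review, it is not proof of compromise by itself.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from interactivetools.com.
# Triage helpers for a compromised shared-hosting account, following the
# steps above: spot candidate webshells, compare the web root with a
# known-good backup, list recently modified files, and quarantine unused
# script directories by renaming them with an _old_ prefix.
# Assumes a POSIX shell with find, grep, mv, cp and mktemp. The sample
# site built by build_sample_site is constructed for this demo.

# ERE for common webshell primitives: eval over decoded payloads, or a
# command-execution function fed straight from request data. Heuristic:
# a hit is a file to review by hand, not proof of compromise on its own.
WEBSHELL_RE='eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)|(system|passthru|shell_exec|exec|popen)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)'

# $1 = web root. Prints paths of PHP/CGI files matching WEBSHELL_RE.
find_webshell_candidates() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.cgi' \) \
        -exec grep -lE "$WEBSHELL_RE" {} + 2>/dev/null || true
}

# $1 = web root, $2 = known-good backup of the same tree. Prints relative
# paths present in the web root but absent from the backup, i.e. dropped
# files (step 3: anything listed is restored from backup or removed).
files_missing_from_backup() {
    webroot="$1"; backup="$2"
    find "$webroot" -type f | while IFS= read -r f; do
        rel=${f#"$webroot"/}
        [ -e "$backup/$rel" ] || printf '%s\n' "$rel"
    done
}

# $1 = web root, $2 = days. Files changed in the last N days; attacker
# writes tend to cluster in time, which helps narrow down the entry point.
recently_modified() {
    find "$1" -type f -mtime "-$2"
}

# $1 = path of an unused script or directory. Renames it to _old_<name>
# in place (step 4) and prints the new path so it can be renamed back if
# it turns out to be needed. Fails if the path does not exist.
quarantine_path() {
    [ -e "$1" ] || return 1
    dir=$(dirname "$1"); base=$(basename "$1")
    mv "$1" "$dir/_old_$base" && printf '%s\n' "$dir/_old_$base"
}

# $1 = scratch directory. Builds $1/www (live tree with one planted
# webshell stand-in) and $1/backup (clean copy lacking the planted file).
# All content is constructed for the demo.
build_sample_site() {
    mkdir -p "$1/www/artman2/uploads" "$1/www/gallery_v1" "$1/backup/gallery_v1"
    printf '<?php echo "hello"; ?>\n' > "$1/www/index.php"
    printf '<?php echo "gallery"; ?>\n' > "$1/www/gallery_v1/gallery.php"
    # stand-in for the flagged file: eval over base64-decoded POST data
    printf '<?php eval(base64_decode($_POST["c"])); ?>\n' \
        > "$1/www/artman2/uploads/createThisDir.php"
    cp "$1/www/index.php" "$1/backup/index.php"
    cp "$1/www/gallery_v1/gallery.php" "$1/backup/gallery_v1/gallery.php"
}

# Against a real account: source this file, then e.g.
#   find_webshell_candidates /path/to/www
#   files_missing_from_backup /path/to/www /path/to/backup
#   recently_modified /path/to/www 14
#   quarantine_path /path/to/www/old_gallery_script
```

Renaming a directory to _old_ only takes it off its known URL; the files stay on the server and, on a typical Apache shared host, still execute if someone guesses the new name. Once you are sure a quarantined script is not needed, move it outside the web root or delete it. Also treat the host's list as a starting point, not the full extent: the scanner flagged one file, but the uploads directories it listed are writable by the web server and are the usual place for a second copy.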