Elxis CMS Forum
Support => Security => Topic started by: MadonaMady on June 26, 2012, 09:20:35
-
Hello
I am facing a serious problem this week and finally I thought about sharing it with you people.
I used Elxis CMS in some of my clients' websites,
and I am using a hosting plan from justhost.com that gives me an unlimited number of websites to host in the same account,
and these days I have a hacker fucking my life; the hacker's name is ( aWaNg_v2 ).
He can change all my index.php files in all my websites and the .htaccess file (I attached both files he changed in my websites).
Each day he does that and I go and restore both files.
Note that my Elxis websites pass the security test, meaning that Defender is enabled and the flood blocker too, and everything is going fine.
So how can he go and change my index.php and .htaccess files?
Can anyone help me and tell me what to do please? This is causing me to lose my clients :(
-
Hello MadonaMady,
Are your file and folder/directory permissions set properly? They should be 644 and 755 respectively, except for the cache and tmp folders.
-
First of all, change all your passwords; strong passwords are recommended.
Then check the Apache log files of the server.
Then check your computer for viruses.
Do you have the latest version of Elxis installed?
Finally, is this the only site with problems? Are any others of your sites hacked?
-
Hello MadonaMady,
Are your file and folder/directory permissions set properly? They should be 644 and 755 respectively, except for the cache and tmp folders.
Yes, all of them.
-
First of all, change all your passwords; strong passwords are recommended.
Then check the Apache log files of the server.
Then check your computer for viruses.
Do you have the latest version of Elxis installed?
Finally, is this the only site with problems? Are any others of your sites hacked?
I did change my passwords, but after I did that I was hacked again, not just one website but all the websites in my hosting account too.
My computer is clear of viruses,
and yes, I have the latest version of Elxis.
-
Are all your sites Elxis powered?
-
Are all your sites Elxis powered?
In that hosting account, yes,
and one static website without any PHP programming on it, just HTML files.
-
Check your server log files to see how they got access to your files.
-
Check your server log files to see how they got access to your files.
What should I search for in my log files?
-
It is not something specific you are looking for; there is a lot of work to be done in cases like this.
-
I am fairly sure that there are several CMSs on your server other than Elxis. Can you provide us a live URL of one simple Elxis site?
A scenario:
Because 90% of hacking cases involve 3-4 different files, change the permissions of those to 444 from 644. These files are:
index.php
index2.php
configuration.php
templates/my_template/index.php
My site is hacked. What can I do?
In case your Elxis site is hacked, don't try to connect to the administrator area! Don't even try to check it out in the front-end area. You can view the website only if you have deactivated JavaScript in your browser (Firefox -> Options -> Content -> enable JavaScript on/off). This is because in some cases it may get your passwords or something else. Connect through FTP software and edit the configuration.php file -> $mosConfig_offline = 1. This change will set your site as offline.
- Logs (error and access). Check these files on your server.
- Check which files have been modified. This presupposes shell access. For example:
cd /path/to/elxis/root/folder/
find . -type f -mtime -1
- Check the database.
Check if any user has been created. Table users.
-
As Elxis itself does not give direct access to the hacked files (like .htaccess, index.php, configuration.php) but only to the template's index.php, I believe that the problem is not with your CMS but with your server, especially the file server. Most probably the hacker has access to the whole server.
So first of all change *ALL* your passwords, as @ndreas suggested; not only Elxis', but also the passwords for FTP, control panel etc. (though I believe it will not work, do it anyway in case the hacker has only your account details).
Then check the log files as webgift instructed. First find out at about what time the last hack happened (by checking when the hacked files were modified) and then check all the server's logs to see what happened at that time.
-
The hacker could change my index.php file and my .htaccess file.
How could he do that :S
-
I did all of that and I added this code to my .htaccess file in every website:
<Files php.ini>
order allow,deny
deny from all
</Files>
to stop him from viewing the php.ini code,
and I changed the permissions as you told me,
and I reviewed my site files to see what happened, but I did that through FTP because I am not familiar with shell access commands, and I found a file that he added to one of the websites; it is in the attachments.
I deleted it and changed all the passwords again.
What should I do now?
-
and one static website without any php programing on it just html files
Was the static site also hacked?
-
and one static website without any php programing on it just html files
Was the static site also hacked?
No.
-
The hacker could change my index.php file and my .htaccess file.
How could he do that :S
I think your server has been "rooted". So I don't think there's much you can do except change hosting company.
-
Ivan is right, it is not an Elxis issue. You must search your server for a malicious script (most probably a shell script, or a Perl/CGI or even PHP one).
This script is executed regularly, so even if you restore the original files they will be modified again automatically.
You must locate and delete this script. Then restore the sites.
To prevent the modification of index or other files you can temporarily chown them to root (it won't help if the shell script also runs as root).
Here is a way to do it for a web site's index files automatically:
cd /to/website/root/folder/
find . -type f -name "index.php" -exec chown root:root {} \;
find . -type f -name "index.html" -exec chown root:root {} \;
Or chown everything to root:
cd /to/website/root/folder/
chown -R root:root *
A way to find the malicious script is to use the find command to search for files modified in the last X days. When did this attack first occur? Yesterday?
You can run:
cd /
find . -type f -mtime -1
(use -2 for the day before yesterday and so on)
If you get too many results you can also use the executable option to narrow them down:
find . -type f -executable -mtime -1
Look carefully at the results to locate the bad script. If you locate the script, then search for it on the internet.
Find all the occurrences it might have and delete them all. Do a search by name of the bad script(s). Find and restore all affected files.
Strengthen the security on your web server (mostly the PHP installation). Pay special attention to the web server access logs for the date the attack first occurred. There is maybe a bad, outdated, exploitable script somewhere on your server that the attacker used to upload his scripts. I have seen such attacks against osCommerce, for example. From your second attachment I see a mytickets script that is exploitable. I think it is the cause...
If I were in your position I would stop Apache from running till I cleaned up the web server:
/etc/init.d/apache2 stop
Also delete the affected .htaccess files.
Another important tip is to change the port your SSH runs on and disable direct login of user root. Create another SSH user account, log in with it and then use the su command to switch to the root account.
To answer your question on how it is possible for someone to change the .htaccess file: it is very easy to change a file from the moment you have uploaded a script on the server.
It is as simple as this:
$h = fopen('index.php', 'w');
fwrite ($h, 'write anything in the file...');
fclose($h);
A question: how does your PHP run? As mod_php, as FastCGI? Do you use suexec?
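The two triage steps recommended in this thread (find files modified in the last day, optionally limited to executables, and grep the web root for base64_decode) can be combined into one pass. The following Python script is an added example written for this page, not code from the thread or from the Elxis project; it builds a small constructed directory tree (a clean index.php, a readme, and an Elxis-style templates/ekebic/index.php carrying a placeholder eval() wrapper) and reports which files are recently modified, executable, or contain the obfuscation markers seen in the thread. The marker list and the sample tree are assumptions for illustration; a marker hit is a lead to inspect, not proof of compromise.

```python
import os
import re
import tempfile
import time

# Function names the injected snippet in this thread used; legitimate code also
# calls base64_decode, so a hit marks a file for manual inspection only.
MARKER_RE = re.compile(rb"(eval|gzinflate|str_rot13|base64_decode)\s*\(")
CODE_SUFFIXES = (".php", ".phtml", ".inc", ".htaccess")


def scan_webroot(root, days=1, now=None):
    """Walk `root` and return a sorted list of (relative_path, [reasons]) for
    every file that was modified within `days` days, is executable, or carries
    obfuscation markers. Mirrors `find . -type f -mtime -N`, `-executable`
    and `grep -r base64_decode` from the thread in a single pass."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            if os.stat(path).st_mtime >= cutoff:
                reasons.append("modified recently")
            if os.access(path, os.X_OK):
                reasons.append("executable")
            if name.endswith(CODE_SUFFIXES):
                with open(path, "rb") as fh:
                    hits = sorted({m.decode() for m in MARKER_RE.findall(fh.read())})
                if hits:
                    reasons.append("markers: " + ", ".join(hits))
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_tree(base, now):
    """Constructed sample web root: two old, clean files and one template
    index.php modified just now that contains a placeholder eval() wrapper."""
    old = now - 10 * 86400
    files = {
        "index.php": ("<?php echo 'clean front page'; ?>\n", old),
        "readme.txt": ("nothing to see here\n", old),
        "templates/ekebic/index.php": (
            "<? eval(gzinflate(str_rot13(base64_decode('PLACEHOLDER-NOT-A-REAL-PAYLOAD')))); ?>\n",
            now,
        ),
    }
    for rel, (content, mtime) in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))  # back-date the clean files
    return base


def demo():
    """Build the constructed tree in a temp dir and scan it; returns a dict
    path -> reasons so the result can be inspected or asserted on."""
    now = time.time()
    base = tempfile.mkdtemp(prefix="elxis-scan-")
    build_sample_tree(base, now)
    return dict(scan_webroot(base, days=1, now=now))


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(f"{path}: {'; '.join(reasons)}")
```

On a real server you would call scan_webroot("/path/to/website/root", days=N) with N set to the day the attack was first noticed, then read every flagged file by hand before deleting anything, as the thread advises.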
-
Thanks all for your help. I found the security vulnerability and fixed it, and I am going to share how I did that.
First I used shell access to search for ( base64_decode ):
grep -r base64_decode *
in my root folder for each website,
and I checked the results well.
I found that there is some strange code with base64_decode
at ( root/templates/ekebic/index.php ), which is an Elxis template, and it is not the default one, not even in use.
This is the code I found:
<? eval(gzinflate(str_rot13(base64_decode('FJzHjq1Ksn897/TUJBQERVO......etc......57FJQ8=')))); ?>
I went to decode it, and bingo, this is how the hacker can do everything that was done.
This is the decoding result (found in a txt file in the attachments).
I cleared that code and restored the original index.php of that template.
Can someone make it clearer for me what this code could do, because I am afraid I understand it wrong :S
And I started reading more about how hackers can hack websites,
but what is strange is that I need to know from the very start how he could put that code in my files.
Could he inject it into a site where I let users make posts and articles? Or through what can a hacker inject code into a website?
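The snippet found in the template, eval(gzinflate(str_rot13(base64_decode('...')))), is a chain of reversible transforms ending in eval: PHP base64-decodes the blob, applies ROT13, inflates the raw DEFLATE stream, and executes whatever comes out. The safe way to see what such a file does is to apply the inverse transforms yourself and never let eval run. The following Python script is an added example written for this page, not the poster's decoder and not Elxis code; unwrap() peels any number of nested layers built from these four PHP functions and returns the plain text, and obfuscate() builds a constructed sample in the same shape (with a harmless echo as the payload) so the decoder can be exercised offline. The regular expression and the supported function list are assumptions covering the shape shown in this thread.

```python
import base64
import re
import zlib

# PHP functions that appear in the thread's wrapper chain (plus gzuncompress,
# the zlib-wrapped sibling of gzinflate), each with its Python inverse.
FUNCS = ("gzinflate", "gzuncompress", "str_rot13", "base64_decode")
WRAPPER_RE = re.compile(
    r"eval\s*\(\s*((?:(?:" + "|".join(FUNCS) + r")\s*\(\s*)+)"
    r"['\"]([A-Za-z0-9+/=\s]*)['\"]\s*\)+\s*;?",
    re.DOTALL,
)
FUNC_RE = re.compile("|".join(FUNCS))


def _rot13(data: bytes) -> bytes:
    """PHP's str_rot13 over raw bytes: rotate ASCII letters only."""
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:
            out.append((b - 65 + 13) % 26 + 65)
        elif 97 <= b <= 122:
            out.append((b - 97 + 13) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


DECODERS = {
    "base64_decode": lambda d: base64.b64decode(re.sub(rb"\s+", b"", d)),
    "str_rot13": _rot13,
    "gzinflate": lambda d: zlib.decompress(d, -15),  # raw DEFLATE, no header
    "gzuncompress": zlib.decompress,                  # zlib-wrapped stream
}


def unwrap(source: str, max_layers: int = 10):
    """Strip eval(f1(f2(...('blob')))) layers by running the inverse transforms
    directly (no eval). Returns (plain_text, layers_removed); text without a
    recognised wrapper is returned unchanged with 0 layers."""
    current = source
    for layer in range(max_layers):
        m = WRAPPER_RE.search(current)
        if not m:
            return current, layer
        chain = FUNC_RE.findall(m.group(1))  # outermost function first
        data = m.group(2).encode("ascii")
        for fn in reversed(chain):           # undo innermost first
            data = DECODERS[fn](data)
        current = data.decode("utf-8", "replace")
    return current, max_layers


def obfuscate(plain: str) -> str:
    """Forward direction, used here only to build constructed test input in the
    same shape as the snippet quoted in the thread."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(plain.encode("utf-8")) + comp.flush()
    blob = base64.b64encode(_rot13(deflated)).decode("ascii")
    return f"<? eval(gzinflate(str_rot13(base64_decode('{blob}')))); ?>"


# Constructed sample: a harmless payload wrapped twice, as nested droppers often are.
SAMPLE_PLAIN = '<?php echo "harmless constructed sample"; ?>'
SAMPLE_FILE = obfuscate(obfuscate(SAMPLE_PLAIN))

if __name__ == "__main__":
    text, layers = unwrap(SAMPLE_FILE)
    print(f"removed {layers} layer(s):")
    print(text)
```

For a real file, read its contents into unwrap() and inspect the returned text; if the result is still unreadable, the chain uses a transform outside the four handled here and needs a further inverse added to DECODERS rather than a call to eval.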
-
This is the result of the attack, not the cause...
-
This is the result of the attack, not the cause...
Yes, I know that, but I don't know how he got into my server :S
-
If you don't know how to access your server, then it is certain that you don't know how to manage it, you haven't set it up at all and there is no security on the server. So, if you don't know how to manage a web server, why did you get a dedicated or virtual server? Find a good hosting company and buy normal hosting packages. You will only have to deal with your sites, as the server will be managed by people who know their job. You will be less anxious and your sites much more secure.
For all: I see many people buying dedicated/virtual servers while they know nothing about managing a server. A control panel such as Plesk or cPanel does not make you a server admin. Buy normal hosting packages; don't pretend to be the server admin. Unfortunately there are professionals who also don't know how to manage web servers and sell hosting packages. This is awful. On the other hand there are experienced Linux users who have small hosting companies with well-configured web servers and excellent support. These are the best hosting solutions you will find on the internet for small to medium scale web sites.
-
I totally agree !!!
-
If you don't know how to access your server, then it is certain that you don't know how to manage it, you haven't set it up at all and there is no security on the server. So, if you don't know how to manage a web server, why did you get a dedicated or virtual server? Find a good hosting company and buy normal hosting packages. You will only have to deal with your sites, as the server will be managed by people who know their job. You will be less anxious and your sites much more secure.
For all: I see many people buying dedicated/virtual servers while they know nothing about managing a server. A control panel such as Plesk or cPanel does not make you a server admin. Buy normal hosting packages; don't pretend to be the server admin. Unfortunately there are professionals who also don't know how to manage web servers and sell hosting packages. This is awful. On the other hand there are experienced Linux users who have small hosting companies with well-configured web servers and excellent support. These are the best hosting solutions you will find on the internet for small to medium scale web sites.
Dear, this is not a dedicated server or a virtual one; this is shared hosting from justhost.com :D
I don't know about managing servers, so I will not buy a dedicated server.
-
http://www.webhostingstuff.com/review/JustHost.html
I think before you buy something you should just search in Google, e.g. search for "problems justhost.com".
From one post:
"I signup with Just Host.com, since its started my all websites are Hacked, all index page replace with hackes page. Just Host says change Databse password etc...but my website static pages only, every 2month your website will he hack, Just Host Not S... read more ..."
-
If multiple sites were hacked then the whole server was hacked, and not only yours...