Textpattern Support Forum

As a fair warning to anyone browsing this thread, please avoid opening that link. The site was previously infected and was used for installing malware on visitors systems using exploits in web browsers. If you go to the address you may get infected or information stolen if the attacker still has access to the server.

wetlandguy wrote:

We got hacked. Okay, okay, we were using an old version of Texpattern that you guys probably patched a million years ago (we had version 4.0.3), but seeing as how I am not really a programmer, I decided to leave well enough alone because it worked fine… until yesterday.

Yes, v4.0.3 is suspect of various security vulnerabilities. Some of those are very serious and allow, for instance, executing any type of code on the system. You should have updated, really. Really. Updating isn’t even just for you, but your users too. If your site is compromised, so can be your visitors.

Just using an old version of Textpattern doesn’t mean someone got in through Textpattern, and you should investigate where the used whole is.

Tried to do an upgrade. Followed the detailed directions. Now the site is completely down, and I cannot seem to log-in to the site. This seems to be what is left of my site:

It’s not completely down. It’s running, and the admin login-screen is well accessible under /textpattern/textpattern. You do notice you have installed Textpattern to sub-directory instead of the root, right? As updating goes, the updater runs when you log in, and your templates may use old, deprecated code or plugins that need to be updated.

As cleaning up that mess goes, just doing normal updating using the updating instructions won’t really cut it. The issue won’t solve on itself. You got hacked, and you will need to do clean up before anything.

If it’s shared/managed hosting package, contact your host to make sure nothing was modified, or that the attack wasn’t server wide. It’s possible that the server as whole was breached, binaries were modified and your hosting provider isn’t aware of it. They can also see (if they are capable) if something was touched and can clean the potential mess you can’t (and shouldn’t) touch. They could also be able to tell pointers where the attacker got in. If it’s your own server or rented rack, then all that’s is up to you (as in your organization etc).

Next step is to nuke. And I do hope you have backups. Your site is/was infected and you need a state which isn’t touched.

• Wipe all data from your MySQL database and remove your Textpattern installation from the file system.
• Change all of your user passwords. Everything that is connected with server. MySQL passwords, FTP passwords, ssh, keys, unix users, textpattern passwords. Anything and everything.
• Make sure every software running on the server is up to date. Like for example Apache, PHP, MySQL and all web-admin scripts including (for example) phpMyAdmin, Cpanel, DirectAdmin etc. If it is shared hosting and something is running old unsupported version (i.e. PHP running v4.x or old 5.x) then ask if the host could update those. If they refuse, consider changing hosting provider as old unsupported software may not be safe.

To update the Textpattern installation:

• Import your old Textpattern MySQL database in to your live server from a backup you know is clean. Do not copy the old Textpattern installation files (contents of /textpattern) as those are effected by security issues.
• Download new Textpattern version (4.4.1) and place the files from the package to your server.
• Create a config.php file to /textpattern directory (you can use your back up, just Make sure the file is unmodified and clean). Change the credentials to match the new ones (as you just changed all passwords including the MySQL user).
• Then log in to your Textpattern installation like you normally would. When you log in Textpattern will automatically update the installation.
• Now go to your Textpattern’s users panel (Admin/Users), and update all passwords.
• Then make sure all plugins are up to date. Update all plugins that are using older version.

Last edited by Gocom (2012-07-02 12:11:08)