
Textpattern CMS support forum


#1 2013-09-27 14:37:47

GugUser
Member
From: Quito (Ecuador)
Registered: 2007-12-16
Posts: 1,473

Malicious software on the server

My provider informed me that malicious software was installed on the server. I made a clean installation and changed the passwords. Could the database be affected? Has anyone had similar experiences?

html/xy/grafiken/73b76.php
html/xy/plugins/glz_custom_fields/jquery.datePicker/e8079.php
html/xy/textpattern/theme/classic/1bf44.php
html/xy/textpattern/theme/4f927.php
html/xy/textpattern/theme/hive/img/svg/0f629.php
html/xy/textpattern/theme/hive/img/5b779.php
html/xy/textpattern/theme/hive/img/hidpi/b7c2d.php
html/xy/textpattern/theme/hive/css/custom/fa181.php
html/xy/textpattern/include/import/bd843.php


#2 2013-09-27 15:08:31

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,011

Re: Malicious software on the server

Hi,

I moved your post to dev support just in case they need to check for vulnerabilities.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.


#3 2013-09-28 14:42:53

GugUser
Member
From: Quito (Ecuador)
Registered: 2007-12-16
Posts: 1,473

Re: Malicious software on the server

No comments? It seems that all the installed script files are the same WSO (web-shell) 2.5.1.

I do not know how that came to the server. The password before was “X/$qayy?vgNm”, seemingly safe.

How can I find out if the database is still affected?

Last edited by GugUser (2013-09-28 14:45:32)


#4 2013-09-28 14:49:03

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,011

Re: Malicious software on the server

GugUser wrote:

How can I find out if the database is still affected?

Coming from a non-programmer: download your db as a gzip file and run it through anti-virus software.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.


#5 2013-09-28 16:21:35

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533

Re: Malicious software on the server

colak wrote:

Coming from a non-programmer: download your db as a gzip file and run it through anti-virus software.

That won’t do anything (avs don’t work like that).


#6 2013-09-28 18:56:07

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,011

Re: Malicious software on the server

Gocom wrote:

That won’t do anything (avs don’t work like that).

So what should GugUser do?


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.


#7 2013-10-02 01:44:32

GugUser
Member
From: Quito (Ecuador)
Registered: 2007-12-16
Posts: 1,473

Re: Malicious software on the server

Today I was warned by Google about a second site with malicious software:

/textpattern/theme/remora/international/update/paypal.com/Pool=0/identification.php
/textpattern/theme/remora/international/update/paypal.com/Pool=0/log.php
/textpattern/theme/remora/international/update/paypal.com/Pool=0/login.php

The hosting company is the same, but the sites are in different accounts from different owners. Both sites work with Textpattern 4.5.4.

The hosting company support says there are no FTP logs. They think it is a security problem in the CMS. But I seem to be the only one this happens to, and the same two times in a few days. Strange.

Is it theoretically possible to hack the admin part and install from there additional files on the server in the textpattern folder?

I notice little interest in this problem. Am I an isolated case?

Last edited by GugUser (2013-10-02 01:47:01)


#8 2013-10-02 05:41:14

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,011

Re: Malicious software on the server

Do you have any other software installed in the sites other than txp?


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.


#9 2013-10-02 07:14:43

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533

Re: Malicious software on the server

Clean up and change all your passwords associated with the server. If the hosting provider is uninterested and goes for the default answer without actually looking into it, you may want to convince them otherwise or look for greener lands.

GugUser wrote:

Is it theoretically possible to hack the admin part and install from there additional files on the server in the textpattern folder?

You can log in to it using your username and password, right? If so, yes. Anything you can get into, whether it be a CMS or your cPanel, theoretically anyone else can too, given enough time; passwords are time currency. The stronger the password, the more time it buys you.

colak wrote:

Do you have any other software installed in the sites other than txp?

Of course there is. It’s a managed hosting account with various admin-panel scripts, not to mention it’s a web server, running stuff like a web server, SSH, FTP etc. All of which need to be updated and maintained on a weekly basis.

Last edited by Gocom (2013-10-02 07:15:22)


#10 2013-10-02 12:29:11

GugUser
Member
From: Quito (Ecuador)
Registered: 2007-12-16
Posts: 1,473

Re: Malicious software on the server

colak wrote:

Do you have any other software installed in the sites other than txp?

I, for my part, for the website no, only Textpattern.

Gocom wrote:

Clean up and change all your passwords associated with the server.

I did this, of course. Textpattern and the plugins are all in the latest versions.

Gocom wrote:

You can log in to it using your username and password, right? If so, yes. Anything you can get into, whether it be a CMS or your cPanel, theoretically anyone else can too, given enough time; passwords are time currency. The stronger the password, the more time it buys you.

I meant the admin part of Textpattern. Is it possible to install from there any file in any directory on the server? This is what the support from the hoster says. I can’t believe it.


#11 2013-10-02 12:51:45

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533

Re: Malicious software on the server

GugUser wrote:

I meant the admin part of Textpattern. Is it possible to install from there any file in any directory on the server? This is what the support from the hoster says. I can’t believe it.

Once you are logged in, you can do pretty much anything from Textpattern’s control panel; after all you can run any PHP code from there.


#12 2013-10-04 20:19:02

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: Malicious software on the server

Assuming the files weren’t uploaded through FTP, I’d check the creation dates for the directories where the malicious files were stored. That should give an indication of when the hack occurred. Then look in the webserver logs for anything suspicious.

GugUser wrote:

How can I find out if the database is still affected?

If you know when the hack presumably occurred, take a backup of the database that’s slightly older and compare it to the current database. Then check if the modifications were due to your own actions or by someone else.

The fact that 2 TXP websites were hacked doesn’t necessarily indicate a problem with TXP, but it would be nice to exclude that possibility. Someone has to be patient zero.

If you can’t get FTP logs with your current hosting provider, go somewhere else. Consider switching to a VPS: no control panel, just SSH, and having full control over keeping things up to date and what is logged.

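A defender-side way to act on ruud’s advice about the webserver logs, as an added example that is not from the thread or from the Textpattern project: given the suspect file names and an access log in Apache combined format, it finds the first request to each file (an upper bound on when it was planted) and the same client’s preceding requests, which is what narrows down how it got there. The log lines are constructed for the example; the IPs, times and all requests other than the two file names from GugUser’s list are made up.

```python
import re
from datetime import datetime

# Constructed Apache "combined"-style access log (not from the thread). The two
# .php names are from GugUser's list; IPs, times and all other requests are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2013:03:10:02 +0000] "GET /xy/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2013:03:10:40 +0000] "POST /xy/textpattern/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2013:03:11:05 +0000] "POST /xy/textpattern/index.php?event=plugin HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2013:03:11:30 +0000] "GET /xy/textpattern/theme/4f927.php HTTP/1.1" 200 1209 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Sep/2013:11:02:13 +0000] "GET /xy/article/1 HTTP/1.1" 200 7110 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Sep/2013:14:30:00 +0000] "POST /xy/textpattern/theme/4f927.php HTTP/1.1" 200 3302 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Sep/2013:14:31:10 +0000] "GET /xy/grafiken/73b76.php HTTP/1.1" 200 1209 "-" "Mozilla/5.0"
"""

SUSPECT_PATHS = ["/xy/grafiken/73b76.php", "/xy/textpattern/theme/4f927.php"]

# groups: client IP, timestamp, method, request target, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Parse one combined-format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "when": when, "method": method, "target": target,
            "path": target.split("?", 1)[0], "status": int(status)}

def triage(log_text, suspect_paths, lookback=3):
    """For each suspect file: its first request (an upper bound on when it was
    planted) and the same client's last `lookback` requests before that."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    report = {}
    for path in suspect_paths:
        hits = [i for i, e in enumerate(entries) if e["path"] == path]
        if not hits:
            report[path] = None  # never requested in this log slice
            continue
        first = entries[hits[0]]
        prior = [e for e in entries[:hits[0]] if e["ip"] == first["ip"]][-lookback:]
        report[path] = {"first_seen": first["when"].isoformat(),
                        "client": first["ip"],
                        "prior_requests": [f'{e["method"]} {e["target"]}' for e in prior]}
    return report
```

Cross-check the `first_seen` value against the file and directory mtimes ruud mentions; a request earlier than the mtime means the log slice starts too late or the file was rewritten afterwards.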
