
Textpattern CMS support forum


#1 2015-01-05 22:07:00

b.rose
New Member
Registered: 2014-12-21
Posts: 4

Website Hacked.

Hi there!

I updated to the latest version v4.5.7 about 10 days ago. Yesterday our website was hacked. Our hosting service managed to restore it about 12 hours after we noticed the hack. Our host couldn’t find a virus and said “your website software might be vulnerable and this is why it was hacked. It is vitally important you make software upgrade as soon as you can”. Does this mean there is a security flaw with the latest version of Textpattern? How can I avoid this happening again?

Thanks in advance for your help! :)

Offline

#2 2015-01-05 22:31:21

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,269
Website GitHub

Re: Website Hacked.

Hi and sorry to hear this. We’re not aware of any serious security flaws in the latest stable version (4.5.7 at the time of writing) but I’m smart enough to never say never!

In this case, it may just be bad luck. Avenues of attack include:

  • Someone correctly guessing a password for one of your accounts.
  • A vulnerability in a plugin.
  • They got in through someone else’s software, either because of a poor password in that system or a security vulnerability in some other software on your shared host.

First things first, change the passwords for all Textpattern user accounts, your MySQL users and your cpanel / plesk / FTP account. And make sure you use a very good password. Oh, and don’t tick the box to mail your Textpattern password to you: that’s something we really need to address one day in the software and do password change / reset authentication better.

Note that when you change your MySQL password, you’ll also need to update your config.php file to reflect the change on any sites hosted there.

As for avoiding this happening in future, well, minimising your attack surface is the best approach:

  • Delete or disable all unused accounts (on the server and in Textpattern).
  • Keep the number of Textpattern Publisher accounts to a minimum (preferably 1).
  • Only grant enough permissions to users to perform the jobs they require: no more. In Txp, this means setting user account types appropriately for content authors.
  • Use strong passwords, as mentioned above.
  • Ensure you are using the latest versions of plugins.
  • Delete or disable all plugins you are not using. For those that you might use occasionally (e.g. I sometimes use rss_admin_db_manager for making quick SQL backups), keep it disabled most of the time and temporarily enable it when you need to use it.

Hope that helps.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#3 2015-01-06 07:05:13

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: Website Hacked.

b.rose wrote #287096:

Yesterday our website was hacked. Our hosting service managed to restore it about 12 hours after we noticed the hack.

Before restoring the website, did they make a snapshot of the hacked website (including log files), so we can investigate what happened?

Offline

#4 2015-01-06 23:30:00

b.rose
New Member
Registered: 2014-12-21
Posts: 4

Re: Website Hacked.

Bloke wrote #287097:

Thanks for this. I have updated and/or disabled plug-ins. Deleted user accounts that were no longer used and reset the passwords for the remaining. Also set a much stronger password for the MySQL db.
I use CyberDuck for FTP but can’t seem to get sFTP to work. Have tried FileZilla as well with no luck. Is sFTP necessary?

ruud: Our host didn’t mention a snapshot but I’ll email them and ask.

Thanks again!

Offline

#5 2015-01-07 10:22:10

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: Website Hacked.

If you use FTP then your username and password are transmitted in plain text. If someone is listening between your computer and your webhost, then they’ll know your login codes.

Offline

#6 2015-01-07 11:39:49

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,011
Website GitHub Mastodon Twitter

Re: Website Hacked.

The reason your SFTP does not work is because it might need a port to be specified in the connection (it is usually 22).

Last edited by colak (2015-01-07 17:02:44)


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#7 2015-01-07 16:12:36

MattD
Plugin Author
From: Monterey, California
Registered: 2008-03-21
Posts: 1,254
Website

Re: Website Hacked.

Not all hosts provide SSH access which would be needed for SFTP.


My Plugins

Piwik Dashboard, Google Analytics Dashboard, Minibar, Article Image Colorpicker, Admin Datepicker, Admin Google Map, Admin Colorpicker

Offline

#8 2015-01-07 20:45:31

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: Website Hacked.

You don’t necessarily need SSH (shell access) to be able to offer SFTP.
Personally, I’d skip hosts that don’t offer SSH.

Offline

#9 2015-01-08 02:45:32

GugUser
Member
From: Quito (Ecuador)
Registered: 2007-12-16
Posts: 1,473

Re: Website Hacked.

colak wrote #287133:

The reason your SFTP does not work is because it might need a port to be specified in the connection (it is usually 22).

I have seen many different ports for SFTP, 22 (typically) or for example 5544 or 36521 etc. I don’t know if this is determined by the hosting company.

Offline

#10 2015-01-11 23:12:20

scottishverdict
New Member
Registered: 2015-01-11
Posts: 1

Re: Website Hacked.

I was also hacked in the last week or so. Discovered it a few days ago. I suspect it was via the server Dreamhost because all my Textpattern sites and my one WordPress site were hacked by the same person. I also think it might be connected to using Dreamhost’s autoinstaller for both of these CMSs. Thoughts?

Also, how is it possible to salvage text? I plan to do a clean install with a different user profile but I would like to recover the text from the old site. Is this possible through the database or otherwise? Through the FTP view, I’m not sure where to look. (Photos are still there so I assume the text is too, just don’t know where.)

Thanks!

Offline

#11 2015-01-12 10:44:38

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: Website Hacked.

The text (articles, templates and such) is stored in the database. There should be a way to back up the database. Be careful that you don’t copy infected stuff that may be in the database.

Offline
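Added example (not part of the post above and not Textpattern code): one way to review exported database content before copying it into a clean install, flagging rows that contain markup commonly left behind after a compromise. The table and column names, the rule list and the sample rows are assumptions constructed for illustration.

```python
import re

# Review heuristics: a hit means "read this row before importing it",
# not proof of compromise. <txp:php> can be legitimate in your own templates.
RULES = [
    ("embedded PHP tag", re.compile(r"<txp:php\b", re.I)),
    ("PHP obfuscation call",
     re.compile(r"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("external script",
     re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//", re.I)),
    ("iframe", re.compile(r"<iframe\b", re.I)),
    ("hidden block containing a link",
     re.compile(r"style\s*=\s*[\"'][^\"']*display\s*:\s*none[^\"']*[\"'][^>]*>"
                r".{0,200}?<a\s", re.I | re.S)),
]

def scan_rows(rows):
    """rows: iterable of (table, row_id, column, text) exported from the old
    database. Returns a list of (table, row_id, column, rule_label)."""
    findings = []
    for table, row_id, column, text in rows:
        for label, pattern in RULES:
            if pattern.search(text or ""):
                findings.append((table, row_id, column, label))
    return findings

# Constructed sample rows. Table and column names are assumed to match a
# Textpattern 4.5 schema; adjust them to what your export actually contains.
SAMPLE_ROWS = [
    ("textpattern", 1, "Body_html", "<p>Welcome to our site.</p>"),
    ("textpattern", 7, "Body_html",
     '<p>News</p><div style="display:none"><a href="http://example.invalid/">x</a></div>'),
    ("txp_page", "default", "user_html",
     '<txp:php>eval(base64_decode("PLACEHOLDER"));</txp:php>'),
    ("txp_form", "footer", "Form",
     '<script src="//cdn.example.invalid/a.js"></script>'),
    ("txp_form", "search", "Form", "<txp:search_input />"),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print("REVIEW: %s id=%s column=%s (%s)" % finding)
```

Rows with no findings still deserve a skim; the rules only catch the patterns listed.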
