Textpattern CMS support forum


#13 2016-08-16 16:07:42

rossharvey
Member
From: Earth. Sometimes.
Registered: 2005-03-16
Posts: 233

Re: I think my TXP install is hacked!

Very kind of you to say so :¬)

I’ll install smd_prognostics, looks like a great plugin!

Sure, here is my plugin list from diagnostics:

Active plugins: ob1_title-4.1, adi_gps-0.2, zem_contact_reborn-4.0.3.20m, zem_contact_lang-4.0.3.6m, ob1_pagination-2.5, smd_horizon-0.1, etc_query-1.2.6, etc_pagination-0.3.5, upm_savenew-0.4.2, gho_comment_tools-2009.1b, rah_sitemap-1.2, tru_tags-3.6m, hak_tinymce-1.0.2.3, arc_youtube-1.0.1, smd_featured-0.41, soo_plugin_pref-0.2.2, smd_lib-0.36, smd_image_selector-0.10, abl_droploader-0.20

Let me know if there is anything else you’d find interesting.


#14 2016-08-16 17:20:11

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,007

Re: I think my TXP install is hacked!

Hi Ross,

There is another thing I think you should do: get in touch with your hosting provider and ask them if there was a problem in the cluster where your site resides.

The hack might have been on another site from where the hacker gained access to yours.

Your server must have some records of the activity on the server which might pinpoint the problem.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.


#15 2016-08-16 17:28:20

rossharvey
Member
From: Earth. Sometimes.
Registered: 2005-03-16
Posts: 233

Re: I think my TXP install is hacked!

colak wrote #300674:

Hi Ross,

There is another thing I think you should do: get in touch with your hosting provider and ask them if there was a problem in the cluster where your site resides.

The hack might have been on another site from where the hacker gained access to yours.

Your server must have some records of the activity on the server which might pinpoint the problem.

Will do! Thanks.


#16 2016-08-16 18:51:26

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250

Re: I think my TXP install is hacked!

rossharvey wrote #300671:

there is nothing out of place in any .htaccess.

Hmmm, well that’s me fresh out of ideas then. Maybe someone else’ll be able to shed some light on how that file is being served without actually existing in the filesystem nor, presumably, being symlinked from anywhere. Happy to take a look if you’re comfortable throwing some credentials at me, but I doubt I’ll turn anything up you haven’t already as the .htaccess thing was my best hope.

Thanks for the plugin list. I’ll have a squiz through them. Looks like you don’t need smd_lib any more, btw. At least, none of the other plugins of mine in your list require it.

The thing colak mentioned about contacting your host is why it’d be handy to know the datestamp of any of the hacked files we just deleted / replaced, as it potentially narrows their search window (as long as the file stamps weren’t faked). But if there’s no traces left, they’ll have to work for their money.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp


#17 2016-08-17 09:11:15

rossharvey
Member
From: Earth. Sometimes.
Registered: 2005-03-16
Posts: 233

Re: I think my TXP install is hacked!

Bloke wrote #300678:

Hmmm, well that’s me fresh out of ideas then. Maybe someone else’ll be able to shed some light on how that file is being served without actually existing in the filesystem nor, presumably, being symlinked from anywhere. Happy to take a look if you’re comfortable throwing some credentials at me, but I doubt I’ll turn anything up you haven’t already as the .htaccess thing was my best hope.

Thanks for the plugin list. I’ll have a squiz through them. Looks like you don’t need smd_lib any more, btw. At least, none of the other plugins of mine in your list require it.

The thing colak mentioned about contacting your host is why it’d be handy to know the datestamp of any of the hacked files we just deleted / replaced, as it potentially narrows their search window (as long as the file stamps weren’t faked). But if there’s no traces left, they’ll have to work for their money.

I’d really appreciate even a few mins of your time having a root around! Is your email the same? :¬)


#18 2016-08-17 09:26:56

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250

Re: I think my TXP install is hacked!

rossharvey wrote #300682:

I’d really appreciate even a few mins of your time having a root around! Is your email the same?

Yep. Drop me a line directly, or via the forum, or my website. Will see what I can dig up.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp


#19 2016-08-17 10:59:17

rossharvey
Member
From: Earth. Sometimes.
Registered: 2005-03-16
Posts: 233

Re: I think my TXP install is hacked!

Bloke wrote #300683:

Yep. Drop me a line directly, or via the forum, or my website. Will see what I can dig up.

Done! Thanks :¬)


#20 2016-08-17 11:28:36

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,134

Re: I think my TXP install is hacked!

rossharvey wrote #300671:

There’s also an old online image gallery (buy photography prints) on that server but it’s not been used for a long time. I’ve checked that folder, galleries it’s called, and couldn’t find anything that looked out of place.

If it’s old, it might be out of date, and it may have been compromised. Don’t rule out noisy neighbours if you’re on shared hosting – may be something else compromised on the same host.

Edit: actually, ignore that bit about being out of date, it appears to be 3rd party-hosted on zenfolio.

Last edited by gaekwad (2016-08-17 11:36:33)


#21 2016-08-17 11:42:58

rossharvey
Member
From: Earth. Sometimes.
Registered: 2005-03-16
Posts: 233

Re: I think my TXP install is hacked!

gaekwad wrote #300685:

If it’s old, it might be out of date, and it may have been compromised. Don’t rule out noisy neighbours if you’re on shared hosting – may be something else compromised on the same host.

Edit: actually, ignore that bit about being out of date, it appears to be 3rd party-hosted on zenfolio.

Actually it is old and out of date, it’s called Photo Cart, and I’ve not used it for about 3 years. I set up a redirect on the URL. It has some old orders and data I need (that you can’t export fully!) hence I’ve left it lingering. I’ve wanted to delete it a few times.


#22 2016-08-18 06:30:14

bici
Member
From: vancouver
Registered: 2004-02-24
Posts: 2,072

Re: I think my TXP install is hacked!

Just a wild stab, but are there any .gif files in your directory or in root? I had some weird hack on one of my textdrive/joyent accounts a few years ago and I tracked it down to some custom php code and the uploading of a corrupt gif file. This may not be your case, but thought I would mention it. See this also.


…. texted postive


#23 2016-08-18 08:04:13

rossharvey
Member
From: Earth. Sometimes.
Registered: 2005-03-16
Posts: 233

Re: I think my TXP install is hacked!

Pete and Stef have looked into it and cleaned the server! Legends.

Oddly, the troublesome png file/inject was only accessible via ‘go to folder’ via FTP. Pete found that out! Even with hidden items visible the folder was not visible (to all three of us!). Which is why we were convinced it was an .htaccess file located elsewhere on the server.

Thanks Stef for cleaning all the other files. You guys helped me very quickly and efficiently without asking for anything, although I shall donate some fun money your way as a thanks :¬)


#24 2016-08-18 08:26:21

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,578

Re: I think my TXP install is hacked!

Good work guys!

rossharvey wrote #300696:

Oddly, the troublesome png file/inject was only accessible via ‘go to folder’ via FTP. Pete found that out! Even with hidden items visible the folder was not visible (to all three of us!). Which is why we were convinced it was an .htaccess file located elsewhere on the server.

It’s not happened to me (yet!) but I’ve trawled hacked WP sites for files that “weren’t there”. Any tips on how to find – and then delete – that kind of thing?

I guess here you knew what you were looking for. But if you’re not sure, and an ftp client won’t show it, could you copy the folder contents to a parallel folder (presumably then not including the “rogue file”), then delete the whole folder (and the “rogue file” with it), then rename the folder back to the previous name? Would something like that work?
Would it be discoverable via SSH if FTP doesn’t show anything?


TXP Builders – finely-crafted code, design and txp

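One way to do the SSH-side check jakob asks about, and the image-file check bici describes, as an added example that is not part of the thread and not Textpattern's or any plugin's code. It assumes a POSIX shell with `find`, `grep` and `mktemp` (GNU or BSD flavours) and that the path handed to `scan_webroot` is the directory you would normally browse over FTP; the sample tree it builds is constructed for the demo, so every name and file in it is invented.

```shell
#!/bin/sh
# Added example, not code from the thread or from Textpattern. Assumes a POSIX
# shell with find, grep and mktemp (GNU or BSD) and that the argument is the
# web root you would otherwise browse over FTP. find's stderr is silenced so
# an unreadable directory does not drown the report; drop 2>/dev/null to see it.

# Every regular file under the web root, dot-files included, so anything an
# FTP client's directory listing omits still shows up here.
list_all_files() {
    find "$1" -type f 2>/dev/null | sort
}

# Dot-files and dot-directories: most FTP clients hide these unless told not to.
find_dot_entries() {
    find "$1" -mindepth 1 -name '.*' 2>/dev/null | sort
}

# Directories the owner can enter (x) but not list (no r): reachable by exact
# path, as in the "go to folder" case in the thread, yet absent from listings.
find_unlistable_dirs() {
    find "$1" -type d -perm -u=x ! -perm -u=r 2>/dev/null | sort
}

# Image files that carry a PHP open tag: the corrupt-gif pattern bici mentions.
find_php_in_images() {
    find "$1" -type f \( -iname '*.png' -o -iname '*.gif' -o -iname '*.jpg' -o -iname '*.jpeg' \) \
        -exec grep -l '<?php' {} + 2>/dev/null | sort
}

# Files modified in the last N days; this is the datestamp window the host
# would be asked to check their records against.
find_recent_files() {
    find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# Constructed sample web root so the demo runs offline; names and contents are
# invented. It plants a benign PNG, a PNG with a PHP tag inside a dot-directory,
# and an empty directory that can be entered but not listed (mode 0311).
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/images" "$root/.cache/x" "$root/uploads/tmp"
    printf 'ok\n' > "$root/index.php"
    printf '\211PNG\r\n\032\n' > "$root/images/logo.png"
    printf '\211PNG\r\n\032\n<?php /* constructed marker */ ?>' > "$root/.cache/x/p.png"
    chmod 311 "$root/uploads/tmp"
    echo "$root"
}

# Print each check under its own heading.
scan_webroot() {
    echo "== all files";               list_all_files "$1"
    echo "== dot entries";             find_dot_entries "$1"
    echo "== unlistable directories";  find_unlistable_dirs "$1"
    echo "== images containing PHP";   find_php_in_images "$1"
    echo "== modified in last 7 days"; find_recent_files "$1" 7
}

# Stand-alone demo against the constructed tree, then clean up.
demo() {
    root=$(make_sample_webroot)
    scan_webroot "$root"
    chmod 755 "$root/uploads/tmp"
    rm -rf "$root"
}

demo
```

On a real host you would run `scan_webroot /path/to/webroot` instead of `demo`, compare the `all files` list with what the FTP client shows, and treat anything in the last three sections as a candidate for closer inspection rather than proof of compromise; the `-mtime` window only helps if the timestamps were not altered, as Bloke notes above.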
