Textpattern CMS support forum

#1 2011-09-04 23:36:59

jrubio
Member
From: New York, NY
Registered: 2009-12-21
Posts: 13
Website

my site has been hacked

I have a small site that was just hacked. I checked the settings file and it was set with no write permissions. I am using PHP 5, and MySQL 4.0 for the Textpattern database. They seem to have changed the index.php, since when I replaced it with a backup copy, it went back to normal. When I run diagnosis I get the following errors:

mysql_table_errors:
txp_log: Error: Incorrect file format ‘txp_log’,
txp_log: error: Corrupt

How can I prevent this from happening again and make sure my site is not vulnerable?

Any help greatly appreciated.

Juan

Offline

#2 2011-09-05 01:38:51

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: my site has been hacked

If it’s a shared/managed hosting package, contact your host to make sure nothing was modified, or that the attack wasn’t server-wide. It might be that it was and your hosting provider isn’t aware of it. They can also see (if they are capable) if something was touched and can clean up the potential mess you can’t (and shouldn’t) touch. They might also be able to give pointers as to where the attacker got in.

Then let’s start the clean up by nuking everything.

  • Wipe all data from your MySQL database and remove your Textpattern installation from the file system.
  • Change all of your user passwords. Everything that is connected with the server. MySQL passwords, FTP passwords, ssh, keys, unix users. Anything and everything.
  • Make sure all software running on the server is up to date, for example Apache, PHP, MySQL and all web-admin scripts such as phpMyAdmin, cPanel, DirectAdmin etc. If it is shared hosting and something is running an old unsupported version (i.e. PHP running v4.x or old 5.x) then ask if the host could update those. If they refuse, consider changing hosting provider.

Now, if you were running an older version of TXP (anything other than TXP v4.4.1), you will need to update it. TXP versions older than 4.4.0 are affected by major security issues. If you were running an old TXP version, that itself doesn’t necessarily mean they got in by that route; the hole used might be elsewhere, and could still be there (thus contacting the host would be a good thing).

To update the Textpattern installation:

  • Import your old Textpattern MySQL database into your live server from a backup you know is clean. Do not copy the old Textpattern installation files (contents of /textpattern) as those are affected by security issues.
  • Download the new Textpattern version (4.4.1) and place the files from the package on your server.
  • Create a config.php file in the /textpattern directory (you can use your backup, just make sure the file is unmodified and clean). Change the credentials to match the new ones (as you just changed all passwords including the MySQL user).
  • Then log in to your Textpattern installation like you normally would. When you log in, Textpattern will automatically update the installation.
  • Now go to your Textpattern’s users panel (Admin/Users), and update all passwords.
  • Then make sure all plugins are up to date. Update all plugins that are using an older version.

Now, when updating is done, could you post your high diagnostics (TXP/Admin/Diagnostics > Select High from the options)? Just making sure that nothing apparent is outdated, and that you are not running any plugins that could contain security issues.

Offline
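
The following Python script is an added example, not code from this thread or from Textpattern: it compares a live install against a freshly unpacked clean release package by SHA-256, which is one way to see which files (such as the index.php mentioned above) were touched or planted. The directory layout, file contents and the `expected_local` list are constructed assumptions; config.php is excluded from the "unexpected" list because it is site-specific and has to be reviewed by hand.

```python
import hashlib
import os
import tempfile


def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            hashes[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return hashes


def compare_trees(reference, live, expected_local=("textpattern/config.php",)):
    """Compare a live install with a clean release; 'unexpected' files are
    ones the package never shipped (uploads, or scripts someone planted)."""
    ref, cur = tree_hashes(reference), tree_hashes(live)
    return {
        "modified": sorted(p for p in ref if p in cur and ref[p] != cur[p]),
        "missing": sorted(p for p in ref if p not in cur),
        "unexpected": sorted(p for p in cur if p not in ref and p not in expected_local),
    }


def demo():
    """Constructed sample: a two-file 'release' and a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {"index.php": b"<?php // front controller\n",
                 "textpattern/index.php": b"<?php // admin side\n"}
        for tree in ("reference", "live"):
            for rel, body in files.items():
                path = os.path.join(tmp, tree, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(body)
        live = os.path.join(tmp, "live")
        with open(os.path.join(live, "index.php"), "ab") as fh:
            fh.write(b"// appended by someone else\n")  # simulated tampering
        for extra in ("textpattern/config.php", "files/x.php"):
            os.makedirs(os.path.dirname(os.path.join(live, extra)), exist_ok=True)
            open(os.path.join(live, extra), "wb").close()
        return compare_trees(os.path.join(tmp, "reference"), live)


if __name__ == "__main__":
    print(demo())
```

On a real site, point `compare_trees` at the unpacked release and at a downloaded copy of the live files; anything under "modified" or "unexpected" is worth opening before it is trusted or restored.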