Textpattern CMS support forum
Server Admin Advice / Security
Hello TXP Community
Turning to you guys for advice as I know you will be able to help.
I have been using TXP for over 10 years now and I am pretty sure I wouldn’t have a website design business without it, especially if I was using WordPress…
Recently, as an agency, we took on a few WordPress sites on our server, which about a month ago got compromised and affected our whole server, injecting malware into TXP files and causing the sites to redirect to all sorts of interesting websites.
We have now moved all the WordPress, Drupal and opencast sites to their own server and kept all the TXP sites separate. However, it seems like we haven’t completely got rid of the virus, as the index.php keeps getting edited.
My questions are:
A: Does anyone know of any good server admin companies that will help deal with hacks and help clean the server completely?
B: How can I improve the security of TXP further? Has anyone known of these issues before?
Sorry, this is all new to me, as I have never had this trouble before, and it has cost me so dearly in time over the last few months.
Thank you
Re: Server Admin Advice / Security
Perhaps smd_prognostics can help you detect modifications to TXP files. I’m not sure what the state of play is with the most recent versions of Textpattern but it can notify you when Textpattern files have been modified.
Otherwise you should check all the usual candidates like:
- resetting FTP passwords and SSH connections
- resetting DB passwords
- tightening too-lax file/folder permissions
- checking for any hidden folders or files
- checking all non-Txp files, and files like config.php that may not be covered by smd_prognostics, or files that are smuggled into sub-directories somewhere.
If I look at the server logs there are a ton of attempts to reach WordPress login pages and plugins, so I think it’s pretty commonplace.
Greetings to your lovely corner of the world. I spent several summers in my childhood in Cawsand/Kingsand and many a sunny afternoon on Whitsand Bay.
TXP Builders – finely-crafted code, design and txp
Re: Server Admin Advice / Security
Sorry to hear about the state of your server. It’s not a nice situation to be in.
One thing to watch is PHP files hidden in your /images directory. I’ve seen that before. The file even had a .jpg extension but could be run as the PHP script it was by using another script as a launchpad.
So once you’ve taken a backup and cleaned up your Textpattern installation (replace everything with a clean copy if you can) and removed all files/directories that are not part of the base installation, just comb your /files and /images directories for files that look suspicious – e.g. odd datestamps or filenames. Check each image is one that you’ve uploaded.
Finally, change all your passwords on the server.
One addendum to what jakob says about smd_prognostics: it’s only of use once you know you have a clean site – a “known good” baseline. So when your hosting area is cleaned up, by all means let the plugin take a snapshot of this state and then it’ll dutifully tell you if anything changes.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
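An added example, not code from this thread or from Textpattern, of the check Bloke describes above: walk an upload directory such as /images or /files and flag files whose first bytes do not match their image extension, plus any file that contains PHP open tags or eval()/base64_decode() calls regardless of extension (a valid GIF header followed by a PHP payload is caught by the second test). The directory path and the sample files in the usage are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from Textpattern: flag files under an
# upload directory that carry an image extension but do not start with that
# format's magic bytes, or that contain PHP tags / eval() / base64_decode()
# anywhere in their body. Assumes POSIX sh plus od, grep, sed and find.

# First four bytes of a file as uppercase hex, e.g. FFD8FFE0 for JPEG.
magic_hex() {
    od -An -N4 -tx1 "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Return 0 when the extension's expected magic matches the file's first bytes.
# Unknown extensions pass this check; the content grep still applies to them.
magic_matches_ext() {
    ext=$(printf '%s' "$1" | sed 's/.*\.//' | tr 'A-Z' 'a-z')
    hex=$(magic_hex "$1")
    case "$ext" in
        jpg|jpeg) case "$hex" in FFD8FF*) return 0 ;; esac ;;
        png)      case "$hex" in 89504E47) return 0 ;; esac ;;
        gif)      case "$hex" in 47494638) return 0 ;; esac ;;
        ico)      case "$hex" in 00000100) return 0 ;; esac ;;
        *)        return 0 ;;
    esac
    return 1
}

# Walk DIR and print one line per suspicious file: REASON<TAB>PATH
scan_uploads() {
    find "$1" -type f | while IFS= read -r f; do
        # -a treats binaries as text so a tag hidden after a valid header is found
        if grep -q -a -E '<\?php|<\?=|eval\(|base64_decode\(' "$f"; then
            printf 'php-content\t%s\n' "$f"
        elif ! magic_matches_ext "$f"; then
            printf 'magic-mismatch\t%s\n' "$f"
        fi
    done
}

# Number of suspicious files; handy as a cron check (non-zero means go and look).
scan_uploads_count() {
    scan_uploads "$1" | wc -l | tr -d ' '
}

# Usage (path assumed): scan_uploads /var/www/site/images
```

Run it after the clean-up, not before: on a compromised tree the list is the clean-up to-do list, afterwards it should be empty. Extend the magic table if you store other formats under /files.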
#4 2018-05-12 15:41:39, ax (Plugin Author, from Germany, registered 2009-08-19, 165 posts)
Re: Server Admin Advice / Security
One thing that you could check is the file permissions. It happened to me once that another user on the same shared server could overwrite my files because of global write ‘777’ directories. You can check if this is the case by using this shell command:
find . -perm 777 -type d | grep -v "/logs/" | head -50
If there are any ‘777’ directories, they will be listed. If not, then no output.
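Following on from ax’s find command, an added example (not from the thread) that widens the check to anything world-writable rather than exactly 777, flags group-writable PHP separately, and resets the usual 755/644 baseline so you can re-run the audit and expect no output. The web root path is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: audit a web root for permissions that let
# other users on a shared host (or the web server itself) write into it, then
# reset the conventional baseline. Flags any world-writable entry, not only
# exact 777, and separately flags PHP files writable by group.
# Assumes POSIX sh and find; chmod is only run by fix_perms.

# Print FINDING<TAB>PATH for each entry that needs attention
audit_perms() {
    root="$1"
    # -perm -o+w matches every mode with the world-write bit set (777, 767, 666...)
    find "$root" -type d -perm -o+w | while IFS= read -r p; do
        printf 'world-writable-dir\t%s\n' "$p"
    done
    find "$root" -type f -perm -o+w | while IFS= read -r p; do
        printf 'world-writable-file\t%s\n' "$p"
    done
    # PHP the group can edit is a softer version of the same exposure
    find "$root" -type f -name '*.php' ! -perm -o+w -perm -g+w | while IFS= read -r p; do
        printf 'group-writable-php\t%s\n' "$p"
    done
}

audit_perms_count() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Directories 755, files 644: owner writes, everyone else (web server included)
# only reads. textpattern/config.php can go to 640 or 600 when the web server
# runs as the owner or its group. Re-run audit_perms afterwards to confirm.
fix_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Usage (path assumed): audit_perms /var/www/site; fix_perms /var/www/site
```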
Re: Server Admin Advice / Security
Bloke wrote #311717:
Sorry to hear about the state of your server. It’s not a nice situation to be in.
One thing to watch is PHP files hidden in your /images directory. I’ve seen that before. The file even had a .jpg extension but could be run as the PHP script it was by using another script as a launchpad. So once you’ve taken a backup and cleaned up your Textpattern installation (replace everything with a clean copy if you can) and removed all files/directories that are not part of the base installation, just comb your /files and /images directories for files that look suspicious – e.g. odd datestamps or filenames. Check each image is one that you’ve uploaded. Finally, change all your passwords on the server.
One addendum to what jakob says about smd_prognostics: it’s only of use once you know you have a clean site – a “known good” baseline. So when your hosting area is cleaned up, by all means let the plugin take a snapshot of this state and then it’ll dutifully tell you if anything changes.
Thank you all so much for your advice. It’s been like constantly putting out a fire for the last few weeks, however I feel I have a good hold on it now. Your advice about the files being disguised really helped, Stef… my server was injected with “.ico” files; the following command got rid of them:
find . -type f -name "*.ico"
ax wrote #311718:
One thing that you could check is the file permissions. It happened to me once that another user on the same shared server could overwrite my files because of global write ‘777’ directories. You can check if this is the case by using this shell command:
find . -perm 777 -type d | grep -v "/logs/" | head -50...
If there are any ‘777’ directories, they will be listed. If not, then no output.
Thank you for this advice too, I think that’s helped tighten the server further.
jakob wrote #311714:
Perhaps smd_prognostics can help you detect modifications to TXP files. I’m not sure what the state of play is with the most recent versions of Textpattern but it can notify you when Textpattern files have been modified.
Otherwise you should check all the usual candidates like:
- resetting FTP passwords and SSH connections
- resetting DB passwords
- tightening too-lax file/folder permissions
- checking for any hidden folders or files
- checking all non-Txp files, and files like config.php that may not be covered by smd_prognostics, or files that are smuggled into sub-directories somewhere.
If I look at the server logs there are a ton of attempts to reach WordPress login pages and plugins, so I think it’s pretty commonplace.
Greetings to your lovely corner of the world. I spent several summers in my childhood in Cawsand/Kingsand and many a sunny afternoon on Whitsand Bay.
Great plugin, going to spend some time putting this on all the sites! Thank you.
PS. Love Whitsand too, my favourite beach.
Last edited by miles (2018-05-15 17:41:42)
Re: Server Admin Advice / Security
I just want to add that I honestly don’t think I would have a business without Textpattern; I don’t know how companies cope with the constant updates and security of WordPress.
What makes Textpattern so secure?
Re: Server Admin Advice / Security
Hey miles – greetings from about an hour north west of you!
If the server is compromised, it’s compromised. Nuke and repave. Find a new web hosting company if you need to. You can strip out the assets, user images, user files, and the database…then you’ve got a mostly-portable site you can take elsewhere with a known-good copy of Textpattern.
Take a copy of the site itself, strip out the big stuff that won’t be infected (images, etc), zip it up, and upload the zip to VirusTotal – see what crud it finds.
What makes Textpattern so secure?
It’s made by wizards.
Last edited by gaekwad (2018-05-15 19:16:16)
#8 2018-05-16 07:32:57, Algaris (Member, from England, registered 2006-01-27, 551 posts)
Re: Server Admin Advice / Security
If you’re still looking for a company to help clean up your server/sites you could try Wordfence. They primarily deal with WordPress but should be able to help clean any malicious code off the server.
Re: Server Admin Advice / Security
gaekwad wrote #311788:
Hey miles – greetings from about an hour north west of you!
If the server is compromised, it’s compromised. Nuke and repave. Find a new web hosting company if you need to. You can strip out the assets, user images, user files, and the database…then you’ve got a mostly-portable site you can take elsewhere with a known-good copy of Textpattern.
Take a copy of the site itself, strip out the big stuff that won’t be infected (images, etc), zip it up, and upload the zip to VirusTotal – see what crud it finds.
It’s made by wizards.
Thank you mate, probably the most honest answer and that’s probably what I’m going to do and move servers. Am I missing something with VirusTotal though? It seems to only tell you what virus it is and not where?
Re: Server Admin Advice / Security
miles wrote #311885:
Thank you mate, probably the most honest answer and that’s probably what I’m going to do and move servers. Am I missing something with VirusTotal though? It seems to only tell you what virus it is and not where?
You are correct. It’s a useful tool for finding something in a .zip file, especially since it uses 50+ engines to find things. If you do locate something, carve up the big .zip into smaller .zips and then rescan each one. Repeat the process until you’re dealing with a much smaller file set than ‘everything’ and you can use some diff’ing to compare what should be there with what is actually there.
I’ve sort of gravitated towards web ops in the past few years and I build servers on the proviso that they are sacrificial. The data inside it is as portable as it can be, and appropriately backed up, so that if a bad thing happens I can grab the stuff, restore the backups and have a new server built from scratch in under an hour.
(Drop me a line if you want to talk about this further – it’s a commercial offering if you’re interested.)
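An added example, not from the thread and not smd_prognostics itself, of the “diff what should be there against what is there” step gaekwad describes and the known-good baseline Bloke mentions: hash every file in a clean Textpattern copy once, then compare the live tree against that manifest and report modified, added and missing paths. Paths and the sample files in the test are assumptions; user content under /images and /files, and your own textpattern/config.php, will show up as added or modified and need eyeballing separately.

```shell
#!/bin/sh
# Added example, not from the thread or from smd_prognostics: build a SHA-256
# manifest of a known-good Textpattern tree and diff a live tree against it,
# reporting modified, added and missing files. Like the plugin, this is only
# useful once the baseline itself is clean. Assumes POSIX sh, find, awk and
# coreutils sha256sum (use `shasum -a 256` on macOS).

# make_manifest DIR  -> lines of "HASH  ./relative/path", sorted for stable diffs
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          sha256sum "$f"
      done )
}

# compare_manifest BASELINE_FILE LIVE_DIR -> STATUS<TAB>PATH for every difference
# sha256sum prints 64 hex chars, two spaces, then the path, so the path starts
# at column 67; using substr() instead of $2 keeps paths with spaces intact.
compare_manifest() {
    base="$1"; live="$2"
    tmp=$(mktemp)
    make_manifest "$live" > "$tmp"
    awk '
        NR == FNR { baseline[substr($0, 67)] = $1; next }   # first file: baseline
        {
            p = substr($0, 67)
            if (!(p in baseline))        print "added\t" p
            else if (baseline[p] != $1)  print "modified\t" p
            seen[p] = 1
        }
        END { for (p in baseline) if (!(p in seen)) print "missing\t" p }
    ' "$base" "$tmp"
    rm -f "$tmp"
}

compare_manifest_count() {
    compare_manifest "$1" "$2" | wc -l | tr -d ' '
}

# Usage (paths assumed):
#   make_manifest /srv/clean-textpattern > /root/txp-baseline.sha256
#   compare_manifest /root/txp-baseline.sha256 /var/www/site
```

Keep the baseline file outside the web root and off the box if you can: an attacker who can edit index.php can edit a manifest sitting next to it just as easily.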
Re: Server Admin Advice / Security
gaekwad wrote #311901:
You are correct. It’s a useful tool for finding something in a .zip file, especially since it uses 50+ engines to find things. If you do locate something, carve up the big .zip into smaller .zips and then rescan each one. Repeat the process until you’re dealing with a much smaller file set than ‘everything’ and you can use some diff’ing to compare what should be there with what is actually there.
I’ve sort of gravitated towards web ops in the past few years and I build servers on the proviso that they are sacrificial. The data inside it is as portable as it can be, and appropriately backed up, so that if a bad thing happens I can grab the stuff, restore the backups and have a new server built from scratch in under an hour.
(Drop me a line if you want to talk about this further – it’s a commercial offering if you’re interested.)
Thank you mate. PM’d you