PMachine Pro hacked - time to install EE
Posted: 24 August 2008 09:09 PM
Grad Student, Total Posts: 40, Joined 08-05-2002

Hi

I have been using PMachine Pro for many years, but purchased EE some time ago intending to change, but never got around to it. However, 5 days ago PMachine was hacked and most of my data was removed from the database as a result. Fortunately I have a complete backup of all data and my server can do a restore when I ask for it. This seems like the ideal time to install my copy of EE and begin using it. But I need to find out some things first.

The hacker has gained access to the PMachine control panel and deleted all members, weblog entries etc. The first thing I tried to do was to go into the control panel and change my password, but now I find that I cannot type into the change password/confirm password fields. I need to find out what procedure I should follow to install EE and then migrate the data from my old weblogs over to it securely.

I would appreciate your help

cheers

http://royby.com

Posted: 24 August 2008 09:43 PM [ # 1 ]
Moderator, Total Posts: 32861, Joined 05-14-2004

Greetings, royby - sorry to hear about your difficulties.  Have you alerted your host to the hack, and in what way have you confirmed that the hack came through pMachine?

Now, to get you moved over to ExpressionEngine: first - what version of pMachine were you running?  You can find migration instructions here.

Since you have a backup, you’ll need to get that online to perform the migration.

Posted: 24 August 2008 09:59 PM [ # 2 ]
Grad Student, Total Posts: 40, Joined 08-05-2002

Hi Lisa

thanks for your quick response.

I have notified my host. I am not sure yet whether the hack came through PMachine but it seems likely because nothing else is touched. However, I have asked the host to check things out, as they no doubt will want to anyway.

I was using PMachine Pro 2.4 (the last version before it was discontinued??)

In addition to my previous information about the hack, I tried to access the change password page but that has been hacked also, so I cannot change the password.

I’ve had a quick look at the information on migrating the data. If I ask my host to restore the PMachine sql files once I have installed EE, will I be able to migrate from those OK?

cheers

http://royby.com

Posted: 24 August 2008 10:02 PM [ # 3 ]
Moderator, Total Posts: 32861, Joined 05-14-2004

You certainly should be able to, assuming that they are working backups.  I’d recommend taking a backup of the database in this state; and not taking action until your host has investigated, of course. 

You could certainly get the backups working on a local development installation and test out the migration process that way. =)

Posted: 24 August 2008 10:31 PM [ # 4 ]
Grad Student, Total Posts: 40, Joined 08-05-2002

Thanks Lisa

Yes, the host is keeping a backup of the database intact until I’m ready to use it, and I also have a copy of it on a hard drive at my location.

I think I will just go ahead and take PMachine off the host server, install EE, try the migration and keep my fingers crossed.

cheers

http://royby.com

Posted: 24 August 2008 10:36 PM [ # 5 ]
Moderator, Total Posts: 32861, Joined 05-14-2004

You’ll need the database there for the migration, royby.  The migration utility asks you to fill in the database connection information.

Posted: 24 August 2008 10:43 PM [ # 6 ]
Grad Student, Total Posts: 40, Joined 08-05-2002

Yep, I see that. The database is still there, but some of the data was removed by the hacker via the PMachine control panel. So I figure if I get the host to restore that database to how it was before the hack I should be OK??

I’m hoping it will be that simple anyway.

But are things ever simple? grin

cheers

http://royby.com

Posted: 24 August 2008 10:45 PM [ # 7 ]
Moderator, Total Posts: 32861, Joined 05-14-2004

In theory, yes, you should be ok with a restored database.  You can always test it on a local development machine so that you understand the process first. =)

Posted: 24 August 2008 10:52 PM [ # 8 ]
Grad Student, Total Posts: 40, Joined 08-05-2002

Mmm, not a bad idea, maybe I will do that.

thanks very much for your help

http://royby.com

Posted: 24 August 2008 10:53 PM [ # 9 ]
Moderator, Total Posts: 32861, Joined 05-14-2004

Keep us updated on your progress, and what the host says, please? =)  Thank you!

Posted: 24 August 2008 11:01 PM [ # 10 ]
Grad Student, Total Posts: 40, Joined 08-05-2002

Yes, I will do that.

Just one other thing. Can you tell me where PMachine would store uploaded images? And would all weblog entries be stored in the database under pm_weblog regardless of which weblog they were uploaded to?

cheers

http://royby.com

Posted: 25 August 2008 02:42 AM [ # 11 ]
Grad Student, Total Posts: 40, Joined 08-05-2002

The installation went smoothly, no problems, up and running, but I have not tried to migrate PMachine files as yet.

The host, when asked “how will we know for sure that the hack was through PMachine?” said
“Your installation of pmachine is a local instance - it’s not installed server-wide.”

Direct, but not really answering my question too well.

However, evidence suggests that the host is correct. Nothing else on the site has been touched and once in the control panel the hacker was able to alter templates, delete members and entries etc. One question though, would the hacker be able to make it impossible for me to change my password through the control panel? Currently I am unable to type into the password fields.

Next question, how does a hacker discover a password to hack in, and does that mean the EE control panel will be at similar risk?

cheers

http://royby.com

Posted: 25 August 2008 09:01 AM [ # 12 ]
Moderator, Total Posts: 23522, Joined 05-20-2002

It almost sounds like the field is set to read only.  If you do a ‘reveal code’ on the login page- can you paste back the full ‘<form>’ tag?  Which seems like a massively weird hack to make.  Nobody else has had login access on purpose, have they? 

The EE cp shouldn’t be at risk in general.  But it depends a bit on how they gained access.  If it was through the server- and the server is still vulnerable- it could happen again.  Or a simple password could be guessed.  I would most definitely change all passwords upon moving to EE- ftp, database, everything.  Might want to use a password generator to make sure the passwords are tricky.

AKA rob1

Posted: 25 August 2008 09:15 AM [ # 13 ]
Grad Student, Total Posts: 40, Joined 08-05-2002

Hi Robin

I just had a look at the source code of the profile page and the maximum length on password and confirm password has been set to “0”. Can the code on this page be accessed and changed from the control panel?

cheers

http://royby.com

Posted: 25 August 2008 09:19 AM [ # 14 ]
Grad Student, Total Posts: 40, Joined 08-05-2002

Hi again

OK, I see where this has been done, very simple really, in the general setup.

cheers

http://royby.com
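A check for the sabotage found in the two posts above (password inputs rendered with maxlength="0" after the setting was changed from the control panel), as an added example that is not part of this thread or of pMachine: it parses a constructed copy of a profile form and reports every password field a user could not actually fill in, which is a quick way to confirm a tampered form before hunting for the setting behind it.

```python
from html.parser import HTMLParser

# Constructed sample of a profile page. The field names are assumptions;
# the two sabotaged inputs carry maxlength="0", as reported in the thread.
SAMPLE_FORM = """
<form method="post" action="/profile">
<input type="text" name="email" maxlength="100">
<input type="password" name="password" maxlength="0">
<input type="password" name="password_confirm" maxlength="0">
<input type="password" name="current_password" maxlength="40" readonly>
</form>
"""


class PasswordFieldAuditor(HTMLParser):
    """Collects password <input> fields that cannot be filled in."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (field name, reason) in document order

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)  # boolean attributes such as readonly map to None
        if a.get("type", "text").lower() != "password":
            return
        name = a.get("name", "?")
        maxlength = a.get("maxlength")
        # maxlength="0" silently blocks all typing: the symptom seen above
        if maxlength is not None and maxlength.strip().isdigit() and int(maxlength) == 0:
            self.findings.append((name, 'maxlength="0"'))
        for flag in ("readonly", "disabled"):
            if flag in a:
                self.findings.append((name, flag))


def audit_password_fields(html):
    """Return a list of (name, reason) for unusable password inputs."""
    auditor = PasswordFieldAuditor()
    auditor.feed(html)
    return auditor.findings
```

An empty result means the form itself is intact and the problem lies elsewhere.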
 
 
Posted: 25 August 2008 09:24 AM [ # 15 ]
Moderator, Total Posts: 23522, Joined 05-20-2002

wink  Glad you spotted it.  It’s been a long time since I used pmp.  Will likely have to go code diving to ferret things out.

Let us know how it goes.

AKA rob1

Posted: 25 August 2008 09:32 AM [ # 16 ]
Grad Student, Total Posts: 40, Joined 08-05-2002

Everything the hacker has done has been through the control panel, so it just begs the question: how did they know the password? Also, it seems clear that whoever did this is familiar with pmp.

Anyway, back to the drawing board, I didn’t really need the learning curve of EE right now.

cheers

http://royby.com

Posted: 25 August 2008 10:17 AM [ # 17 ]
Administrator, Total Posts: 15828, Joined 06-03-2002

royby, if the hacker gained file system access via another script on the server via directory traversal, he could have read your database config file, logged into the database, changed the password, done his thing, and either set the password back or left it. It’s unclear to me whether, when you logged into your CP, you were already logged in with cookies or you actually typed in your user and password. Passwords are stored as encrypted hashes in the database, so if he gained access to the database he could either replace it with a hashed value of his own desired password, or if you are using a simple dictionary-word-based password, there are brute force scripts which could through trial and error stumble upon your password by comparing the hash values.

As a side note, I’d probably recommend changing hosts, as unless you’re leaving out details, they don’t seem to be taking this very seriously, and the most likely scenario is a directory traversal based attack on the shared server. They should be able to tell you how this attack was carried out, even if just to say that a different IP address or range than what you normally use connected to your site’s control panel and/or database. They would have logged, after all, every HTTP request to your control panel.

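The point made above, that the host can confirm the intrusion from its own access logs by looking for control-panel requests from an address other than the owner's usual one, as an added example that is not from this thread or from pMachine: it runs over constructed Apache combined-format log lines, assumes the control panel lives under /pm/ (a placeholder path) and that the owner's usual range is 203.0.113.0/24, and reports every control-panel request from any other address together with the earliest foreign login, which is where a review of what the intruder changed would start.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed Apache combined-format lines. The control panel path (/pm/),
# the action names and all addresses are placeholders, not pMachine's real ones.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Aug/2008:21:05:40 +0000] "POST /pm/index.php?action=login HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.10 - - [19/Aug/2008:21:06:02 +0000] "GET /pm/index.php?action=entries HTTP/1.1" 200 8120 "-" "Mozilla/4.0"
198.51.100.77 - - [19/Aug/2008:23:41:02 +0000] "POST /pm/index.php?action=login HTTP/1.1" 302 0 "-" "curl/7.18"
198.51.100.77 - - [19/Aug/2008:23:42:15 +0000] "POST /pm/index.php?action=delete_members HTTP/1.1" 200 311 "-" "curl/7.18"
192.0.2.5 - - [20/Aug/2008:00:02:51 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

OWNER_NETWORKS = [ip_network("203.0.113.0/24")]  # assumed: owner's usual range
CP_PREFIX = "/pm/"                                 # assumed control panel path

def parse_line(line):
    """Return the fields we care about, or None for a line we cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_owner_ip(ip):
    return any(ip_address(ip) in net for net in OWNER_NETWORKS)

def foreign_cp_requests(log_text):
    """Control-panel requests from addresses outside the owner's known ranges,
    as (ip, timestamp, method, path, status) tuples in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(CP_PREFIX) and not is_owner_ip(rec["ip"]):
            hits.append((rec["ip"], rec["ts"], rec["method"], rec["path"], rec["status"]))
    return hits

def first_foreign_login(log_text):
    """Earliest login POST from a foreign address that was answered with a
    redirect (the usual sign of success); everything after it needs review."""
    for ip, ts, method, path, status in foreign_cp_requests(log_text):
        if method == "POST" and "action=login" in path and status == 302:
            return ip, ts
    return None
```

On a real server the same filter would be run over the full log for the days around the incident, and the database server's connection log checked the same way for the traversal-based scenario described above.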
 
 
Posted: 25 August 2008 05:42 PM [ # 18 ]
Grad Student, Total Posts: 40, Joined 08-05-2002

Hi Derek

I was already logged in with cookies. The hacker did not change the password and I think that’s because they wanted me to be able to gain access so I could read the small messages left for me. Someone in need of recognition I guess.

Re the hosts, yes, I will speak with them more about this today and consider moving.

Thanks for your input and advice.

cheers

http://royby.com