ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

MAJOR SITE HACKED - NEED HELP!!

June 09, 2010 10:38am

  • #1 / Jun 09, 2010 10:38am

    LynneL

    239 posts

    Client in a tizzy. EE site’s been hacked.

    http://hsdm.harvard.edu/

    I need immediate help!

  • #2 / Jun 09, 2010 10:42am

    esset

    191 posts

    First thing you should do is to close the site down and backup any database data you can. Can you do that?

  • #3 / Jun 09, 2010 10:45am

    Ingmar

    29245 posts

    Thanks for letting us know, Lynne. As you know, we take security very seriously. We will do our best to work with you on figuring out what’s going on. Please provide:

      1. EE version and build (found at the bottom of your control panel)
      2. Other scripts on your account, whether in use or not (phpBB, etc.)

    If this is a shared hosting environment, the host (or in your case perhaps the IT department, if this is self-hosted) should be able to determine the vector of attack.

    Please back up your files as they are now, then replace all of your files the way you would with a build update. Finally check your config.php and path.php for any anomalies and change all your passwords (EE, MySQL, FTP).

    Please ensure that you report this to your host / server admin immediately as they can help identify where the attack originated from so that steps can be taken to prevent this in the future.

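The rebuild-and-inspect procedure in the post above (re-upload a clean set of the application's files, then look for anomalies in config.php and path.php), as an added worked example that is not code from the thread or from ExpressionEngine: a Python script that hashes every file in the restored web root and in a freshly extracted copy of the same build, then reports what was added, modified or removed relative to the clean copy. The site-specific config.php and path.php are expected to differ, so they are listed under "review" for a manual read rather than flagged as tampered. All paths, file names and the demo trees are hypothetical and constructed for the demonstration.

```python
"""Diff a restored web root against a clean copy of the same release.

Added example, not from the forum thread or from ExpressionEngine itself.
It hashes every file in both trees and reports what was added, modified or
removed relative to the clean copy.  Site-specific files (config.php and
path.php here) are expected to differ, so they are listed under 'review'
for a manual read instead of being flagged as tampered.  All paths below are
hypothetical; the demo trees are constructed for the demonstration.
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink():
                continue  # symlinks get no hash; a link out of the tree deserves its own look
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(live_root, clean_root, review_names=("config.php", "path.php")):
    """Classify every path as added, modified, missing or review (manual check)."""
    live, clean = hash_tree(live_root), hash_tree(clean_root)
    report = {"added": [], "modified": [], "missing": [], "review": []}
    for rel in sorted(set(live) | set(clean)):
        if Path(rel).name in review_names:
            if rel in live:
                report["review"].append(rel)     # site-specific file: read it by hand
            continue
        if rel not in clean:
            report["added"].append(rel)          # not part of the release: webshell candidate
        elif rel not in live:
            report["missing"].append(rel)        # deleted from the live site
        elif live[rel] != clean[rel]:
            report["modified"].append(rel)       # release file with altered contents
    return report


def suspicious_added_files(report, code_suffixes=(".php", ".phtml", ".php5", ".inc")):
    """Added files that the web server would execute: open these first."""
    return [p for p in report["added"] if Path(p).suffix.lower() in code_suffixes]


def make_demo_trees():
    """Constructed sample: a clean tree and a 'live' tree showing typical tampering."""
    base = Path(tempfile.mkdtemp(prefix="tree-compare-"))
    files = {
        "path.php": "<?php $db_password = 'clean-default';\n",
        "system/config.php": "<?php $conf['site_name'] = 'default';\n",
        "system/core/core.php": "<?php // release core file\n",
        "system/core/router.php": "<?php // release router file\n",
        "images/logo.png": "PNG placeholder bytes\n",
    }
    for rel, text in files.items():
        for tree in ("clean", "live"):
            target = base / tree / rel
            if tree == "live":
                if rel == "system/core/router.php":
                    continue                       # deleted on the live site
                if rel == "system/core/core.php":
                    text = text + "// extra line appended by an intruder\n"
                if rel == "path.php":
                    text = "<?php $db_password = 'site-specific';\n"  # legitimate local change
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
    shell = base / "live" / "images" / "uploads" / "thumb.php"   # dropped into an upload dir
    shell.parent.mkdir(parents=True)
    shell.write_text("<?php // constructed stand-in for a dropped script\n")
    return str(base / "live"), str(base / "clean")


if __name__ == "__main__":
    if len(sys.argv) == 3:
        live_dir, clean_dir = sys.argv[1], sys.argv[2]
    else:
        live_dir, clean_dir = make_demo_trees()   # no args: run on the constructed demo
    result = compare_trees(live_dir, clean_dir)
    for kind in ("added", "modified", "missing", "review"):
        for rel in result[kind]:
            print(f"{kind:8} {rel}")
    for rel in suspicious_added_files(result):
        print(f"INSPECT  {rel}  (server-side code not in the release)")
```

Run it with the restored web root and the clean extracted build as the two arguments; with no arguments it builds the constructed demo trees. Anything under "added" that is server-side code sitting in an upload or image directory is the first thing to open, altered core files under "modified" come second, and the "review" files should be read line by line for an unexpected database host, an include of an odd path, or encoded strings that a config file has no reason to contain.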
  • #4 / Jun 09, 2010 10:46am

    LynneL

    239 posts

    OK this is weird. Client is on phone with tech support now.

    The entire set of site files is wiped out. It appears as though someone got into the FTP. The client and tech support are going to change the passwords, then restore from backups. We have a backup database routine on this site so that shouldn’t be a problem.

    However, is there a security breach possible that would wipe out all the files on a site like that through EE? Or does this really sound like another sort of hack that has nothing to do with EE?

    My part on this site was doing the EE part, so if it had something possibly to do with the install, I’ll need to troubleshoot further.

  • #5 / Jun 09, 2010 10:47am

    LynneL

    239 posts

    As to direct info, right now I have no control panel to check until they restore the files! There are none left on the server.

    As to other scripts, no. I believe if I recall we used TinyMCE but only for the CP. No other PHP scripts should be running, other than a couple of custom queries to the DB within EE templates for a couple spots.

  • #6 / Jun 09, 2010 10:49am

    LynneL

    239 posts

    Oh and as soon as they restore the files, I will change all passwords for mysql and the like. The only place I have to change that is in the path.php file right?

  • #7 / Jun 09, 2010 10:52am

    Ingmar

    29245 posts

    The entire set of site files is wiped out. It appears as though someone got into the FTP.

    Yes, that would make sense. Again, the host would be able to track this down through FTP and other server logs etc. My guess is either a directory traversal attack (i.e. they came in via some other account on this shared server) or a sniffed or cracked FTP password.

    The client and tech support are going to change the passwords, then restore from backups. We have a backup database routine on this site so that shouldn’t be a problem.

    Sounds good. The database might not even be affected but a full restore certainly doesn’t hurt.

    However, is there a security breach possible that would wipe out all the files on a site like that through EE?

    I don’t see EE involved here at all, to be honest. Somebody gained access to the server and deleted your files, including EE files. This is not a flaw in EE, in fact there’s nothing that EE can do about it.

    Or does this really sound like another sort of hack that has nothing to do with EE?

    Based on what I’ve heard so far, that would be my guess. Let’s reserve judgement until we hear back from the host, though.

  • #8 / Jun 09, 2010 10:54am

    Ingmar

    29245 posts

    As to direct info, right now I have no control panel to check until they restore the files! There are none left on the server.

    For EE as such you don’t have to restore the files from backup, just upload a fresh set of EE’s files (Custom images etc. would be in the backup, though).

    I will change all passwords for mysql and the like. The only place I have to change that is in the path.php file right?

    You mean apart from MySQL itself? Yes, for EE it’s only path.php.

  • #9 / Jun 09, 2010 10:58am

    LynneL

    239 posts

    Well, other than what has been uploaded since launch (like you said, uploaded images and PDF files and the like), I do have an at-launch version of the site in SVN version control. Worst case.

    The stupid thing is, I wasn’t the one who installed EE on this project, it was handled by another guy, and so I can’t even find the info for a “real” path to MySQL or phpMyAdmin, so I can check the DB. Grrr! Just what’s in config, which of course won’t work.

  • #10 / Jun 09, 2010 11:42am

    LynneL

    239 posts

    The host is saying that it looks like a straight up brute FTP hack. I will mention to the client to get a log file or some sort of documentation regarding the breach. The FTP pw is changed now (and a much stronger password).

    I’ve sent an email to the IT admin who was involved in the installation and has access to the host service control panels to change the mysql pw and the config file in EE. We will also change the EE passwords for admin users.

    And apparently, the IT guy in question is saying we should switch hosts because the hacker might have put a file on the server somewhere where we can’t see it that might compromise the host. Ug.

    But, once again, a security breach has nothing to do with EE. Phew!! 😊

  • #11 / Jun 09, 2010 3:37pm

    Ingmar

    29245 posts

    The host is saying that it looks like a straight up brute FTP hack.

    I am glad to hear that. Well, perhaps “glad” is the wrong choice of words here, but at least it’s straightforward, nothing mysterious about it.

    The FTP pw is changed now (and a much stronger password).

    Consider using SFTP as well; otherwise password sniffing could be a real concern, as the password is transmitted in the clear.

    But, once again, a security breach has nothing to do with EE.

    Please let us know in case there’s anything else we can do for you. Thanks.

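The brute-force diagnosis in the last two posts, as an added worked example that is not code from the thread or from any FTP server's tooling: the host's verdict was a straight brute-force of the FTP password, and Ingmar's point was that the FTP and server logs are where that is confirmed. The Python script below parses a constructed, simplified authentication-log format (timestamp, outcome, user, source address; adapt LINE_RE to what the real daemon writes), counts failed logins per source inside a sliding five-minute window, and separately reports the successful login that arrives while such a burst is still in the window, which is the sequence showing the password was actually guessed. The threshold, window and sample log lines are constructed for the demonstration.

```python
"""Find an FTP password brute-force, and the login that finally succeeded, in auth logs.

Added example, not from the forum thread or from any FTP daemon's tooling.
The host's verdict was a straight brute-force of the FTP password, and the
place to confirm that is the FTP server's authentication log.  The log format
parsed here is constructed and simplified (timestamp, outcome, user, source
address); point LINE_RE at whatever your daemon actually writes.  A source is
flagged as brute-forcing when it accumulates FAIL_THRESHOLD failed logins
inside a sliding window of WINDOW_SECONDS, and flagged as 'guessed' when a
successful login arrives while such a burst is still inside the window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ftpd: "
    r"(?P<outcome>FAIL|OK) LOGIN user=(?P<user>\S+) from=(?P<ip>[0-9A-Fa-f.:]+)$"
)
FAIL_THRESHOLD = 10   # failed logins from one source address...
WINDOW_SECONDS = 300  # ...within five minutes (both values are assumptions)


def parse_line(line):
    """Return {'ts','outcome','user','ip'} for a matching line, None otherwise."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def analyze(lines, fail_threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count of failures per source address.

    Returns {'brute_force': {ip: peak failures seen inside one window},
             'guessed': {ip: (user, timestamp)} for successes that followed a burst}.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    peak = defaultdict(int)
    guessed = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue              # unrelated or malformed line
        ip, ts = ev["ip"], ev["ts"]
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()           # drop failures that have aged out of the window
        if ev["outcome"] == "FAIL":
            q.append(ts)
            peak[ip] = max(peak[ip], len(q))
        elif len(q) >= fail_threshold:
            # success while a burst is still in the window: the password was guessed
            guessed[ip] = (ev["user"], ts.strftime("%Y-%m-%d %H:%M:%S"))
    brute = {ip: n for ip, n in peak.items() if n >= fail_threshold}
    return {"brute_force": brute, "guessed": guessed}


def make_sample_log():
    """Constructed sample: one legitimate typo, then a 12-attempt burst that gets in."""
    lines = [
        "2010-06-09 02:58:11 ftpd: FAIL LOGIN user=ftpuser from=203.0.113.7",
        "2010-06-09 02:58:25 ftpd: OK LOGIN user=ftpuser from=203.0.113.7",
        "2010-06-09 03:05:00 ftpd: connection from 198.51.100.23",   # ignored by the parser
    ]
    start = datetime(2010, 6, 9, 3, 10, 0)
    for i in range(12):
        t = start + timedelta(seconds=17 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} ftpd: FAIL LOGIN user=ftpuser from=198.51.100.23")
    t = start + timedelta(seconds=17 * 12)
    lines.append(f"{t:%Y-%m-%d %H:%M:%S} ftpd: OK LOGIN user=ftpuser from=198.51.100.23")
    return lines


if __name__ == "__main__":
    result = analyze(make_sample_log())
    for ip, n in result["brute_force"].items():
        print(f"brute force from {ip}: {n} failures inside {WINDOW_SECONDS}s")
    for ip, (user, when) in result["guessed"].items():
        print(f"password for {user!r} guessed from {ip} at {when}; rotate it and pull that session's transfer log")
```

The timestamp reported under "guessed" bounds the intrusion: every upload or delete over FTP from that address after that moment is attacker activity, and the daemon's transfer log for that session is the list of files to hunt for, which is exactly the worry raised about a file dropped somewhere it cannot be seen. A single failure followed by a success, as with the legitimate user in the sample, never crosses the threshold and is not reported.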