ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Our server got hacked

July 06, 2010 10:22am

  • #1 / Jul 06, 2010 10:22am

    bo-oz

    126 posts

    Hi,

    We’ve just experienced the same hack as another user reported here: http://ellislab.com/forums/viewthread/155721/

    My client said to me that the domain is being hosted on a private server, so no ‘other domains’ could have caused this. So basically this could be narrowed down to two possible causes, the FTP password got compromised, or there is some vulnerability in our EE installation (1.6.8).

    Any thoughts? We are currently in the process of fixing this, but still need to determine the cause so we can prevent this in the future, any help would be greatly appreciated.

    Thanks!

  • #2 / Jul 06, 2010 10:33am

    Ingmar

    29245 posts

    My client said to me that the domain is being hosted on a private server, so no ‘other domains’ could have caused this. So basically this could be narrowed down to two possible causes, the FTP password got compromised, or there is some vulnerability in our EE installation (1.6.8).

    Thank you for reporting this. We take security very seriously and will do our best to work with you to figure out what’s going on. To that end, we need some additional information from you:

    What version and build are you running? Are there any other scripts on your account, whether in use or not (php, etc…)? While we work through this, please check through these files:

    - path.php
    - config.php
    - index.php

    to ensure that there is no unusual code such as iFrames or Javascript includes; if you do find such code, please back up the file and remove said code. If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask. You may also wish to refresh your files by following the build update instructions, upgrading to the most recent version / build in the process.

    Any thoughts? We are currently in the process of fixing this, but still need to determine the cause so we can prevent this in the future, any help would be greatly appreciated.

    Is that a managed server? Your host should be able to pinpoint the vector of attack so that steps can be taken to prevent this in the future. My suggestion would be to replace all of EE’s files, and change all passwords (EE, MySQL, FTP).

  • #3 / Jul 06, 2010 10:47am

    bo-oz

    126 posts

    Hi Ingmar,

    Thanks for the quick response.

    We’ve already re-uploaded all EE essential files: /index.php, /core/index.php and the like. Luckily we could compare the edit dates to pinpoint the infected files.

    The server is indeed a managed server, but I doubt they can give us any additional insight (they were the ones that discovered the hack).

    thx
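The two checks discussed in posts #2 and #3 (look through path.php, config.php and index.php for injected iframes or remote script includes, and compare modification dates against the last known-good deploy to find the tampered files) can be scripted. The block below is an added example, not code from the thread or from ExpressionEngine; it builds a constructed web root with EE-like file names, one of which carries an injected iframe, and reports both the files containing injection markers and the files changed since the baseline. The `eval(base64_decode(…))` pattern is an extra heuristic for obfuscated PHP that the thread does not mention.

```python
"""Triage a web root for injected markup and recently changed files.

Added example (not ExpressionEngine code). The directory layout mimics EE 1.x
(index.php, path.php, system/config.php) but the checks are generic.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# Markers typically left by injected iframes, remote <script src> includes and
# obfuscated PHP payloads. Tune for your own templates before trusting the output.
INJECTION_PATTERNS = [
    re.compile(r"<iframe\b[^>]*>", re.IGNORECASE),
    re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//", re.IGNORECASE),
    re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE),
]
SCANNED_SUFFIXES = {".php", ".html", ".htm", ".js"}


def find_injected_code(root):
    """Return {relative_path: [matched snippets]} for files with injection markers."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCANNED_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        matches = [m.group(0) for pat in INJECTION_PATTERNS for m in pat.finditer(text)]
        if matches:
            hits[str(path.relative_to(root))] = matches
    return hits


def files_modified_since(root, since_epoch):
    """Return relative paths of regular files whose mtime is later than since_epoch."""
    return sorted(
        str(p.relative_to(root))
        for p in Path(root).rglob("*")
        if p.is_file() and p.stat().st_mtime > since_epoch
    )


def build_sample_webroot():
    """Create a constructed web root: clean EE-like files plus one tampered index.php."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "system").mkdir()
    files = {
        "path.php": "<?php\n$system_path = 'system';\n",
        "system/config.php": "<?php\n$conf['site_name'] = 'Example';\n",
        "index.php": "<?php\nrequire 'path.php';\n?>\n"
                     "<iframe src=\"http://attacker.invalid/x\" width=\"0\" height=\"0\"></iframe>\n",
    }
    baseline = time.time() - 7 * 86400          # pretend the last clean deploy was a week ago
    for rel, content in files.items():
        p = root / rel
        p.write_text(content)
        os.utime(p, (baseline, baseline))       # every file looks untouched since deploy...
    os.utime(root / "index.php", None)          # ...except index.php, modified "now"
    return root, baseline


def triage(root, baseline):
    """Combine both checks; a file on both lists is the first thing to restore from backup."""
    return {
        "injected": find_injected_code(root),
        "changed": files_modified_since(root, baseline + 1),
    }


if __name__ == "__main__":
    root, baseline = build_sample_webroot()
    for key, value in triage(root, baseline).items():
        print(key, value)
```

On a real server, run the modification-time pass against the deploy date from your release notes or backup, and treat the marker scan as a starting point only: a clean file list from a fresh download of the same EE build (as post #2 recommends) is the reliable reference, since an attacker who uploads files can also reset their timestamps.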

  • #4 / Jul 06, 2010 5:09pm

    Ingmar

    29245 posts

    We’ve already re-uploaded all EE essential files: /index.php, /core/index.php and the like. Luckily we could compare the edit dates to pinpoint the infected files.

    I would suggest replacing all files, and what’s more, upgrading to 1.6.9. It’s a recommended update.

    The server is indeed a managed server, but I doubt they can give us any additional insight (they were the ones that discovered the hack).

    The server logs (FTP logs, e.g.) should give us a better idea. Unless you have access to them you’d have to talk to the server admin about it.

  • #5 / Jul 07, 2010 5:41am

    bo-oz

    126 posts

    I’ve reviewed the FTP logs for the specific dates they messed with our server. It seems they indeed compromised our FTP password. At this point I’m cleaning up their mess, after that I’ll upgrade to 1.6.9, thanks!
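Post #5 confirms the cause from the FTP logs. The block below is an added example, not part of the thread, showing what that review looks like when scripted against xferlog-style transfer logs (the format written by wu-ftpd and ProFTPD's TransferLog). The log lines are constructed, and the "trusted" address 198.51.100.10 stands for an assumed office IP; the two questions it answers are the ones a compromised-credential case turns on: which hosts logged in as the account, and which uploads of web code came from hosts that are not yours.

```python
"""Review xferlog-style FTP transfer logs for uploads that indicate a compromised account.

Added example, not from the original thread. SAMPLE_LOG is constructed; the
trusted host 198.51.100.10 is an assumed office address. Field layout follows
the classic xferlog format (wu-ftpd / proftpd TransferLog).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: normal template edits from the office IP, then two PHP
# uploads from an unknown host in the small hours, then normal work resumes.
SAMPLE_LOG = """\
Mon Jun 28 09:12:41 2010 2 198.51.100.10 5120 /var/www/templates/home.html b _ i r ftpuser ftp 0 * c
Sun Jul  4 02:14:07 2010 1 203.0.113.45 2147 /var/www/index.php b _ i r ftpuser ftp 0 * c
Sun Jul  4 02:14:09 2010 1 203.0.113.45 2201 /var/www/core/index.php b _ i r ftpuser ftp 0 * c
Sun Jul  4 02:14:12 2010 1 203.0.113.45 64 /var/www/images/logo.png b _ o r ftpuser ftp 0 * c
Mon Jul  5 10:03:55 2010 1 198.51.100.10 3000 /var/www/templates/about.html b _ i r ftpuser ftp 0 * c
"""

WEB_CODE_SUFFIXES = (".php", ".js", ".html", ".htm", ".htaccess")


def parse_xferlog_line(line):
    """Split one xferlog record into the fields that matter for triage (None if malformed)."""
    parts = line.split()
    if len(parts) < 18:
        return None
    when = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
    return {
        "time": when,
        "host": parts[6],          # remote-host
        "size": int(parts[7]),     # file-size
        "path": parts[8],          # filename
        "direction": parts[11],    # 'i' upload, 'o' download, 'd' delete
        "user": parts[13],         # username
        "status": parts[17],       # 'c' complete, 'i' incomplete
    }


def parse_log(text):
    return [e for e in (parse_xferlog_line(l) for l in text.splitlines()) if e]


def hosts_per_user(entries):
    """Which source addresses used each account: a sniffed or stolen password shows up here."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["user"]].add(e["host"])
    return {user: sorted(hosts) for user, hosts in seen.items()}


def suspicious_uploads(entries, trusted_hosts):
    """Completed uploads of web code from hosts outside the trusted set."""
    return [
        (e["time"].isoformat(sep=" "), e["host"], e["path"])
        for e in entries
        if e["direction"] == "i"
        and e["status"] == "c"
        and e["path"].lower().endswith(WEB_CODE_SUFFIXES)
        and e["host"] not in trusted_hosts
    ]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("hosts per account:", hosts_per_user(entries))
    for row in suspicious_uploads(entries, {"198.51.100.10"}):
        print("suspicious upload:", *row)
```

The upload list doubles as the restore list: every path it names was written by the intruder and should be replaced from a clean copy, which matches the advice in post #4 to refresh all of EE's files rather than only the ones that look changed.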

  • #6 / Jul 07, 2010 9:19am

    Ingmar

    29245 posts

    Sounds good. You might also want to look into how they got the password in the first place: Sniffed? Consider using SFTP. Some malware / keylogger on your local machine? Make sure your anti-virus software is up to date.
