ExpressionEngine CMS
Open, Free, Amazing


This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Am I being hacked?

March 08, 2011 9:50am

  • #1 / Mar 08, 2011 9:50am

    nancyb

    14 posts

    I seem to be having a hack/phishing attempt on my site. I am getting an unusual number of unlikely new member registrations. I’ve checked for malicious files, but being a new EE user I’m not sure if this is a legitimate file or not: pureftpd.4c091fda.3b… It seems suspicious but I don’t want to delete it until I have that confirmed!
    Please help!

  • #2 / Mar 08, 2011 10:37am

    Sue Crocker

    26054 posts

    Hi, Nancy.

    I’m going to answer your question out of our usual order…

    The file you’re referring to is a failed upload file. You can probably just delete it.

    As far as the unlikely number of new member registrations go - that can come about when you use the defaults built into EE - like the member register being at a predictable place with the default trigger word.

    It won’t hurt to check the rest of your site for potential problems. I’m posting a boilerplate response to you about what to do if you are hacked.
    ==============================

      Thanks for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. To that end, we need some additional information from you…

      1. EE version and build (found at the bottom of your control panel)
      2. Other scripts on your account, whether in use or not (phpBB, etc…)*

      * If this is a shared hosting environment, the host can make a determination if the attack came through scripts on another account on the server, which is commonly the case with these types of hacks.

      While we work through this, please check through these files:

      * path.php
      * config.php
      * index.php

      to ensure that there is no unusual code such as iFrames or JavaScript includes; if you do find that code, then please back up the file and remove said code. If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

      You may also wish to refresh your files by following the build update instructions.

      Also please ensure that you report this to your host immediately as they can help identify where the attack originated from so that steps can be taken to prevent this in the future.
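
The file check described in the post above, as an added example that is not part of the original thread and is not ExpressionEngine's own tooling: a Python sketch that finds the three named files under a site directory and flags iframe tags and script includes. The function names, the recursive search and the sample strings are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# File names taken from the post; where they live varies by install,
# so the site root is searched recursively (an assumption of this example).
FILES_TO_CHECK = {"path.php", "config.php", "index.php"}

# The two kinds of injected markup the post names.
PATTERNS = {
    "iframe": re.compile(r"<\s*iframe\b[^>]*>", re.IGNORECASE),
    "script include": re.compile(
        r"<\s*script\b[^>]*\bsrc\s*=\s*[\"']?[^\"'\s>]+", re.IGNORECASE),
}

def scan_text(text):
    """Return (line_number, kind, matched_text) for every suspicious tag."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, kind, match.group(0)[:120]))
    return findings

def scan_site(root):
    """Map each matching file under root to its findings."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        if path.name in FILES_TO_CHECK:
            text = path.read_text(encoding="utf-8", errors="replace")
            report[str(path)] = scan_text(text)
    return report

# Constructed samples, not real ExpressionEngine file contents.
CLEAN_SAMPLE = "<?php\n$example_setting = 'value';\n?>\n"
TAMPERED_SAMPLE = CLEAN_SAMPLE + (
    '<iframe src="http://example.invalid/x" width="0" height="0"></iframe>\n'
    '<script type="text/javascript" src="http://example.invalid/a.js"></script>\n'
)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, findings in scan_site(root).items():
        print(f"{name}: {len(findings)} finding(s)")
        for lineno, kind, snippet in findings:
            print(f"  line {lineno}: {kind}: {snippet}")
```

A hit is a prompt to read that line, not proof of compromise; back up the file before editing it, as the post says.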

  • #3 / Mar 08, 2011 10:46am

    nancyb

    14 posts

    Thank you for the quick reply! I will do as you suggest. I appreciate the boilerplate info as well, I’ll tuck it away and hope never to need it!!
    Thanks again,
    Nancy

  • #4 / Mar 08, 2011 1:48pm

    Sue Crocker

    26054 posts

    Sounds good, let us know what you find out. We’ll be here.

  • #5 / Mar 09, 2011 9:11am

    nancyb

    14 posts

    I have not found any malicious code in my site files, though I’m still concerned that there is some type of persistent attack in progress. The new member registrations I’m getting have been steady since this past Sunday; I’ve been getting approximately one an hour. This is unusual since we started the site live in January.
    Could you explain a bit more about the possible cause you suggested?
    Thanks,
    Nancy

  • #6 / Mar 09, 2011 10:54am

    Sue Crocker

    26054 posts

    Hi, Nancy.

    It’s probably just a group of spammers that have figured out you’re using EE and that you haven’t locked down registrations.

    Take a look at this wiki article: http://expressionengine.com/wiki/Fighting_registration_spam/

  • #7 / Mar 11, 2011 5:18pm

    Sue Crocker

    26054 posts

    Hi, Nancy - just following up... how are things going?

  • #8 / Mar 14, 2011 10:48am

    nancyb

    14 posts

    Much better, thank you!

  • #9 / Mar 14, 2011 11:05am

    Sue Crocker

    26054 posts

    Were you able to turn off new member registration or change the trigger word to reduce the number of bogus registrations?
