ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

site hacked (Pharma) -- advice about next steps, and possible access to clean copy of 1.6.8?

August 20, 2011 11:46pm

  • #1 / Aug 20, 2011 11:46pm

    nadea.c

    83 posts

    (This topic is related to another one I posted yesterday.)

    A company has approached me to help with their site which was compromised by the Pharma hack on their site running EE 1.6.8.

    The upshot is that we’ve decided to move their presence to another host and get their site running in the current version. I’m hoping to get some advice on process.

    I’ve read through all the threads I could find here describing other users’ experiences, as well as articles on this particular type of hack in the greater web community. Very grateful to the community for sharing experiences, info and resources.

    Most of the articles online discuss this hack as it specifically pertains to WordPress, with the exception of Noah Stokes’ blog post which is specific to EE. My client’s situation is similar to Noah’s, with some variations.

    Whereas Noah cleaned his installation, I’m hesitant to take this route. The client reports that for the past five months, other developers have attempted to clean the site, declared the site clean, only to see the spammy content crop up again. Yes, back doors…

    Now, I’ve grepped and tracked down many files on the server with malicious code, and I see the back doors, and I can kind of trace what’s going on. But in my sleuthing, I can also see that the intruder has been clever (and continually, and recently, active), and I’m wary of missing something in my clean up and ending back at square one.

    So here is the approach I’m considering:

    1- export the current database and scan/clean it for malicious strings
    2- import sanitized copy of database on new host
    3- install fresh copy of 1.6.8 on new host and point it to cleaned database
    4- go through update/upgrade process to get EE current on new host

    I’m already into step 1, but I could use some help—whereas in the server files I knew to start with searching for “base64_encode” and then could track down other malicious code from there, I’m not sure what to look out for in the mysql export, that might prove harmful if I failed to catch it.

    I’ve searched for answers to this question online but could only find notes on how to clean mysql for the WP Pharma hack (e.g. Sucuri.net has one). The database cleanup didn’t seem to apply to EE databases, but I tried these searches just for kicks and turned up nothing. Does anyone have any advice to share on this? Also wondering if there are scanners (free or for purchase) that look for bad strings/code in mysql databases?

    I’d also love to hear if anyone thinks there’s a better overall approach, if I’m missing a critical step, or if some aspect of the steps I outlined above is not feasible.

    I welcome any feedback or advice anyone would like to share. Thanks in advance!

  • #2 / Aug 22, 2011 3:41am

    John Henry Donovan

    12339 posts

    Hi nadea.c,

    Thanks for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. To that, we need some additional information from you…

    I see that you have identified the source of the hack.

    These types of hacks are usually file based so a scan of the database will usually show up nothing.

    My recommendation if your steps are to move to a new host and upgrade is this.

    Recreate the site locally by downloading all files and database.
    Do a search on all files locally for the known strings. These usually show up in index.php files of folders and the path.php and config.php files.

    Once you are sure everything is gone then perform the local upgrade to EE2.2.2

    When you are happy with that then push the upgraded site to your new host.


    Does that help?

  • #3 / Aug 25, 2011 5:19pm

    nadea.c

    83 posts

    John,

    Thank you for the advice. What you suggest makes sense. It would be awesome if I could work with a clean set of source files for 1.6.8 (the version of EE the hacked site is on). It would be really helpful in confirming I’ve found the rogue files that contain malicious code, as well as help me clean the malicious code from the EE system files—these malicious code instances are less obvious as they’re embedded within lines of legit code. If I had the clean 1.6.8 source, I could do diffs to help make sure I’ve identified all the code that doesn’t belong.

    Is it possible to get a clean version of 1.6.8? I would be using it solely for the purpose of cleaning this one site. The client does currently hold a valid 2.x license. (It looks like at some point they intended to upgrade, but didn’t complete that project, so they’re still in 1.6.8.) I could email you the license key separately.

    Thanks!

  • #4 / Aug 26, 2011 3:06am

    John Henry Donovan

    12339 posts

    nadea.c,

    We don’t keep an archive of older versions unfortunately.

    You could however upgrade to the most recent version of the EE1.x branch which is EE1.7.1
    In doing so you would be replacing any infected files in the process.

    Would that work for you?
