
This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Site Hacked? - Permissions all changed to 555 / Pharma Hack background music.

January 18, 2012 11:39am

  • #1 / Jan 18, 2012 11:39am

    scottmey

    15 posts

    Greetings~

    I woke up this morning and checked on our EE 2.3.1 site and none of the thumbnails were working on the index page. I checked the file permissions and sure enough the entire images folder had been changed to 555. Quick fix… Then I realized that all permissions on the entire site (dirs and files) were set to 555 (including config.php and database.php and our config_bootstrap.php). This is obviously wrong, and I’m currently the only one in the studio with FTP access. Checking the logs didn’t shed much light on the situation.

    Now, we’ve been dealing with the pharma hack for quite some time. Every time I believe I’ve made a step forward, a few days go by and I find a dubious file with a base encoded string attached and a modified .htaccess file. Rinse and repeat.

    I’m wondering if this overhaul of permissions has something to do with the pharma hack, and if anyone can lend any insight into what they’ve done in a similar situation. It’s really frustrating. I see this all the time with WordPress sites, but I’m seeing it more with ExpressionEngine now than ever. We use Brilliant Retail for our shop and just yesterday I was searching for some information in Google and lo and behold Brilliant Retail’s site is infected, causing their Google results to include Viagra etc. in title and description.

    I’m not throwing blame at EE (we love ee), at this point it’s in the depths of our somewhat large database.
    I now know of about 20 variations of Viagra on the market if you guys need advice on that front ; )

    Cheers,

    Scott

  • #2 / Jan 19, 2012 10:21am

    Philip Zaengle

    293 posts

    I’ve fought similar battles, and feel your pain. For us it was another PHP script that was installed in the same directory as EE; once the attacker had accessed the script they gained control over various parts of the server and started to alter core EE files. The solution ended up being moving the site to a new server and replacing all EE core files with new versions (we also moved the culprit PHP script to its own subdomain).

    Are you sure your database was affected? For us nothing was changed in the database.

    Best of luck!

  • #3 / Jan 19, 2012 10:53am

    scottmey

    15 posts

    Hey Philip ~

    Thanks for the response! I’m not completely sure about the database, that’s the impression we’ve had for a while now though.

    Every week or so as I’m combing through the files I’ll find something within the root directory for the site or within the system folder.
    90% of the time I’ll find a PHP file with a base encoded string and a modified .htaccess file that I’m assuming is sending Google’s robots our information through.
    I’ve read the proper approach is to remove the new code from the modified .htaccess and then remove the file. But after every attempt it just comes back eventually…
    Google’s developer tools say we’re Not compromised every time I check, but sure enough as you start to be more specific on Google searches regarding our site, the prescription names are all emblazoned on our results. We have about 30 bloggers on an arts related site and needless to say some of them are a bit disappointed with these results haha… and come knocking on my door.

    I’ve tried grep searches and found some malicious code and also tried this script to find malicious code on our site, and it was sort of helpful, but brought up a huge list of false positives.

    http://25yearsofprogramming.com/php/findmaliciouscode.htm

    We’ve had some problems with our server too, so perhaps moving it wouldn’t be such a bad idea… It’s such a drag… feel so powerless.
    If anyone else has any suggestions please let me know. There are obviously a few threads regarding this, but it might be beneficial if there is a comprehensive list of approaches for dealing with this. Th


  • #4 / Jan 19, 2012 10:56am

    Philip Zaengle

    293 posts

    In the past we’ve done similar things, used grep to find nasty code and so on…

    All of that was to no avail as the hacker had added dozens of backdoors to the server.

  • #5 / Jan 19, 2012 12:11pm

    glenndavisgroup

    436 posts

    If you are using phpMyAdmin make sure you get the latest version with fixes etc. and change the folder to something other than phpMyAdmin. We had an attacker almost successfully take over our machine but they weren’t able to because our firewall stopped it. Basically the hacker used a vulnerability in the phpMyAdmin version we were running to upload a base64 Perl script to execute commands and download more stuff on the server. Mind you our phpMyAdmin was password protected and the attacker was still able to do this. But I feel your pain. Good luck with everything.

    Mike

  • #6 / Jan 19, 2012 7:49pm

    Sean C. Smith

    3818 posts

    Hi Scott,

    Really sorry to hear about your trouble. I can imagine how stressful this is for you.

    Thanks for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. To that, we need some additional information from you…

    1. EE version and build (found at the bottom of your control panel)
    You said 2.3.1, but which build is it?

    2. Other scripts on your account, whether in use or not (phpBB, etc…)*

    * If this is a shared hosting environment, the host can make a determination if the attack came through scripts on another account on the server, which is commonly the case with these types of hacks.

    While we work through this, please check through these files:

    * path.php
    * config.php
    * index.php

    to ensure that there is no unusual code such as iframes or JavaScript includes; if you do find that code, then please back up the file and remove said code. If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

    You may also wish to refresh your files by following the build update instructions.

    Also please ensure that you report this to your host immediately as they can help identify where the attack originated from so that steps can be taken to prevent this in the future.

    Thanks also to Philip and Mike for helping out here.

    Do keep us informed with your progress in overcoming this situation.

    Sean
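The symptoms raised across this thread (Scott's site-wide reset to mode 555 in #1, the base-encoded PHP files and modified .htaccess in #3, and Sean's request in #6 to check path.php, config.php and index.php for iframes or JavaScript includes) can be triaged with a single read-only scan rather than repeated manual grep passes. The script below is an added example for this archive, not code from the thread, from ExpressionEngine, or from the findmaliciouscode.htm tool Scott linked. It assumes a POSIX filesystem, a site tree laid out like an EE 2.x install, and the patterns listed at the top; the sample site it builds is constructed for the demonstration, and the rewrite-on-Googlebot check encodes Scott's own assumption about what the altered .htaccess was doing.

```python
"""Read-only triage scan for the symptoms described in this thread (added example;
not the thread's, ExpressionEngine's, or the linked scanner's own code).
Flags: obfuscated PHP, user-agent cloaking in .htaccess, injected iframes or
script includes in the EE entry files, and files whose mode is exactly 555.
Every match is a lead for a human to inspect, not proof of compromise."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Patterns are assumptions chosen for this example, tuned to cut the false
# positives Scott complained about: plain base64 strings are ignored, only
# decode-then-execute shapes and the deprecated preg_replace /e modifier match.
OBFUSCATED_PHP = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\("
    r"|preg_replace\s*\(\s*['\"][^'\"]*/e['\"]",
    re.I,
)
# A rewrite conditioned on Googlebot's user agent is the classic pharma-hack
# cloak: search engines see spam pages while human visitors see the real site.
HTACCESS_CLOAK = re.compile(r"RewriteCond\s+%\{HTTP_USER_AGENT\}\s+.*googlebot", re.I)
INJECTED_INCLUDE = re.compile(r"<iframe\b|<script\b[^>]*\bsrc\s*=", re.I)

# The three files Sean asks the poster to check in post #6.
ENTRY_FILES = {"path.php", "config.php", "index.php"}


def scan_tree(root):
    """Walk the site tree and return sorted (relative path, reason) findings."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        mode = stat.S_IMODE(p.stat().st_mode)
        # Post #1: every file and directory had been reset to r-x for all.
        # Ordinary web files are not normally 555, so flag the exact mode.
        if mode == 0o555:
            findings.append((rel, "mode 555"))
        try:
            text = p.read_text(errors="replace")
        except OSError:
            continue  # unreadable files are reported by the mode check only
        if p.suffix == ".php" and OBFUSCATED_PHP.search(text):
            findings.append((rel, "obfuscated php"))
        if p.name == ".htaccess" and HTACCESS_CLOAK.search(text):
            findings.append((rel, "user-agent cloaking rewrite"))
        if p.name in ENTRY_FILES and INJECTED_INCLUDE.search(text):
            findings.append((rel, "injected iframe/script"))
    return sorted(findings)


def build_sample_site(base):
    """Construct a small EE-like tree with one clean file and four planted symptoms.
    All contents are made up for this example; the decoded base64 is the word
    'constructed', not a payload."""
    base = Path(base)
    (base / "system").mkdir(parents=True, exist_ok=True)
    (base / "index.php").write_text("<?php require 'system/expressionengine/core.php';\n")
    (base / "config.php").write_text(
        "<?php $config['site_name'] = 'example';\n"
        "<iframe src=\"http://example.invalid/x\"></iframe>\n"
    )
    (base / ".htaccess").write_text(
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_USER_AGENT} googlebot [NC]\n"
        "RewriteRule . /system/wp.php [L]\n"
    )
    (base / "system" / "wp.php").write_text(
        "<?php eval(base64_decode('Y29uc3RydWN0ZWQ='));\n"
    )
    os.chmod(base / "index.php", 0o555)  # the unexplained permission reset
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        for rel, reason in scan_tree(tmp):
            print(f"{reason:28} {rel}")
```

Run it against the real document root instead of the temporary sample and pipe the output into a ticket; the script never modifies files, so the backups Sean asks for in #6 can be taken before anything is removed. The mode check is deliberately strict (exactly 555) because that was the reported symptom; widen it to any world-writable or unexpected mode if a host sets different defaults.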
