
This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


EE pharma hack - index.php hacked

February 07, 2012 11:19am

  • #1 / Feb 07, 2012 11:19am

    kwgray

    49 posts

    This question may be related to a resolved thread.

    Hello

    A colleague and I look after the EE site at http://www.scottish-gallery.co.uk/

    EE 1.6.9. Build: 20100430

    This morning it was drawn to our attention that an attack like the WordPress pharma hack had been made on the site.

    Three suspicious files were found in the system folder -
    cigs.php
    .httemp
    .inode

    Then it became apparent that the site’s main index.php file had been hacked with extra code added to the top.

    The attack may have happened during a period when phpthumb (which is used extensively on the site) was vulnerable. The phpthumb vulnerability is described here: http://foxtrot7security.blogspot.com/2011/12/new-attempts-to-exploit-old-phpthumb.html

    But… is there a vulnerability in the core EE which is being exploited?

    regards

    Ken

  • #2 / Feb 07, 2012 12:25pm

    Arrae Developer

    27 posts

    The pharma hack is often used to search the webroot for all index files and modify the physical file. There are a few scripts and tutorials out there that will show you how to remove the hacked code, but it’s not likely that the exploit had anything to do with EE security.

    I recommend upgrading your timthumb scripts immediately, and then replacing your EE core with a fresh one, so that all you’ll have to manually comb through ideally is your theme and any custom plugins (which hopefully can just be re-installed too). Then I highly recommend learning basic source control like SVN or Git and implementing that, because in the event an attack happens any other time, your SCM will show you what was affected and cleanup is EXTREMELY easy.
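
The comparison post #2 relies on (a fresh copy or a source-control checkout as the reference that shows what was affected), as an added example that is not part of the original thread: a Python script that hashes a known-good tree and the deployed tree and lists modified, added and missing files. The directory layout and file contents are constructed placeholders; only the file names index.php, cigs.php, .httemp and .inode come from the first post.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256, dotfiles included."""
    hashes = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            hashes[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def compare_to_baseline(baseline: Path, deployed: Path) -> dict[str, list[str]]:
    """List deployed files that differ from, are extra to, or are missing from the baseline."""
    good, live = tree_hashes(baseline), tree_hashes(deployed)
    return {
        "modified": sorted(p for p in good if p in live and good[p] != live[p]),
        "added": sorted(p for p in live if p not in good),
        "missing": sorted(p for p in good if p not in live),
    }


def demo() -> dict[str, list[str]]:
    """Build two constructed trees (placeholder contents, not real EE files) and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline, deployed = Path(tmp, "baseline"), Path(tmp, "deployed")
        for root in (baseline, deployed):
            (root / "system").mkdir(parents=True)
            (root / "index.php").write_text("<?php // front controller placeholder\n")
            (root / "system" / "core.php").write_text("<?php // core placeholder\n")
        # Constructed tampering that mirrors the report: text prepended to index.php
        # and three extra files in the system folder.
        index = deployed / "index.php"
        index.write_text("<?php /* unexpected prepended block */ ?>\n" + index.read_text())
        for name in ("cigs.php", ".httemp", ".inode"):
            (deployed / "system" / name).write_text("placeholder\n")
        return compare_to_baseline(baseline, deployed)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hidden files are walked on purpose, since two of the three files reported in the system folder were dotfiles that a plain directory listing would not show.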

  • #3 / Feb 07, 2012 1:50pm

    JT Thompson

    745 posts

    I’m not support for EE, but the first glaring problem is that the website is not on the last 1.x version. It’s on a very old 1.6.9, which was released just short of two years ago (if I’m remembering right).

    That being said, this thread doesn’t belong in the EE 2 support forum. It’s EE 1.

    Also, you are going to want to suggest to your client to consider upgrading because you’re only a few months away from EE stopping support for 1.x altogether, which means no security updates or any assistance. It’s an outdated product.

    I know it’s not ‘your’ site, but I’d highly recommend they upgrade.

  • #4 / Feb 07, 2012 3:02pm

    kwgray

    49 posts

    Thanks Clay and JT - appreciate the replies.

    Ken

  • #5 / Feb 08, 2012 2:00pm

    Dan Decker

    7338 posts

    Hi Ken,

    I must concur with the group here and recommend that you update to at least ExpressionEngine 1.7.1. Looking through the change log indicates there have been numerous bug and security fixes since 1.6.9 was the current release.

    If you can encourage the client to move to EE 2, that would be even better.

    Thanks!

  • #6 / Feb 08, 2012 2:12pm

    kwgray

    49 posts

    Cheers Dan, I know what you mean.

    Ken

  • #7 / Feb 10, 2012 8:12pm

    Sean C. Smith

    3818 posts

    Ken,

    Have you performed the upgrade? Is there anything else I can assist you with?

    Sean
