ExpressionEngine CMS


This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Site has been hacked

July 02, 2012 10:40am

  • #1 / Jul 02, 2012 10:40am

    FortySeven Media

    130 posts

    Hey guys,

    It looks like after years of using EE it’s finally gotten hacked. We were running an older version (2.1) and somehow our javascript files were modified (flat files on the server). The host says it’s not anything on their end - is this possible through one of the cross-site vulnerabilities? Seems odd for files with 644 permissions.

    thanks for your help,

    Jonathan

  • #2 / Jul 02, 2012 1:03pm

    FortySeven Media

    130 posts

    Adding to the saga, another of the same company’s sites has been hacked exactly the same way. We were running a bit newer version of EE (2.2.1), but much of the setup was the same. They both happened at the same time and were on the same server and same plesk installation. Now I’m starting to wonder if it was something on the hosting end. They’re still saying it wasn’t. Ideas?

  • #3 / Jul 03, 2012 1:57pm

    Shane Eckert

    7174 posts

    Hey 47m,

    Thanks for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. To that, can you tell me if there are any other scripts on your account, whether in use or not (phpBB, WordPress, etc…)*

    * If this is a shared hosting environment, the host can make a determination if the attack came through scripts on another account on the server, which is commonly the case with these types of hacks.

    While we work through this, please check through these files:

      * index.php
      * admin.php
      * system/index.php
      * system/expressionengine/config/config.php

    to ensure that there is no unusual code such as iFrames or Javascript includes; if you do find that code, then please back-up the file and remove said code. If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

    You may also wish to refresh your files by following the build update instructions.

    You mentioned that it’s happened to another site and on the same server. I do not want to point fingers at all, but I would ask the hosting company if they could dig a little deeper and look into the logs either with you over the phone or request they track down any abnormal behavior in the Apache logs or system logs and send you the pertinent lines. It may take some digging but if they are logging, something will be in there.

    Moving forward, I would feel better if the root cause was known. You could get everything sorted just to be back here again if the reason for the hack is not found.

    Again, I am sorry you have been hacked, it’s no fun.

    Thank you,

  • #4 / Jul 03, 2012 3:26pm

    FortySeven Media

    130 posts

    Hey Shane,

    Thanks for jumping in.

    1. There should not be any other scripts unless it’s something pre-installed by the Plesk Panel. I’m not familiar enough with Plesk to know for sure.

    2. I hadn’t thought about it coming through another account on the server. I would hope it is sandboxed, but I’ll double check.

    3. I spent quite a bit of time yesterday updating both of the sites to the newest version of EE and all Add-Ons. I did notice there were various security updates moving up through the versions. The host, of course, pointed me to this 😊

    4. So all the code has been removed (it was just in two javascript files in my /js folder and not part of the templates or anything).

    5. These two sites are for the same company and when the second was built, we actually copied the whole EE setup and made modifications from there. They link to each other publicly as well. So it’s hard to tell. How are these attacks usually done? Through a comment or contact form or something like that?

    I’ll keep pushing on them to get details. I’ve never had an EE site hacked before and I’d like to keep it as secure as possible going forward 😊

  • #5 / Jul 05, 2012 12:47pm

    Shane Eckert

    7174 posts

    Hey 47m,

    The hacks I have seen lately have been through injection. These have been accounts that had other software installed and it turned out to be an easy fix, just cleaning the infected files and removing the other software.

    It sounds to me like you are going to be good here on out, but getting info from your host would be good. They really should have the information on how this happened. Just keep an eye on the js files. Might not hurt to use a cron job and a simple script to check file sizes or mod times for a bit on the js files, just to make sure this was a one time thing.

    Please keep me posted, would love to know if you get a definite answer from your provider.

    Cheers,
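Shane’s two suggestions above (post #3: inspect index.php, admin.php, system/index.php and config.php for injected iFrames or remote script includes; post #5: run a cron job that watches the js files for changes) can be combined into one small script. The following is an added example written for this thread, not code from ExpressionEngine or from any poster. It assumes a Linux host with GNU coreutils (sha256sum, xargs -r), a hypothetical web root path in WEBROOT, and file names without whitespace. It records SHA-256 hashes rather than the file sizes or mod times the thread mentions, because an attacker who can write the file can also `touch` it back to its old timestamp and pad it to the old size; a hash comparison catches both.

```shell
#!/bin/sh
# Added example (not from the thread): baseline-and-compare integrity check
# plus a crude injection scan for an EE install, meant to run from cron.
# Assumed/hypothetical: WEBROOT and BASELINE paths, GNU sha256sum and xargs.

WEBROOT="${WEBROOT:-/var/www/vhosts/example.com/httpdocs}"
# Keep the baseline OUTSIDE the web root so a web-facing compromise cannot
# quietly rewrite it alongside the files it protects.
BASELINE="${BASELINE:-$HOME/.ee-integrity.sha256}"

# Patterns typical of the injections discussed in the thread: hidden iframes
# and <script> tags that pull from a remote host. Tune for your own site.
PATTERN='<iframe|<script[^>]*src=.?https?://'

# The four PHP entry points Shane listed, plus every .js file under js/.
watched_files() {
    dir="$1"
    for f in index.php admin.php system/index.php \
             system/expressionengine/config/config.php; do
        [ -f "$dir/$f" ] && printf '%s\n' "$dir/$f"
    done
    [ -d "$dir/js" ] && find "$dir/js" -type f -name '*.js'
    return 0
}

# Write "<sha256>  <path>" lines for every watched file. Re-run this after
# each legitimate deploy, otherwise every deploy looks like a compromise.
make_baseline() {
    watched_files "$1" | sort | xargs -r sha256sum > "$2"
}

# Recompute hashes and diff against the baseline. Returns 0 when nothing
# changed; otherwise prints the unified diff (changed, added and removed
# files all show up) and returns 1.
check_integrity() {
    dir="$1"; base="$2"
    tmp=$(mktemp)
    watched_files "$dir" | sort | xargs -r sha256sum > "$tmp"
    if diff -u "$base" "$tmp" > "$tmp.diff"; then
        rm -f "$tmp" "$tmp.diff"
        return 0
    fi
    cat "$tmp.diff"
    rm -f "$tmp" "$tmp.diff"
    return 1
}

# Grep the watched files for the injection patterns. Returns 1 (and prints
# file:line:match) if anything suspicious is found, 0 otherwise. /dev/null
# is passed so grep always prefixes the file name, even for a single file.
scan_injections() {
    list=$(watched_files "$1")
    [ -n "$list" ] || return 0
    if printf '%s\n' "$list" | xargs grep -n -i -E "$PATTERN" /dev/null; then
        return 1
    fi
    return 0
}

# Usage:  integrity.sh baseline    (once, and after each deploy)
#         integrity.sh check       (from cron; non-zero exit = alert)
case "${1:-}" in
    baseline) make_baseline "$WEBROOT" "$BASELINE" ;;
    check)    check_integrity "$WEBROOT" "$BASELINE" && scan_injections "$WEBROOT" ;;
esac
```

A cron line such as `*/15 * * * * /usr/local/bin/integrity.sh check || mail -s "EE integrity alert" you@example.com` (example address, not from the thread) gives you the diff by email within minutes of a change. Two caveats: this only detects modification after the fact, it does not prevent it; and as post #8 shows, when the foothold is the control panel rather than the CMS, the same access that rewrote the js files can also rewrite or disable this script, so copying the baseline and the script to a machine the host cannot reach is worth the small extra effort.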

  • #6 / Jul 05, 2012 1:28pm

    FortySeven Media

    130 posts

    Thanks, Shane we are definitely keeping an eye on it. Still waiting to hear back from the host.

    Jonathan

  • #7 / Jul 07, 2012 10:30am

    rmwatson

    29 posts

    Just to chime in, we too have just had a few sites hacked (on v2.2 installs). Waiting for the server hosts to look into it and get back to me.

    Had a script injection on the index.php page, but the admin.php, system/index.php and system/expressionengine/config/config.php seem fine.

  • #8 / Jul 13, 2012 2:25pm

    FortySeven Media

    130 posts

    FYI, we’ve traced our hack down to a major flaw in the Plesk File Manager: http://www.scmagazine.com.au/News/308164,50000-sites-compromised-in-sustained-attack.aspx

    It was indeed a host/control panel problem and not an ExpressionEngine problem. Whew!

  • #9 / Jul 16, 2012 11:18am

    Shane Eckert

    7174 posts

    Hey 47m,

    Awesome! Glad you got this tracked down!

    So is everything good now?

    Thank you,
