ExpressionEngine CMS
This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Security issue: unknown SuperAdmin in one of my sites

November 16, 2009 3:22pm

  • #1 / Nov 16, 2009 3:22pm

    spacewalk

    106 posts

    It looks like I may have a serious security issue. I just received a flurry of emails (5) related to a site I’m building. They all say:

    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    .(JavaScript must be enabled to view this email address)
      Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings

    I have replaced the email address above. Three of the 5 mails have the same address, the other two have a different address. I’m quite certain that these are stolen addresses and that the individuals have no idea this is happening in connection with their addresses.

    I went into my log and found that a user “test” had logged in at that time. I do not have a public registration or log-in page for this site; it’s not a site with self-registered members (or is not intended to be, anyway). The CMS is used to build only publicly accessible pages.

    In “View Members” I found user “test” in the Super Admins group. His “member since” date was the same as my own SuperAdmin account, so I assume that he somehow managed to clone my account. (The system log shows only one entry for “test” which is today’s login. There is no record in the log of the creation of “test’s” account.)

    I immediately deleted the account. So far, no other evidence of tampering, but I can’t be certain.

    How did this happen, and what do I do now? Thanks.

  • #2 / Nov 16, 2009 4:07pm

    Ingmar

    29245 posts

    it’s not a site with self-registered members (or is not intended to be, anyway).

    Be sure to turn off registration of new members, then. You might also want to restrict what members of the “Guest” group (your site’s target audience, by and large) see.

    In “View Members” I found user “test” in the Super Admins group. His “member since” date was the same as my own SuperAdmin account, so I assume that he somehow managed to clone my account. (The system log shows only one entry for “test” which is today’s login. There is no record in the log of the creation of “test’s” account.)

    Be sure to change all of your passwords immediately, including FTP and MySQL passwords.

    How did this happen, and what do I do now? Thanks.

    Please ask your host about it: they might have logs about logins, connection attempts, db access and the like. It sounds like a possible local issue, where your db was attacked directly.

  • #3 / Nov 16, 2009 4:12pm

    Ingmar

    29245 posts

    One other thing: I know you deleted the account, but would it be possible to recover the IP that the test user used, perhaps from a backup? Might be possible to trace that.

  • #4 / Nov 16, 2009 4:13pm

    spacewalk

    106 posts

    They just re-registered themselves. I thought I had this nailed. Where is registration of new members turned off in the CP?

  • #5 / Nov 16, 2009 4:15pm

    Ingmar

    29245 posts

    Admin > Members and Groups > Member Preferences > Allow New Member Registrations?

    You have changed all passwords, correct? You might want to change user names, too. Also, talk to your host right now, please. Please make a note of the IP address if you can.

    Also, make sure to be on the latest version and build of EE, although I have no reason to suspect an EE vulnerability at this point.

  • #6 / Nov 16, 2009 4:35pm

    spacewalk

    106 posts

    Admin > Members and Groups > Member Preferences > Allow New Member Registrations?

    You have changed all passwords, correct? You might want to change user names, too. Also, talk to your host right now, please. Please make a note of the IP address if you can.

    Also, make sure to be on the latest version and build of EE, although I have no reason to suspect an EE vulnerability at this point.

    Sure enough, I had “Allow New Member Registrations” set to “Yes”—for no good reason, just my oversight. But when you mentioned “direct db attack” were you saying that another pathway could have resulted in a member account being created? Such as cloning my SuperAdmin account directly in MySQL?

    Yes, I also deleted the second registration of this attacker before noting the IP. However, I think I’ve been able to deduce it from raw server logs. The host is my client’s existing web hosting company. Just a typical commodity Linux shared hosting setup, but not a provider I know or love.

    Have changed db access user and password so far. Now doing EE users and FTP.

  • #7 / Nov 16, 2009 4:38pm

    Ingmar

    29245 posts

    But when you mentioned “direct db attack” were you saying that another pathway could have resulted in a member account being created? Such as cloning my SuperAdmin account directly in MySQL?

    Yes, of course. It’s a regular MySQL database: if an attacker knows your database password (or has access to your account, since it can be found in config.php) he can manipulate your database without having to use EE to do it.

    The host is my client’s existing web hosting company. Just a typical commodity Linux shared hosting setup, but not a provider I know or love.

    I am afraid it will be rather difficult to track this down without assistance by your host.

    Have changed db access user and password so far. Now doing EE users and FTP.

    Very good. Please do keep us in the loop.

  • #8 / Nov 16, 2009 5:07pm

    spacewalk

    106 posts

    EE’s own Control Panel Log shows that the attacker first simply logged in as “test”. No previous record of him whatsoever (i.e., no record of his account being created in EE). I deleted that account.

    Later he logged in as me (SuperAdmin) and then as the one other user on the account (me in a member group testing access for eventual hand-off to client staff members). Then he created his own “test” Member profile. Then logged out and logged in as “test”. No EE Log record of any activity. I’m hoping that he sniffed around, found nothing he wanted, and left without doing vandalism. The site seems to be working normally.

    I’ve since changed passwords on both member accounts to new ones (I always use very strong random passwords). Also changed db user name and db access password on server and in EE config.

    BTW, the EE log also clearly shows his IP, even though I deleted both “test” accounts.

    I assume that his second appearance suggests access via EE rather than direct db manipulation, but that the first attack looks like direct db manipulation, probably by cloning my account.

    I’m using EE 1.6.8 Build 20091002.

    I’m getting on the phone to the hosting company right now.

  • #9 / Nov 16, 2009 5:52pm

    Ingmar

    29245 posts

    No previous record of him whatsoever (i.e., no record of his account being created in EE).

    Just note that as a Superadmin he can clear logs (although that in itself would leave an entry in the log); what’s more, if he has access to the database he can simply manipulate data in there directly.

    I assume that his second appearance suggests access via EE rather than direct db manipulation, but that the first attack looks like direct db manipulation, probably by cloning my account.

    That looks like a distinct possibility, yes.

    I’m getting on the phone to the hosting company right now.

    Please let us know what you find out.
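A defender's check for the situation Ingmar describes in #7 and #9: a member row inserted or cloned directly in MySQL leaves no Control Panel log entry, so the place to look is the members table itself, not the CP log. The script below is an added example, not code from this thread or from ExpressionEngine. It assumes the EE 1.x `exp_members` layout (Super Admins have `group_id` 1, `join_date` is a UNIX timestamp, `ip_address` holds the last login IP) and runs against constructed sample rows in an in-memory SQLite table standing in for the live MySQL database; the sample "test" row mirrors the clone spacewalk found, a Super Admin sharing the real admin's "member since" date.

```python
import sqlite3

SUPER_ADMIN_GROUP_ID = 1  # assumption: EE 1.x uses group_id 1 for Super Admins

# Constructed sample rows (a subset of the assumed EE 1.x exp_members columns).
# Row 3 is the clone pattern from the thread: Super Admin, same join_date as admin.
SAMPLE_MEMBERS = [
    # (member_id, group_id, username, email, join_date, ip_address)
    (1, 1, "admin",   "admin@example.org",   1254441600, "203.0.113.10"),
    (2, 5, "staffer", "staffer@example.org", 1255564800, "203.0.113.10"),
    (3, 1, "test",    "someone@example.net", 1254441600, "198.51.100.7"),
]


def load_sample_db():
    """Build an in-memory SQLite stand-in for the exp_members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE exp_members ("
        "member_id INTEGER PRIMARY KEY, group_id INTEGER, username TEXT, "
        "email TEXT, join_date INTEGER, ip_address TEXT)"
    )
    conn.executemany("INSERT INTO exp_members VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_MEMBERS)
    conn.commit()
    return conn


def unexpected_super_admins(conn, expected_usernames):
    """Super Admin rows whose username is not on the administrator's own list.

    The allow-list is applied in Python rather than interpolated into the SQL,
    so the query text stays constant whatever the list contains.
    """
    rows = conn.execute(
        "SELECT member_id, username, email, join_date, ip_address "
        "FROM exp_members WHERE group_id = ? ORDER BY member_id",
        (SUPER_ADMIN_GROUP_ID,),
    ).fetchall()
    expected = set(expected_usernames)
    return [row for row in rows if row[1] not in expected]


def shared_join_dates(conn):
    """Pairs of members with an identical join_date where at least one is a Super Admin.

    An account created through EE carries its own creation time; a Super Admin
    whose join_date matches an older account is the cloned-row pattern.
    """
    return conn.execute(
        "SELECT a.member_id, a.username, b.member_id, b.username, a.join_date "
        "FROM exp_members a JOIN exp_members b "
        "ON a.join_date = b.join_date AND a.member_id < b.member_id "
        "WHERE a.group_id = ? OR b.group_id = ? "
        "ORDER BY a.member_id, b.member_id",
        (SUPER_ADMIN_GROUP_ID, SUPER_ADMIN_GROUP_ID),
    ).fetchall()


def audit(conn, expected_usernames):
    """Run both checks and return the findings keyed by check name."""
    return {
        "unexpected_super_admins": unexpected_super_admins(conn, expected_usernames),
        "shared_join_dates": shared_join_dates(conn),
    }


if __name__ == "__main__":
    findings = audit(load_sample_db(), ["admin"])
    for check, rows in findings.items():
        print(check)
        for row in rows:
            print("  ", row)
```

Against a real installation the two SELECTs stay the same; only the connection changes from SQLite to the site's MySQL database, and the allow-list is the site owner's own list of Super Admin usernames. Run on a schedule from outside the CMS, the check catches a row that never went through EE at all, and the `ip_address` value it reports is the same last-login IP spacewalk later recovered from the EE log.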

  • #10 / Nov 16, 2009 6:07pm

    spacewalk

    106 posts

    Well of course I found out nothing in that particular phone call. I gave them (hosting.com) the attacker’s IP and a full description of what happened. They opened a ticket and promised to review server logs and see if “anything jumps out at them.” If they don’t get back to me as promised, I’ll chase them for a follow-up.

    The only other time this happened to me, the host was so unresponsive that I just moved the whole installation to a better host.

    But, for now, the bad person has not returned.

  • #11 / Nov 16, 2009 7:07pm

    Adam Dorsey

    1439 posts

    Hi spacewalk-
    Please let us know, as soon as you hear anything from your host. Thanks!

  • #12 / Dec 04, 2009 9:09am

    Ingmar

    29245 posts

    spacewalk, any news? Did you hear back from your host?
