ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Site Continually HACKED! Need help ASAP!!

October 12, 2010 4:16pm

  • #1 / Oct 12, 2010 4:16pm

    Robin Reece

    105 posts

    Hi there,

    I am running 1.6.8 and this site continues to be hacked.

    When I go to the URL there is a new site there and it’s typically something Middle Eastern in content. I changed the FTP password and removed all of the files that had been added to the server. I replaced the index.php, path.php and the config files to what they should be. The site worked for a day.

    The next day the hosting service disable the site due to exploit content. They have indicated that I should check with EE to make sure that there aren’t any security patches that I should be aware of. I can always update to EE2 but I am uncertain of whether or not some of the plug-ins that I have installed will still be able to work.

    Speaking of plug-ins, I am guessing that THOSE could be part of the issue as well?

    What route should I take to get this site back up again and functioning safely so that it won’t be continually hacked?

    Thanks!

  • #2 / Oct 12, 2010 5:40pm

    MAYO

    53 posts

    You haven’t got all your files CHMOD’d to 777, have you? When I used to run WordPress, if I had the wrong files running 777, it was continuously exploited.

    I’ve never heard of EE being hacked before, nor have I ever had any spam/hacking. Strange one.

    Who do you host with?

  • #3 / Oct 12, 2010 5:52pm

    Brandon Jones

    5500 posts

    Hi Robin,

    Thanks for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. To that, we need some additional information from you…

    1. Build date for your EE 1.6.8 installation (found at the bottom of your control panel)
    2. Other scripts on your account, whether in use or not (phpBB, etc…)*

    If this is a shared hosting environment, the host can make a determination if the attack came through scripts on another account on the server, which is commonly the case with these types of hacks.

    Please also check through these files:

      * path.php
      * config.php
      * index.php

    to ensure that there is no unusual code such as iFrames or JavaScript includes; if you do find that code, then please back up the file and remove said code. If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

    I would suggest you completely refresh your files by following the build update instructions.

    Also please ask your host to help identify where the attack originated from so that steps can be taken to prevent this in the future. Keep us posted please.

  • #4 / Oct 13, 2010 1:44pm

    modgrrl

    3 posts

    What are the proper permission settings for the config.php file? Is the default rw-rw-rw? Is that proper?

  • #5 / Oct 13, 2010 2:20pm

    Robin Reece

    105 posts

    Thanks for the replies…

    I have only got the files that are supposed to be 777 set to that based on the EE instructions.

    The current build we are running for this client is 20090723 (1.6.8)

    I have gone through a couple of times now and refreshed the index.php, path.php, and config.php as funky coding was being placed into those files over and over again within 24 hours.

    I was going through some of the plugins and extensions that I had loaded into the site, and in the admin panel of the backend, when I went to the plug-ins manager page, there was this funky heading that said MASS MAILER and some text fields. So, I then refreshed the plugins index.html page and got rid of that mess.

    I am unsure of what other php files I should be looking for. When this originally happened there was a mess of arbitrary php files that I went in and deleted. They have not since returned.

    What else do you need to know?

    Thanks!

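As an added illustration of the checks suggested in #2, #3 and #4 (this is not code from the thread or from ExpressionEngine), the Python script below walks a web root, flags files that are world-writable (the 777 / rw-rw-rw setting asked about) and scans .php files for iframe tags, remote script includes and eval-of-decoded-payload constructs. The directory layout, file contents and the three patterns are constructed for the example; the script only reports and changes nothing, and which directories EE legitimately needs writable is for the reader to compare against the install instructions.

```python
"""Audit a web root for injected markup and loose permissions.

Added example, not ExpressionEngine code. The patterns and the sample
files built in audit_sample() are constructed for illustration.
"""
import os
import re
import stat
import tempfile

# Markers that do not belong in a clean index.php / path.php / config.php.
# Constructed list; extend it with whatever a clean copy of the file lacks.
SUSPICIOUS_PATTERNS = {
    "iframe": re.compile(r"<iframe\b", re.IGNORECASE),
    "remote script include": re.compile(
        r"<script\b[^>]*\bsrc\s*=\s*['\"]?https?://", re.IGNORECASE),
    "eval of decoded payload": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE),
}


def find_injected_markup(text):
    """Return the names of suspicious patterns present in the file text."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]


def is_world_writable(mode):
    """True when the 'other' write bit is set (0o777, 0o666, rw-rw-rw ...)."""
    return bool(mode & stat.S_IWOTH)


def audit_tree(root):
    """Walk root; return {relative path: [findings]} for files with problems."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            problems = []
            mode = os.stat(path).st_mode
            if is_world_writable(mode):
                problems.append("world-writable (%s)" % oct(stat.S_IMODE(mode)))
            if name.endswith(".php"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    problems.extend(find_injected_markup(fh.read()))
            if problems:
                findings[rel] = problems
    return findings


def audit_sample():
    """Build a constructed web root in a temp dir and audit it.

    index.php carries an injected iframe, config.php is rw-rw-rw,
    path.php is clean; the PNG is there to show non-PHP files pass.
    """
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "index.php": ("<?php\n$system_path = './system';\n?>\n"
                          "<iframe src=\"http://example.invalid/x\" width=0></iframe>\n",
                          0o644),
            "path.php": ("<?php\n$system_path = './system';\n", 0o644),
            "config.php": ("<?php\n$conf['app_version'] = '168';\n", 0o666),
            "images/logo.png": ("\x89PNG", 0o644),
        }
        for rel, (content, mode) in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
            os.chmod(path, mode)
        return audit_tree(root)


if __name__ == "__main__":
    for rel, problems in sorted(audit_sample().items()):
        print(rel, "->", "; ".join(problems))
```

On a live account, call audit_tree on the site root and diff any flagged PHP file against the copy from a fresh build download; a file that matches the clean copy but is still world-writable is the permissions problem MAYO describes, while a file whose content differs is what Brandon Jones asks to be backed up and cleaned.
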
  • #6 / Oct 13, 2010 5:57pm

    Ingmar

    29245 posts

    The current build we are running for this client is 20090723 (1.6.8)

    Please upgrade to 1.6.9 and replace all of your files.

    I have gone through a couple of times now and refreshed the index.php, path.php, and config.php as funky coding was being placed into those files over and over again within 24 hours.

    That points to a more serious issue, perhaps some compromised account on the server, or a backdoor of some sort. Have you notified your host? It’s imperative that you work with them. What have they replied?

  • #7 / Oct 13, 2010 7:19pm

    Robin Reece

    105 posts

    I have to purchase/renew the license in order to upgrade, correct?

    Dreamhost replied with:

    You need to make sure that the version of Expression Engine you’re running does not have security problems. You should be able to contact Expression Engine with your version number and have them determine this for you. They may possibly provide you a security patch for your current version free of charge if you have a valid license for the version you’re using, but I’m not familiar with their business practices. Regardless, it is unsafe to run vulnerable software and if the hacks continue we’ll have to disable the domain again.

    If you’re running any other web software, you need to pro-actively check those as well.

  • #8 / Oct 14, 2010 3:23am

    John Henry Donovan

    12339 posts

    Robin,

    I have gone through a couple of times now and refreshed the index.php, path.php, and config.php as funky coding was being placed into those files over and over again within 24 hours.

    Your FTP username and password may have been compromised. So change them as a matter of course and refresh those files again.

    Are you able to see your FTP logs as part of your hosting package? Voice your concern to your host and they may be able to check for you. Give them your IP so they can rule yours out.

    To renew your license, yes, you will need to purchase a renewal via your Purchases at expressionengine.com.

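An added example (not from the post above or from any hosting provider) of the FTP log review John Henry Donovan describes: it parses a constructed, simplified log and lists logins and uploads of index.php, path.php and config.php that came from addresses other than the site owner's, which is how the owner's own file refreshes get ruled out. Real FTP daemons write their own formats (vsftpd's xferlog, for instance), so LOG_RE is an assumption to adapt; the addresses are from the RFC 5737 documentation ranges and the timestamps are made up.

```python
"""Find FTP uploads of the tampered files from unfamiliar addresses.

Added example, not from the thread. The log layout, addresses and
timestamps below are constructed; adapt LOG_RE to the real daemon's format.
"""
import re
from collections import Counter

# Constructed line layout: "<ts> <EVENT> user=<u> ip=<a> [file=<path>]".
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<event>LOGIN|STOR|DELE) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)(?: file=(?P<file>\S+))?$"
)

# The files the thread says were being overwritten.
WATCHED = ("index.php", "path.php", "config.php")

# Constructed sample: the owner's normal work from 198.51.100.20, then an
# early-morning session from 203.0.113.77 using the SAME username.
SAMPLE_LOG = """\
2010-10-12 09:02:11 LOGIN user=robin ip=198.51.100.20
2010-10-12 09:03:40 STOR user=robin ip=198.51.100.20 file=/images/banner.jpg
2010-10-13 03:14:07 LOGIN user=robin ip=203.0.113.77
2010-10-13 03:14:29 STOR user=robin ip=203.0.113.77 file=/index.php
2010-10-13 03:14:31 STOR user=robin ip=203.0.113.77 file=/system/plugins/index.html
2010-10-13 03:14:35 STOR user=robin ip=203.0.113.77 file=/config.php
2010-10-13 10:45:02 LOGIN user=robin ip=198.51.100.20
2010-10-13 10:46:10 STOR user=robin ip=198.51.100.20 file=/index.php
"""


def parse_ftp_log(text):
    """Return one dict per recognised line; unknown lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def review(records, owner_ips):
    """Return (unknown_logins, foreign_uploads).

    unknown_logins counts LOGIN events per address not in owner_ips.
    foreign_uploads lists (ts, ip, file, is_watched) for every STOR from
    such an address, marking the files the thread cares about.
    """
    unknown_logins = Counter(
        r["ip"] for r in records if r["event"] == "LOGIN" and r["ip"] not in owner_ips
    )
    foreign_uploads = [
        (r["ts"], r["ip"], r["file"], r["file"].rsplit("/", 1)[-1] in WATCHED)
        for r in records
        if r["event"] == "STOR" and r["ip"] not in owner_ips
    ]
    return unknown_logins, foreign_uploads


def review_sample():
    """Run the review over the constructed log with the owner's address known."""
    return review(parse_ftp_log(SAMPLE_LOG), {"198.51.100.20"})


if __name__ == "__main__":
    logins, uploads = review_sample()
    for ip, n in logins.items():
        print("logins from unknown address %s: %d" % (ip, n))
    for ts, ip, path, watched in uploads:
        print(ts, ip, path, "<-- watched file" if watched else "")
```

The owner's own 10:46 re-upload of index.php is not reported because it came from the listed address; the 03:14 session is, and because it authenticated with the owner's username rather than breaking in some other way, it is exactly the sign of a leaked FTP password that the post above describes.
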
  • #9 / Oct 24, 2010 3:35pm

    eyevariety

    158 posts

    Robin, you should also note that a common way of getting FTP info is through viruses on your machine. You should run a virus scan on your own computer ASAP.

  • #10 / Oct 25, 2010 4:01am

    John Henry Donovan

    12339 posts

    Robin,

    Following up on eyevariety’s advice, you need to determine if a) you are the only user with FTP account details on their machine, and b) run a virus scan on your own machine. Once you are certain you are clean, and only then, change your FTP password.
