ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Website hacked (Pharma Hack)

October 05, 2011 6:34am

  • #1 / Oct 05, 2011 6:34am

    birdie

    68 posts

    Hi,

    Unfortunately a website I produced using EE1x has been compromised and is sending false information to Googlebot.

    Even more unfortunately I don’t have a solid backup to roll back to due to updates done on the site since development completed, so I have started the process of rebuilding the site from scratch with a fresh install of EE and all the Modules and Extensions used.

    I’m not sure what other steps to take, and also I would like advice on how to protect the site from any further attempts to gain access.

    I don’t want to name the site here, but can PM support any details they require.

    Thanks,

    Cormac

  • #2 / Oct 05, 2011 7:48am

    Sue Crocker

    26054 posts

      Thanks for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. To that, we need some additional information from you…

      1. EE version and build (found at the bottom of your control panel)
      2. Other scripts on your account, whether in use or not (phpBB, etc…)*

      * If this is a shared hosting environment, the host can make a determination if the attack came through scripts on another account on the server, which is commonly the case with these types of hacks.

      While we work through this, please check through these files:

      * path.php (if using EE 1.x)
      * config.php
      * database.php (if using EE 2.x)
      * index.php

      to ensure that there is no unusual code such as iFrames or Javascript includes; if you do find that code, then please back up the file and remove said code. If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

      You may also wish to refresh your files by following the build update instructions.

      Also please ensure that you report this to your host immediately as they can help identify where the attack originated from so that steps can be taken to prevent this in the future.

  • #3 / Oct 05, 2011 8:13am

    birdie

    68 posts

    Hi Sue,

    ExpressionEngine 1.7.0
    Build: 20101018

    There aren’t any other scripts or installs on the account.

    I’ve checked the files you mentioned (path.php and config.php) but can’t see anything unusual. I use the Multi-Language Module from putyourlightson.com, so I’m using a modified path.php but I’ve checked those files too and everything seems normal.

    My host has been pretty useless since I reported this, and have not been helpful at all. Here was their response:

    “Looking at our end we couldn’t see where the code is coming from, I would advise you to check if you are using the latest version of expression engine on your website, also in regards with your website files, you will need to check them and see if there is any infected code there.”

    I’ll look into doing a build update; have there been updates since my build to tackle this issue?

    Edit: Forgot to mention, it’s Shared Hosting.

    Thanks,

    Cormac

  • #4 / Oct 05, 2011 9:10am

    Sue Crocker

    26054 posts

    Hi, Cormac.

    Refreshing your files with EE 1.7.1 would be the next thing I’d do. You’re only one small build behind. 😊

  • #5 / Oct 26, 2011 4:39am

    birdie

    68 posts

    Hi, just to give you an update on this, I completely rebuilt the site with new copies of EE and all the modules / extensions and plugins we’ve used, cleared off the server and redeployed the new version. In the process I updated everything to the latest builds / versions. I’ve scoured the database and can’t see anything that doesn’t directly relate to EE or our content.

    On the 18th October we relaunched the site and everything was fine, but when I checked on the 23rd the site had been compromised again. I redeployed the files from our SVN and this fixed the issue, but I am worried that it’s just going to happen again over the next few days.

    The hosting company, Blacknight.com, are denying that it has anything to do with their server:

    If your website is compromised then it is due to the coding or the script you are running on it, I can assure you that our shared hosting is secured and if there is a compromised site on the server it cannot access your webspace/files at all.

    I would advise you to check your coding and script and then upload clean files + database on the server.

    Can you advise if it is possible that EE is vulnerable, and what we can do to protect our site?

    Current build since the update:
    ExpressionEngine 1.7.1
    Build: 20110520

    Thanks…

  • #6 / Oct 26, 2011 7:52am

    Sue Crocker

    26054 posts

    Hi, birdie.

    You’ve done your due diligence; I personally would change hosts. Which file did you need to replace?

  • #7 / Oct 28, 2011 6:54am

    birdie

    68 posts

    Hi Sue,

    Sorry for the delay getting back to you, it turned out we missed the backdoor access when we did the first clean out, but hopefully we have it sorted now.

    They changed core.system.php, and added a file into a css directory that is obfuscated but is presumably their access path - This is the file we missed first time.

    I have copies if you are interested, let me know and I’ll PM them to you - Since it is encoded, gzipped and password protected, I haven’t been able to decode it to see exactly what is in there but maybe you guys would be able to.

    Thanks
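
As an added triage helper (not code from this thread, and not part of ExpressionEngine), the following Python scan checks a site root for the three indicators this thread describes: a PHP file sitting inside an asset directory such as css/, a PHP file built from layered eval/gzinflate/base64_decode calls, and an iframe or remote script include in the bootstrap files Sue listed (path.php, config.php, database.php, index.php). The sample site it scans is constructed inline; `ASSET_DIRS`, the file names and the regexes are assumptions chosen for illustration.

```python
import os
import re
import tempfile

# Directories that should never hold executable PHP, and EE 1.x/2.x bootstrap files (assumed lists).
ASSET_DIRS = {"css", "js", "images"}
BOOTSTRAP = {"path.php", "config.php", "database.php", "index.php"}
# Two or more of these calls in one PHP file is the usual shape of an encoded/packed dropper.
OBFUSCATION = re.compile(rb"\b(eval|gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.I)
# An iframe or a <script src="http..."> in a bootstrap file is the injection the checklist targets.
INJECTED_HTML = re.compile(rb"<iframe\b|<script\b[^>]*\bsrc\s*=\s*[\"']https?://", re.I)

def scan_tree(root):
    """Walk a site root and return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        dir_parts = set(rel_dir.split(os.sep)) - {"."}
        for name in files:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            with open(os.path.join(dirpath, name), "rb") as fh:
                data = fh.read()
            if name.endswith(".php") and dir_parts & ASSET_DIRS:
                findings.append((rel, "php file inside asset directory"))
            if name.endswith(".php") and len(OBFUSCATION.findall(data)) >= 2:
                findings.append((rel, "layered eval/decode/inflate calls"))
            if name in BOOTSTRAP and INJECTED_HTML.search(data):
                findings.append((rel, "iframe or remote script include in bootstrap file"))
    return sorted(findings)

def demo():
    """Write a constructed sample site to a temp dir, scan it, and return the findings."""
    root = tempfile.mkdtemp()
    samples = {  # every file below is constructed for illustration
        "index.php": b"<?php\n$system_path = './system';\nrequire $system_path.'/core/core.system.php';\n",
        "config.php": b"<?php\n$conf['site_name'] = 'demo';\n?>\n<iframe src=\"http://example.invalid/x\" width=0></iframe>\n",
        "themes/css/style.css": b"body { color: #333; }\n",
        # stand-in for the encoded file found in a css directory; the payload here is a dummy string
        "themes/css/style.php": b"<?php eval(gzinflate(base64_decode('AAAA')));\n",
        "system/core/core.system.php": b"<?php class Core { }\n",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return scan_tree(root)
```

Against a real install, call `scan_tree("/path/to/site")` instead of `demo()` and compare each flagged file with the known-good copy in version control before removing anything.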

  • #8 / Oct 28, 2011 8:50am

    dzr_rtw

    86 posts

    They changed core.system.php, and added a file into a css directory that is obfuscated but is presumably their access path - This is the file we missed first time.

    Hi - I would like to make sure that I’m not doing anything risky - can you explain what the above means?

    thanks!
    danielle


  • #9 / Oct 29, 2011 8:47am

    Mark Bowen

    12637 posts

    @birdie,

    If the files are password protected then there’s not really going to be any way of us getting access to them without the password I’m afraid so we won’t be able to look at those.

    When you say they are gzipped though are you referring to files that the host sent you or a file that was somehow stored on your server? I only ask as none of the ExpressionEngine files should be gzipped at all so I’m not really sure what they did here.

    As to your host blaming ExpressionEngine for this I’m not really too sure what to say to this as ExpressionEngine on its own is very very secure and any sort of code injection is usually down to problems on the host. To just say that it can’t possibly be a problem with their site like that without even checking to see how this happened is a little suspect to me.

    Any good host would check the server logs to see how and by whom the files were changed. They can then use that information to figure out how this happened. Most of the time this is down to some software on a shared host giving access to other domains. This is definitely not something that ExpressionEngine will ever do if installed and configured correctly, so the host really should be looking into this some more for you, or if it were me I would definitely hop, skip and jump away from that host as soon as I could.

    @danielle,

    I’m not too sure what you mean by your comment above? Are you also having the exact same problem here or something else?

    Thanks,

    Mark

