This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.
#1 / Aug 15, 2012 1:54pm
I just received the “A core file was modified on your site.” email from an install and the instructions said to start a thread here. The file does not seem to be altered. Is there something else I can help do or report? Thanks!
#2 / Aug 16, 2012 6:01pm
Hi rockthenroll,
Thanks for following directions!
Did you or a client make any changes to index.php or config.php? ExpressionEngine keeps a checksum of those files since the CP was last loaded. If the file doesn’t pass the checksum, it triggers this alert.
You would also receive a notice on the Control Panel homepage if you log in as a Super Admin.
I suggest double-checking index.php, admin.php and /system/expressionengine/config/config.php to make sure no changes were made - even a space might throw off the checksum.
~
#3 / Aug 17, 2012 11:53am
No one altered the file before this was sent. It’s a personal testing install, so no clients or anyone else with access.
#4 / Aug 17, 2012 5:05pm
Hey Travis,
Hrm… OK - was *any* change made *anywhere* before the email was sent? New add-on? Installation moved? Version control?
~
#5 / Aug 17, 2012 7:07pm
This happened to us today - our index.php was hacked and defaced. We didn’t get the “core file modified” email for quite a while, though (6+ hours later).
Here’s my question: How is this alert triggered? If it’s a cron job, where can we set the interval? I’d think hourly would be the minimum interval.
Any other automated EE hacking tools hitting the streets that you guys know of?
#6 / Aug 17, 2012 7:08pm
> No one altered the file before this was sent. It’s a personal testing install, so no clients or anyone else with access.
Hi Travis, I’m a friend of Jack McDade’s (waves).
I presume this is on an external server, not your localhost, right?
#7 / Aug 20, 2012 11:14am
Dan - Nothing was changed and I had not even logged in for almost 3 days. Everything seems fine, I’m not too worried about it, but thought I would notify like the instructions asked.
Hi Allan! Yep, external server.
#8 / Aug 20, 2012 5:28pm
Travis - excellent! Still bizarre though, but thanks for following instructions 😊
Allan,
I went on a hunt with Robin to get you a proper answer.
The checksum is performed when a user visits the site. Basically if index.php is loaded at all. If a change is detected, it is logged. Then the notification is triggered the next time the Control Panel is loaded. If able, ExpressionEngine will send an email in addition to the notification in the Control Panel homepage.
So, no cron job or interval to adjust - just a visit to the Control Panel.
Now, my question is, what host are you on? And is it a shared-hosting account?
~
#9 / Aug 20, 2012 5:36pm
> The checksum is performed when a user visits the site. Basically if index.php is loaded at all. If a change is detected, it is logged. Then the notification is triggered the next time the Control Panel is loaded. If able, ExpressionEngine will send an email in addition to the notification in the Control Panel homepage. So, no cron job or interval to adjust - just a visit to the Control Panel.
> Now, my question is, what host are you on? And is it a shared-hosting account?
No, it’s a custom box at RackSpace. The new server is incredibly fast! <squee!> It’s also running on Nginx (more speed!).
I’m still getting notifications, but nothing seems to be modified. That could be our people logging in. Does EE keep an IP log anywhere?
I’ll do a file checksum/compare and see if anything’s being changed. We deploy with Capistrano - if another hack occurs, we can just redeploy and it’s back to normal. Scary though!
#10 / Aug 21, 2012 5:10pm
> It’s also running on Nginx (more speed!).
Hrm - I really need to spend some time digging into that. More folks are running ExpressionEngine on Nginx and we haven’t tested it. Obviously, it runs fine, but the devil is always in the details, no?
Indeed! Have a look in Tools -> Logs -> Control Panel Log
It tracks username, IP address, Date/Time and even if a Super Admin logs in as a user via the Control Panel.
> I’ll do a file checksum/compare and see if anything’s being changed. We deploy with Capistrano - if another hack occurs, we can just redeploy and it’s back to normal. Scary though!
What did you see in the files themselves? What kind of defacement was evident? And lastly, what were/are the file permissions on index.php and admin.php?
~
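The file checksum/compare mentioned in post #9, combined with the file-permission question from post #10, as an added example that is not part of the original thread and is not ExpressionEngine's own check. The use of SHA-256, the function names and the sample site built in `demo()` are assumptions made for illustration; the watched paths are the ones named in post #2.

```python
import hashlib
import os
import stat
import tempfile

# Files named in the thread, relative to the site root.
WATCHED = ("index.php", "admin.php",
           "system/expressionengine/config/config.php")

def snapshot(root, paths=WATCHED):
    """Map each watched path to its SHA-256 and permission bits (None if absent)."""
    snap = {}
    for rel in paths:
        full = os.path.join(root, rel)
        try:
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mode = stat.S_IMODE(os.stat(full).st_mode)
            snap[rel] = {"sha256": digest, "mode": mode}
        except FileNotFoundError:
            snap[rel] = None
    return snap

def compare(baseline, current):
    """Return (path, finding) pairs for every difference from the baseline."""
    findings = []
    for rel in sorted(baseline):
        old, new = baseline[rel], current.get(rel)
        if old is None and new is not None:
            findings.append((rel, "appeared"))
        elif old is not None and new is None:
            findings.append((rel, "missing"))
        elif old and new:
            if old["sha256"] != new["sha256"]:
                findings.append((rel, "content changed"))
            if old["mode"] != new["mode"]:
                findings.append((rel, "mode %o -> %o" % (old["mode"], new["mode"])))
    return findings

def demo():
    """Constructed site: one whitespace edit and one chmod after the baseline."""
    with tempfile.TemporaryDirectory() as root:
        for rel in WATCHED:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("<?php // constructed placeholder\n")
            os.chmod(full, 0o644)
        baseline = snapshot(root)
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write(" ")  # a single trailing space is enough to change the hash
        os.chmod(os.path.join(root, "admin.php"), 0o666)
        return compare(baseline, snapshot(root))
```

Taking the baseline right after a known-good deploy and storing it outside the web root keeps the comparison independent of anything an intruder could rewrite on the site itself.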