close ad
WARNING: Do Not Install the DREAMWEAVER CC 2017 or 2018 Update »
open ad
View Menu

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

rating

Security problem - repeated hacking

Thread began 9/17/2011 2:24 pm by Jade but not jaded | Last modified 9/19/2011 12:20 pm by Jason Byrnes | 2676 views | 11 replies |

Jade but not jaded

Security problem - repeated hacking

Hi there,

I'm using Power CMS (I think 1.02) on a client site.

Today is the third day in a row we've been hacked with exactly the same exploit.

We've spoken to server support (InMotion Hosting) and have changed file permissions to lock them.

But somehow the hack keeps happening. They're deleting all the files and creating their own files which include something called "egy_spider" exploit. I don't know if that's related to the vulnerability their exploiting or if it's simply the exploit they're pursuing, but I am attaching that file as a zipped PDF with this post, in case it's useful for reference.

Anyway, InMotion hosting has told us that they believe it's a vulnerability in the CMS that's allowing a PHP injection.

I've browsed the forum and the only related post I can find is about the security issue - server asset folder (showthread.php?t=22506).

I've applied that fix, but am wondering if there's something else I should be doing to secure the installation.

Please help if you can.

Cheers,
Jade

Attached Files
hacked-file.zip
Sign in to reply to this post

Jade but not jaded

Hacking details

Hi again,

I've been looking into this since posting and I think I've isolated the hacker in the server logs.

It seems they began by performing GET and then POST operations on "HTMLEditor/editor/plugins/kfm/index.php" and then the "get.php" and "upload.php" from the same directory.

I can't say with complete certainty, but that seems like the exploit referenced in the other thread that I've now fixed.

So, hopefully I've got it secured. I've kept the relevant entries from the log file if they're of any use in helping me know for certain that it's been solved.

Cheers,
Jade

Sign in to reply to this post

debbie295402

Repeated Hacking

I've also had problems getting hacked. I'm using PowerCMS 2.01 (will change over to cms builder when all this settles) with iPower hosting and getting hacked on a daily basis. I've run a vulnerability test and it comes up with the following on both the admin and users log in pages:

Severity : Medium
Vulnerability Class : Cross-Site Scripting
Target URL : [withheld until secure posting]
Post Data : N/A

I want to make sure this isn't a false positive & will run another type of vulnerability scanner, but I need to stop getting hacked.

Sign in to reply to this post

debbie295402

hacking

I probably opened the door for every cracker hacker out there. Sorry!

Sign in to reply to this post

gruant2000381341

@debbie, what checker are you using? I would love to find a good utility to test my sites.

Sign in to reply to this post

debbie295402

I've just started using N-Stalker and Acunetix Web Vulnerability Scanner -- both free editions. I've found that using the WA DataAssist Insert, I'm getting the below, however, from what I'm reading on deciphering this and their recommendations, the WA code has the necessary post restrictions, including the real escape string & mysql escape string. I don't know how to make my user input safe...

----------
Vulnerability description
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

Attack details
URL encoded POST input rfpHOpages was set to " onmouseover=prompt(929000) bad="
The input is reflected inside a tag element between double quotes.

Attack details
URL encoded POST input rfpAVReq was set to 1</textarea>1<ScRiPt >prompt(959056)</ScRiPt>
The input is reflected inside <textarea> tag.

Sign in to reply to this post

gruant2000381341

thanks for those, I will check them out

I am far from a security expert, but one thing I do on my scripts that process form data is this....before it accepts any post data I have something like this

<?php
//Prevent form script hijack by serving only request from this domain
$myReferer = "http://mywebsite.com/";
$referer = ($_SERVER['HTTP_REFERER']);
if ($myReferer != $referer) {
echo "Unauthorized Request";
die;
}
?>

Just change the $myReferer to your url.
It seems to help with cross site scripting by killing the script if the referal does not come from your domain. Is there a way around this....I dunno.
And I have not really looked at WA's cms code to see if it already has something like this in place, it may....not sure.

edit... i just did a find and replace search for 'HTTP_REFERER' and didn't find any instances.
so I opened up the WA_Globals file and added this
$mysite = "http://www.mysite.com/myCMSfolder/admin/contents_insert.php"
(you need to edit that to point at your site files)
then I opened contents_insert, and directly below this line
<?php require_once( "../WA_Globals/WA_Globals.php" ); ?>
I added this
<?php
if (isset($_POST["Insert_x"])){
$referer = ($_SERVER['HTTP_REFERER']);
if ($referer != $mysite) {echo "Unauthorized Request"; die;}
}
?>

I tested it and it seemed to work....I tried to attack it, but it passed my tests
(again..not an expert, lol.. a hacker I am NOT)
you would need to do this again for the contents_update page.
maybe someone will know of a better approach

Sign in to reply to this post

Dave BuchholzBeta Tester

Be aware that a hacker can spoof your URL so this is not a fool proof method of protecting your site.

Sign in to reply to this post

gruant2000381341

yeah, I was just reading about that. Is there a way to fix that? I was reading something about using the global server environment...but way over my head

Sign in to reply to this post

Jason ByrnesWebAssist

All: There are fixes for the CMS Access issue in the known issues section of the download center for PCMS1 and PCMS2, this is not an issue in Power CMS Builder.

Debbie: I have created a support ticket so we can look into this issue further.

To view and edit your support ticket, please log into your support history:
supporthistory.php

If anyone else is experiencing this same issue, please append to this thread.

Sign in to reply to this post
loading

Build websites with a little help from your friends

Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.

Build websites from already-built web applications

These out-of-the-box solutions provide you proven, tested applications that can be up and running now.  Build a store, a gallery, or a web-based email solution.

Want your website pre-built and hosted?

Close Windowclose

Rate your experience or provide feedback on this page

Account or customer service questions?
Please user our contact form.

Need technical support?
Please visit support to ask a question

Content

rating

Layout

rating

Ease of use

rating

security code refresh image

We do not respond to comments submitted from this page directly, but we do read and analyze any feedback and will use it to help make your experience better in the future.

Close Windowclose

We were unable to retrieve the attached file

Close Windowclose

Attach and remove files

add attachmentAdd attachment
Close Windowclose

Enter the URL you would like to link to in your post

Close Windowclose

This is how you use right click RTF editing

Enable right click RTF editing option allows you to add html markup into your tutorial such as images, bulleted lists, files and more...

-- click to close --

Uploading file...