Security problem - repeated hacking

Hi there,

I'm using Power CMS (I think 1.02) on a client site.

Today is the third day in a row we've been hacked with exactly the same exploit.

We've spoken to server support (InMotion Hosting) and have changed file permissions to lock them.

But somehow the hack keeps happening. They're deleting all the files and creating their own files which include something called "egy_spider" exploit. I don't know if that's related to the vulnerability their exploiting or if it's simply the exploit they're pursuing, but I am attaching that file as a zipped PDF with this post, in case it's useful for reference.

Anyway, InMotion hosting has told us that they believe it's a vulnerability in the CMS that's allowing a PHP injection.

I've browsed the forum and the only related post I can find is about the security issue - server asset folder (showthread.php?t=22506).

I've applied that fix, but am wondering if there's something else I should be doing to secure the installation.

Please help if you can.

Cheers,
Jade

Hi again,

I've been looking into this since posting and I think I've isolated the hacker in the server logs.

It seems they began by performing GET and then POST operations on "HTMLEditor/editor/plugins/kfm/index.php" and then the "get.php" and "upload.php" from the same directory.

I can't say with complete certainty, but that seems like the exploit referenced in the other thread that I've now fixed.

So, hopefully I've got it secured. I've kept the relevant entries from the log file if they're of any use in helping me know for certain that it's been solved.

Cheers,
Jade

I've also had problems getting hacked. I'm using PowerCMS 2.01 (will change over to cms builder when all this settles) with iPower hosting and getting hacked on a daily basis. I've run a vulnerability test and it comes up with the following on both the admin and users log in pages:

Severity : Medium
Vulnerability Class : Cross-Site Scripting
Target URL : [withheld until secure posting]
Post Data : N/A

I want to make sure this isn't a false positive & will run another type of vulnerability scanner, but I need to stop getting hacked.

I probably opened the door for every cracker hacker out there. Sorry!

@debbie, what checker are you using? I would love to find a good utility to test my sites.

I've just started using N-Stalker and Acunetix Web Vulnerability Scanner -- both free editions. I've found that using the WA DataAssist Insert, I'm getting the below, however, from what I'm reading on deciphering this and their recommendations, the WA code has the necessary post restrictions, including the real escape string & mysql escape string. I don't know how to make my user input safe...

----------
Vulnerability description
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

Attack details
URL encoded POST input rfpHOpages was set to " onmouseover=prompt(929000) bad="
The input is reflected inside a tag element between double quotes.

Attack details
URL encoded POST input rfpAVReq was set to 1</textarea>1<ScRiPt >prompt(959056)</ScRiPt>
The input is reflected inside <textarea> tag.

thanks for those, I will check them out

I am far from a security expert, but one thing I do on my scripts that process form data is this....before it accepts any post data I have something like this

<?php
//Prevent form script hijack by serving only request from this domain
$myReferer = "http://mywebsite.com/";
$referer = ($_SERVER['HTTP_REFERER']);
if ($myReferer != $referer) {
echo "Unauthorized Request";
die;
}
?>

Just change the $myReferer to your url.
It seems to help with cross site scripting by killing the script if the referal does not come from your domain. Is there a way around this....I dunno.
And I have not really looked at WA's cms code to see if it already has something like this in place, it may....not sure.

edit... i just did a find and replace search for 'HTTP_REFERER' and didn't find any instances.
so I opened up the WA_Globals file and added this
$mysite = "http://www.mysite.com/myCMSfolder/admin/contents_insert.php"
(you need to edit that to point at your site files)
then I opened contents_insert, and directly below this line
<?php require_once( "../WA_Globals/WA_Globals.php" ); ?>
I added this
<?php
if (isset($_POST["Insert_x"])){
$referer = ($_SERVER['HTTP_REFERER']);
if ($referer != $mysite) {echo "Unauthorized Request"; die;}
}
?>

I tested it and it seemed to work....I tried to attack it, but it passed my tests
(again..not an expert, lol.. a hacker I am NOT)
you would need to do this again for the contents_update page.
maybe someone will know of a better approach

Be aware that a hacker can spoof your URL so this is not a fool proof method of protecting your site.

yeah, I was just reading about that. Is there a way to fix that? I was reading something about using the global server environment...but way over my head

All: There are fixes for the CMS Access issue in the known issues section of the download center for PCMS1 and PCMS2, this is not an issue in Power CMS Builder.

Debbie: I have created a support ticket so we can look into this issue further.

To view and edit your support ticket, please log into your support history:
supporthistory.php

If anyone else is experiencing this same issue, please append to this thread.