Concrete5 header files hacked
Permalink
I posted this earlier today as a response to another thread that was started in June. However, in retrospect, I think this hack is a bit different so I'm starting a new discussion. Here's the info - any suggestions/insights would be appreciated.
All files that contain the text "header" anywhere in the file name (i.e. header.php, header_newsflow.php) AND are in a theme/elements directory have been hacked. Div tags are being added to the bottom with links advertising cheap cialis, etc. The divs keep reappearing after I delete them and they've been added to all themes (including /concrete/themes) in over a dozen websites. All websites have been updated to the latest version of c5 (5.6.2.1) but the vulnerability continues.
The websites are all hosted under the same hosting account (though I changed the password after the first hack) and concrete5 files are definitely being targeted. I have two wordpress sites under the same account and they have not been touched, despite the fact that they have numerous files with the text "header" in the file name. The host says: "ssh and ftp look clean so I think it was a web based attack, but I haven't found it in the access logs yet."
Is it possible that there is a new vulnerability being exploited in c5? Any suggestions would be appreciated. I will refrain from posting the malicious div unless someone thinks it would be helpful. It's plain html with links to stupid sites.
All files that contain the text "header" anywhere in the file name (i.e. header.php, header_newsflow.php) AND are in a theme/elements directory have been hacked. Div tags are being added to the bottom with links advertising cheap cialis, etc. The divs keep reappearing after I delete them and they've been added to all themes (including /concrete/themes) in over a dozen websites. All websites have been updated to the latest version of c5 (5.6.2.1) but the vulnerability continues.
The websites are all hosted under the same hosting account (though I changed the password after the first hack) and concrete5 files are definitely being targeted. I have two wordpress sites under the same account and they have not been touched, despite the fact that they have numerous files with the text "header" in the file name. The host says: "ssh and ftp look clean so I think it was a web based attack, but I haven't found it in the access logs yet."
Is it possible that there is a new vulnerability being exploited in c5? Any suggestions would be appreciated. I will refrain from posting the malicious div unless someone thinks it would be helpful. It's plain html with links to stupid sites.
In case anyone else is interested in this topic, we discovered that it was one of the WordPress sites that was the culprit. Weird that the script targeted only the concrete5 files, but we found the smoking gun - a php script that had been added inside wp-admin. If you want more info let me know. Apparently it's a bad idea to host c5 alongside wp sites owed to the wp vulnerabilities.
Good to know. Thanks for sharing!
heh... sounds like someone doesn't like the competition.
Good catch finding it. You should really send all information (including the script from wp-admin) to Julia for her to take to the core dev team so they can have a look at it: http://www.concrete5.org/profile/-/view/84403/...
Good catch finding it. You should really send all information (including the script from wp-admin) to Julia for her to take to the core dev team so they can have a look at it: http://www.concrete5.org/profile/-/view/84403/...
