Site been Hacked
It appears a c5 site I have has been hacked somehow, could someone give me some advice on how to fix it?
the site in question is http://www.colingrayfencing.co.uk
the problem is http://www.google.com/safebrowsing/diagnostic?site=colingrayfencing...
try the security wall addon.
That isn't concrete5's fault. If you have another web app on the server, update it or remove it, and change your hosting passwords.
You don't need the security wall add-on, it causes as much havoc as help for on techs.
There's a thousand ways someone could have got into your webspace, but not likely through c5.
This isn't a matter of Concrete 5. The default.php file was likely hacked and an iframe (not iframe block) was added to our file.
Be wary, usually there are more files affected. Do a search for files modified recently from the attack. Also notify your hosting provider, they can usually run a script and remove many common hacks.
Make sure to change all passwords on your site (not concrete 5, but ftp/ssh/email etc.). You can change the c5 login passwords, especially if they are the same as your ftp/ssh/email.
-Phil
I don't have anything else running on this server, just C5. I did notify my host and they tried to put the blame on scripts I was running!
I quote
"This is most likely due to a script inject on your site. If you run any scripts such wordpress and plugins please make sure it is up to date and any unused plugins are disabled."!!
I have emailed them again requesting to have run a script looking for attacks
but anyway google seems to be happy with it now, and all passwords changed!
Thanks for the advice everyone! :)
Well my brother's site did get hacked one time and it had nothing to do with c5. In fact it was actually his unsecure connection ftp.
They added some js around the site.
As for your host you might want another. We were at bluehost at one time but they didn't provide any answers until one rep actually said that there was a security breach on several servers.
You should look into using the sftp for your file transfers. And change your cpanel/ftp/c5 credentials every so often.
-Thomas
--
c5bundle - You Gotta Get It
http://c5bundle.net/buy
I had something very similar happen to two clients, both times it was a virus on their computer that accessed ftp apps passwords then started screwing up files. It was nothing to do with C5 or the hosting server, it was all coming from their local computers. Scan for viruses and change your passwords.
I checked the FTP logs and according to them, no one had accessed the FTP for a couple of months.
Looks like I have spoken too soon, now the whole site has been deleted! I am glad it's not a "live" site
I seem to have an infection problem at http://constitution.org . I have reported it at http://www.google.com/support/forum/p/Google+Analytics/thread?tid=6...
I have inspected every file hit when someone visits the site except the C5 index.php, which is compressed/compiled, and could be hiding a virus. Is there a security update for critical C5 files?
Needless to say, this is very annoying. Ours is a controversial site with many powerful enemies, and we get intrusion attempts often, but this one seems more difficult to fix. Any help would be appreciated.
Hi Jon, this appears to be a problem within godaddy shared hosting:
http://blog.sucuri.net/2011/02/hilary-kneber-godaddy-and-welcometot...
That article talks about what is actually going on. I suggest getting in touch with your hosting provider, whether it is godaddy or not.
You should also change all of your passwords immediately. I also suggest you run various spyware / malware removal programs like hijackthis.de and spybot. I am not a security expert or Windows technician. If you notice your personal computer is behaving oddly you should probably take it to a professional.
It is unlikely that a hacker is targeting you for political reasons, or that you have even been targeted. Like most other crimes, cybercrime is primarily financially motivated and random.
As for your index.php, it should not contain any other code than
<?php require('concrete/dispatcher.php');
Okay, I should have compared the index.php file to others on other sites where I have installed Concrete5. Evidently the hacker replaced it with one containing the virus, so I renamed it and replaced it with a copy of the correct ones, which works fine. Now I will check to make sure that solved the problem.
If anyone would like to inspect the hacked index.php file I can send it to you or attach it to a message on this board.
Perhaps needless to say if you had followed and read the links I provided, I had already done the other recommended security measures. The hosting provider and I both use Linux, so we have no Windows vulnerabilities. I absolutely would never use godaddy for anything. I also don't use insecure ftp. How anyone got in remains a mystery.
Forgot to mention. Two files were hacked. Besides index.php, concrete/dispatcher.php was similarly hacked. This suggests the hacker was targeting a concrete5 installation, because he had to know to hack both those files.
Suggestion: Create a mirror of your site that is not exposed to the Net and run a cron script that compares the sizes of key files whose sizes shouldn't change, reporting on any changes.
Really there are a lot of ways webservers can be compromised, and when they are any php file is likely to be "infected" with malicious code. Just because it has been changed, doesn't mean it was an entry point.
That being said, I don't know of any major security vulnerabilities in concrete5 today but certainly if anyone discovers something I urge them to private message me or Andrew
Best wishes
Pecked out on an iPhone
C5 doesn't have to be an entry point to become a battleground. That's why I suggested a file size monitor script. I found the problem by comparing files between three different C5 installations. If one doesn't know how the intrusion occurred, it may still be necessary to have security tools to clean out at least the C5 files.
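The file monitor suggested above, together with the earlier advice to search for recently modified files, as an added example that is not part of the thread and is not concrete5 code. It assumes GNU find, sort, xargs, sha256sum and awk; the paths in the usage comment are hypothetical, and it compares SHA-256 hashes where the post suggests sizes.

```shell
#!/usr/bin/env bash
# Added example, not concrete5 code. Assumes GNU find, sort, xargs, sha256sum, awk.
# Hashes are compared instead of sizes: injected code can be padded to keep a
# file's size unchanged, and mtimes can be reset after a compromise.

# snapshot SITE_DIR: print "sha256  ./relative/path" for every .php file.
snapshot() {
    (cd "$1" && find . -type f -name '*.php' -print0 | sort -z |
        xargs -0 -r sha256sum)
}

# compare_site BASELINE SITE_DIR: print ADDED/CHANGED/REMOVED lines and
# return non-zero if the site differs from the baseline.
compare_site() {
    local current rc=0
    current=$(mktemp)
    snapshot "$2" > "$current"
    awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { base[path] = hash; next }
        { seen[path] = 1 }
        !(path in base)    { print "ADDED   " path; bad = 1; next }
        base[path] != hash { print "CHANGED " path; bad = 1 }
        END {
            for (p in base) if (!(p in seen)) { print "REMOVED " p; bad = 1 }
            exit bad + 0
        }
    ' "$1" "$current" || rc=$?
    rm -f "$current"
    return "$rc"
}

# recent_php SITE_DIR DAYS: list .php files modified in the last DAYS days,
# a first triage step after an incident (mtime alone is not proof either way).
recent_php() {
    find "$1" -type f -name '*.php' -mtime -"$2" -print
}

# Usage (hypothetical paths). Keep the baseline where the web server cannot
# write, for instance on the unexposed mirror suggested in the thread:
#   ./monitor.sh snapshot /var/www/site > /root/site.baseline   # clean tree
#   ./monitor.sh check /root/site.baseline /var/www/site        # from cron
case "${1:-}" in
    snapshot) snapshot "$2" ;;
    check)    compare_site "$2" "$3" ;;
esac
```

Run from cron, any output from `check` is mailed by cron itself when `MAILTO` is set; regenerate the baseline only after a deliberate upgrade of the site.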
I thought c5 was secure?!