Website Security
Today one of my client's sites (which I am currently the sole person who works on) got hacked and phishing links were added to a folder called "packages/paypal_payments_pro". What I am trying to figure out is how C5 works in this sort of thing.
I'm assuming that my hack was not through C5, but rather through my hosting provider or FTP. What is the likelihood that if someone hacked into and had access to our server that they would be able to figure out our concrete5 users info and e-mail addresses?
I'm just wanting to understand what the full scope of this breach means for all of his users...
Thank you so much!
~Kari
Well, if the hacker knows it is a concrete5 website, they could open the site.php file and get the database information and get into the SQL database. Then from there they can go to the Users table and get all the emails, but passwords are hashed (so those are safe). This would be pretty detailed for a bot to do, but anything is possible. I suggest changing all passwords to the FTP and verifying you know all the accounts, and changing your SQL password and checking the Users as well.
My experience has been that this historically has always been a stored password in FTP, or a shared server vulnerability.
That being said, if someone had full access to your filesystem and database, they could get:
users' emails.
anything else you track with custom attributes for users.
But never their passwords, as they are hashed.
best wishes
Franz Maruna
CEO - concrete5.org
http://about.me/frz
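One way to scope an incident like this after the fact, as an added example that is not code from the thread or from concrete5 itself: a small Python triage script that lists files under packages/ changed since a cutoff time (a freshly dropped folder like the one in the original post would show up) and checks whether config/site.php, which holds the database credentials the first reply mentions, is readable by other accounts on the host. The webroot layout (config/site.php, packages/) is taken from the thread; the sample tree it builds is constructed for the demonstration.

```python
import os
import stat
import tempfile
import time
from pathlib import Path

def recently_modified(webroot, since_epoch):
    """Files under <webroot>/packages/ whose mtime is later than since_epoch,
    as paths relative to webroot. Newly dropped files show up here."""
    pkg_dir = Path(webroot) / "packages"
    hits = []
    for path in pkg_dir.rglob("*"):
        if path.is_file() and path.stat().st_mtime > since_epoch:
            hits.append(path.relative_to(webroot).as_posix())
    return sorted(hits)

def config_readable_by_others(webroot):
    """True if config/site.php (where the DB credentials live) is readable by
    group or other; on a shared host that is what exposes the password."""
    mode = (Path(webroot) / "config" / "site.php").stat().st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def restrict_config(webroot):
    """Tighten config/site.php to owner-only (0600). Only safe where the web
    server runs as the file owner; returns the readability state afterwards."""
    (Path(webroot) / "config" / "site.php").chmod(0o600)
    return config_readable_by_others(webroot)

def build_sample_webroot():
    """Constructed sample tree: one month-old package file, one file dropped
    just now, and a world-readable config/site.php. Returns (webroot, cutoff)."""
    root = Path(tempfile.mkdtemp())
    old = root / "packages" / "legit_addon" / "controller.php"
    dropped = root / "packages" / "paypal_payments_pro" / "index.html"
    cfg = root / "config" / "site.php"
    for f in (old, dropped, cfg):
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("placeholder\n")
    cfg.chmod(0o644)  # readable by everyone: the weak setting
    now = time.time()
    os.utime(old, (now - 86400 * 30, now - 86400 * 30))  # 30 days old
    os.utime(dropped, (now, now))                          # just dropped
    return str(root), now - 3600  # cutoff: anything changed in the last hour

if __name__ == "__main__":
    webroot, cutoff = build_sample_webroot()
    print("Changed under packages/:", recently_modified(webroot, cutoff))
    print("config/site.php readable by others:", config_readable_by_others(webroot))
    print("after restrict_config:", restrict_config(webroot))
```

On a real site, point recently_modified at the live webroot with the cutoff set to the last known-good deploy time rather than the constructed sample.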
Thank you so much for responding. At this moment I feel hopeful about not having my users' info stolen (but obviously it's still possible).
My biggest problem is that I changed the database password and now the site isn't working as I forgot that I would have to update concrete cms to know what the new password is. Is this something I can easily do through my ftp?
Thank you - you all at Concrete are awesome!
~Kari
No, changing your database password will happen through your host's control panel, or by command line.
Best wishes
Pecked out on an iPhone
Perhaps I worded my question wrong...
I changed the database password with my hosting provider and now my whole site is down. http://www.medicimedicine.com (edit: except now it's working because I fixed it!)
I'm assuming I need to go into my FTP and update concrete with the new database password to get it back. I went to the file/line number specified but I don't see where I could update my password there.
Thanks again,
Kari
Ah. /config/site.php
Best wishes
Pecked out on an iPhone
I found my answer here: http://www.concrete5.org/community/forums/usage/database-password-p...
Thank you all!