Several concrete5 sites cracked. Please help pinpointing possible causes.

Hey guys!

Several of our concrete5 websites have been cracked. I'd like to know if anyone has had security issues with c5 and how did they resolve them. I also have some specific questions too.

1) Is the presence of php files anywhere inside the files directory normal, under any circumstances? If yes, when?
2) Is there any process inside concrete5 core which could change the permissions of directories, even if temporarily? Specifically for example the updates directory to be world-writable?
3) Are there any KNOWN security issues with concrete5 or any of its standard blocks or elements (TinyMCE?) which can open doors for crackers?

As of right now, we have set up centralized caching (i.e. not the default files directory) and set file and directory permissions to the least required to run the site, but some sites have been cracked for a second time in recent months nevertheless, and we have no clue how they get in, but they've put malicious code inside the blocks and the files directory.

Any suggestions on taking security measures or anything related to how to make a concrete5 super-safe, would be nice. Thanks!

JohntheFish replied:
If they were all on the same server or with the same host, I would start by changing all your host account passwords and FTP passwords.
JohntheFish replied:
If you regularly access the servers from one PC or MAC, I would also look for trojans inside that PC.

Also think about any unsecured wireless networks you regularly use to login to the sites or access the host account.
szucslaszlo replied:
Hey John! Thank you for your tips. Would you perhaps be aware of any security risks specific to concrete5? I tried searching the forum, but do not get too many results; most of the time the answers are concerned with web server and ftp/sql account security settings - but the hosting company tells us that the security code must be in our code. That is why I am wondering here... :/
JohntheFish replied:
As long as you are running a reasonably up-to-date core you should be pretty safe w.r.t concrete5 itself.

The greatest risk within a site is one-off custom blocks or block templates that allow front end data entry, tasks or jobs. When coding them, the developer could neglect to take precautions with file or database access.

It is just about conceivable there could be very old addons in the marketplace that do not take adequate precautions, but I don't know of anything specific. All addons I am familiar with are pretty well defended from the front end.

You should also check there are no files with 666 access or directories with 777 access. In most cases it should be 644 and 755.
(see http://www.concrete5.org/documentation/how-tos/developers/sort-out-... )

Having said that about code and permissions, the usual way sites are compromised is that someone has got your host account or ftp details.
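The permission check John describes (no 666 files, no 777 directories, 644/755 otherwise) and the question of stray PHP files under the files directory can be audited with one script. This is an added example, not code from the forum or from concrete5; it assumes a POSIX find and builds a constructed miniature site tree so it runs stand-alone.

```shell
#!/bin/sh
# Constructed demo tree: a miniature concrete5-style layout with two
# deliberately wrong permissions and a stray PHP file under files/.
make_demo_site() {
  root=$1
  mkdir -p "$root/concrete" "$root/files/cache" "$root/updates" "$root/blocks"
  printf '<?php\n' > "$root/index.php"
  printf '<?php\n' > "$root/files/cache/evil.php"   # PHP where only uploads belong
  printf 'x' > "$root/files/cache/data.bin"
  chmod 755 "$root" "$root/concrete" "$root/files" "$root/files/cache" "$root/blocks"
  chmod 777 "$root/updates"                        # world-writable directory
  chmod 644 "$root/index.php" "$root/files/cache/data.bin"
  chmod 666 "$root/files/cache/evil.php"           # world-writable file
}

# Report world-writable files and directories (the 666 / 777 cases, matched by
# the "other write" bit -002) plus any .php file under files/, which a normal
# concrete5 install should not need. Run this against the real web root.
audit_site() {
  root=$1
  find "$root" -type f -perm -002
  find "$root" -type d -perm -002
  find "$root/files" -type f -name '*.php'
}

# Number of findings, so the result can be checked by a script.
audit_count() {
  audit_site "$1" | wc -l | tr -d ' '
}

# Reset the offending modes to 755 / 644. Stray PHP files are only reported,
# not deleted: each one needs a human look before removal.
fix_perms() {
  root=$1
  find "$root" -type d -perm -002 -exec chmod 755 {} +
  find "$root" -type f -perm -002 -exec chmod 644 {} +
}

if [ $# -gt 0 ]; then
  audit_site "$1"
fi
```

On the demo tree the audit reports three findings; after fix_perms only the stray PHP file remains, which is the one that needs manual review.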
szucslaszlo replied:
I see. Well, then I shall do a double check on the computers and the custom codes we introduced. Thank you for your time.