C5 targeted in Hack
Just thought I would report here about a hack that occurred on one of my customer's websites yesterday. Their main website is a custom CMS, and I installed the latest version of C5 in a subdirectory for blog functionality. Whoever compromised the system targeted just the C5 directory with a php5.php file in the root, which ended up serving modified versions of actual pages of the website to search engines.
The modified pages were held in a newly created /tmp directory also in the C5 root.
They also installed a Web Shell as models/cat.php
Not sure if any of these files were specifically written to target C5, but the attacker chose only to attack the C5 portion of this website.
-Guy
I have seen attacks such as this. They are robot-driven and look for specific folder names to hide their payload in, allowing for better masking. You should review the FTP logs to look for irregular FTP traffic, as a start.
Also, as a point of clarification: the php5.php file is not an override as I originally thought. The attacker had edited the index.php file and added a require(php5.php) command at the top, just above the require call for the dispatcher.
Also, nothing looked specific to C5. I'd imagine the hack would work the same on pretty much any CMS that routes all requests through the index.php file.
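A small integrity check for the two indicators described in this thread (an extra require inserted above the dispatcher call in index.php, and files such as php5.php, tmp/ and models/cat.php that a clean install does not have). This is an added example, not code from Guy or from concrete5; the index.php samples and the baseline manifest below are constructed, not taken from a real install.

```python
import re

# Constructed samples of a tampered and a clean front controller (not the real
# concrete5 index.php; only the dispatcher require is assumed to exist).
TAMPERED_INDEX = """<?php
require('php5.php');
require('concrete/dispatcher.php');
"""
CLEAN_INDEX = """<?php
require('concrete/dispatcher.php');
"""

# Constructed known-good manifest versus what was found on disk, using the
# file names reported in the thread.
BASELINE = ["index.php", "concrete/dispatcher.php", "models/.gitkeep"]
OBSERVED = BASELINE + ["php5.php", "models/cat.php", "tmp/index.html"]

# Matches require/include in both the require('x') and require "x" forms.
INCLUDE_RE = re.compile(
    r"\b(require|require_once|include|include_once)\s*\(?\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE,
)


def suspicious_includes(source, dispatcher="dispatcher.php"):
    """Return include targets that appear before the dispatcher is required.

    Anything loaded ahead of the dispatcher runs on every request and can
    rewrite output, which is exactly how the php5.php hook worked here.
    If no dispatcher require is present at all, every include is returned.
    """
    found = []
    for match in INCLUDE_RE.finditer(source):
        target = match.group(2)
        if target.endswith(dispatcher):
            break
        found.append(target)
    return found


def unexpected_files(baseline, observed):
    """Paths present on disk that the known-good manifest does not list."""
    return sorted(set(observed) - set(baseline))


if __name__ == "__main__":
    print("includes before dispatcher:", suspicious_includes(TAMPERED_INDEX))
    print("files not in baseline:", unexpected_files(BASELINE, OBSERVED))
```

In a real cleanup the baseline would come from a fresh download of the same C5 release, and the check should run on index.php plus every file the dispatcher itself loads.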