SilverStripe Forums » Blog Module » Posted Spam -> Blog module hacked!
-
Re: Posted Spam -> Blog module hacked!

6 July 2009 at 11:38pm
Hm - no answers for 3 days... This is not a good sign.
I even deleted the tables of all members - but I still receive posted spam.
We run several sites on this server - but this is happening only inside one blog.
No ideas how to secure the blog module and how to stop that mess?
Keep SilverStripe safe. Please help!
-
Re: Posted Spam -> Blog module hacked!

7 July 2009 at 12:26am
Hmmm...
The only thing I can come up with right now is that the bot creates HTTP posts immediately to the server. And yes, that would be a security hole.
Try catching the full HTTP-post request from the browser and then manually sending it to the server... (log-out first).
-
Re: Posted Spam -> Blog module hacked!

7 July 2009 at 2:22am
Thanx Fuzz10 - for helping me.
How can I realize this "Try catching the full HTTP-post request from the browser and then manually sending it to the server... "
What should I do exactly?
-
Re: Posted Spam -> Blog module hacked!

7 July 2009 at 2:32am
Wow.. this is really strange. Are you sure you don't have any default username/passwords set up? A bot could just go to /news/post and log in with admin/password. I tried this and it didn't work, so it appears you've deleted the default admin account.
I wonder if you could put an IP restriction on the post() action until you figure out what's going on?
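
One way to test the hypothesis raised earlier in this thread, that a bot is sending HTTP POSTs straight to the blog's post URL: an added example (not part of any forum post and not SilverStripe code) that scans a web server access log for POSTs to `/news/post` from addresses that never requested a login URL first. The log lines are constructed, and the Apache combined log format and the `/Security/` login prefix are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" format (not taken from the thread).
SAMPLE_LOG = """\
198.51.100.7 - - [06/Jul/2009:21:02:11 +0200] "GET /Security/login HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Jul/2009:21:05:02 +0200] "POST /news/post HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.44 - - [06/Jul/2009:23:10:45 +0200] "POST /news/post HTTP/1.0" 200 512 "-" "-"
203.0.113.44 - - [06/Jul/2009:23:10:47 +0200] "POST /news/post?x=1 HTTP/1.0" 200 512 "-" "-"
192.0.2.9 - - [06/Jul/2009:23:11:00 +0200] "GET /news/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""

# client IP, timestamp, method, request path and status of one combined-format line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def posts_without_login(log_text, post_path="/news/post", login_prefix="/Security/"):
    """Return {ip: [(timestamp, status), ...]} for POSTs to post_path made by
    addresses with no earlier request to a login URL in the same log.
    login_prefix is an assumption about where the site's login pages live."""
    seen_login = set()
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        ip = m["ip"]
        # Compare on the path only: drop the query string, ignore case.
        path = m["path"].split("?", 1)[0].lower()
        if path.startswith(login_prefix.lower()):
            seen_login.add(ip)
        elif (m["method"] == "POST" and path.rstrip("/") == post_path.lower()
              and ip not in seen_login):
            findings[ip].append((m["ts"], m["status"]))
    return dict(findings)


if __name__ == "__main__":
    for ip, hits in posts_without_login(SAMPLE_LOG).items():
        print(f"{ip}: {len(hits)} POST(s) to the blog with no login seen")
        for ts, status in hits:
            print(f"    {ts} -> HTTP {status}")
```

An address that logged in before the log window starts, or whose IP changed between login and post, is also listed, so the output is a set of leads to check against the blog entries' timestamps rather than proof.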
-
Re: Posted Spam -> Blog module hacked!

7 July 2009 at 3:35am Last edited: 7 July 2009 3:35am
I really do not have a default admin user! I even deleted the Member and Member Password tables temporarily. But the spam posts are still coming in!
Your suggestion "put an IP restriction on the post()" -> can you post an example of what to do?
-
Re: Posted Spam -> Blog module hacked!

7 July 2009 at 8:31am Last edited: 7 July 2009 8:36am
Well, if the user gained access to your website control panel, database or ftp server, then he can easily bypass the SilverStripe security measures. I suggest you do the following, before trying to further shut-down/blame SilverStripe:
- Change password to your Control Panel
- Change password of your FTP Access
- Ask your hosting provider for an FTP access log. Look for suspicious IPs
- Disallow any database connections other than from localhost (should be the default, but you never know)
- Change DB password
- Look for suspicious cgi or php scripts on the server
- Just to be sure, re-upload all your php files from a local, uncorrupted copy of the site
Update: AFAIK, if there's no admin user in the member database, one will automatically be created with username admin and password as password. What do you see in the CMS Security section after running /dev/build?
-
Re: Posted Spam -> Blog module hacked!

7 July 2009 at 9:16am
I really do not have a default admin user! I even deleted the Member and Member Password tables temporarily
This is bad - this will provide a security hole to the site, as the hacker could then run /dev/build?isDev=1 and recreate a dev admin user. If your site has been in dev mode or if your database has gone down then your mysql connection details could have been leaked and this could have access to this.
Make sure you are running SS2.3.2 as this has a security fix for an issue related to this
-
Re: Posted Spam -> Blog module hacked!

7 July 2009 at 11:02am Last edited: 7 July 2009 11:04am
@willr -> As written above, I changed all user names and passwords at first, without success (more spam was posted). Then I deleted the Member/MemberPasswords table just for a while to see and check the database if someone is going to create a new member with a trick. But no member was created (!) and we still received spam posts.
Then I re-imported all my members and passwords tables.
I have definitely no default "admin/password" User and you cannot create one by the "dev/build" way.
Guess the problem must be somewhere else.
@banal -> Thanks, I'm going to check out your instructions tomorrow morning (German time). Hope to find some solution.




