Discuss the Blog Module.

Moderators: martimiz, Sean, biapar, Willr, Ingo, swaiba, simon_w

Posted Spam -> Blog module hacked!




35 Posts   4787 Views

cliersch

Community Member, 75 Posts

6 July 2009 at 11:38pm

Hm - no answers for 3 days... This is not a good sign.

I even deleted the tables of all members - but I still receive posted spam.

We run several sites on this server - but this is happening only inside one blog.

No ideas how to secure the blog module and how to stop that mess?

Keep SilverStripe safe. Please help!

Fuzz10

Community Member, 787 Posts

7 July 2009 at 12:26am

Hmmm...

Only thing I can come up with right now is that the bot creates HTTP posts immediately to the server. And yes, that would be a security hole.

Try catching the full HTTP-post request from the browser and then manually sending it to the server... (log-out first).
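
Added example, not part of the original post or the SilverStripe code base: one way to test the direct-POST hypothesis above from the defender's side is to scan the web server access log for clients that POST to the blog's post action without ever having loaded the form. It assumes Apache combined log format and the `/news/post` path mentioned in this thread; the log lines are constructed.

```python
import re
from collections import defaultdict

# Apache/NCSA combined log format (assumed; adjust for other servers).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [06/Jul/2009:22:01:10 +0200] "GET /news/post HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Jul/2009:22:03:44 +0200] "POST /news/post HTTP/1.1" 302 0 "http://example.org/news/post" "Mozilla/5.0"
203.0.113.50 - - [06/Jul/2009:23:10:01 +0200] "POST /news/post HTTP/1.0" 302 0 "-" "-"
203.0.113.50 - - [06/Jul/2009:23:10:03 +0200] "POST /news/post HTTP/1.0" 302 0 "-" "-"
203.0.113.50 - - [06/Jul/2009:23:10:05 +0200] "POST /news/post HTTP/1.0" 403 312 "-" "-"
not a log line
"""

def find_direct_posts(log_text, form_path="/news/post"):
    """Return {ip: [(timestamp, path, status), ...]} for POSTs under form_path
    sent by clients that never fetched the form page with GET beforehand."""
    fetched_form = set()            # IPs that loaded the form page first
    direct = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                # skip malformed or truncated lines
        path = m["path"].split("?", 1)[0].rstrip("/")
        if not (path == form_path or path.startswith(form_path + "/")):
            continue
        if m["method"] == "GET":
            fetched_form.add(m["ip"])
        elif m["method"] == "POST" and m["ip"] not in fetched_form:
            direct[m["ip"]].append((m["ts"], path, int(m["status"])))
    return dict(direct)

def accepted(hits):
    """Keep only POSTs the server answered with 2xx/3xx, i.e. did not reject."""
    return [h for h in hits if 200 <= h[2] < 400]

if __name__ == "__main__":
    for ip, hits in find_direct_posts(SAMPLE_LOG).items():
        print(ip, "direct POSTs:", len(hits), "not rejected:", len(accepted(hits)))
```

A 2xx/3xx status only shows the request was not rejected, not that an entry was stored, and clients behind a shared IP can hide a direct POST behind someone else's GET.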

cliersch

Community Member, 75 Posts

7 July 2009 at 2:22am

Thanks Fuzz10 - for helping me.

How can I realize this "Try catching the full HTTP-post request from the browser and then manually sending it to the server... "

What should I do exactly?

UncleCheese

Forum Moderator, 4092 Posts

7 July 2009 at 2:32am

Wow.. this is really strange. Are you sure you don't have any default username/passwords set up? A bot could just go to /news/post and log in with admin/password. I tried this and it didn't work, so it appears you've deleted the default admin account.

I wonder if you could put an IP restriction on the post() action until you figure out what's going on?

cliersch

Community Member, 75 Posts

7 July 2009 at 3:35am

Edited: 07/07/2009 3:35am

I really do not have a default admin user! I even deleted the Member and Member Password tables temporarily. But the spam posts still are coming in!
Your suggestion "put an IP restriction on the post()" -> can you post an example what to do?

banal

Community Member, 901 Posts

7 July 2009 at 8:31am

Edited: 07/07/2009 8:36am

Well, if the user gained access to your website control panel, database or ftp server, then he can easily bypass the SilverStripe security measures. I suggest you do the following, before trying to further shut-down/blame SilverStripe:

  • Change password to your Control Panel
  • Change password of your FTP Access
  • Ask your hosting provider for an FTP access log. Look for suspicious IPs
  • Disallow any database connections other than from localhost (should be the default, but you never know)
  • Change DB password
  • Look for suspicious cgi or php scripts on the server
  • Just to be sure, re-upload all your php files from a local, uncorrupted copy of the site

Update: AFAIK if there's no admin user in the member database, one will automatically be created with username admin and password as password. What do you see in the CMS Security section after running /dev/build?

Willr

Forum Moderator, 5513 Posts

7 July 2009 at 9:16am

"I really do not have a default admin user! I even deleted the Member and Member Password tables temporarily"

This is bad - this will provide a security hole to the site, as the hacker could then run /dev/build?isDev=1 and recreate a dev admin user. If your site has been in dev mode or if your database has gone down then your mysql connection details could have been leaked and this could have access to this.

Make sure you are running SS2.3.2 as this has a security fix for an issue related to this.

cliersch

Community Member, 75 Posts

7 July 2009 at 11:02am

Edited: 07/07/2009 11:04am

@willr -> As written above I changed at first all user names and passwords without success (more spam was posted). Then I deleted the Member/MemberPasswords table just for a while to see and check the database if someone is going to create a new member with a trick. But no member was created (!) and we still received spam posts.
Then I re-imported all my members and passwords tables.
I have definitely no default "admin/password" User and you cannot create one by the "dev/build" way.
Guess the problem must be somewhere else.

@banal
Thanks, I'm going to check out your instructions tomorrow morning (German time :-)). Hope to find some solution.