Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Blog Module

Discuss the Blog Module.

Moderators: martimiz, Sean, biapar, Willr, Ingo, swaiba, simon_w

Posted Spam -> Blog module hacked!


35 Posts   4714 Views


6 July 2009 at 11:38pm Community Member, 75 Posts

Hm - no answers until 3 days... This is not a good sign.

I even deleted the tables of all members - but I still receive posted spam.

We run several sites on this server - but this is happen only inside one blog.

No ideas how to secure the blog module and how to stop that mess?

Keep Silverstipe save. Please help!


7 July 2009 at 12:26am Community Member, 787 Posts


Only thing I can come up with right now , is that the bot creates HTTP posts immediately to the server. And yes, that would be a security hole.

Try catching the full HTTP-post request from the browser and then manually sending it to the server... (log-out first).


7 July 2009 at 2:22am Community Member, 75 Posts

Thanx Fuzz10 - for helping me.

How can I realize this "Try catching the full HTTP-post request from the browser and then manually sending it to the server... "

What should I do exactly?


7 July 2009 at 2:32am 4085 Posts

Wow.. this is really strange. Are you sure you don't have any default username/passwords set up? A bot could just go to /news/post and log in with admin/password. I tried this and it didn't work, so it appears you've deleted the default admin account.

I wonder if you could put an IP restriction on the post() action until you figure out what's going on?


7 July 2009 at 3:35am (Last edited: 7 July 2009 3:35am), Community Member, 75 Posts

I really do not have an default admin user! I even deleted the Member and Member Password tables temporarily. But the spam posts still are comming in!
Your suggestion "put an IP restriction on the post()" -> can you post an example what to do?


7 July 2009 at 8:31am (Last edited: 7 July 2009 8:36am), Community Member, 901 Posts

Well, if the user gained access to your website control panel, database or ftp server, then he can easily bypass the SilverStripe security measures. I suggest you do the following, before trying to further shut-down/blame SilverStripe:

  • Change password to your Control Panel
  • Change password of your FTP Access
  • Ask your hosting provider for an FTP access log. Look for suspicious IPs
  • Disallow any database connections other than from localhost (should be the default, but you never know)
  • Change DB password
  • Look for suspicious cgi or php scripts on the server
  • Just to be sure, re-upload all your php files from a local, uncorrupted copy of the site

Update AFAIK if there's no admin user in the member database, one will automatically be created with username admin and password as password. What do you see in the CMS Security section after running /dev/build?


7 July 2009 at 9:16am Forum Moderator, 5511 Posts

I really do not have an default admin user! I even deleted the Member and Member Password tables temporarily

This is bad - this will provide a security hole to the site, as the hacker could then run /dev/build?isDev=1 and recreate a dev admin user. If your site has been in dev mode or if your database has gone down then your mysql connection details could have been leaked and this could have access to this.

Make sure you are running SS2.3.2 as this has a security fix for an issue related to this


7 July 2009 at 11:02am (Last edited: 7 July 2009 11:04am), Community Member, 75 Posts

@willr -> As written above I changed at first all user names and passwords without success (more spam was posted). Then I deleted the Member/MemberPasswords table just for a while to see and check the database if somone is going to create a new member with a trick. But no member was created (!) an we still received spam posts.
Than I re-imported all my members and passwords tables.
I have definitely no default "admin/password" User and you cannot create one by the "dev/build" way.
Guess the problem must be somewhere else.

Thanks, Im going to check out your instructions tomorrow morning (German time :-)) Hope to find some solution.