23364 Posts in 18125 Topics by 2862 members
|Go to End|
23 September 2009 at 2:13am Last edited: 23 September 2009 2:14am
Hi guys. I am having a serious issue with spam and I'm not sure where it is coming from. Spam links are being injected into all pages on page load before the <doctype>, and in the CMS backend on every 'publish' spam being crammed into every space it can fill causing all sorts of errors. I fixed this a couple days ago by deleting the Sapphire directory and replacing it with a fresh version, but the problem is already back. I sent a security message off to the SS team a few days ago.
Anyone know what's causing this? My client is going crazy - and rightly so. I've checked all file and directory permissions and everything looks good there. If replacing the sapphire directory fixes it then I guess the problem lies there. Any specific ideas of what to look at?
23 September 2009 at 2:47am
Sounds like your host been compromised or you've installed some rogue module. Are you sure it is happening in the Silverstripe CRUD operations and not some kind of cross loaded JS? Can you share the client site so we can see exactly what kind of 'spam' is happening here?
23 September 2009 at 7:18am
The first time it happened it manifested itself like this:
Call from client saying they can't 'Publish' any changes to pages.
I check firebug and see that all the form data is being submitted, but at the bottom of the submission is a giant mass of spam.
I replaced the sapphire directory and the problem was temporarily solved.
This time it happened like this:
Call from client saying they can't log into the CMS backend.
I check and indeed I can't. I view the source code and see a giant pile of spam at the very top of the document.
I browsed around the site and saw that this spam was being put on the top of every single page.
I replaced the sapphire directory and the problem has been temporarily solved.
We are running the DataObject_Manager module by UncleCheese, as well as the Calendar_Event module, the Has-Many File Manager, the User Forms module, and the Slide Show Gallery module (not officially released) by UncleCheese.
All of these modules have been edited and customized by me, some more than others, but strictly the PHP.
Has anyone seen this problem like I describe? Most of what I see when searching the forums for 'Spam' is the standard issues about captchas, etc. I'm going to compare my bad Sapphire directory side by side to a good one and try to find any file differences (that I didn't make myself).
I unfortunately can't share the client site.
23 September 2009 at 7:56am
Hmm, offhand all I can think of is that someone has added a auto_append_file in the php.ini (or perhaps is setting something in an auto_prepend_file). If you're seeing this in every PHP processed request check the value of those with ini_get.
However I don't think this is a common issue among SS'ers. Do let us know what you find.
28 September 2009 at 5:40am
I had this happen on one of my sites. My sys admins system was compromised by a Flash/PDF exploit, The exploit would take his FTP passwords and use them to modify web docments. On my SS sites it added the code to main.php. Try changing your FTP passwords and run a virus scan on your system and your clients.
|Go to Top|