Jump to:

23368 Posts in 18143 Topics by 2863 members

General Questions

SilverStripe Forums » General Questions » SPAM - Injected everwhere!

General questions about getting started with SilverStripe that don't fit in any of the categories above.

Moderators: martimiz, Sean, biapar, Willr, Ingo, swaiba, simon_w

Page: 1
Go to End
Author Topic: 804 Views
  • entercow
    Avatar
    Community Member
    13 Posts

    SPAM - Injected everwhere! Link to this post

    Hi guys. I am having a serious issue with spam and I'm not sure where it is coming from. Spam links are being injected into all pages on page load before the <doctype>, and in the CMS backend on every 'publish' spam being crammed into every space it can fill causing all sorts of errors. I fixed this a couple days ago by deleting the Sapphire directory and replacing it with a fresh version, but the problem is already back. I sent a security message off to the SS team a few days ago.

    Anyone know what's causing this? My client is going crazy - and rightly so. I've checked all file and directory permissions and everything looks good there. If replacing the sapphire directory fixes it then I guess the problem lies there. Any specific ideas of what to look at?

  • dalesaurus
    Avatar
    Community Member
    283 Posts

    Re: SPAM - Injected everwhere! Link to this post

    Sounds like your host been compromised or you've installed some rogue module. Are you sure it is happening in the Silverstripe CRUD operations and not some kind of cross loaded JS? Can you share the client site so we can see exactly what kind of 'spam' is happening here?

  • entercow
    Avatar
    Community Member
    13 Posts

    Re: SPAM - Injected everwhere! Link to this post

    The first time it happened it manifested itself like this:

    Call from client saying they can't 'Publish' any changes to pages.

    I log in, hit publish on a page, and get the 'Javascript Parse Error'

    I check firebug and see that all the form data is being submitted, but at the bottom of the submission is a giant mass of spam.

    I replaced the sapphire directory and the problem was temporarily solved.

    This time it happened like this:

    Call from client saying they can't log into the CMS backend.

    I check and indeed I can't. I view the source code and see a giant pile of spam at the very top of the document.

    I browsed around the site and saw that this spam was being put on the top of every single page.

    I replaced the sapphire directory and the problem has been temporarily solved.

    ----------------------

    We are running the DataObject_Manager module by UncleCheese, as well as the Calendar_Event module, the Has-Many File Manager, the User Forms module, and the Slide Show Gallery module (not officially released) by UncleCheese.

    All of these modules have been edited and customized by me, some more than others, but strictly the PHP.

    Has anyone seen this problem like I describe? Most of what I see when searching the forums for 'Spam' is the standard issues about captchas, etc. I'm going to compare my bad Sapphire directory side by side to a good one and try to find any file differences (that I didn't make myself).

    I unfortunately can't share the client site.

    Thanks all!

  • dalesaurus
    Avatar
    Community Member
    283 Posts

    Re: SPAM - Injected everwhere! Link to this post

    Hmm, offhand all I can think of is that someone has added a auto_append_file in the php.ini (or perhaps is setting something in an auto_prepend_file). If you're seeing this in every PHP processed request check the value of those with ini_get.

    However I don't think this is a common issue among SS'ers. Do let us know what you find.

  • zenmonkey
    Avatar
    Community Member
    527 Posts

    Re: SPAM - Injected everwhere! Link to this post

    I had this happen on one of my sites. My sys admins system was compromised by a Flash/PDF exploit, The exploit would take his FTP passwords and use them to modify web docments. On my SS sites it added the code to main.php. Try changing your FTP passwords and run a virus scan on your system and your clients.

    804 Views
Page: 1
Go to Top

Want to know more about the company that brought you SilverStripe? Then check out SilverStripe.com

Comments on this website? Please give feedback.