Repeatedly hacked


bones

Community Member, 110 Posts

14 May 2015 at 10:59pm

We're frequently finding lots of PHP files (for sunglasses, mainly) in amongst our SilverStripe files on one of our websites. I clear them out pretty regularly, and have instructed the client to remove all unnecessary users and have changed passwords on SS, hosting, FTP etc. SilverStripe itself seems OK - I've not found any pages or blog entries which seem to have been tampered with.

It's an older version of SS (2.4.9), but it's a huge site and upgrading to the current version isn't a practical option. The hosting isn't handled by us, and the hosting company isn't interested in helping us resolve the issue.

Is it likely to be a weakness in SS, the hosting, or something else, which is allowing unauthorised access to the webspace? Any advice or pointers would be gratefully received.

For obvious reasons, I'm not going to disclose which website is involved and I appreciate that this may limit any help or suggestions.

Thank you.

swaiba

Forum Moderator, 1899 Posts

14 May 2015 at 11:25pm

Hi bones,

Sorry to hear that - but just because it is written in SilverStripe - doesn't mean you shouldn't independently prove the security. I advise you hire externally to pen test and do it based on results - e.g. "I know we've been hacked, so if you cannot hack it - then you have failed". If you don't have the resource to do that... then it's up to you to do this... https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project is a good starter but it is a HUGE topic.

One note to make is that a large number of attacks come from internal disgruntled employees, so review those that have access and look to purge that where it can be purged (e.g. don't put everyone in Administrator group because "it works" in the short term).

Lastly upgrading to 2.4.13 (http://www.silverstripe.org/software/download/release-archive/) shouldn't be a large effort and would obviously be worth it.

Hope this helps

Pyromanik

Community Member, 419 Posts

15 May 2015 at 12:20am

Edited: 15/05/2015 12:21am

Check your access logs.
Suspicious activity should show up on them if SS is allowing this to happen.

You can always upgrade to the latest 2.4 - 2.4.9 is quite out of date even for the 2.4 branch.

I suspect it will be something else though, probably to do with FTP access. Depending on the control panel used it could be that too. Could be a whole range of things (outdated server software included!), but start with the access logs.
You could probably also inspect the files to see which user is the owner (usually the creator). If it's the web user, you need to investigate further (i.e., if it matches uploads to assets/), if not then I suspect it'd be from the FTP side of things. Should hopefully provide an indication on where to look to find the attack vector.
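
The ownership check suggested in the post above, as an added example that is not part of the original thread and is not SilverStripe code: it walks a webroot, records the owner and modification time of every PHP file, and labels each one by where to look next. The web user name, the webroot path and the extra extensions (`.phtml`, `.php5`) are assumptions to adjust for the host in question.

```python
#!/usr/bin/env python3
"""Triage PHP files under a webroot by owner (added example, Unix hosts)."""
import os
import sys
import time

try:
    import pwd  # Unix only; used to turn a uid into a user name
except ImportError:
    pwd = None


def owner_name(uid):
    """Resolve a uid to a user name, falling back to the number itself."""
    try:
        return pwd.getpwuid(uid).pw_name
    except (KeyError, AttributeError):
        return str(uid)


def triage(webroot, web_user, upload_dir="assets"):
    """Return one record per PHP file, newest first, with an investigation lead."""
    root = os.path.realpath(webroot)
    upload_root = os.path.join(root, upload_dir) + os.sep
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinks
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            owner = owner_name(st.st_uid)
            if path.startswith(upload_root):
                lead = "php-in-uploads"         # PHP sitting under assets/
            elif owner == web_user:
                lead = "written-by-web-user"    # created through the web server
            else:
                lead = "written-by-other-user"  # FTP, SSH or control panel account
            # mtime is reported in UTC so it can be lined up with access logs
            stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime))
            findings.append({"path": path, "owner": owner,
                             "lead": lead, "mtime": stamp})
    return sorted(findings, key=lambda f: f["mtime"], reverse=True)


if __name__ == "__main__":
    # Usage (assumed values): triage.py /var/www/site www-data
    for f in triage(sys.argv[1], sys.argv[2]):
        print(f'{f["mtime"]}  {f["owner"]:<12} {f["lead"]:<22} {f["path"]}')
```

Legitimate application files will normally appear as `written-by-other-user` under the deploy or FTP account, so compare the newest entries against a known-good copy of the site and use their timestamps to narrow the access and FTP log search.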