Concrete 5 sites read more link hack
Hi
A couple of our Concrete 5 sites have been hacked on the home page. All of the 'read more' links have been changed to botoflegends.com. It only appears to be on the home page.
This is not an FTP hack as there has been no damage to any files, and only the read more links have been affected on the site.
Has anybody else had this issue, or has a fix for it?
Many thanks in advance,
Labber
Do you have any links we could look at?
Sorry there are no websites we can show you since we had to change them as soon as possible. We have looked through the concrete5 logs. There was nothing in there to suggest unknown people have accessed the website. We seem to feel like it was a cache hack. Could someone have hacked the cache?
When we were logged into concrete5 the links were fine and once we republished the page, the links changed back to normal.
FTP is very insecure, they could have logged in via FTP and hacked the cache files - someone correct me if I'm wrong. :)
I checked the cache files now and none have been edited recently.
A virus on your computer can locate FTP details on your machine as they are stored as plain text and use them to login to your websites - scary! I had it happen years ago when I wasn't too savvy.
Keeping your PC/Mac protected and up to date with good anti-virus software is a must...
I do not have FTP details stored on my PC.
Good to eliminate that :)
Were the links in a block?
They were in a designer block. An extension I downloaded from the concrete5 marketplace. I was advised to download this block by Concrete5 DEVELOPER TUTORIALS
Is this Designer Content PRO? If so I think there was a security issue and an update was issued to fix it.
I am not sure. I downloaded the block midway through last year.
I would update that block/package to the latest version.
Ok I will. Do you have any idea how this hack works though? While I was logged in, the read more link was fine, but when I was not logged in the link was http://botoflegends.com/about-us...
The "about-us" was my page name that the read more link was linking to.
No idea to be honest, but updating that block is the easiest and quickest thing to do and hopefully it won't be hacked again.
Hi,
I'm sorry to hear that your site files were compromised somehow. I unfortunately do not know how it could have been caused, but I would like to clarify some info about the Designer Content addon.
If you downloaded it for free, and if it was midway through last year, it must have been the free version (not the "Pro" version), because the Pro version costs money and wasn't released until the end of September last year (2013). The free version of Designer Content creates blocktypes for you, and once the blocktypes are made, they are completely separate files and no longer "connected" to the addon itself... so upgrading Designer Content will not have any effect (and there probably isn't an upgrade available for that anyway since the last update was before you downloaded it).
In regards to the recent Designer Content Pro update, for the record it was not a security issue -- rather it was a problem where the C5 marketplace updater was overwriting addon files when an upgrade is performed through the dashboard, and because I was (foolishly) storing user-generated addon settings in the addon directory, these settings were getting overwritten when upgraded. The problem has since been fixed, but it doesn't have anything to do with security-related issues.
Again, I don't think this has anything to do with your situation because you're using the free version (but I just wanted to explain that more clearly for other people reading this in the future).
If this happens again, what you will want to investigate is *where* exactly the bogus links are coming from. Are they "hardcoded" into the block's view.php file? Was the database updated (as if a user had logged in as admin and edited the block on the page)? Or is it none of that and perhaps instead there was some javascript injected onto the page and the javascript code was rewriting the links AFTER the page was sent to the browser. Knowing the answer to this will help narrow down the possibilities of how the attacker gained access.
Best of luck,
Jordan
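The triage described in the post above, as an added example that is not part of the original thread: it reads the HTML exactly as the server sent it to a logged-out visitor and separates off-site links already present in the markup from off-site URLs that only appear in scripts. The host `example-site.test`, the sample pages and the names `LinkAudit` and `triage` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")  # plain-text URLs only

class LinkAudit(HTMLParser):
    """Collect off-site links from HTML as served, without running JavaScript."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.offsite_links = []    # <a href> values already pointing off-site
        self.script_findings = []  # off-site <script src> and URLs inside inline JS
        self._in_script = False

    def foreign(self, url):
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and host not in self.allowed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and self.foreign(attrs.get("href") or ""):
            self.offsite_links.append(attrs["href"])
        elif tag == "script":
            src = attrs.get("src")
            self._in_script = src is None
            if src and self.foreign(src):
                self.script_findings.append(src)

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:  # obfuscated inline JS will not match; review it by hand
            self.script_findings += [u for u in URL_RE.findall(data) if self.foreign(u)]

def triage(raw_html, allowed_hosts):
    """Point at where to look next, per the three possibilities in the post."""
    audit = LinkAudit(allowed_hosts)
    audit.feed(raw_html)
    if audit.offsite_links:    # markup itself altered: view.php, database or cache
        return "server-side", audit.offsite_links
    if audit.script_findings:  # markup clean: links are rewritten in the browser
        return "client-side", audit.script_findings
    return "clean", []

# Constructed samples: the same "read more" link, altered in two different places.
SERVER_SIDE = '<a href="http://botoflegends.com/about-us">Read more</a>'
CLIENT_SIDE = ('<a href="/about-us">Read more</a><script>document.links[0].href'
               ' = "http://botoflegends.com/about-us";</script>')
```

Feed it a response saved from a logged-out request, since the thread reports that the logged-in view looked normal.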
I just want to add - your designer content add-on is awesome, very very useful!
I have checked when everything was last modified. It seemed to be some sort of js injection, but I couldn't investigate for too long since we had to correct the site asap.
As I remember, to create a new block with designer content (non-Pro), you need to set the permissions for /blocks to 777, which is a security issue, so you should return them as soon as you're done creating that new block.
Have you maybe forgotten to secure the /blocks directory after block creation?