Concrete5 Hack opens up Dashboard to public

Hey Community,

I have had two sites hacked with 5.6.3.1 and 5.6.3.2, which opens up my dashboard to the public. So far going in manually fixes the problem; however, there was some damage done with one of my sites.

Has anyone else encountered this issue and have they found a way to patch it up?

It looks like a hacker has taken advantage of a weakness in the C5 frame.

Thanks!

creativeorange
NickKN replied:
Can you be more specific about how this was done ?

One thing that I have immediately removed from the front end is the login invite - precisely because I don't want to encourage any hacking attempts.

What are the permissions on your directories ?
Maybe steps could be taken using .htaccess.
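As an added illustration of the .htaccess idea above (this is example configuration, not code from this thread or from concrete5), the fragment below refuses the dashboard path to every client except an allow-listed address, placed ahead of concrete5's own pretty-URL rewrite block. It assumes the dashboard is reached at /dashboard or /index.php/dashboard, that index.php is the only PHP file that must be web-reachable in the document root, and that 203.0.113.10 is a placeholder for your own static address.

```apache
# Added example: lock the concrete5 dashboard to a trusted IP at the web
# server, independent of whatever the application's permission tables say.
# 203.0.113.10 is a placeholder; replace it with your own static address.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# Match /dashboard, /dashboard/..., /index.php/dashboard, /index.php/dashboard/...
RewriteCond %{REQUEST_URI} ^/(index\.php/)?dashboard(/|$) [NC]
# ...unless the client is on the allow list (add one RewriteCond per address)
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
# Answer 403 Forbidden and stop processing this request
RewriteRule ^ - [F]

# Refuse to serve any stray PHP file dropped into the document root that is
# not the front controller (adminer.php, web shells, etc.). Assumes index.php
# is the only PHP file in the webroot that needs to be reachable.
RewriteCond %{REQUEST_URI} !^/index\.php
RewriteRule ^[^/]+\.php$ - [F,NC]
</IfModule>
```

Two caveats: clients behind NAT or a proxy share one REMOTE_ADDR, so the allow list is only as narrow as the network in front of you, and this rule set does nothing about the permission rows themselves, so keep fixing those in the application as well.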
creativeorange replied:
Hey Nick: At this time, registration is closed to the public. Neither site has the option to register, nor is the link readily available on the site (i.e. 'login' or 'client login'). Looking through the raw logs there are little bots going in and trying to use a generic canonical search like "GET /wp-admin", so I'm sure it's hit-and-miss.

The first time it happened, I had no clue the dashboard was open to the public. Thankfully a developer came across the site and let me know that it was exposed.

Basically, without warning the website (both are set to advanced permissions) adds the 'guest' group to access the main dashboard. You get limited access from the world.

That's the consistent issue.

As for .htaccess, they're clean. I have C5's standard Pretty URLs, maybe a www or non-www rewrite. On the website where the theme randomly uninstalls (leadership-matters.biz), we put in a hack to prevent the script from uninstalling ANY themes:

# -- concrete5 urls start --
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L]
</IfModule>
# -- concrete5 urls end --
# -- concrete5 urls start --
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME}/index.html !-f


Thoughts?
WebcentricLtd replied:
Hi,
By default, switching on advanced permissions does not allow guest access.
Are you sure someone didn't add the guest to the pages' view permissions? By default only the Administrators group is added. I just checked this to make sure.

Do you have any add ons that add dashboard pages / any custom code?
creativeorange replied:
The site was pretty straightforward. I could have thought that it was an accident on my end trying to open up the Dashboard to the world on one site, but not two. Two is super suspicious. The add-ons are unmanipulated aside from a couple of CSS changes to fit the design better and a custom designed theme, and I have been making themes for C5 for over 5 years. *perplexed*

I did find a malicious file rooted in one of the websites called adminer.php so there was definitely someone in there and not just an ID10T error. :)
WebcentricLtd replied (Best Answer):
Hi Creativeorange,
What sounds more suspicious to me (and would make me paranoid if I were you) is the fact that it has happened to 2 of your sites and nobody else has reported this, even though 5.6.3.1 has been around for a while.

Are they on the same host? On the same VPS / Server? Are you sharing passwords between the two sites for convenience? Did you do fresh installs of each site or did you clone the first to create the second? Did you have a third-party working on the sites? Have you used themes/plug-ins or any code from outside of the curated marketplace?
Have you had a virus infection on your PC at all?

I haven't heard of the dashboard just being exposed like you've experienced. That said, you could just now be the first in a long list of casualties just about to happen so I'm going through now and testing things out on my client's websites.

What plugins do you have installed on the sites by the way?
creativeorange replied:
Well, I use a Mac, and I password anything that is passworded off. We use a dedicated server that has SSL protection. Everything is a fresh install from a zip file that always originated from Concrete5, along with the packages.

In all the years I've used C5, this is certainly very weird. I've already mentioned it to the C5 Dev Team to let them know about it JUST in case.

Current plug-ins being used are:
Fluid Gallery - 2.6
Designer Content - 3.1.1
Page Selector Attribute - 1.1
Page Redirect - 1.4
Pro Blog - 12.4.4
Stack Randomizer - 1.12
Forms With PayPal Payment - 2.0.5
Bootstrap Buttons - 3.0.0.2
Pro Forms - 7.5.8
Pro Events - 11.1.0
Restore Automated Jobs - 1.3

For now, I have setup a Wormly Notification to let me know if the Dashboard opens up which is good.
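A self-hosted version of the kind of monitor described above, as an added example (not code from this thread, from Wormly or from concrete5): it fetches the dashboard as a cookie-less guest and reports whether the site answered with the dashboard, with a login page, or with something it cannot classify. It assumes the dashboard lives at /index.php/dashboard/, that a protected dashboard either redirects a guest to a URL containing /login or renders the login form, and that the HTML markers in LOGIN_HINTS and DASHBOARD_HINTS are present on your pages; all of those are assumptions to check against your own site's source.

```python
"""Added example: anonymous probe for an exposed concrete5 5.6 dashboard.

Assumptions (adjust for your site):
  * the dashboard is reached at /index.php/dashboard/ (pretty URL /dashboard/);
  * a protected dashboard either redirects a guest to the login page or
    renders the login form with a 200;
  * an exposed dashboard renders dashboard HTML containing one of the
    assumed marker strings below.
"""
import urllib.error
import urllib.request

DASHBOARD_PATH = "/index.php/dashboard/"
LOGIN_HINTS = ('name="uName"', 'name="uPassword"')  # assumed login form fields
DASHBOARD_HINTS = ("ccm-dashboard", "Sign Out")      # assumed dashboard markers


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the 3xx itself is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status: int, location: str, body: str) -> str:
    """Map one HTTP response to 'protected', 'exposed' or 'unknown'."""
    if status in (301, 302, 303, 307, 308):
        # Guest bounced to the login page: dashboard is doing its job.
        return "protected" if "/login" in (location or "") else "unknown"
    if status in (401, 403):
        return "protected"
    if status == 200:
        if any(hint in body for hint in LOGIN_HINTS):
            return "protected"          # login form rendered in place
        if any(hint in body for hint in DASHBOARD_HINTS):
            return "exposed"            # dashboard HTML served to a guest
    return "unknown"


def probe(base_url: str, timeout: float = 10.0) -> str:
    """Fetch the dashboard with no cookies and classify the answer."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(
        base_url.rstrip("/") + DASHBOARD_PATH,
        headers={"User-Agent": "dashboard-probe/1"},
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location", ""),
                            resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # 3xx and 4xx land here because redirects are not followed
        return classify(err.code, err.headers.get("Location", ""),
                        err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    import sys

    verdict = probe(sys.argv[1] if len(sys.argv) > 1 else "http://localhost")
    print(verdict)
    # Non-zero exit lets cron or a monitoring wrapper raise the alarm.
    sys.exit(0 if verdict == "protected" else 1)
```

Run it from cron against each site and alert on any exit code other than zero; an "unknown" verdict usually means the markers need tuning rather than that the site is safe, so treat it as a failure too.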
mesuva replied:
In case you weren't aware, Adminer is actually a useful little script; it's a bit like phpMyAdmin, but all self-contained in one file. It's handy when you don't have an easy way to get access to a database: you just drop it in via FTP, use it and then delete it when done. It obviously can be used maliciously, but it's not a malicious file per se. (This is assuming it's actually Adminer; it could just be named that.)

Most website hacks tend to be ones where the scripts automatically go off and try doing a bunch of things, perhaps interfacing with some script by a hacker to trigger them off. Adminer on the other hand would require (as far as I understand it) someone to be manually visiting the script and copying in database credentials for your database(s).

You could hypothetically use Adminer to then manually manipulate concrete5's permissions however you wanted to, but it's a bit of a strange thing to do.

So it doesn't seem like your typical 'automatic' hack where it's just about trying to deface a website or inject some malicious scripts, it sort of seems like someone has manually gotten in (via FTP or some other exploit) and is manually trying to fiddle around with things.

AndyJ has pretty much summed up all the questions I'd be asking. :-)
creativeorange replied:
Sadly, I am certainly not a developer, so I definitely don't have the know-how to use Adminer to her fullest. But I only found it on one site out of two, which has me worried about server access. We're on a dedicated system, and I think we've overreached our grasp by having a dedicated server without a proper IT admin.
Mnkras replied:
Hi CreativeOrange,

I personally have yet to see any security reports relating to this, would you happen to have logs of any kind? Also is any other software besides concrete5 installed on these servers?

Mike
mhawke replied:
Hi Roz. I was the developer who reported the original exploit to you. Here's a possibility. The unexplained presence of adminer.php means that someone has gained FTP access to the server and that means they can open config/site.php and find the database credentials needed to use adminer.php to log into your database. They seem to know just enough about the concrete5 database structure to alter the permissions to give Guest access to the dashboard but they don't know enough to give themselves full admin rights. Your FTP logs should show you the IP of the person who uploaded adminer.php

I assume you have deleted the adminer.php file and changed your cPanel and the FTP passwords to every FTP account on the server. If they really knew what they were doing, they could have easily changed your admin password in the database with a pretty simple script.

You mentioned that you were running your own server without an experienced IT administrator. This is something I think you might want to reconsider. Securing a server is a difficult thing these days (i.e. Sony)
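To act on the two points in the reply above (the FTP log names the address that uploaded adminer.php, and config/site.php is where concrete5 5.6 keeps the database credentials that Adminer needs), here is an added example of triaging an xferlog-format FTP transfer log, the format written by vsftpd, pure-ftpd and wu-ftpd. The log lines are constructed for the demonstration and the IP addresses are documentation ranges; nothing here is from the thread or from concrete5.

```python
"""Added example: find who uploaded adminer.php, and who read the file that
holds the database password, from an xferlog-format FTP transfer log.

xferlog fields, whitespace separated (18 in total):
  current-time (5 words)  transfer-time  remote-host  file-size  filename
  transfer-type  special-action-flag  direction (i=upload, o=download,
  d=delete)  access-mode  username  service-name  authentication-method
  authenticated-user-id  completion-status (c=complete, i=incomplete)
"""
import re
from typing import Dict, Iterable, List

# Constructed sample log; 198.51.100.23 is the legitimate editor,
# 203.0.113.7 is the intruder.
SAMPLE_XFERLOG = """\
Mon Apr 13 09:12:44 2015 1 198.51.100.23 20481 /home/site/public_html/themes/custom/main.css b _ i r siteftp ftp 0 * c
Tue Apr 14 02:37:05 2015 1 203.0.113.7 456198 /home/site/public_html/adminer.php b _ i r siteftp ftp 0 * c
Tue Apr 14 02:38:51 2015 1 203.0.113.7 1188 /home/site/public_html/config/site.php b _ o r siteftp ftp 0 * c
Tue Apr 14 09:00:12 2015 1 198.51.100.23 1188 /home/site/public_html/config/site.php b _ o r siteftp ftp 0 * c
Wed Apr 15 11:21:09 2015 1 203.0.113.7 512 /home/site/public_html/x.php b _ i r siteftp ftp 0 * c
"""

# A PHP file arriving over FTP on a finished site is never routine.
PHP_UPLOAD = re.compile(r"\.(php|phtml|php5)$", re.IGNORECASE)
# concrete5 5.6 stores DB_SERVER / DB_USERNAME / DB_PASSWORD here.
CREDENTIAL_FILES = ("/config/site.php",)


def parse_xferlog(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn raw xferlog lines into dicts; malformed lines are skipped."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) < 18:
            continue
        records.append({
            "time": " ".join(parts[0:5]),
            "ip": parts[6],
            "size": parts[7],
            "path": parts[8],
            "direction": parts[11],
            "user": parts[13],
            "status": parts[17],
        })
    return records


def suspicious_uploads(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Completed uploads ('i') of PHP files, i.e. adminer.php and friends."""
    return [r for r in records
            if r["direction"] == "i" and r["status"] == "c"
            and PHP_UPLOAD.search(r["path"])]


def credential_reads(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Downloads ('o') of files that contain the database credentials."""
    return [r for r in records
            if r["direction"] == "o" and r["path"].endswith(CREDENTIAL_FILES)]


def suspect_ips(records: List[Dict[str, str]]) -> List[str]:
    """Addresses that uploaded PHP; the starting point for the timeline."""
    return sorted({r["ip"] for r in suspicious_uploads(records)})


def activity(records: List[Dict[str, str]], ip: str) -> List[Dict[str, str]]:
    """Everything one address did, in log order, to scope the intrusion."""
    return [r for r in records if r["ip"] == ip]


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG.splitlines())
    for ip in suspect_ips(recs):
        print(f"suspect {ip}:")
        for r in activity(recs, ip):
            print(f"  {r['time']} {r['direction']} {r['path']} as {r['user']}")
```

Feed it the real transfer log (often /var/log/xferlog or /var/log/vsftpd.log in xferlog mode) and read the timeline for each suspect address: an upload of adminer.php followed by a download of config/site.php is exactly the sequence the reply above describes, and the username on those lines tells you which FTP account's password to rotate first.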