My site this morning greeted me with a warning from Google Chrome and then an AVG "we stopped this script" note. I seem to have infected my concrete5 site with a NeoSploit script somewhere... I cannot figure out, without a clean reinstall, where it might be. Has anyone else run into this, and what did you do for a solution?
I dealt with a client with a hacking issue, and it turned out to be a virus on the computer that the FTP program was on.
In short we called up the hosting company and it was buried deep in some of the c5 core files. They did remove it.
After that occurred we changed all of the passwords and enabled ssh on the account so we could use SFTP.
Not sure if this helps or not...
Overall c5 is pretty secure. However, it's really your host. In the past (like 2 or 3 months ago) BlueHost alerted that there had been a security breach on their hosting accounts, a very nasty worm...
So in the meantime try to search for the virus and also change all your account login credentials (also you might want to scan your computer just in case). Once you find it, make sure it's gone, and you might want to then change your login credentials just in case it's sending info to the hackers.
Keep in mind hacking is always a problem; even the most secure environments get hacked. On July 4, Google and a few other companies were hacked. Heck, even the US gov was hacked, by a 14-year-old.
So it does happen to all good people.
Hope that reassures you a bit to keep going with c5.
P.S. Sorry for the long post. It's a bit slow here!
The first thing I did was disable all my Chrome extensions, then it still happened, so I tried a couple of other browsers and it still happened. Then I isolated my laptop and ran a security check on it... whew, it was clean, so I know it was not the browser or my PC; it was my site on the host server... I replaced my index to see if it was strictly the host and I got no virus call, so I knew it was something within the Concrete5 CMS core... sadly.
So I have now downloaded my files and will run some isolated testing to see what I find is making these calls, and let my crappy host know and my fellow Concrete5 users/developers.
Upon further review, it is in the code. Dang it... it was not firing off for a second but I have it now... trapped on my laptop. I am not a virus hunter so this may take a while; I hear they obfuscate pretty well.
My host found the core jQuery file had been hacked because my authority was not tightened down on that file, so they were able to get in and plant a single line of script to hack my site and use it to propagate hate or something nefarious. I will post more information when I have time. My site is back up and authority changed... will give more details later.
If you do find something amiss with concrete5, please do private message me.
1) was the ShareThis widget, which appears to have added a Flash script to track users' use... (apparently this is a new purchase for Clearspring, who is causing the ruckus): http://www.clearspring.com/about/press/clearspring-acquires-addthis...
I also had to remove a GOUSA widget that was to show my support for USA Soccer and point users to a pledge page etc., but Clearspring has decided to add their own scripts under the covers and not tell me about it... so GONE!
Recently I have been seeing more focus when developing to not just care about general security practices, but also if you are pulling content to have security around that.
This includes measures to ensure that if you are reading a feed from some website, the code presented does not have any ability to execute code. Something like addons, widgets/gadgets, or any sort of module that allows for outside code is a risk.
Of course, above anything is the importance of permissions and how they are configured. This is where policy writing and understanding can become helpful because off the top of my head I might not think to be as secure otherwise.
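For anyone landing on this thread with the same problem: the modified core jQuery file and the loose file permissions described above can both be found without a full reinstall by comparing the deployed files against a clean download of the same release. The script below is an added example, not code from any poster or from concrete5; the function names and the file layout under `demo()` are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_core(site_root, clean_root):
    """Compare the deployed tree with a clean copy of the same release."""
    clean = {p.relative_to(clean_root) for p in clean_root.rglob("*") if p.is_file()}
    live = {p.relative_to(site_root) for p in site_root.rglob("*") if p.is_file()}
    loose = stat.S_IWGRP | stat.S_IWOTH  # writable by group or by everyone
    return {
        "missing": sorted(r.as_posix() for r in clean - live),
        "unexpected": sorted(r.as_posix() for r in live - clean),
        "modified": sorted(r.as_posix() for r in clean & live
                           if sha256_of(site_root / r) != sha256_of(clean_root / r)),
        "writable": sorted(r.as_posix() for r in live
                           if (site_root / r).stat().st_mode & loose),
    }


def _put(path, text, mode=0o644):
    """Write a sample file with an explicit permission mode."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)
    os.chmod(path, mode)


def demo():
    """Constructed sample: a clean tree and a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        for root in (clean, site):
            _put(root / "index.php", "<?php // dispatcher\n")
            _put(root / "js" / "jquery.js", "/* library code */\n")
        # Constructed tampering: one appended line, file left world-writable.
        _put(site / "js" / "jquery.js",
             "/* library code */\n/* appended line */\n", 0o666)
        _put(site / "js" / "extra.js", "/* not part of the release */\n")
        return audit_core(site, clean)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Against a real site, call `audit_core(Path("/path/to/webroot"), Path("/path/to/clean-unzip"))`; uploaded content and config files will show up as "unexpected", so review that list rather than deleting from it blindly.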