Security Breach?

Permalink
Hello C5 or is it Concrete5 Followers,
My site this morning greeted me with a Warning from Google Chrome and then an AVG "we stopped this script" note. I seem to have infected my concrete5 site with a NeoSploit script somewhere...I cannot figure out without a clean reinstall where it might be. Has anyone else run into this and what did you do for a solution?

damery
View Replies:
ideasponge replied on at Permalink Reply
ideasponge
It may be an issue with your host. I have seen these kind of "hacks" show up regardless of the CMS running on the site. Even with completely custom code.
damery replied on at Permalink Reply 1 Attachment
damery
Well I thought about that so I first tried to use the maintenance mode incase it was script in my content. But that still created the warnings and avg threat capture. Next I removed the index with the current html generic to see if it is indeed my host system and now my site is fine...by site I mean I can load the html file without and warnings or neosploit script running. So it has to be something in the CMS that kicks it off...something in the code...here is a png of the avg capture.
ThemeGuru replied on at Permalink Reply
ThemeGuru
Wow thats kinda nasty!

I dealt with a client with a hacking issue and it was that a virus on the computer where the FTP program was on.

In short we called up the hosting company and it was buried deep in some of the c5 core files. They did remove it.

After that occurred we changed all of the passwords and enabled ssh on the account so we could use SFTP.

Not sure if this helps or not...

Cheers,

Thomas
damery replied on at Permalink Reply
damery
Yeah I am afraid it is indeed deep in my C5 files. Once I removed the CMS calls any web page will run, so it has to be something within the core..scary indeed. I will try and download my current core and then run it in isolation to see where the infection is ... I was hoping to get information like that from the forum. What code to check or replace or delete and how to protect against future code grabs. Feeling a little worried about Concrete5...
ThemeGuru replied on at Permalink Reply
ThemeGuru
Having run over around 20 sites, im not really scared about security considering I've heard that the core team themselves actually have outsourced hacking this site for security holes.

Over c5 is pretty secure. However its really your host. In the past (like 2 or 3 months ago) BlueHost alerted that there had been a security breach on their hosting accounts, a very nasty worm...

So in the mean time try and search for the virus and also change all your account login credentials (also you might want to scan your computer just in case). Once you find it make sure its gone and you might want to then change your login credentials just in case its sending info to the hackers.

Keep in mind hacking is always a problem, even the most secure environments get hacked. On July 4, google and a few other companies were hacked. Heck even the US gov was hacked, by a 14 year-old.

So it does happen to all good people.

Hope that reassures you a bit to keep going with c5.

Cheers,

Thomas

P.S. Sorry for the long post. Its a bit slow here!
damery replied on at Permalink Reply
damery
I hear ya,
The first thing I did was disable all my Chrome Extensions then it still happened so I tried a couple other browsers and it still happened then I isolated my Laptop and ran security check on it ...whew it was clean so I know it was not the browser or my PC it was my site on the HOST server...I replaced my index to see if it was strictly the host and I got no virus call so I knew it was something within the Concrete5 CMS core...sadly.
So I have now downloaded my files and will run some isolated testing to see what I find is making these calls and let my crappie host know and my fellow Concrete5 users/developers
damery replied on at Permalink Reply
damery
Here is the latest!
**Update**
Upon further review it is in the code. Dang it... it was not firing off for a second but I have it now..trapped on my laptop. I am not a Virus hunter so this may take a while I hear they obfuscate pretty good.
damery replied on at Permalink Reply
damery
***Update***
My Host found the core JQuery file had been hacked because my authority was not tightened down on that file so they were able to get in and plant a single line of script to hack my site and use it to propagate hate or something nefarious. I will post more information when I have time. My Site is back up and authority changed...will give more details later.
alanski replied on at Permalink Reply
alanski
Please do tell us more about this without publishing the exploit for all the black hats ;)
damery replied on at Permalink Reply
damery
Well I found the 1 line of code and I know when and how they did it...their IP is currently blocked on my site.
frz replied on at Permalink Reply
frz
Just to be clear for anyone scanning this thread... This malware may now be in your concrete5 files, but that doesn't mean by default that a security hole in concrete5 let it in. Once something nefarious is on your server there's no reason it cant add itself to any PHP or JS file it finds, so it could be any number of system holes or other software you've installed that opened the door.

If you do find something amiss with concrete5, please do private message me.
damery replied on at Permalink Reply
damery
FYI- I got a new Security warning today and it was caused by a couple widgets I had on my page. These may only be advertising but they did throw up a warning message on my site from Chrome.
1) was the ShareThis widget which appears to have added a flash script to track users use...(apparently this is a new purchase for clearspring who is causing the rucus.http://www.clearspring.com/about/press/clearspring-acquires-addthis...
I also had to remove a GOUSA widget that was to show my support for USA Soccer and point users to a pledge page etc. but clearspring has decided to add their own scripts under the covers and not tell me about it ...so GONE!
djtaube replied on at Permalink Reply
My experience with developing and my separate experience with security points to a very easy understanding that the root cause can be anything.

Recently I have been seeing more focus when developing to not just care about general security practices, but also if you are pulling content to have security around that.

This includes measure to ensure that if you
are reading a feed from some website that the code presented does not have any ability to execute code. Something like addons, widget/gadgets, or any sort of module that allows for outside code is a risk.

Of course, above anything is the importance of permissions and how they are configured. This is where policy writing and understanding can become helpful because off the top of my head I might not think to be as secure otherwise.