Site was hacked (screenshots added)
It looks like this:
Anyone else experience this? I'm trying to determine if it's a security hole in how I set up Concrete5 or if someone just hacked into FTP.
Some screenshots attached...
We haven't worked on our site at all in 2014, so it was pretty easy to find the changed files on the server.
1. I see a hell of a lot of activity in the files/tmp folder a couple days before the porno-dating site was added. Does this indicate some sort of activity trying to brute force into a Concrete5 weakness?
2. There are a few folders that seem to be altered randomly with blank index pages inserted. I am guessing a blank index is the jumping-off point for some auto-installer to upload the porn-dating webpage.
passwords and some malware took advantage of that to stick these HTML
We've never seen a security issue with concrete5 that would give someone
access to the file system to place this kind of trash around, and there are
quite a few viruses and whatnot out there that target FTP clients this way.
CEO - PortlandLabs Inc
Hmm! So, I am on a Mac using Coda 2 as my FTP client.
I just want to make sure of what you're saying: you think my computer has a virus which is accessing the stored password in Coda 2 and uploading HTML files?
Ideally a web server should be set up to reject such page requests, but many servers try to be helpful and if there is no index.php will give a directory list or even file/explorer interface.
So all those index.htm are an important security measure for many of the cheap host accounts.
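A small audit script, added here as an example and not something posted in the thread, that walks a web root and reports the two things discussed above: directories that would fall back to a server-generated listing (no index file, and no `Options -Indexes` in a reachable `.htaccess`), and files modified recently. The sample tree it builds (the `files/tmp` folder, the planted `dating.html`) is constructed test data, and the `.htaccess` check assumes an Apache-style host.

```python
import os, tempfile, time
from pathlib import Path

INDEX_NAMES = {"index.php", "index.html", "index.htm"}

def listing_disabled(directory, root):
    # Apache honours the nearest .htaccess, so the first 'Options' line that
    # mentions Indexes decides; httpd.conf itself is not consulted here.
    for d in (directory, *directory.parents):
        ht = d / ".htaccess"
        if ht.is_file():
            for line in ht.read_text(errors="ignore").splitlines():
                if line.strip().startswith("Options") and "Indexes" in line:
                    return "-Indexes" in line
        if d == root:
            break
    return False

def unprotected_dirs(webroot):
    # No index file and no -Indexes rule: such a directory falls back to an
    # auto-generated listing on a permissively configured host.
    root = Path(webroot).resolve()
    return sorted(os.path.relpath(d, root) for d, _, files in os.walk(root)
                  if not (set(files) & INDEX_NAMES or listing_disabled(Path(d), root)))

def changed_since(webroot, days):
    # Files modified within the last `days` days, paths relative to webroot.
    root = Path(webroot).resolve()
    cutoff = time.time() - days * 86400
    return sorted(os.path.relpath(Path(d) / f, root) for d, _, files in os.walk(root)
                  for f in files if (Path(d) / f).stat().st_mtime > cutoff)

def build_sample_webroot():
    # Constructed sample tree (not from the thread): a site untouched for 90
    # days plus one page planted under files/tmp today.
    root = Path(tempfile.mkdtemp())
    ages = {"index.php": 90, "packages/index.html": 90,
            "files/cache/.htaccess": 90, "files/tmp/dating.html": 0}
    for rel, age_days in ages.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("Options -Indexes\n" if rel.endswith(".htaccess") else "x")
        ts = time.time() - age_days * 86400
        os.utime(p, (ts, ts))
    return root
```

Running `unprotected_dirs` and `changed_since(root, 30)` on the sample tree flags `files` and `files/tmp` as listable and `files/tmp/dating.html` as the only recently changed file.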
Update after talking to support:
It looks like the CMS was compromised, according to tech support.
I couldn't delete the directory because I didn't have permissions. The reason, tech support explained, was that the directory was added with the username "nobody" under Apache, which is what indicated to him that it was done through the CMS.
So, now I have two questions:
1. What are the best CHMOD permissions for the files directory? 775?
2. How do I change my superuser name? I'd like to change the main user AND the password. I tried going to Search Users and clicking the name and checking "edit properties" but a blank screen pops up that just says "user attributes" and there is no option to do anything.
Permissions for the files directory depend on how PHP is set up. If "nobody" has ownership of the files directory, 755. Alternatively you may need it set to 777.
After I reported the issue, they found out that some other installations on the same hard disk were affected in a similar way.
Since then, I stick to SFTP - seems much smarter.
btw, there was nothing in the C5 logs except email form submissions from new clients.