Security Problems

I have been informed that I have malware on my C-5 site. Can anyone help resolve security problems?

closetplace
 
victorcis replied:
Hi,

Sure, I can help. Please add me over Skype : cis.victor1 and write me an email " victor.cisin10@gmail.com "

Regards,
Victor
edbeeny replied:
I've used http://sitecheck.sucuri.net/ in the past.

Run a scan, it used to tell you where the malware was so you can replace the files.
mnakalay replied:
A quick Google check on your site doesn't find anything but that's not necessarily meaningful.

Can I ask you how it came to your attention that you had a malware problem?
TMDesigns replied:
Your hosting company may be able to do a scan of your files. I would raise a request with them.

The hosting companies I use will all do this. This will then give you an idea of what files are affected.

I would be more than happy to take a look at this for you. What domain do you have the malware issue on?
closetplace replied:
I have signed on to a program through my web host using Site Lock Security. They have marked the threat as serious and posted the following on my account:
Synopsis: A CGI application hosted on the remote web server is potentially prone to SQL injection attack.

Description: By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, SiteLock was able to get a slower response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database.

An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.

Note that this script is experimental and may be prone to false positives.

Solution: Modify the affected CGI scripts so that they properly escape argument

We are a small local business--the monthly fee requested by Site Lock is beyond our budget.

Thanks all for the replies.
stewblack23 replied:
1. What version of C5 are you using?
2. Who is your web hosting company?
3. Do you have a backup of the site before it was attacked?

I actually had this happen with a client that was on WordPress. He did not secure the GitHub repo I created and a hacker saw the source code and was able to get it.
FaganSystems replied:
Ok, so that's good news: you haven't been infected, yet, but SiteLock has found that by doing something strange they get a response that they didn't like or expect.

The not so good news is that concrete 5.6.3.5 is old and has a long list of well documented and known vulnerabilities.

What scares me a lot more is what I have just found on your site, which I am not prepared to discuss on a 'public' forum even amongst friends because you never know who is listening.

I will send this privately as well if you want to know more.

Regards
FS
frz replied:
If SiteLock has an actual vulnerability in concrete5, they should submit it to us via email or HackerOne: http://www.concrete5.org/developers/security...

We do still actively maintain v6 for serious security issues.

Making someone's site slow is not a good gauge of a security threat.
pixelhero replied:
Have you installed any packages with things like contact forms in them?

Usually a contact or other type of form which triggers those CGI issues. Let us know what packages you have installed, odds are one of those has a security flaw rather than Concrete5 itself.
closetplace replied:
I do have contact forms installed on my site. This is the main way my business gets new leads: from potential customers requesting a consult via one of the forms. The Block name used is simply titled Form in my dashboard.

As I mentioned I have no tech ability other than using the front end editor. Concrete 5 is the best marketing tool I have found. I have found no local developers who think much of C5, so I always get grief about changing. Site Lock is very pricey, so I posted here to get other opinions as to what direction to take.

I do sincerely thank everyone who has taken the time to respond.
mnakalay replied:
I don't know them personally so I can't vouch for them, but they are based in New Hampshire: http://www.danconia.com/concrete5-ecommerce-development/...
mhawke replied:
First off, Site Lock is trying to sell you something which means there needs to be some sort of 'need' put into a client's head which they successfully did with their warning. To me (only my personal opinion) the text in their 'warning' could easily be generic boilerplate stuff meant to scare folks into signing up. They even cover themselves by saying "Note that this script is experimental and may be prone to false positives". As Franz mentioned above, the C5 team take security seriously and if Site Lock REALLY found something then they should be good corporate citizens by reporting it first to concrete5 instead of exploiting the vulnerability (if it even exists) to drum up business. Just my 2 cents.
mnakalay replied:
@mhawke, I agree with you.
mnakalay replied:
And 5.6.3.5 has only been out for 2 months so it's not old and as far as I know, there is no "long list of well documented and known vulnerabilities"

FaganSystems, care to tell us where that list is?
FaganSystems replied:
I agree 5.6.3.5 was the latest 5.6 release, but it is 2 major versions behind.

The lists I refer to are
https://www.cvedetails.com/vendor/11506/Concrete5.html...
https://www.cvedetails.com/vulnerability-list/vendor_id-11506/Concre...
jbx replied:
Not really a long list and none of the listed vulnerabilities relate to 5.6.3.5.
5.6 branch is still maintained from a security point of view. It just isn't receiving new feature updates. I don't see anything at all in the one list you posted that indicates a security issue in 5.6.3.5.
JohntheFish replied:
I did the same and had a quick review of the listed 'vulnerabilities'. The vast majority were historical rather than current. Even with those, many could only be exploited by a user that already had dashboard or file manager access. Whilst vulnerabilities need to be taken seriously, reading the small print is more important than succumbing to the headline and high impact graphics.

If I want the latest features, 8.2.x has them all. If I want stability and cheap and easy development, 5.6.3.5 is still a good bet.
manup replied:
Hello,

I faced this issue before. I did the following steps.

1. Move the entire source code to a different server and include only index.html with sample data; test that file for any malware affecting it from any inner/outer directories.
2. Check the config DB table for any malware-injected code.
3. Compare the source code with the equivalent c5 core using https://atom.io/packages/compare-files...

4. If any mismatches are found, replace them with the downloaded source code.
5. Run the site on the new server and check for any malware.
6. Include an RSS attack prevention PHP class.

I recommend comparing the source code with the downloaded c5 core (the version should match).

Thanks
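One way to carry out the core-comparison step above in a script rather than by hand (an added example, not manup's tool or concrete5's own code): it hashes every file under the site's `concrete/` directory and under a freshly downloaded copy of the same version, then reports modified, extra and missing files. The miniature trees built in `demo()` are constructed for illustration, and the file names in them are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each file under root (relative, forward-slash path) to its hash."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(site_core: Path, pristine_core: Path) -> dict:
    """Diff the site's core directory against a clean download of the same version.
    'extra' files (on the site, absent from the download) deserve the closest look."""
    site, clean = hash_tree(site_core), hash_tree(pristine_core)
    return {
        "modified": sorted(f for f in site if f in clean and site[f] != clean[f]),
        "extra": sorted(f for f in site if f not in clean),
        "missing": sorted(f for f in clean if f not in site),
    }


def demo() -> dict:
    """Constructed miniature trees: one clean, one with three deliberate differences."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp, "download", "concrete")
        site = Path(tmp, "site", "concrete")
        for root in (clean, site):
            (root / "core" / "libraries").mkdir(parents=True)
            (root / "core" / "libraries" / "database.php").write_text("<?php // core\n")
            (root / "dispatcher.php").write_text("<?php // dispatcher\n")
        # constructed differences: an edited core file, an unknown file, a removed file
        (site / "dispatcher.php").write_text("<?php // dispatcher\n// constructed edit\n")
        (site / "core" / "libraries" / "cache.php").write_text("<?php // not in download\n")
        (clean / "core" / "startup.php").write_text("<?php // removed from site\n")
        return compare_trees(site, clean)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Run it against the real directories by calling `compare_trees(Path("site/concrete"), Path("download/concrete"))`; anything listed under "extra" or "modified" is what to inspect and replace from the clean download.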
mnakalay replied:
What intrigues me most is this sentence: "What scares me a lot more is what I have just found on your site, which I am not prepared to discuss on a 'public' forum even amongst friends because you never know who is listening"

While I applaud the precaution, I wonder what can be found that can be that worrying simply by visiting a website with no access to its files or dashboard?

I'd love to know and learn something.
stewblack23 replied:
Agreed. I want to understand as well. What can be found without any access to the file server or dashboard?
FaganSystems replied:
I understand; I would feel the same if the position was reversed.

I have explained my findings to the site owner; once it has been addressed I would be happy to disclose here.

Sorry for the cloak and dagger.
stewblack23 replied:
No problem at all. Just trying to learn more and get better as a front end dev and UI Designer.