Websites Hacked

All of my Concrete5 websites hacked:

Hacked By TheCur3. "United, we'll fail. Divided, we'll fall."

Blenderite replied:
The easiest way to change your password is to use this script: https://gist.github.com/jamesshannon/2993547...

Hope that helps.
jshannon replied:
As great as that script is, the OP needs to figure out the source of the problem. It probably wasn't through the concrete5 site (including an easy-to-guess password) and almost certainly wasn't through some "hole" in c5 itself.

It's like complaining that your glove compartment didn't do a good job of securing your car, and then changing the lock on the glove compartment.

The OP needs to evaluate other passwords (like FTP), services running on the server, etc. Once these are fixed, a c5 password reset is in order.

Best,
James SHANNON

Sent from my phone
Blenderite replied:
Technically, if he could find the IP of the hacker, he could put it on the IP blacklist.
jshannon replied:
Yeah. And to continue my car analogy, that's like having a busted door which won't lock, but parking in a different neighborhood so that whoever broke into it yesterday won't get another opportunity.
Blenderite replied:
True.
jshannon replied:
DNP: Sometimes I get bogged down in the big picture.

Yes, your site was hacked. But I seriously doubt it was via concrete5. The only thing that would make me question that assumption is if the "hack" was clearly within concrete5. Like on a block or something.

More than likely it was through the filesystem. There are scripts that will change your PHP files directly, without any knowledge of c5 or WordPress or anything else. And there are scripts that will try to figure out how to get in, in the first place. Maybe your host has you on an old version of an FTP client or something. Really, there are lots of possibilities. So just blocking the original hacker's IP or changing your domain name won't do much. There are 1000 other "kids" running the same script.

The best thing to do is figure out the source of the hack. Failing that (which can be difficult), make sure your entire server is upgraded to the latest operating system, services, etc. It wouldn't hurt to start from scratch. Once you have some confidence that the initial exploit is gone, then go ahead and reset your c5 password. (Or clean it now to get your site looking reasonable, but reclean it later, too). If you can't figure out how they got in, you can change your passwords and hope for the best. (It's possible they guessed/listened to one of your passwords, too....)

You really should talk to your host about this. They're likely to be the ones upgrading the software anyways....
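The reply above says the modification was most likely made directly to PHP files on disk, and that the first job is to find what was touched. One way to do that is to diff the live webroot against a known-clean copy (a fresh concrete5 download of the same version plus your own theme/package files from backup) and then grep anything added or changed for the constructs injected PHP typically uses. The script below is an added example, not code from the thread, from concrete5 or from the gist linked earlier. The indicator patterns are a deliberately short, assumed list, and the sample file tree is constructed in a temporary directory so the example runs offline.

```python
import hashlib
import os
import re
import shutil
import tempfile

# Constructs commonly seen in injected PHP. Assumed, non-exhaustive list for this example;
# a real triage should also review every added/modified file by hand.
SUSPICIOUS = {
    "eval(base64_decode(": re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    "eval(gzinflate(": re.compile(rb"eval\s*\(\s*gzinflate\s*\("),
    "preg_replace /e": re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),
    "shell call on request data": re.compile(
        rb"\b(system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
}


def sha256_of(path):
    """Hash a file in chunks so large uploads/media files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_of(full)
    return out


def scan_file(path):
    """Return the names of SUSPICIOUS patterns that occur in the file."""
    with open(path, "rb") as f:
        data = f.read()
    return [name for name, pat in SUSPICIOUS.items() if pat.search(data)]


def triage(clean_root, live_root):
    """Compare the live webroot against a clean copy and flag suspicious changes.

    Returns a dict with sorted 'added', 'modified' and 'missing' relative paths, plus
    'suspicious': {path: [pattern names]} for added/modified files matching SUSPICIOUS.
    """
    clean = manifest(clean_root)
    live = manifest(live_root)
    findings = {"added": [], "modified": [], "missing": [], "suspicious": {}}
    for rel, digest in live.items():
        if rel not in clean:
            findings["added"].append(rel)
        elif clean[rel] != digest:
            findings["modified"].append(rel)
    findings["missing"] = sorted(set(clean) - set(live))
    findings["added"].sort()
    findings["modified"].sort()
    for rel in findings["added"] + findings["modified"]:
        hits = scan_file(os.path.join(live_root, rel))
        if hits:
            findings["suspicious"][rel] = hits
    return findings


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed sample: a clean tree and a live tree with an appended eval() and a dropped shell."""
    clean = tempfile.mkdtemp(prefix="c5-clean-")
    live = tempfile.mkdtemp(prefix="c5-live-")
    try:
        theme = b"<?php defined('C5_EXECUTE') or die('Access Denied.'); ?>\n<html><body>site</body></html>\n"
        site = b"<?php define('DB_SERVER', 'localhost'); ?>\n"
        for root in (clean, live):
            _write(root, "themes/default/default.php", theme)
            _write(root, "config/site.php", site)
        # Only in the clean copy: simulates a file the attacker deleted.
        _write(clean, "packages/old/controller.php", b"<?php // package controller ?>\n")
        # Attacker appended a loader to the theme page type and dropped a one-line shell.
        _write(live, "themes/default/default.php",
               theme + b"<?php eval(base64_decode('aGVsbG8=')); ?>\n")
        _write(live, "themes/default/x.php", b"<?php system($_REQUEST['cmd']); ?>\n")
        return triage(clean, live)
    finally:
        shutil.rmtree(clean, ignore_errors=True)
        shutil.rmtree(live, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it against the real tree as `triage("/path/to/clean-concrete5", "/var/www/site")`. Anything under "added" or "modified" deserves a look even without a pattern hit; the pattern list only prioritises. Note that a manifest taken from the compromised server itself proves nothing, which is why the clean copy has to come from the vendor download or an offline backup.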
mhawke replied:
It's also possible that the username and password were too simple, like 'admin' & '12345'. Lately, WordPress and Joomla sites have been under brute-force attacks and apparently a huge chunk of sites still have 'admin' as the username (like a bunch of C5 sites as well).

Was the hack done at the PHP file level or the C5 level? By that I mean did the hacker add stuff to the .php Page Type files in your theme directory or did they edit the content of your site through the C5 front-end?
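If the brute-force theory in the reply above is in play, the web server access log will show it: one IP posting to the login form dozens of times in a short window. The script below is an added example, not from the thread or from concrete5; it parses Apache/nginx combined-format lines and flags any IP whose login POSTs within a sliding window exceed a threshold. The login path prefix `/index.php/login` is an assumption about the site's URL layout and is a parameter, and the log lines are constructed for the example, not taken from a real server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')


def find_bruteforce(lines, login_prefix="/index.php/login", threshold=10,
                    window=timedelta(minutes=5)):
    """Return {ip: peak_attempts} for IPs with >= threshold login POSTs inside any window.

    Every POST under login_prefix counts as an attempt regardless of status code, so the
    check does not depend on how the application signals a failed login.
    """
    attempts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(login_prefix):
            continue
        attempts[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        recent = deque()
        peak = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:  # drop attempts that fell out of the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def constructed_sample():
    """Constructed log lines (not real traffic): one attacker, one legitimate user."""
    lines = [
        f'203.0.113.5 - - [13/Apr/2013:10:00:{i:02d} +0000] '
        f'"POST /index.php/login/do_login/ HTTP/1.1" 200 512 "-" "curl/7.29"'
        for i in range(12)
    ]
    lines += [
        '198.51.100.7 - - [13/Apr/2013:10:01:30 +0000] "GET /index.php/login/ HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [13/Apr/2013:10:01:45 +0000] "POST /index.php/login/do_login/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [13/Apr/2013:10:02:00 +0000] "GET /index.php/dashboard/ HTTP/1.1" 200 8001 "-" "Mozilla/5.0"',
        'garbage line that does not parse',
    ]
    return lines


if __name__ == "__main__":
    print(find_bruteforce(constructed_sample()))
```

On a real server, feed it the access log: `find_bruteforce(open("/var/log/apache2/access.log"))`. An IP showing up here tells you guessing was attempted, not that it succeeded; check whether a 302 follows the burst and whether the admin user's last-login time in concrete5 matches it.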
dnp replied:
Thank you for replying. My Concrete5 sites have been hacked 3 times since Friday and today they were vandalized. I am trying to work with the website host Arvixe but am not getting any resolution.
Arequal replied:
Version?
Do you know which kind of attack you suffered?
Any customized add on (backdoor or something similar)?
What do you want exactly?
mhawke replied:
Did they hack the PHP files or did they gain access to your concrete5 admin functions?

You are not alone:

http://www.hack-db.com/hacker/TheCur3/all.html...
mnakalay replied:
You said "all of my Concrete5 websites hacked". If all the websites were on the same server, it's probably a good indication that it has nothing to do with C5.