
Update your PivotX immediately: you have been hacked

Posted: Sat Feb 12, 2011 10:04 am
by orangeek
I can't believe it! hansfn is capable of helping PivotX users even without being asked! :)
I just got an email that my blog at orangeek.org has been hacked.
I had to reset my password and after logging in I saw in the dashboard that I had to delete some executable files (in the templates and images folders) and I did it.
Then I upgraded to 2.2.4.

I was wondering if I have to do anything else or not.
And I wanted to thank all the developers of this wonderful platform that is PivotX.

Thank you all
orangeek

Re: Update your PivotX immediately: you have been hacked

Posted: Sat Feb 12, 2011 11:16 am
by ranchox
My website has also been hacked tonight. Is there a security issue in PivotX that has been fixed with 2.2.4?

Re: Update your PivotX immediately: you have been hacked

Posted: Sat Feb 12, 2011 11:37 am
by orangeek
ranchox wrote: My website has also been hacked tonight. Is there a security issue in PivotX that has been fixed with 2.2.4?

In 2.2.3 two potential XSS issues were fixed. I was running 2.2.2.
It's great that there is this feature that notifies you of the website being hacked (and also what files you're then supposed to delete).

Re: Update your PivotX immediately: you have been hacked

Posted: Sat Feb 12, 2011 12:20 pm
by Marza
Another hacked site here, but without notification, or instruction about which files to remove. I've updated to 2.2.4, can access all pages in PivotX, except for the dashboard, that gets redirected to a 'hacked by...' page. Any tips?

Update: I found out access to the dashboard forced a redirect, because the title of an earlier hacked entry still occurred in the list with latest events. Saving a couple of entries removed it from the list and thus the dashboard is 'restored'.
But I do wonder which files others were advised to remove, as I wonder whether they may still be present on my server.

Re: Update your PivotX immediately: you have been hacked

Posted: Sat Feb 12, 2011 12:45 pm
by Jacky
Another hacked site and got a mail from hansfn yesterday, thanks hans .. upgraded and everything looks fine. :D

Re: Update your PivotX immediately: you have been hacked

Posted: Sat Feb 12, 2011 11:06 pm
by Gerard113
One of my sites was also hacked. They only changed one entry to let me know my site was hacked.

Hans advised me to update to 2.2.4. Thanks for the quick reply to my PM.

Greetings,

Gerard

Re: Update your PivotX immediately: you have been hacked

Posted: Sun Feb 13, 2011 11:50 am
by Bob
Marza wrote: Update: I found out access to the dashboard forced a redirect, because the title of an earlier hacked entry still occurred in the list with latest events. Saving a couple of entries removed it from the list and thus the dashboard is 'restored'.
But I do wonder which files others were advised to remove, as I wonder whether they may still be present on my server.

Glad you fixed it. You should inspect all folders with FTP. Sort the folders by date, and you'll see the files that don't belong at the top. Delete them, or rename them to .bak and you should be fine.

Re: Update your PivotX immediately: you have been hacked

Posted: Sun Feb 13, 2011 12:20 pm
by orangeek
Bob wrote:
Marza wrote: Update: I found out access to the dashboard forced a redirect, because the title of an earlier hacked entry still occurred in the list with latest events. Saving a couple of entries removed it from the list and thus the dashboard is 'restored'.
But I do wonder which files others were advised to remove, as I wonder whether they may still be present on my server.

Glad you fixed it. You should inspect all folders with FTP. Sort the folders by date, and you'll see the files that don't belong at the top. Delete them, or rename them to .bak and you should be fine.

Hello.
I have a recent backup (based on 2.2.2): can I upload it and then right away update to 2.2.4?

Re: Update your PivotX immediately: you have been hacked

Posted: Sun Feb 13, 2011 2:16 pm
by Bob
No, that will not do. If they left files behind, they will be new files, that will not be replaced if you overwrite the pivotx folder with a backup. Just browse through the folders. The most common places are in /images, /pivotx/db/ and /pivotx/templates/

Re: Update your PivotX immediately: you have been hacked

Posted: Sun Feb 13, 2011 2:35 pm
by Jackobli
Strange behavior at my site. After logging into 2.2.3, I got a message that there were 2 executables in my ../images. They are called cc.php and cc_1.php. The Linux cmd "file" says they are "cc.php: GIF image data 15457 x 28735". Scanning them via Avira says they are a Virus/Trojan PHP/Hide.A.
I removed the files (got a backup for any forensics).
My site does not look hacked; no changes have been made other than these 2 files. Strange or lucky?
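
Added example, not part of the thread and not PivotX code: a Python check that automates the manual inspection suggested above, walking the three folders Bob names, flagging script-extension files and image-signature files that contain a PHP open tag, and listing hits newest first. It also decodes the GIF size fields: the 15457 x 28735 that `file` printed are the ASCII bytes `a<?p` read as two little-endian 16-bit integers, i.e. text where real image dimensions would be. The function names, the `SCRIPT_EXTS` list and the `SAMPLE` bytes are assumptions constructed for this example.

```python
import os
import struct

# Folders named in the thread as common drop locations, relative to the site root.
SUSPECT_DIRS = ("images", "pivotx/db", "pivotx/templates")
# Assumption: extensions the web server hands to an interpreter; adjust per host.
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".cgi", ".pl")
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n")


def gif_dimensions(data):
    """Width/height as `file` prints them: two little-endian u16 after the signature."""
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        return struct.unpack("<HH", data[6:10])
    return None


def inspect_file(path, read_limit=1 << 20):
    """Return the reasons a file deserves a manual look (empty list if none)."""
    with open(path, "rb") as fh:
        data = fh.read(read_limit)
    reasons = []
    if path.lower().endswith(SCRIPT_EXTS):
        reasons.append("script extension")
    if data.startswith(IMAGE_MAGIC) and b"<?php" in data.lower():
        reasons.append("image signature with embedded PHP tag")
    return reasons


def scan(site_root):
    """List flagged files under SUSPECT_DIRS, newest first, as (relative path, reasons)."""
    hits = []
    for sub in SUSPECT_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(site_root, sub)):
            for name in files:
                full = os.path.join(dirpath, name)
                reasons = inspect_file(full)
                if reasons:
                    rel = os.path.relpath(full, site_root).replace(os.sep, "/")
                    hits.append((os.path.getmtime(full), rel, reasons))
    return [(rel, reasons) for _mtime, rel, reasons in sorted(hits, reverse=True)]


# Constructed, inert sample whose first ten bytes give the dimensions quoted in the thread.
SAMPLE = b"GIF89aa<?php /* constructed sample, no payload */ ?>"

if __name__ == "__main__":
    import sys
    print(gif_dimensions(SAMPLE))  # (15457, 28735)
    for rel, reasons in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(rel, "; ".join(reasons))
```

A hit is a candidate for manual review, not proof of compromise: legitimate files in these folders may carry a script extension, so compare the list against a clean copy of the same release before deleting anything.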