I have been hacked - now what?

Postby hansfn » Thu Feb 17, 2011 10:29 pm

PS! This thread will be moderated - only posts that are highly relevant will be listed. Other posts will be deleted.

OK, as you might have noticed, many, many PivotX installs have been hacked. The vulnerability used by the hackers is fixed in PivotX 2.2.5 that was just released, but what exactly do you do?

Added February 2012: Many PivotX installs were hacked in October 2011 using another vulnerability - the TimThumb exploit (which has been fixed since version 2.3.0).

  1. Download a copy of the pivotx/db and pivotx/templates folders (using FTP). Just to be safe.
  2. Then check your images, pivotx/templates and pivotx/db folders. (The integrity checker in PivotX Tools will help you - see last item in this list.) Are there any unknown/strange files created after February 11th? (This is easily done using the FileZilla FTP client and the "Search remote files" function in the "Server" menu. It's most effective if you do the search three times - when standing in each of the three folders.) You'll find some files modified because the hacker has logged in to your site - at least db/ser_events.php, db/ser_logins.php, db/ser_sessions.php, db/ser_users.php and maybe a file inside db/standard-00X00 since the hacker made a post.
  3. Upgrade to the latest PivotX. That means downloading the zip/tar.gz file and installing the files. Basically you just overwrite the old files.
  4. Select "Reset my password" instead of logging in normally to your site. This will send you an e-mail with a link to get the new password - the hackers have most likely changed your old password. (If you don't get the e-mail or PivotX replies "PivotX was not able to send a mail with the reset link.", don't hesitate to contact me at hansfn@pivotx.net for more help.)
  5. Finally, install the PivotX Tools extension - download, unzip and upload the pivotx_tools folder to your pivotx/extensions folder. After enabling the extension, select "Check Integrity" under the new main menu item "PivotX Tools". All files reported as unknown or suspicious can be malicious - so-called remote shells. Download the files (to be sure) and delete them from your server.
OK, now you should be safe again, and we are truly sorry for all your trouble.
hansfn
Developer
Posts: 3228
Joined: Sun Nov 25, 2007 7:48 pm
Location: Molde, Norway

Re: I have been hacked - now what?

Postby Robbert » Sun Feb 20, 2011 8:50 am

So how do I know what files are unknown or strange? They are all unknown to me and I find them all strange.
Virtutis est domare quae cuncti pavent
www.robbertbaruch.nl
Robbert
Posts: 56
Joined: Sat May 10, 2008 8:00 pm

Re: I have been hacked - now what?

Postby hansfn » Sun Feb 20, 2011 11:46 pm

That can be a good question, but:
1) In the images folder, you should know what everything is because you put it there - images and similar.
2) In the templates folder, you should know what everything is because you put it there - it's HTML files, CSS files and maybe some images.
3) In the db folder, there are indeed many (to you) strange files, but you could understand "strange" as "different". So if there are many files named ser_whatever.php and one file named a.php, you know which is really strange, right?

And don't forget I said which creation/modification dates to look for.
hansfn
Developer
Posts: 3228
Joined: Sun Nov 25, 2007 7:48 pm
Location: Molde, Norway

Re: I have been hacked - now what?

Postby DAOWAce » Sat Feb 26, 2011 11:24 am

Has our database password been compromised by this hacker?

Edited by hansfn.
I don't mean to sound rude, but I can't help the way people interpret my words.
DAOWAce
Posts: 6
Joined: Sun Nov 07, 2010 8:38 am
Location: US East

Re: I have been hacked - now what?

Postby hansfn » Sat Feb 26, 2011 6:00 pm

The hacker had full admin access to your PivotX, so he could have read your database password. It's sound advice to change it. Thx for raising this issue.
hansfn
Developer
Posts: 3228
Joined: Sun Nov 25, 2007 7:48 pm
Location: Molde, Norway

Re: I have been hacked - now what?

Postby hansfn » Wed Feb 29, 2012 1:38 am

Many PivotX sites were hacked in October 2011 using the TimThumb exploit. It seems the attackers have been uploading remote shells to the db folder, often named ser_plugins.php (which isn't a file PivotX uses). To help people look for such files, I have just released version 0.9.3 of the PivotX Tools extension which can look for suspicious files in the images, db and templates folder.

I actually recommend everyone to run the new integrity checker just to be sure. (You might have been hacked a long time ago without noticing it.)
hansfn
Developer
Posts: 3228
Joined: Sun Nov 25, 2007 7:48 pm
Location: Molde, Norway
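
The file-level checks hansfn describes in the first post (look in images, pivotx/templates and pivotx/db for files created after a cutoff date), in his "strange means different" reply (one a.php among many ser_*.php files) and in the February 2012 post (shells dropped into db/ as ser_plugins.php) can be scripted as a read-only sweep. The script below is an added example written for this thread; it is not the PivotX Tools integrity checker and not hansfn's code. It assumes the allowed extension lists for images and templates, treats only top-level db files as ser_*.php data files (the entry subfolders are checked by date only, since their layout is not described here), and builds a constructed toy install with made-up file names and modification times so it can run offline.

```python
"""Constructed example: a read-only sweep of a PivotX install for the file-level
signs described in this thread (unexpected files, files changed after a cutoff
date, PHP dropped where only data or static files belong)."""
import os
import re
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# The three folders the thread tells you to inspect, relative to the web root.
FOLDERS = ("images", "pivotx/templates", "pivotx/db")

# "Normal" per hansfn: images hold images, templates hold HTML/CSS and maybe images.
# The extension lists are assumptions, not a PivotX inventory; extend them for your site.
ALLOWED_EXT = {
    "images": {".jpg", ".jpeg", ".png", ".gif"},
    "pivotx/templates": {".html", ".css", ".jpg", ".jpeg", ".png", ".gif", ".js"},
}
# Top-level db files are ser_*.php data files; anything "different" (a.php) stands out.
DB_DATA_FILE = re.compile(r"^ser_[a-z_]+\.php$")
# Named in the thread as a shell dropped into db/ that PivotX itself never creates.
KNOWN_BAD_NAMES = {"ser_plugins.php"}
# The thread says these change whenever anyone logs in (intruder included),
# so a fresh modification time alone is not evidence for them.
LOGIN_TOUCHED = {"ser_events.php", "ser_logins.php", "ser_sessions.php", "ser_users.php"}


def classify(folder, rel, mtime, cutoff):
    """Return the reasons a file is suspicious; an empty list means nothing stood out."""
    reasons = []
    name = rel.name
    if name in KNOWN_BAD_NAMES:
        reasons.append("known shell filename")
    if folder in ALLOWED_EXT:
        ext = rel.suffix.lower() or "(none)"
        if ext not in ALLOWED_EXT[folder]:
            reasons.append(f"unexpected file type {ext} in {folder}")
    elif rel.parent == Path(".") and not DB_DATA_FILE.match(name):
        # Entry subfolders (db/standard-00X00) get the date rule only.
        reasons.append("does not look like a ser_*.php data file")
    if mtime >= cutoff and name not in LOGIN_TOUCHED:
        reasons.append(f"modified after {cutoff.date()}")
    return reasons


def scan(webroot, cutoff):
    """Walk FOLDERS under webroot; return sorted (relative path, reasons) for flagged files."""
    findings = []
    root = Path(webroot)
    for folder in FOLDERS:
        base = root / folder
        if not base.is_dir():
            continue
        for path in sorted(p for p in base.rglob("*") if p.is_file()):
            rel = path.relative_to(base)
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            reasons = classify(folder, rel, mtime, cutoff)
            if reasons:
                findings.append((f"{folder}/{rel.as_posix()}", reasons))
    return findings


def build_demo(root):
    """Lay out a constructed toy install; names and mtimes are made up for the demo."""
    old = datetime(2011, 1, 15, tzinfo=timezone.utc).timestamp()
    new = datetime(2011, 2, 14, tzinfo=timezone.utc).timestamp()
    files = {
        "images/logo.png": old,
        "images/x.php": new,                        # PHP where only images belong
        "pivotx/templates/index.html": old,
        "pivotx/db/ser_users.php": new,             # touched by a login: expected
        "pivotx/db/ser_entries.php": old,           # constructed data-file name
        "pivotx/db/a.php": new,                     # the "different" file from the thread
        "pivotx/db/ser_plugins.php": old,           # known shell name despite an old mtime
        "pivotx/db/standard-00100/00001.php": old,  # constructed entry file
    }
    for rel, ts in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("")
        os.utime(p, (ts, ts))


def run_demo(cutoff=datetime(2011, 2, 11, tzinfo=timezone.utc)):
    """Build the toy install in a temp dir and return what scan() flags."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo(tmp)
        return scan(tmp, cutoff)


if __name__ == "__main__":
    # Real use: python integrity_sweep.py /path/to/webroot 2011-02-11
    if len(sys.argv) == 3:
        cutoff = datetime.fromisoformat(sys.argv[2]).replace(tzinfo=timezone.utc)
        results = scan(sys.argv[1], cutoff)
    else:
        results = run_demo()
    for path, reasons in results:
        print(path, "->", "; ".join(reasons))
```

Run it against a downloaded copy of the site (step 1 of the checklist) rather than on the live server, and treat the output as a list of files to inspect, not to delete blindly: the date rule will also catch legitimate edits you made after the cutoff, and a shell with a back-dated timestamp is only caught by the name and file-type rules.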

Re: I have been hacked - now what?

Postby rabbeltje » Thu Apr 04, 2013 2:19 pm

It seems I've been hacked recently. I am using the latest pivotx-version, but the following files were somehow found in my pivotx-directory:
pivotx/read.php
pivotx/includes/uploader/wp-item.php

According to my host, these are files uploaded by a hacker. I have the content of the files, but they're quite extensive; should I post them here?
rabbeltje
Posts: 355
Joined: Mon Aug 25, 2008 11:54 am
Location: Neerbeek, The Netherlands

Re: I have been hacked - now what?

Postby hansfn » Fri Apr 05, 2013 8:33 am

Are you sure that the files were created after you upgraded to PivotX 2.3.6? Very often, the files have been there for a long time and just discovered by accident.

If you are sure someone has hacked PivotX 2.3.6, please send me the webserver access logs so I can find the attack vector. Contact me directly at hansfn@pivotx.net (or security@pivotx.net).
hansfn
Developer
Posts: 3228
Joined: Sun Nov 25, 2007 7:48 pm
Location: Molde, Norway