PivotX Support Community

[hansfn]

PS! This thread will be moderated - only post that are highly relevant will be listed. Other posts will be deleted.

OK, as you might have noticed, many, many PivotX installs have been hacked. The vulnerability used by the hackers is fixed in PivotX 2.2.5 that was just released, but what exactly do you?

Added February 2012: Many PivotX installs were hacked in October 2011 using another vulnerability - the TimThumb exploit (which has been fixed since version 2.3.0).

1. Download a copy of the pivotx/db and pivotx/templates folders (using FTP). Just to be safe.
2. Then check your images, pivotx/templates and pivotx/db folders. (The integrity checker in PivotX Tools will help you - see last item in this list.) Are there any unknown/strange files created after February 11th? (This is easily done using the FileZilla FTP client and the "Search remote files" function in the "Server" menu. It's most effective if you do the search three times - when standing ech of the three folders.) You'll find some files modified because the hacker has logged in to your site - at least db/ser_events.php, db/ser_logins.php, db/ser_sessions.php, db/ser_users.php and maybe a file inside db/standard-00X00 since the hacker made a post.
3. Upgrade to the latest PivotX. That means downloading the zip/tar.gz file and installing the files. Basically you just overwrite the old files.
4. Select "Reset my password" in stead of logging in normally to your site. This will send you an e-mail with a link to get the new password - the hackers have most likely changed your old password. (If you don't get the e-mail or PivotX replies "PivotX was not able to send a mail with the reset link.", don't hesitate to contact me at hansfn@pivotx.net for more help.)
5. Finally, install the PivotX Tools extension - download, unzip and upload the pivotx_tools folder to your pivotx/extensions folder. After enabling the extension, select the "Check Integrity" under the new main menu item "PivotX Tools". All files reported as unknown or suspicious, can be malicious - so called remote shells. Download the files (to be sure) and delete them from your server.

OK, now you should be safe again, and we are truly sorry for all your trouble.

[Robbert]

So how do I know what files are unknown or strange? They are all unknown to me and I find them all strange.

[hansfn]

That can be a good question, but:
1) In the images folder, you should know what everything is because you put it there - images and similar.
2) In the templates folder, you should know what everything is because you put it there - it's HTML files, CSS files and maybe some images.
3) In the db folder, there are indeed many (to you) strange files, but you could understand "strange" as "different". So if there are many files named ser_whaterer.php and one file name a.php, you know which is really strange, right?

And don't forget I said which creation/modification dates to look for.

[DAOWAce]

Has our database password been compromised by this hacker?

Edited by hansfn.

[hansfn]

The hacker had full admin access to your PivotX, so he could have read your database password. It's sound advice to change it. Thx for raising this issue.

[hansfn]

Many PivotX sites were hacked in October 2011 using the TimThumb exploit. It seems the attackers have been uploading remote shells to the db folder, often named ser_plugins.php (which isn't a file PivotX uses), To help people look for such files, I have just released version 0.9.3 of the PivotX Tools extension which can look for suspicious files in the images, db and templates folder.

I actually recommend everyone to run the new integrity checker just to be sure. (You might have been hacked long time ago without noticing it.)

[rabbeltje]

it seems i've been hacked recently. I am using the latest pivotx-version, but the following file was somehow found in my pivotx-directory:
pivotx/read.php
pivotx/includes/uploader/wp-item.php

According to my host, these are files uploaded by a hacker. I have the content of the files, but they're quite extensive, should i post them here..?

[hansfn]

Are you sure that the files were created after you upgraded to PivotX 2.3.6? Very often, the files have been there for a long time and just discovered by accident.

If you are sure someone has hacked PivotX 2.3.6, please send me the webserver access logs so I can find the attack vector. Contact me directly at hansfn@pivotx.net (or security@pivotx.net).