Search

I have a serious spam issue within Symphony 2.0.5. I need assistance in removing the spam and patching the hole which is causing it.

Spam is appearing in the site search, I can’t find any injected or malicious code. I also can’t find any reference to the spam in the database.

Here is an example: http://www.classicist.org/search/?q=cialis

If you copy and paste the URL, the page shows up fine. If you click the link you get a spam page.

I found this:

Any advice? Thank you.

Looks like a htaccess hack. Can you post the contents of that file here?

EDIT: the file can be found in your document root. It may be hidden, so tell your FTP client to show hidden files.

There’s nothing abnormal in the .htaccess file.

```apache
### Symphony 2.0 - Do not edit

RewriteEngine on
RewriteBase /

### DO NOT APPLY RULES WHEN REQUESTING "favicon.ico"
RewriteCond %{REQUEST_FILENAME} favicon.ico [NC]
RewriteRule .* - [S=14]


### IMAGE RULES
RewriteRule ^image/(.+.(jpg|gif|jpeg|png|bmp))$ /extensions/jit_image_manipulation/lib/image.php?param=$1 [L,NC]


### CHECK FOR TRAILING SLASH - Will ignore files
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !/$
RewriteCond %{REQUEST_URI} !(.*)/$
RewriteRule ^(.*)$ /$1/ [L,R=301]

### MAIN REWRITE - This will ignore directories
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /index.php?symphony-page=$1&%{QUERY_STRING}    [L]

DirectoryIndex index.php

IndexIgnore *
```

The other thing to look for is a base64_decode() function somewhere in your site files. Spammers tend to hide their calls in an obfuscated function so they’re harder to find.

I’m familiar with those type of attacks and already did a search for base64_decode functions.

Hmm, this is odd. Can you show your access logs to see where the calls to the infected pages are actually routed to?

Also, have any of your page templates changed in the last few days (assuming you haven’t changed them)?

EDIT: Advice removed in favour of my more recent post.

EDIT: Extra advice removed in favour of my most recent post…

I see from your previous thread that this keeps happening on your site, and a thorough investigation was done by the core team, with no apparent Symphony flaws.

May I suggest, as Craig mentioned, that if you haven’t already moved hosts, move hosts. It seems more likely to be a security flaw on their setup rather than Symphony itself.

Sometimes, with these things, it’s much easier to cut off the attack at the jugular than try and second guess how they’re doing it and plug the hole.

Who is the host? Have they got other clients having the same problem?

Edit: Are you still on Rackspace? They have a history. Are there any other PHP apps running on the hosting account?

Did you see this:

http://forums.cnet.com/7726-6132_102-3374234.html

I’ve never had any trouble with Rackspace, but I continue to have these problems with Symphony and only Symphony. Rackspace has already confirmed before that the server is secure and this type of issue is most likely a problem with the software.

No other PHP is on the server.

I appreciate the advice but I have two sides point their fingers at one another. Neither offer any real solution.

I can understand your frustrations, did you mention the cnet thread to the core team? I hope someone has.

I’d love to look at the code on your site. Have you looked at the templates like @creativedutchmen suggested? Is it the Google search extension you’re using?

I hate hackers, they’ve got me before on WordPress…

Sorry to keep spamming this thread…

Have you considered an upgrade to 2.1.2? The SQL injection attack mentioned in the Cnet thread shouldn’t be a worry if you haven’t got any frontend input, plus there is the new XSS Extension bundled with 2.1.2. Worth a thought…

I actually stumbled across that article yesterday while researching this issue. I’ll forward it on the core team.

I’ve combed through the code many times looking for something. I am using the Google Search extension. The problem is definitely limited to the search. The behavior I find strange is that you can navigate directly to those URLs but you can’t click the links.

I can upgrade to 2.1.2 but I wanted to make sure that the database is clean.
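The symptom described in this thread (the page is clean when the URL is pasted into the address bar but serves spam when the link is clicked) is the signature of referrer-based cloaking: the server varies its response on the Referer or User-Agent header. The check below is an added example, not code from the thread or from Symphony. It fetches the same URL once per header variant and compares each body with the direct visit; the URL, the referrer and user-agent values and the 0.9 similarity threshold are assumptions, and the demo runs against a constructed fake fetcher so it works offline.

```python
import difflib
import urllib.request

# Request variants to compare against the direct visit. The referrer and
# user-agent values are constructed placeholders, not real clients.
VARIANTS = {
    "direct": {},
    "clicked-from-site": {"Referer": "http://site.invalid/"},
    "from-search-engine": {"Referer": "https://www.google.com/"},
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"},
}


def urllib_fetch(url, headers):
    """Fetch `url` with the given request headers and return the body as text."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def detect_cloaking(url, fetch=urllib_fetch, variants=VARIANTS, threshold=0.9):
    """Fetch `url` once per variant and compare each body with the direct
    visit. A similarity ratio below `threshold` marks that variant as cloaked."""
    baseline = fetch(url, variants["direct"])
    report = {}
    for name, headers in variants.items():
        if name == "direct":
            continue
        body = fetch(url, headers)
        ratio = difflib.SequenceMatcher(None, baseline, body).ratio()
        report[name] = {"similarity": round(ratio, 3), "cloaked": ratio < threshold}
    return report


# Constructed responses standing in for the live site: a clean search page for
# a direct visit, injected spam whenever a Referer header is present.
CLEAN_BODY = (
    "<html><body><h1>Search results</h1>"
    "<ul><li><a href='/about/'>About the Institute</a></li></ul></body></html>"
)
SPAM_BODY = (
    "<html><body><h4>constructed spam placeholder</h4>"
    "<p>links that lead to a third-party pharmacy page</p></body></html>"
)


def fake_fetch(url, headers):
    """Offline stand-in for urllib_fetch that behaves like a cloaked page."""
    return SPAM_BODY if "Referer" in headers else CLEAN_BODY


if __name__ == "__main__":
    results = detect_cloaking("http://site.invalid/search/?q=cialis", fetch=fake_fetch)
    for name, result in results.items():
        print(f"{name:20s} similarity={result['similarity']:.3f} cloaked={result['cloaked']}")
```

Against a real host, call `detect_cloaking(url)` with the default `urllib_fetch`. A variant that comes back cloaked tells you which condition the injected rule keys on, which narrows the search to whatever reads that header: `.htaccess` rewrite conditions, or PHP that inspects `$_SERVER['HTTP_REFERER']` before fetching remote content.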

Yeah, I noticed that. It got me thinking that the Frontend Class has been hacked somehow as it’s returning their content rather than yours.

Also, it only ever happens when the q url parameter is ‘cialis’. When it’s something else, the words in the h4 elements are still their words, but the links work fine… That makes me think the templates are altered, and the Frontend Class is too.

What are the timestamps on the files on your server? Any that look oddly recent? Especially compared to all the rest?

I’d check that on every single file of your install. It could narrow it down, or not if they’re all the same…

Can you zip up your /symphony /extensions /workspace/pages and /workspace/utilities folders and send them to me? contact at designermonkey dot co dot uk

I really want to look into this and help. I’m not a genius with this stuff, but I think the core team are mighty busy sorting 2.2 out, so I’d like to help if I can (while I have time before my new job starts).
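The two checks suggested earlier in this thread, searching the install for obfuscated calls such as base64_decode() and comparing file timestamps to find anything oddly recent, as one script. This is an added example written for this page, not code from Symphony or from anyone in the thread. The tree it scans is a constructed temporary directory containing the .htaccess posted above, a clean index.php and one made-up dropper; the pattern list, the seven-day window and the file paths are assumptions.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Calls that obfuscated PHP droppers commonly rely on. A match is a lead for
# manual review, not proof of compromise (legitimate code uses base64 too).
SUSPICIOUS_PATTERNS = [
    ("base64_decode", re.compile(rb"base64_decode\s*\(", re.I)),
    ("eval", re.compile(rb"\beval\s*\(", re.I)),
    ("gzinflate", re.compile(rb"gzinflate\s*\(", re.I)),
    ("str_rot13", re.compile(rb"str_rot13\s*\(", re.I)),
    # .htaccess rules keyed on the referrer or user agent are the usual
    # mechanism behind "direct visit is clean, clicked link is spam".
    ("referrer/agent rewrite", re.compile(rb"RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}", re.I)),
]
SCANNED_SUFFIXES = {".php", ".phtml", ".inc"}


def scan_tree(root, recent_days=7, now=None):
    """Walk `root` and return (flagged, recent): files containing a suspicious
    call, as (relative path, [pattern names]) pairs, and files whose mtime is
    within `recent_days` of `now` (defaults to the current time)."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    flagged, recent = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.stat().st_mtime >= cutoff:
            recent.append(rel)
        if path.suffix.lower() in SCANNED_SUFFIXES or path.name == ".htaccess":
            data = path.read_bytes()
            hits = [name for name, pattern in SUSPICIOUS_PATTERNS if pattern.search(data)]
            if hits:
                flagged.append((rel, hits))
    return sorted(flagged), sorted(recent)


def build_demo_site():
    """Construct a throwaway site tree: a trimmed copy of the .htaccess posted
    in the thread and a clean index.php, both backdated a year, plus an
    obfuscated dropper written now. The dropper path and contents are a
    constructed sample, not anything found on the real site."""
    root = tempfile.mkdtemp(prefix="symphony-scan-demo-")
    old = time.time() - 365 * 86400
    htaccess = Path(root, ".htaccess")
    htaccess.write_text(
        "### Symphony 2.0 - Do not edit\n"
        "RewriteEngine on\nRewriteBase /\n"
        "RewriteCond %{REQUEST_FILENAME} !-d\n"
        "RewriteRule ^(.*)/$ /index.php?symphony-page=$1&%{QUERY_STRING} [L]\n"
    )
    index = Path(root, "index.php")
    index.write_text("<?php\n// constructed clean front controller\n")
    for f in (htaccess, index):
        os.utime(f, (old, old))
    dropper = Path(root, "extensions", "search", "data.php")
    dropper.parent.mkdir(parents=True)
    dropper.write_text("<?php\n@eval(base64_decode('Zm9v'));  // constructed sample\n")
    return root


if __name__ == "__main__":
    site = build_demo_site()
    flagged, recent = scan_tree(site)
    for rel, hits in flagged:
        print(f"suspicious call in {rel}: {', '.join(hits)}")
    print("modified in the last 7 days:", recent)
```

Run it against a real document root with `scan_tree("/path/to/docroot")`. The timestamp list is only useful if the attacker did not reset mtimes, so treat an empty list as inconclusive, and compare the flagged files against a clean copy of the same Symphony and extension versions rather than trusting the pattern hits alone.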

I am using the Google Search extension. The problem is definitely limited to the search.

Could the problem be in Google Search?

I was thinking that myself. The question is, how would it happen? I’ve looked through the code for GCSE and I can’t see that it would happen there. The results get returned and are output into the page, with the correct URLs. It does seem to me that it’s happening in the Frontend class when the query parameter is set to cialis, to curl content from another url (http://real-pharmacy.net/index.php?said=|www.classicist.org|).

We’d need to check the symphony core code…

Edit: A hacked extension could also be using a delegate, which could reside in the database… (just thinking out loud)

When you debug the search page, can you confirm that the ‘spam’ results are appearing in the XML?

If you are using GCSE (2.3), can you add `var_dump($googleURL);exit;` in the data.gcse.php file just after line 96 (`$googleURL = 'http://ajax.googleapis.com/ajax/services/search/web?v=1.0'.$p.'&q='.urlencode($q);`)?

I’m curious to see when the spammy results are being included.

Clicking on other links on the left showed me spammy pages too.

I think it’s definitely a PHP hack, either an extension or the core.

Nick, have you experience in anything like this with Airlock?
