
Nick, have you experience in anything like this with Airlock?

How do you mean? I’ve not had to tidy up a hacked site before, if that’s what you’re asking.

@brendo: I did a var_dump of the $googleURL results:

http://ajax.googleapis.com/ajax/services/search/web?v=1.0&rsz=large&start=0&cx=016097269284915202942%3Atkftrjuzal0& key=ABQIAAAA9bByhFZHObZBg46083iSVBQ8hSyIbYQ6gTcjxRtG-I2zwUiPxhT7nyo7ZgQK4jZ1patVoEbjSn5Vjg&safe=moderate&q=cialis

Hmm, it’s odd that clicking a result will keep your URL, but display content from the spam site (i.e. this).

I’d be interested in where your Rewrites are going, this might help.

Edit: removed advice in favour of next comment.

On further inspection, the debugdevkit extension has been hacked. inc.php, by the looks of things, gives them an admin interface to do what they want with your database.

Files so far:

/extensions/globalresourceloader/content/menu.php
/extensions/debugdevkit/inc.php

This is what they’ve used, it looks to be split up over the server somehow.

I read recently that the Chinese had hacked Google using Rackspace servers, which Rackspace admitted on their blog, which has since been removed. I seriously suggest leaving Rackspace, especially if they are adamantly claiming they are secure. It is pretty obvious they are not.

I’m going to keep looking through the files you sent me, but I really need to see a copy of the Symphony core files. You have my email…

@designermonkey: Fantastic investigative work! Those files were indeed compromised.

I was able to find more infected files in lib/core/class.session.php and lib/core/log.

I found the culprit. There was a simple “log” file in the lib/core/ folder that contained practically everything. Once I removed it, I was able to click links and get to the right page.

Cool.

I’ve sent you some more by email. I think we’ve broken the back of it now.

All that remains is, how did they get that admin script there in the first place? I’ll leave that to you and Rackspace ;o)

Edit: Did you clean the class.session.php file before you sent it over? It hasn’t changed from the git repo copy that I can see.

So is there anything that can be done by Symphony to help prevent these attacks? Or has this just happened on a server level?

I’ve not been able to establish myself whether it was a server-level thing or not. I would have thought so, but until I do some research into how hackers can write files to the server, I’m not sure.

It has got me thinking about permissions etc. on a live site. I’m beginning to think that restricting permissions to read only on all folders other than temp dirs, cache dirs and workspace upload folders is a good idea. Coupled with that, my shared host leaves no access to chmod, chown, etc. to ensure security, so that scripts like the one we found can’t modify these things. It seems to be a good idea to ensure that the PHP user has these same restricted rights.

As for the stability of Symphony I don’t know. I wouldn’t know how to check either as I’m still learning PHP…

I’m beginning to think that restricting permissions to read only on all folders other than temp dirs, cache dirs and workspace upload folders is a good idea.

That’s already the case: Unless you specifically set the permissions to 777, all newly uploaded files are only writeable by the FTP user.

One thing I’ve never liked though is the need to give write permissions to / to be able to complete the install.

FYI, stumbled on this by curiosity, and the links, including the navigation ones, are still spammy.

I’ve just let iPOTS know; there is something going on under the surface here. This hack has got the culprit files in a different place now, so I don’t think it’s automated.

Update:

Spam has continued to be an issue, but I think it’s starting to clear up. I found that there were malicious scripts outside the main domain, in the subdomain, log and CGI folders. I found a few unencrypted PHP scripts with some really nasty stuff inside. Too much to really understand what they are doing, but it appears that these scripts make calls to another server, download and extract compressed (.gz) files automatically, call SQL queries, create new folders on my server and dump the spam throughout.

Now that these files are apparently gone, we’ll see how it goes.

Hi man!

Thanks for the update. What were Rackspace’s comments on this problem?

They said it might have been a folder permission issue. I confirmed all permissions, but the same came back this morning.

Does anyone have a clean copy of Symphony 2.0.5 that I can download to compare with what I have on the server?

Does anyone have a clean copy of Symphony 2.0.5 that I can download to compare with what I have on the server?

They’re all on GitHub, just click the big “Download” button on the right hand side.
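Comparing the server against a clean download, as an added example that is not code from the thread or from Symphony itself. This POSIX shell script hashes every file in the clean tree and the deployed tree and reports files that were added on the server (like the inc.php and log files found above), modified, or removed. It assumes coreutils `sha256sum` and `find`, and paths without whitespace; `CLEAN_DIR` and `SERVER_DIR` are placeholders for wherever you unpacked the download and where the site lives.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: compare_trees CLEAN_DIR SERVER_DIR
# Output, one line per difference, sorted:
#   ADDED    path   on the server but not in the clean copy (suspect files)
#   MODIFIED path   present in both, contents differ
#   MISSING  path   in the clean copy but gone from the server

# hash_tree DIR: "sha256  relative/path" for every regular file under DIR.
hash_tree() {
    (cd "$1" && find . -type f -exec sha256sum {} +) | sed 's|  \./|  |'
}

compare_trees() {
    {
        hash_tree "$1" | awk '{print "C", $1, $2}'   # tag clean-copy lines
        hash_tree "$2" | awk '{print "S", $1, $2}'   # tag server lines
    } | awk '
        $1 == "C" { clean[$3] = $2 }
        $1 == "S" { server[$3] = $2 }
        END {
            for (p in server) {
                if (!(p in clean))           print "ADDED    " p
                else if (server[p] != clean[p]) print "MODIFIED " p
            }
            for (p in clean) if (!(p in server)) print "MISSING  " p
        }' | LC_ALL=C sort
}
```

Review every ADDED line by hand: anything that is not a workspace file, an upload or your own extension is a candidate for the kind of script the thread describes.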

Thanks so much.
