Dragonfly CMS v9 ⇒ Security v9 :: Archives ⇒ Stop from getting hacked? (PC full of viruses) :: Archived ⇒ Community Forums ⇒ CPG Dragonfly™ CMS

Archived ⇒ Stop from getting hacked? (PC full of viruses)


Hey all.

I implemented Dragonfly CMS about a month ago. I'm pretty new to web development/related stuff. Well, I got hacked the first time today.

Some guy added himself as a Super User somehow and deleted all my admins. He then posted on the front page

"This site has been hacked by thereisnospoon"

What do I need to do to fix this? Is this an issue with the CHMOD settings? Do I need to change permissions on a particular file?

Don't want this to happen again... any help would be appreciated.

And just for the record... I'm running 9.0.6.1 because of an issue with database names containing capital letters. Also, my site is hosted on a paid host called discountasp.net

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
PHP 4.3.4


I think someone knew your password, there is no other way of becoming an admin.

If he only deleted the admins, well just add one back in ;)

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


Did you forget to delete the install.php and/or install folder? Did you have an easily guessable or unprotected phpmyadmin interface? Such as yoursite.com/phpmyadmin.

Wiit

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Win2016-nano/IIS10/5.5.43/5.5.14/9.4.0.0


It is interesting that I see you left his account active, and he opted to give himself an Elijah Wood icon.

Diagon Alley - Top Design

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux/1.3.37/4.1.21-standard/4.4.4/9.1.1


My password was a 10-digit alphanumeric password, nobody knows it.

I did do a virus scan of my computer, (I normally don't install virus scan because I don't care for resources being used by it)

Anyway, I had 2150 infected files and like 12 different instances of trojans and malware, most likely due to filesharing.

What are the chances someone actually figured out my password and that I was an administrator of a website just from that? I investigated the trojans, worms, and viruses and it mostly revealed they were popup generators, dialers, and one seemingly malicious one that could download and install programs without consent. I didn't return a keylogger on any of them, but with almost 2200 infected files, seems like anything could be a possibility.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
PHP 4.3.4


I barely remember anything about IIS which is pretty sad since I used to be certified on it...

What level of logging did you have enabled? Seeing what URLs he accessed in what order would certainly help tell the story of what happened.

Edit: You might want to check for this module, and if possible post where you got it from.

Diagon Alley - Top Design

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux/1.3.37/4.1.21-standard/4.4.4/9.1.1
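
The log review suggested in the post above, as an added example that is not part of the original thread: it reads IIS W3C extended logs and prints, per client IP, the time-ordered requests of any client that touched the installer or phpMyAdmin paths mentioned earlier. The log lines and IP addresses are constructed, and `/admin.php` as the admin entry point is an assumption.

```python
from collections import defaultdict

# Paths raised in the thread: a leftover installer and an exposed phpMyAdmin.
# "/admin.php" as the admin entry point is an assumption for this example.
WATCHED = ("/install.php", "/install/", "/phpmyadmin", "/admin.php")

# Constructed sample in IIS W3C extended format (not real log data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-05-01 10:00:01 192.0.2.10 GET /index.php - 200
2006-05-01 10:02:13 198.51.100.7 GET /phpmyadmin/index.php - 404
2006-05-01 10:02:40 198.51.100.7 GET /install.php - 200
2006-05-01 10:03:05 198.51.100.7 POST /install.php - 200
2006-05-01 10:04:30 198.51.100.7 POST /admin.php - 200
2006-05-01 10:05:00 192.0.2.10 GET /index.php name=Forums 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # IIS may change columns mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def timelines(text):
    """Map each client IP that requested a watched path to its full,
    time-ordered list of (timestamp, method, path, status)."""
    by_ip = defaultdict(list)
    for row in parse_w3c(text):
        by_ip[row["c-ip"]].append(row)
    result = {}
    for ip, rows in by_ip.items():
        if any(r["cs-uri-stem"].lower().startswith(WATCHED) for r in rows):
            rows.sort(key=lambda r: (r["date"], r["time"]))
            result[ip] = [(r["date"] + " " + r["time"], r["cs-method"],
                           r["cs-uri-stem"], r["sc-status"]) for r in rows]
    return result

if __name__ == "__main__":
    for ip, events in timelines(SAMPLE_LOG).items():
        print(ip)
        for event in events:
            print("   ", *event)
```

A 200 on `/install.php` followed by a POST to it is the pattern to look for; a 404 on the same path means the file was already gone.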


tfpriest86 wrote
(((SNIP)))
I did do a virus scan of my computer, (I normally don't install virus scan because I don't care for resources being used by it)

Anyway, I had 2150 infected files and like 12 different instances of trojans and malware, most likely due to filesharing.
(((SNIP)))


Sounds like it's time to dedicate some resources to a real time virus scanner.

While pretty is always good, good is not always pretty.

www.2guyzandsumtrains.com/
hobby-machinist.com/

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
FreeBSD 4.8-STABLE (i386)/1.3.29/4.1.15-log/4.3.10/9.2.1 upgd from 9.0.1.1
