Need an opinion - Help!


Hi All,

I wanted to get some opinions before I talk to my idiot web hosting place.

Here is what happens:
My site is up and running smoothly, no problems. After an unspecified amount of time (there doesn't seem to be any kind of definite timeline for this happening, it just does!), when I go to the site all I get is a blank page. Upon further investigation, I see that the index.php has jumped in size from 7 k to 93 k. I download the file and then re-upload the original index.php (from the public_html folder), and the site is back up and running... When I check out the larger index file I see that it has been totally modified, and I see this at the top of the page:

<?php @register_shutdown_function("__sfd1225923949__");function __sfd1225923949__() { global $__sdv1225923949__; if (!empty($__sdv1225923949__)) return; $__sdv1225923949__=1; echo <<<DOC__DOC

DOC__DOC;
} ?>


And at the bottom of the file I see a whole bunch of entries that look like this:

<u style=display:none><a href="http://I REMOVED THE LINK CAUSE IT IS A VIRUS SITE">openoffice.org</a><a href="I REMOVED THE LINK CAUSE IT IS A VIRUS SITE">hobby lobby.com</a><a href="I REMOVED THE LINK CAUSE IT IS A VIRUS SITE">ludachris</a>


and it goes on for a lot of lines with basically the same setup. So can anyone tell me what is going on? And if this is something in DF that needs to be changed or something on my host?

Thanks,
Convict
Attachment: index.rar
Description: This is the rar'd index file with the additions.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
FreeBSD 4.9/MySQL 4.1.11/PHP Version 4.4.8/DragonFly 9.2.1


Looks like someone other than you has access to your webspace. If your host provides some means of changing the password I'd do it.

Gaming League / Cup - www.leaguecms.co.uk :: Other DragonFly modules - www.cmsdreams.co.uk


If that person got access to the root of the server, it won't matter.

Lead Theme Designer - WebSiteGuru Designs

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux 2.6.9 / Apache 2.2.6 / MySQL 5.0.27 / PHP 5 / DF Version 9.2.1


Hi, thanks for the advice. Funny thing is I had actually changed my password at the end of last month, then I changed it again when the index.php file was changed the last time, and of course I changed it again last night when I discovered the problem again.

So if the person has access to root, and I am not in charge of the server, there isn't a whole lot I can do about it right? Esp. if the web host denies there is a problem on their end and blames dragonfly?

EDIT: Another funny thing, I host four different sites with this host, 2 are running dragonfly and 2 are running B2Evolution...both of the dragonfly sites are affected and the B2Evo sites are fine?

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
FreeBSD 4.9/MySQL 4.1.11/PHP Version 4.4.8/DragonFly 9.2.1


If they hacked the server and have root access, the only thing you can do is find another host. Most shared hosting companies are not very good at security.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Multiple Setups


Concur with Diz on that one. Try finding a respectable one if you can. Don't just go for the cheapest.

Lead Theme Designer - WebSiteGuru Designs

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux 2.6.9 / Apache 2.2.6 / MySQL 5.0.27 / PHP 5 / DF Version 9.2.1


ConViCt wrote
EDIT: Another funny thing, I host four different sites with this host, 2 are running dragonfly and 2 are running B2Evolution...both of the dragonfly sites are affected and the B2Evo sites are fine?


Are they all hosted on the same server?

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


Hi,

ConViCt's problem seems the same as my problem.

My site was running smoothly until one time (10 days ago) it was a blank page. I investigated and found out that the site's index.php had been modified. I uploaded the original and the site was back up and running again. But the next day the problem came back, and so on. The same setup: the bottom of the index.php file has several lines referring to several virus sites.

I'm already exhausted from talking to my site host; they always say the same thing... change your password, they upgraded their router, they blocked the attacker, blah blah blah.

Changing my host is already in my plans, but when I read this post I thought maybe something can be done. Please help. Thanks.
Attachment: indexold1.zip
Description: one of modified index.php

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
FreeBSD 4.9/Apache1.3.29/MySQL4.1.20/PHP4.4.8/CMS Version9.2.1


Maybe a coincidence or not but just to be sure.

Each of you having this issue, consider replying with:

  1. DragonflyCMS™ version number.
  2. Entire list of modules excluding DragonflyCMS™ modules.
  3. Installed WYSIWYG editors.
  4. Admin -> System (or General for older versions) -> System Info and check if "Process Owner" matches "File Owner".
  5. Do you have other websites or subdomains installed under the same account?
    1. Software and version.
    2. If the software used is DragonflyCMS™ list all installed modules sharing the above module list.
    3. Is this happening on those sites as well?
  6. Does this happen on every file called "index" or just the one located at the root of your site?
  7. Ask your system admin if other server accounts are having the same issue (0.000001% will admit the issue).
  8. Because we want to keep your privacy safe only Moderators will be able to download attachments.

.:: I met php the 03 December 2003 :: Unforgettable day! ::.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
CloudLinux / Apache 2.4 LSAPI / MySQLi 5.6 / PHP 5.6 / DCVS
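
Added example, not part of any post in this thread: a small Python scanner that helps answer item 6 above by checking every file named index.* under a web root for the two markers quoted in the first post (the `__sfd<digits>__` shutdown hook and the `<u style=display:none>` link block), and reporting each hit's size and owner uid. The function names, the `sub` directory and the `example.invalid` links are constructed for illustration.

```python
import os
import re

# Markers taken from the modified index.php quoted in the first post.
SHUTDOWN_HOOK = re.compile(rb'register_shutdown_function\(\s*["\']__sfd\d+__["\']')
HIDDEN_BLOCK = re.compile(rb'<u\s+style\s*=\s*["\']?display\s*:\s*none', re.I)
ANCHOR = re.compile(rb'<a\s+href', re.I)

def scan_file(path):
    """Return the findings for one file; an empty list means no marker matched."""
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    if SHUTDOWN_HOOK.search(data):
        findings.append("shutdown-hook")
    block = HIDDEN_BLOCK.search(data)
    if block:
        # Count the links that follow the hidden element.
        findings.append("hidden-links:%d" % len(ANCHOR.findall(data, block.start())))
    return findings

def scan_tree(root):
    """Check every file named index.* under root, not only the top-level one."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().startswith("index."):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                st = os.stat(path)
                report[os.path.relpath(path, root)] = {
                    "findings": hits, "size": st.st_size, "uid": st.st_uid}
    return report

def build_sample_site(root):
    """Write a constructed two-file site: one clean index.php, one modified."""
    clean = b'<?php echo "home"; ?>\n'
    modified = (b'<?php @register_shutdown_function("__sfd1225923949__"); ?>\n' + clean +
                b'<u style=display:none><a href="http://example.invalid/a">a</a>'
                b'<a href="http://example.invalid/b">b</a>\n')
    os.makedirs(os.path.join(root, "sub"))
    for rel, body in (("index.php", modified), (os.path.join("sub", "index.php"), clean)):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for rel, info in scan_tree(site).items():
            print(rel, info)
```

Point `scan_tree` at a downloaded copy of public_html; a uid on a modified file that differs from your account's own is worth raising alongside the "Process Owner" / "File Owner" check in item 4.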


Not coincidence - server IPs are 203.22.204.79 (512 domains) and 203.22.204.75 (239 domains).

Looks like some amateurish reseller, or a host on the way out of biz.
