
Index / Forums / Photo Gallery etc Pages All Missing


Hello,

I have done a few searches of the forums looking for issues relating to this, but the problems others were having seemed to happen immediately after a domain move or something, which was not the case here. Will try to explain the full story, any help would be greatly appreciated.

At some point last night, almost all of my website (www.defiancelinkshell.com) became unviewable. This includes the index page, along with forums, photo gallery, statistics pages (pretty much everything except the admin panel).

Around 2 weeks ago, the website was moved from www.ishtarr.com to www.defiancelinkshell.com. The move went fine, there were no issues. I had to update the cookies and domain information etc in the admin config panels, but aside from that there were no problems at all. The website has been up and working without issue for around 2 weeks since.

Now all of these pages are gone. If you view source etc in the browser on these pages, there is nothing there at all. I have checked the FTP and the files are there, so I would expect to see at least an error of some kind but there is nothing.

It should also be noted, I still own the old domain (www.ishtarr.com) and the exact same issues occur when trying to view the website through this domain. However I am able to see and login to the admin panel via both domains.

Does anyone know why these pages would suddenly become unviewable, or heard of something like this happening before? I am hesitant to start making changes in case I worsen the problem.

I have also logged the following ticket with my hosting provider, but I expect them to come back saying it's nothing to do with them, it's the website. The biggest problem I have is that I am due to go on holiday in 2 days' time and there are around 60 people who rely on the website on a daily basis.

This is the support ticket logged with my hosting provider, should anyone wish to see it: Click Here

Thank you in advance for any help,

Dominionix

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):


Further to this, I have just received the below response from my hosting provider:

Hi

It shows that the index.php file was modified at 11:45pm last night, it is possible that this is a hack attempt on your site or someone has gained access to your password for FTP access. It is also possible it has been a code vulnerability in the CMS system you are using or possibly a virus on the system that is being used to upload files.

You will need to look at the index.php page and either see if there is any extra code in there or upload the index.php again, overwriting the corrupt version on the server.

Regards
Richard


I have downloaded a copy of the index.php file, and I am not able to see anything wrong with it. I am at work at the moment, so have not had a chance to compare it to the back-up I have at home from 2 weeks ago. Is anyone able to see anything particularly wrong with this code?

<?php
/*********************************************
  CPG Dragonfly™ CMS
  ********************************************
  Copyright © 2004 - 2007 by CPG-Nuke Dev Team
  dragonflycms.org

  $Source: /cvs/html/index.php,v $
  $Revision: 9.37 $
  $Author: phoenix $
  $Date: 2007/10/04 03:04:30 $

  A free program released under the terms and conditions
  of the GNU GPL version 2 or any later version

  Linking CPG Dragonfly™ CMS statically or dynamically with other modules is making a
  combined work based on CPG Dragonfly CMS.  Thus, the terms and conditions of the GNU
  General Public License cover the whole combination.

  As a special exception, the copyright holders of CPG Dragonfly CMS give you
  permission to link CPG Dragonfly CMS with independent modules that communicate with
  CPG Dragonfly CMS solely through the CPG-Core interface, regardless of the license
  terms of these independent modules, and to copy and distribute the
  resulting combined work under terms of your choice, provided that
  every copy of the combined work is accompanied by a complete copy of
  the source code of CPG Dragonfly CMS (the version of CPG Dragonfly CMS used to produce the
  combined work), being distributed under the terms of the GNU General
  Public License plus this exception.  An independent module is a module
  which is not derived from or based on CPG Dragonfly CMS.

  Note that people who make modified versions of CPG Dragonfly CMS are not obligated
  to grant this special exception for their modified versions; it is
  their choice whether to do so.  The GNU General Public License gives
  permission to release a modified version without this exception; this
  exception also makes it possible to release a modified version which
  carries forward this exception.
  gnu.org/licenses/gpl-f...dInterface

***********************************************************************/
$start_mem = function_exists('memory_get_usage') ? memory_get_usage() : 0;
require_once('includes/cmsinit.inc');

$file = isset($_POST['file']) ? $_POST['file'] : (isset($_GET['file']) ? $_GET['file'] : 'index');
if (!ereg('^([a-zA-Z0-9_\-]+)$', $file)) { cpg_error(sprintf(_ERROR_BAD_CHAR, strtolower(_BLOCKFILE2)), _SEC_ERROR); }

if (isset($_GET['name']) || isset($_POST['name'])) {
	$module_name = strtolower(isset($_POST['name']) ? $_POST['name'] : $_GET['name']);
	$home = 0;
	if (!ereg('^([a-z0-9_\-]+)$', $module_name)) {
		cpg_error(sprintf(_ERROR_BAD_CHAR, strtolower(_MODULES)), _SEC_ERROR);
	}
	if ($SESS->new) update_referrer();
	if ($module_name == 'credits' || $module_name == 'privacy_policy') {
		require(CORE_PATH.'info.inc');
	} else if ($module_name == 'smilies') {
		require_once(CORE_PATH.'nbbcode.php');
		echo smilies_table('window', $_GET['field'], $_GET['form']);
		exit;
	}
	$module = $db->sql_ufetchrow('SELECT mid, title, custom_title, active, view, blocks, version FROM '.$prefix."_modules WHERE LOWER(title)='$module_name'", SQL_ASSOC);
	$modpath = isset($module['title']) ? 'modules/'.$module['title'].'/'.$file.'.php' : 'modules/'.(isset($_POST['name']) ? $_POST['name'] : $_GET['name']).'/'.$file.'.php';
	if (!file_exists($modpath)) {
		cpg_error(sprintf(_MODULENOEXIST, (is_admin() ? $modpath : '')), 404);
	}
	$module_name = $module['title'];
	require('includes/meta.php');
	if ($module_name == 'Your_Account' || $module_name == $MAIN_CFG['global']['main_module']) {
		$module['active'] = true;
		$view = 0;
	} else {
		$view = $module['view'];
	}
	if ($module['active'] || (can_admin($module_name) && !$CLASS['member']->demo)) {
		get_lang($module_name, -1);
		$showblocks = $module['blocks'];
		if ($module['custom_title'] != '') 	{ 
			$module_title = /*defined($module['custom_title']) ? constant($module['custom_title']) :*/ $module['custom_title'];
		} else {
			$module_title = defined('_'.$module_name.'LANG') ? constant('_'.$module_name.'LANG') : ereg_replace('_', ' ', $module_name);
		}
		$module_version = $module['version'];
		$module_id = $module['mid'];
		unset($module, $error);
		if ($view > 0 && !is_admin()) {
			if ($view == 1 && !is_user()) {
				$error = _MODULEUSERS.($MAIN_CFG['member']['allowuserreg'] ? _MODULEUSERS2 : '' );
			} elseif ($view == 2) {
				$error = _MODULESADMINS;
			} elseif ($view > 3 && !in_group($view-3)) {
				list($groupName) = $db->sql_ufetchrow('SELECT group_name FROM '.$prefix.'_bbgroups WHERE group_id='.($view-3));
				$error = '<i>'.$groupName.'</i> '._MODULESGROUPS;
			}
		}
		if (isset($error)) {
			cpg_error('<br /><br /><strong>'._RESTRICTEDAREA.'</strong><br /><br />'.$error, 401);
		} else {
			include($modpath);
		}
	} else {
		cpg_error('<br /><br />'._MODULENOTACTIVE, 503);
	}
} else {
	// index.php
	if ($SESS->new) update_referrer();
	$module_name = $MAIN_CFG['global']['main_module'];
	$home = 1;
	$module = $db->sql_ufetchrow('SELECT mid, blocks, version FROM '.$prefix.'_modules WHERE title=\''.$module_name.'\'', SQL_ASSOC);
	$modpath = 'modules/'.$module_name.'/'.$file.'.php';
	if (file_exists($modpath)) {
		get_lang($module_name, -1);
		$showblocks = $module['blocks'];
		$module_title = '';
		$module_version = $module['version'];
		$module_id = $module['mid'];
		unset($module, $error);
		require('includes/meta.php');
		require($modpath);
	} else {
		cpg_error((is_admin() ? '<strong>'._HOMEPROBLEM.'</strong><br /><br />[ <a href="'.adminlink('modules').'">'._ADDAHOME.'</a> ]' : _HOMEPROBLEMUSER), '');
	}
}
function update_referrer() {
	global $db, $prefix, $MAIN_CFG;
	if ($MAIN_CFG['global']['httpref'] && isset($_SERVER['HTTP_REFERER']) && !empty($_SERVER['HTTP_REFERER'])) {
		$referer = Fix_Quotes($_SERVER['HTTP_REFERER']);
		$httprefmax = (int)$MAIN_CFG['global']['httprefmax'];
		if (ereg('://', $referer) && !eregi($MAIN_CFG['server']['domain'], $referer)) {
			if (!$db->sql_query('UPDATE '.$prefix.'_referer SET lasttime='.gmtime().' WHERE url=\''.htmlprepare($referer).'\'', true) || !$db->sql_affectedrows()) {
				$db->sql_query('INSERT INTO '.$prefix."_referer (url, lasttime) VALUES ('".htmlprepare($referer)."', ".gmtime().")", true);
			}
			$numrows = $db->sql_count($prefix.'_referer');
			if ($numrows >= $httprefmax) {
				$db->sql_query('DELETE FROM '.$prefix.'_referer ORDER BY lasttime LIMIT '.($numrows-($httprefmax/2)));
			}
		}
	}
}
if (defined('HEADER_OPEN')) { require_once('footer.php'); }
{SCRIPT REMOVED}


Also, after receiving this response I logged back in to my FTP and checked the "last modified" date on all of the files on the website. The only others I could find modified in the last day were "a_login.php" and "config_MAIN_CFG.php" in the "Cache" folder. I assume these were modified by the system if they are in the Cache folder, and not directly by a user?


Dominionix wrote

{SCRIPT REMOVED}



THIS part does not belong in the index.php ...

Since there is no way to modify the index.php from within dragonfly, there has to be a problem with the security settings of your hosting provider ...

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux/1.3.x/4.0.27/5.2.10/9.2.1.0


As you were replying to this, I downloaded a copy of the original index.php (from the same version of Dragonfly as mine) and compared it to the current one, and found the same portion of code that was different.

That being said, I would have installed themes etc since the original install, is it possible one of these themes put this code in the index.php? Because whilst I am not the best with code, from what I understand it doesn't seem to be doing anything... malicious. Or anything else you would expect a "hack" to do.

Does anyone know what that portion of code is actually trying to do?

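The two manual checks made in this thread, diffing the live webroot against a pristine copy of the same DragonflyCMS release and listing files modified in the last day, as an added script. This is not DragonflyCMS code; the directory layout and the exclusion of the "Cache" folder (which the CMS rewrites itself) are assumptions.

```python
import hashlib
import os
import time

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root, ignore_prefixes=()):
    """Map relative path -> sha256 for every file under root, skipping
    folders the CMS rewrites itself (the thread's 'Cache' folder)."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith(tuple(ignore_prefixes)):
                continue
            digests[rel] = sha256_file(full)
    return digests

def compare_trees(clean_root, live_root, ignore_prefixes=("Cache/",)):
    """Diff the live webroot against a pristine copy of the same release.
    'modified' core files and 'added' files not shipped with the release
    are where injected code lands; 'missing' usually means a bad upload."""
    clean = hash_tree(clean_root, ignore_prefixes)
    live = hash_tree(live_root, ignore_prefixes)
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }

def recently_modified(root, hours=24, now=None):
    """Files whose mtime falls within the last `hours`: the scripted form
    of reading 'last modified' in an FTP client. mtimes can be forged,
    so treat this as a lead, not proof; compare_trees is the authority."""
    cutoff = (time.time() if now is None else now) - hours * 3600
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.getmtime(full) >= cutoff:
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)
```

Run compare_trees first against a fresh extract of your exact release; any file it reports as modified or added is the one to open, and the mtime listing then tells you when the change happened.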

OK, I replaced the index.php with the original, which seems to have resolved the issue.

I will change my FTP password and anything else which might be a security risk to the site.

Out of interest, does anyone know what this code was attempting to do? Why would this have been added?


I have done some more research into this, with some assistance from people at work (I work in IT and have a lot of colleagues who have an understanding of scripting).

Having looked at the additional piece of code, a colleague suggested it looked like it was creating / referencing something which would exist on my local machine, and they believed it may involve Google. Now I thought this very unlikely, but nonetheless...

They suggested I do a search on my machine for any file containing the following text: qYjeCeDf

A javascript file was found called "sessionstore.js" within "C:\Documents and Settings\***My Username***\Application Data\Mozilla\Firefox\Profiles\3ihh5fpn.default", which contained the following code. Some of this code can be seen directly in the code pulled from the website.

I don't really want to upload the entire file, as 1) it's very long and 2) it contains what seems to be a lot of personal information about website access. However, what was immediately obvious was that the file was referencing Google.

Here is a snippet of code from the file:

{SCRIPT REMOVED}

Possible attempt by Google?


I noticed the script has been removed from the above posts? Is there a reason for this? Was it malicious?


A very good reason:
Rules & Regulations - section1k wrote
Members are asked to not post topics or replies containing information which may detail a security vulnerability in DragonflyCMS.
We don't accept posting of any scripts - any more and I'll delete the topic.


Phoenix wrote
A very good reason:
Rules & Regulations - section1k wrote
Members are asked to not post topics or replies containing information which may detail a security vulnerability in DragonflyCMS.
We don't accept posting of any scripts - any more and I'll delete the topic.


I apologize; however, the script did not seem to be something that would "detail a security vulnerability in DragonflyCMS" unless intentionally added directly to someone's index page, and having read the topic I don't see why anyone would do that. Even then, nobody (as of yet) has been able to tell me what the script was actually doing, so how do we know it was a security vulnerability?

The lines directly after the one you have quoted from the rules suggest emailing support if I believe I have found a security flaw, but that if it is a basic support issue, I will not receive a response. Do you believe this justifies an email? Would this assist in the development of Dragonfly?


If the script is something special that no one should know about, then e-mailing it is the best solution.

Otherwise, a very good reason for not posting the script in here (but, for example, putting it on pastebin.com/ and putting a link here) is that some antivirus applications will think that dragonflycms.org is affected with something and will nag the users with that. Has happened before with some people.


(Offtopic: Wow, we have a new banner in the footer)
