My welcome message changed to Hacked by Rell-4


I logged on to my site today to find that the welcome message had changed to hacked by Rell-4.

I have placed the site in maintenance.

I am after some help to identify how it happened and how to prevent it happening.

There were no new users or admins added to my SQL tables.

Help please
Attachment: pic1.jpg
Description A pic of the home page with the welcome message changed.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
unix / Apache 2.2.15 / MySQL 5.0.92 / PHP 5.3.8/ CMS 9.4.0.0


That doesn't look like the usual welcome message - looks more like a normal block.

Rell-4 does a lot of (faulty) server level attacks - you need to contact your host first.

DonationsPro for DragonflyCMS & SMF



Sorry Phoenix, but it is the messages from within the admin module.

The only way I can access it is through the admin menu, then Messages



If IP Tracker was installed it might have provided some clues, but you really need to go through your server logs.

It's the first step that anyone should carry out, otherwise we're working in a vacuum.

From some info provided to Nano, it appears the time was Mon, 26 Dec 2011 13:30:47 GMT.

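One way to carry out the log review suggested above, as an added example that is not part of the original posts or of DragonflyCMS: it narrows an Apache combined-format access log to the requests within a few minutes of the time quoted in the thread and flags POSTs and admin-script requests. The sample log lines, the IP addresses and the `admin.php?op=messages` URL shape are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Time of the change as quoted in the thread.
INCIDENT = datetime(2011, 12, 26, 13, 30, 47, tzinfo=timezone.utc)

# Apache "combined" log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample (documentation IPs, assumed admin URL shape); not from the affected site.
SAMPLE_LOG = """\
198.51.100.7 - - [26/Dec/2011:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Dec/2011:13:29:58 +0000] "GET /admin.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Dec/2011:13:30:47 +0000] "POST /admin.php?op=messages HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Dec/2011:14:31:10 +0100] "GET /index.php?name=News HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
this line is truncated and does not parse
198.51.100.20 - - [26/Dec/2011:18:02:33 +0000] "POST /index.php?name=Forums HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

def requests_near(log_text, incident=INCIDENT, minutes=5, admin_hint="admin.php"):
    """Return (hits, unparsed): requests within +/- minutes of the incident.

    Each hit is (utc_time, ip, method, url, status, flagged); flagged marks
    POSTs and admin-script requests, the ones able to change site content.
    """
    window = timedelta(minutes=minutes)
    hits, unparsed = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # count odd lines instead of silently dropping them
            continue
        # %z honours the log's own UTC offset, so a +0100 host compares correctly.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        if abs(ts - incident) > window:
            continue
        flagged = m["method"] == "POST" or admin_hint in m["url"]
        hits.append((ts, m["ip"], m["method"], m["url"], int(m["status"]), flagged))
    return sorted(hits), unparsed

if __name__ == "__main__":
    hits, unparsed = requests_near(SAMPLE_LOG)
    for ts, ip, method, url, status, flagged in hits:
        print("!!" if flagged else "  ", ts.isoformat(), ip, method, url, status)
    print(f"{unparsed} unparsed line(s)")
```

An empty window around a confirmed change time is itself a finding: it points away from the web front end and toward FTP, the database or the server, which is where the FTP log comes in.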


Just to keep everyone updated, as far as I can see the website is running quite a few phpnuke-ported modules, most likely never updated since support was dropped by each maintainer, probably years ago.

It is highly possible that one, or more, of those modules contain security holes; logs and/or IPT will help find the source of the issue.

.:: I met php the 03 December 2003 :: Unforgettable day! ::.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
CloudLinux / Apache 2.4 LSAPI / MySQLi 5.6 / PHP 5.6 / DCVS


I have requested the logs and hope to have them soon.

I have spoken to the site's other admins and they have indicated that they had very simple passwords as well.

As Phoenix has said earlier, it may have been done at server level and not necessarily at CMS level.



I have just been informed the only logs I can have access to are the FTP log and the last 300 visitors to my site.

Apparently the cPanel they (site host) use doesn't log access to phpMyAdmin, so I have no info for you to follow.



All I can tell you is to disable all the unsupported modules.

Seek support; if found, look for updates. If not found, disable the module.

I'll invite you to share your findings; it may be possible that it draws attention, interest and, why not, focused help.

However, after installing IP Tracker you will have your own logs.



I have completed my review of the installed modules. I found nothing outstanding or that might be vulnerable.

I have tabled it in an xls and posted it for review if anyone is interested or can provide some advice.
Attachment: df cof site.zip
Description results of review



Brilliant list!

I see there are some of our own cvs modules that fail to upgrade; I need to have a look at it ...

FAQ module in downloads is 2.0.2, but in cvs is still 2.0.1.2 ... gone out of sync here ...



I am having theme trouble since the hack and am not sure what is going on :-?. I don't think the hack is to blame, but the index.php page was working fine prior to the hack.

Diz was working on fixing the whole theme, but no updates as yet 😢. Does anyone know why the theme has gone funny after the hack?

Or better still, what they changed to make the home screen look so out of order. The right blocks appear at the bottom of the screen etc.

The theme only has the problems when there is a right block set up.



I would like to thank the team here at dragonflycms for helping me resolve the issues and getting my site back up and running quickly after the attack.

Thanks Guys



No problem mate, sad we had no logs or any good clue to find the hole, if any. This guy is known to perform attacks from within the server.


All times are UTC

