Infected v1.4.2 Site - Suggestions Welcome

Discuss phpwcms here, please do not post support requests, bug reports, or feature requests! Non-phpwcms questions, discussion goes in General Chat!
Post Reply
VITWNOW
Posts: 11
Joined: Mon 8. Dec 2008, 02:10

Infected v1.4.2 Site - Suggestions Welcome

Post by VITWNOW »

In the middle of November, 2015, a client contacted me regarding a site built in 2009 using version 1.4.2 of phpwcms. It had not been upgraded since but had been working without issue for years. Upon investigating, the home page and all pages return a blank screen. The root folder on the hosting account included a recent php file with with an obscure name and content (i.e. <?php $commissioners ='J_r?l';$fable='?';$fevered = 'seAs'; $crawled= ')';...). Removing the file had no positive effect. The administrative backend functions normally and all pages appear to be intact, however, it is not possible to preview any pages. A quick visual scan of the MySQL database looks okay as well. Admittedly, I have not done a thorough investigation neither of the client's files/database nor of this forum but thought that this community might provide direction to reduce the effort. I intend to install the latest version of PHPWCMS and, assuming the structure is similar, apply the customization (files and load certain tables using SQL from a backup). Thank you in advance for information you can provide regarding similar corruption and recommended actions to avoid recurrence.
Old Boy
Posts: 1203
Joined: Fri 23. Nov 2012, 13:52

Re: Infected v1.4.2 Site - Suggestions Welcome

Post by Old Boy »

Is there any change of the PHP version in the last time?

If PHP has changed to PHP 5.5+ , please have a look into the following file!

https://github.com/slackero/phpwcms/wik ... th-PHP5.5-


Just 1 hour ago, i have had the same problem (white pages) with an 1.4.2 and an 1.4.7 Installation :shock:

And the little code-changing did the job :D


Give it a try ... only 5 minutes, and we know :idea:
VITWNOW
Posts: 11
Joined: Mon 8. Dec 2008, 02:10

Re: Infected v1.4.2 Site - Suggestions Welcome

Post by VITWNOW »

PHP Version 5.2.17. I'll take a look though and let you know. Fingers crossed. Thanks.
VITWNOW
Posts: 11
Joined: Mon 8. Dec 2008, 02:10

Re: Infected v1.4.2 Site - Suggestions Welcome

Post by VITWNOW »

I made the change to the boolval section within general.inc.php but the issue persists. Thanks for the suggestion tho.
VITWNOW
Posts: 11
Joined: Mon 8. Dec 2008, 02:10

Re: Infected v1.4.2 Site - Suggestions Welcome

Post by VITWNOW »

I compared a site backup against the hosting server's file list and found/removed the following questionable files in various folders. All contained similar cryptic code. After removal, index.php on the 1.4.2 site was functional:

size filename
------ ------------------------------------------
5,263 compat-mootools-core_backup.php
5,263 default_infoold.php
5,418 f3cee429_bck_old.php
4,876 filebrowser_new.php
4,876 filehelp_prevv1.php
5,263 line-lightgrey-dotted-538_new.php
5,263 slider_ver1.php
5,418 ss_image.colortohex_prevv1.php
4,876 tableftG_indesit.php
5,418 userFontSize_big_new.php

I will upgrade the site in the hopes that the latest version prevents further infiltration.
User avatar
Oliver Georgi
Site Admin
Posts: 9888
Joined: Fri 3. Oct 2003, 22:22
Contact:

Re: Infected v1.4.2 Site - Suggestions Welcome

Post by Oliver Georgi »

often it's not phpwcms that is the base of injection — side loaded based on other scripts like Wordpress or just based on leaked accounts of customers (too weak passwords and so on). A hint is that there are only a few known installations. But never say never.

Sure, the best is to update the installation. Also update passwords and let all users having access by ftp and/or to the backend proof their system against malware/Trojans…
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
Post Reply