Hacked website

[kunago]

Today while browsing some of my websites I found out one website was hacked. It's hard to tell what has been modified but at first sight there are new files in the root, new files in the site and in site dir there is a new dir "classes", where the file "HomePage.php" is extending "Page". I am not a big professional in this but the hack seems to be targetting ProcessWire.

If there is some security team, I am willing to send the website backup so you can investigate for any security holes.

[alexm]

Interesting! And you’re certain it’s not your hosting that has in fact been compromised? Be it your login details to access cPanel or similar, or if you are on shared hosting that they’ve not managed to exploit a vulnerability on that side of things?

You could ask your hosting provider if there is anything interesting in your access logs etc.

Do you have forms on your website and if so, are they sanitising the data? Is there any old modules or JavaScript libraries?

Is ProcessWire up to date?

I’m no security expert, but these would the key areas I would be asking questions about that come to mind right off the bat.

[kunago]

It's running on my own server so there's really no hosting company to ask for logs. I reviewed my security setup and it seems to be all fine. There are no forms on the site and no login could have been compromised as I am the only admin with the login. There is just one extra user with regular privileges with no access to shell anyways.

No, it was not the latest version of Processwire. I updated as soon as I noticed. Later on I found the core "wire" folder had some extra files as well. I looked at a backup from 2 weeks ago and it differed from the one from last night. There were some new files. Apparently someone was actively messing with it.

I have a backup 2 weeks old, from last night; today I upgraded and will monitor whether there are any changes in root, site or wire dirs.

What is odd though is the "class" folder with files trying to hack the Page class.

No idea what's going on but I will set an extra log for monitoring that specific site.

[wbmnfktr]

You see this?

 

That's fine! It's part of ProcessWire since version 3.0.152 - see here:

https://processwire.com/blog/posts/pw-3.0.152/#new-ability-to-specify-custom-page-classes

 

9 minutes ago, kunago said:

What is odd though is the "class" folder with files trying to hack the Page class.

It tries to extend the Page class.

[kunago]

Oh, okay, thanks. I don't see it in any other website and did not notice it anywhere else. However, it's not only this file being present on the server. Thank you for clarification.

So I guess it is a generic hack using...who knows what security hole. Hopefully not something undiscovered yet. I have an up to date version as of today.

[wbmnfktr]

4 minutes ago, kunago said:

However, it's not only this file being present on the server.

Give us a screenshot and list those files, please, so we can check AND please download the whole directory and archive it in case someone wants to look into it further.

[kunago]

I will run a full-text search on the whole website for some strings mostly targeting http headers and creating files, and also hidden timestamp files apparently logging the last activity. Most of the strings are Unicode encoded though.

For sure everything is backed up so if anyone would like to look into it, let me know.

[alexm]

I’ll be intrigued to see what someone more knowledgable than myself finds if and when. The only other thing I can think of is if you have a page that accepts url parameters, say for Ajax requests or something such and those values that get processed aren’t sanitised. But that’s all I’ve got.

[kunago]

Nope, not even any Ajax requests. It's a very simple static site for a hotel having a booking engine page which might be the only one more vulnerable, rather than other pages. But the same booking engine is running on more sites I host and those have not been impacted. Maybe a matter of time, maybe some other issue.

Do you know about any program or ways to test website vulnerability?

[alexm]

7 minutes ago, kunago said:

Do you know about any program or ways to test website vulnerability?

Not that I can recommend. I’d just be doing a google search and suggesting tools that I’ve not used to be straight up honest. Sorry!

[teppo]

Since classes/HomePage.php is part of the default site profile (blank profile) for recent ProcessWire versions, this makes it sound like the site might've been updated and possibly reinstalled.

Would be interesting to know what those new files in wire were, e.g. if they were also files added by an update. Same goes for those new files in root dir as well.

The site shouldn't update on its own, of course, so that still doesn't explain what might've happened in the first place.

Your site didn't have install.php available, by any chance? That, combined with write permission for the web server user, could be one potential gotcha.

This sounds like something that @ryan might want to look into, just in case. With the information we currently have available it is not possible to figure out much more.

[flydev]

2 hours ago, kunago said:

No idea what's going on but I will set an extra log for monitoring that specific site.

But actuals logs, stack and software version plus taking note of all files timestamp before doing any modif should be the minimum to help here.

[wbmnfktr]

When everything is up and running again, as it was before, you could initialize a Git repo on your server.
Every change in every file would be totally transparent from that moment.

At least in theory.

[kunago]

23 minutes ago, wbmnfktr said:

When everything is up and running again, as it was before, you could initialize a Git repo on your server.
Every change in every file would be totally transparent from that moment.

At least in theory.

Good point. I will create a repo.