Site has been temporarily disabled as it has been flagged as compromised

[martcol]

I have built a site for a friend that is currently in a sort of temporary state waiting for the friend to get around to providing more information. It has all of its structure in a password protected "test" folder and the only thing available to the public is a home page with an "Under Construction" message and a contact page with the Tectite formmailer script. It's about the 4th site I've used it on without difficulty and without knowing the first thing about PHP.


When I did that of course, I thought it would be a couple of weeks but it has stretched out to months and I'd pretty much forgotten about it. In the last couple of days I the site owner had a message from the host titled: "This site has been temporarily disabled as it has been flagged as compromised. It is being used for malicious purposes" which to me looks pretty alarming!

I'll post the email copy at the bottom. I have had a look around the folders on the site and can't find anything untoward anywhere. It all looks the same as what I uploaded. The only thing I can think of is that I use the Tectite form mailer and whether I might have been subject to a malicious attack or attempt?


Obviously, I don't know what to do or what might be wrong. The form on the site still works as does the rest of it. I don't want to go fiddling with it and make things worse. There's honestly, nothing else there. No Javascript, some static pages, CSS files and images. That's it.

Thanks in advance

Martin

Message from Host:

Site scripting was disabled today after it was noticed that the site was launching processes used for malicious purposes. The attack appeared to be distributed and controlled from a remote location. In the site directory structure we discovered "backdoor" scripts, and scripts written to probe the server and remote sites. These appear to have been installed on the site through the use of vulnerabilities in the site scripting.

Generally this is usually achieved in one of several ways. a) Site allows arbitrary uploads -- an easy way to get scripts onto a site. b) Site allows the "inclusion", via PHP, of remote text. c) Site allows the running of code from a remote location. d) Site has directories with permissions that allow anyone to create files there.

Unfortunately the above site seems to allow most, if not all, of these, and, once the infected files have been used by an attacker, the site is known to be vulnerable and this information is then distributed around cracking si!tes.

This means that another attack is very likely unless the vulnerabilities are removed. What needs to be done now... 1) backup the database and ensure the passwords are all recorded. 2) backup the site, but mark it as unclean so that is never re-used. 3) remove the entire site. 4) change the FTP and database passwords. 5) if the site connects to any external data-sources - databases, mail servers, RSS feeds, etc. Change the password there as well, and then modify the scripts as necessary. 6) download the latest versions of the software used for the site. Again - do not rely on version numbers being the same. 7) upload and configure the new software, to get the site back as it was. 8) ensure no directories are writable by any other user. So, "drwxr-xr-x", not "drwxrwxr-x", or "drwxrwxrwx". (chmod 0755) 9) remove any installation files - typically named something like "INSTALL.php" 10) contact us so we can re-enable the site. As these infections commonly come via add-on modules, extensions and themes, we would suggest limiting these to only
those necessary and taking care to ensure they come from the home-site of the module provider (as many themes / modules / extensions are available __pre-infected__ on third-party sites.).

A simple way to remove the ability for attackers to use options "b", and "c", in the list above is to add a "php.ini" file at the top-level of the website with the following contents - be aware though, that the site will need testing afterwardsd to ensure that no legitimate actions are affected by this. The php.ini directives are... allow_url_include = "0" allow_url_fopen = "0"

[russellr]

Hi,

Tectite FormMail has always been safe against major attacks.

The only exception has been some potential Cross Site Scripting attacks , but these have been resolved and are generally considered minor. So, make sure you're using the latest version of FormMail.

However, if you setup FormMail incorrectly or modify the logic of the script, you can break the security. It's generally not something that would be easy to do, but it is possible.

So, I recommend you ask your host these questions:

1. In exactly what script or system have they detected a problem?
2. What evidence do they have there is in fact a problem?
3. Do they have some standard test of which you can see the results?

If they claim there's a problem in FormMail and can provide evidence of the problem, we'll investigate and, if there is a problem, we'll solve it.

[martcol]

Thanks for your offer to help Russllr.

I have been in touch with the host and they say, "we did have a problem with our detection scripts when the site was flagged up as being hacked. What I would suggest is that if it happens again to contact us." And they said sorry.

So, I am guessing that it had nothing to do with the script or my site but was a freak event.

Needless to say, I'm releived.

Regards

Martin

[russellr]

Hi,

That's good news.

It's nice when there is actually no problem to be investigated!