Disallowed Key Characters and no access to Control Panel
Posted: 20 June 2012 09:58 PM
Joined: 2012-06-18
9 posts

Our web site has been inaccessible since last Friday. When I try to login as administrator OR when anyone tries to go to any other sub page, the page is either plain white or more likely it has the three words in the upper left corner, “Disallowed Key Characters.”

We are currently without a support person for EE since our original developer support closed his business and no longer is available.  I need some EE support to figure out how to fix this problem and get access to the EE control page in the admin section of our web site.
The primary site with the problem is http://www.michigandisciples.org
We have a secondary site that is working fine at http://www.michigandisciples.org

I’d appreciate help from support folks here.

 
Posted: 21 June 2012 02:44 PM   [ # 1 ]
Joined: 2011-11-25
7174 posts

Hello NETopliffe,

I am sorry to hear you are running into this problem.

Welcome to the forums, I wish it was under better circumstances.

Both of the URLs that you have listed are the same.

It’s odd, I visited the url and it was fine, I refreshed and it then had the Disallowed Key Characters message.

Do you know if any changes were made right before this started?

Do you have FTP access to the site?

Please let me know and we can go from there.

Do you know what version you are running? That would be in the config file, but if you are not familiar with ExpressionEngine I can help you find that.

Thank you,

Cheers,

 Signature 

Recent version: EE 2.5.4 | Forum Module 3.1.10 | MSM 2.1.4 | 2.x Bug Tracker | Version Upgrade

 
Posted: 22 June 2012 11:23 AM   [ # 2 ]
Joined: 2012-06-18
9 posts

Shane, thanks for the reply. I’ve been busy with other commitments today so not able to get back with you but will still need some assistance. Is someone available tomorrow or should I check back in here on Monday?

 
Posted: 25 June 2012 10:39 AM   [ # 3 ]
Joined: 2011-11-25
7174 posts

Hey NETopliffe,

Well here we are at Monday! Sorry I missed this response before I could let you know.

How are things going?

Cheers,


 
Posted: 25 June 2012 04:39 PM   [ # 4 ]
Joined: 2012-06-18
9 posts

Turns out I’ve been out of pocket until now so no problem in getting back to me today. Some good news. The original developer and I have had contact. He accessed the site and found hacker’s code in a key htpaccess.php (I think I have that name right) file plus 2-3 other new bogus php files that were added. He did clean things up so the web site is working again.

I’m also actively working at finding a new Expression Engine support person but no luck so far. However, it is clear from what I have heard from you folks and our developer, we remain vulnerable to hackers getting into our site again so I need your help from your side to know what we need to do even in the short term to lock things up better.

I now have access to Dreamhost FTP of our site. I am not familiar with Expression Engine. I believe we are running the latest version, certainly it is ver 2.1.3.

In the next email I’ll send you text of two initial emails I received from DreamHost Hackscans support people that showed the vulnerable files and setups that needed changing. This is where I need your help as far as you are able to go. I’ll send those text files and await your follow-up contact with me. Thanks.
Neil

 
Posted: 25 June 2012 04:52 PM   [ # 5 ]
Joined: 2012-06-18
9 posts

Here is the report back from ABUSE Support folks last week. These are the corrupted files that I believe our original developer/support person fixed but I’m not sure he did all of them. He confessed that the security issues were beyond his scope of work experience. I’m not clear about setting up the default ‘755’ permissions setting for directories, and ‘644’ for files. Is that something you can do or tell me how to do? Are there other things we need to do to keep hackers like the one that got into our site from having such access in the future?

Neil Topliffe

- - - - - - - -
[wilboy5 59216844] Web site sign in problem

-----Original Message-----
From: DreamHost Security / Abuse Team [mailto:secalerts@dreamhost.com]
Sent: Tuesday, June 19, 2012 6:08 PM
To: .(JavaScript must be enabled to view this email address)
Subject: Re: [wilboy5 59216844] Web site sign in problem


1) Update all pre-packaged web software to the most recent versions available from the vendor.  The following site can help you determine if you’re running a vulnerable version:
http://secunia.com/advisories/search/

You should check ALL domains for vulnerable software, as one domain being exploited could result in all domains under that user being exploited due to the shared permissions and home directory.

2) Remove ALL third-party plugins/themes/templates/components after upgrading your software installations, and from those that are already upgraded under an infected user.  After everything is removed, reinstall only the ones you need from fresh/clean downloads via a trusted source.  These files typically persist through a version upgrade and can carry hacked code with them.  Also, many software packages come with loads of extra content you don’t actually use and make searching for malicious content even harder.

3) Review other suspicious files under affected users/domains for potential malicious injections or hacker shells.  Eyeballing your directories for strangely named files, and reviewing recently-modified files can help.  The following shell command will search for files modified within the last 3 days, except for files within your Maildir and logs directories.  You can change the number to change the number of days, and add additional grep exception pipes as well to fine-tune your search (for example if you’re getting a lot of CMS cache results that are cluttering the output).
find . -type f -mtime -3 | grep -v "/Maildir/" | grep -v "/logs/"


In scanning your michigandoc user we found 1 hacked files that we were able to try and clean.  Backups of the original hacked files can be found at /home/michigandoc/INFECTED_BACKUP_1340143654 under your user, with a full list of the original files at /home/michigandoc/INFECTED_BACKUP_1340143654/cleaned_file_list.txt.  You should verify that your site is working fully after being cleaned and then delete the INFECTED_BACKUP directory fully.

Likely hacked code / hacker shells that we could not automatically clean were found under michigandoc here:
/home/michigandoc/michigandisciples.org/themes/cp_themes/default/page.php

IMPORTANT NOTE: One or more of your users has been found to have a file or directory with fully open ‘777’ permissions.  This allows full read, write, and execute access to everyone on the server.  This makes your site vulnerable because if there is another user on your server that is hacked or malicious they could be looking to exploit other users with improper permissions.  You should always use the default ‘755’ permissions setting for directories, and ‘644’ for files.  The directories/files listed below have been reset to these values, but you must keep this in mind going forward in case this was a point of intrusion.  More general information on filesystem permissions for Unix/Linux systems can be found here:
http://en.wikipedia.org/wiki/Permissions
- - - - - - - - - - - - - - - - - - - - - - -
Files under michigandoc that had full write permissions:
/home/michigandoc/crystalconferencecenter.org/uploads/_thumbs/Brochures_Composites_Crystal-web_1.jpg
/home/michigandoc/crystalconferencecenter.org/uploads/_thumbs/Pioneer_Place_of_Contemplation.jpg
/home/michigandoc/crystalconferencecenter.org/uploads/_thumbs/SunsetCross3_1.jpg
/home/michigandoc/crystalconferencecenter.org/uploads/_thumbs/crossSunset1.jpg
/home/michigandoc/crystalconferencecenter.org/uploads/_thumbs/016_15A_edited-2.jpg
Listed 5 out of 43 files.  Full list located at: /home/michigandoc/bad_permission_files.txt.
- - - - - - - - - - - - - - - - - - - - - - -

For information specific to WordPress hacks please see:
http://wiki.dreamhost.com/My_Wordpress_site_was_hacked
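As an added example, not part of the thread and not code from DreamHost or EllisLab, here is a small POSIX shell script that packages the three checks from the email above (recently modified files with Maildir and logs skipped, world-writable files and directories, and the 755/644 reset) into functions and runs them against a constructed sample tree. The paths and file names in the sample are made up for the demonstration; on a real account you would point the functions at the home directory (the email's /home/michigandoc) and run the reset only after taking a backup, since it is deliberately blunt.

```shell
#!/bin/sh
# Added example (not from the thread or from DreamHost): an audit of a web
# tree that follows the three checks in the hosting email. It lists files
# modified in the last N days (skipping Maildir and logs, as the emailed
# find/grep pipeline does), lists anything with the world-write bit set
# (the '777' problem), and can reset a tree to 755 directories / 644 files.
# The tree it runs on is constructed below; nothing here is a real path.
export LC_ALL=C   # deterministic sort order for the listings

# Files modified within the last N days, excluding Maildir and logs.
# Same intent as the emailed pipeline, using find's own -path filters.
recent_files() {
    find "$1" -type f -mtime "-$2" \
        ! -path '*/Maildir/*' ! -path '*/logs/*' | sort
}

# Files and directories with the world-write bit set (octal ----2).
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 | sort
}

# Reset to the defaults the email recommends: 755 directories, 644 files.
# Run it on a copy or after a backup; it does not special-case anything.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree: a web root with one world-writable upload
# directory and file, plus a Maildir and a logs directory to be ignored.
make_sample_tree() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/site/images" "$root/site/uploads/_thumbs" \
             "$root/Maildir/new" "$root/logs"
    echo 'sample' > "$root/site/images/image.php"
    echo 'sample' > "$root/site/uploads/_thumbs/photo.jpg"
    echo 'sample' > "$root/Maildir/new/msg"
    echo 'sample' > "$root/logs/access.log"
    chmod 777 "$root/site/uploads/_thumbs" "$root/site/uploads/_thumbs/photo.jpg"
    echo "$root"
}

# Stand-alone demonstration on the constructed tree.
demo_root=$(make_sample_tree)
echo "Modified in the last 3 days:";  recent_files "$demo_root" 3
echo "World-writable:";               world_writable "$demo_root"
fix_permissions "$demo_root"
echo "World-writable after reset:";   world_writable "$demo_root"
rm -rf "$demo_root"
```

The recent-files listing is the starting point for the manual review the email asks for: anything modified in the window that the site owner did not change is worth opening. The world-writable listing answers the email's permission warning directly, and running it again after fix_permissions confirms the reset took.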

 
Posted: 25 June 2012 04:57 PM   [ # 6 ]
Joined: 2012-06-18
9 posts

Here is the response with the results of a second scan by Nate Y at Dreamhost Abuse dept. on 6/21/12 [wilboy5 59302923]. These are the files that were fixed/deleted by my original michigandisciples.org web developer/supporter. I send this FYI at this point. My question to you: should I ask Nate Y to run another scan now that the files have been repaired to be sure everything has been caught or is this something you can do?

- - - - - -
Hello,

I think I found the issue. There’s code in your .htaccess file that’s redirecting visitors to your site through a file called images/image.php when they’re referred from one of the major search engines.

The offending .htaccess file is here:

/home/michigandoc/michigandisciples.org/.htaccess

The file it’s redirecting requests through is here:

/home/michigandoc/michigandisciples.org/images/image.php

I ran the scan again and it turned up the same file it did last time:

/home/michigandoc/michigandisciples.org/themes/cp_themes/default/page.php

If you have any questions or need any additional assistance, respond to this message. I am always happy to help!

Thanks!
Nate Y


- DreamHost Abuse/Security Team
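As an added example, not part of the thread and not the actual contents of the .htaccess Nate describes (those are not shown here), this POSIX shell script flags the pattern he found: a RewriteCond on HTTP_REFERER naming a search engine, followed by a RewriteRule that sends the request through a PHP file. It runs on two constructed .htaccess files, one with a referrer-keyed rewrite into images/image.php and one with only the ordinary ExpressionEngine index.php routing rule. A hit is a prompt to read the file by hand, not proof on its own.

```shell
#!/bin/sh
# Added example, not from the thread or from DreamHost: a check for the
# kind of .htaccess tampering described above, a RewriteCond keyed on the
# HTTP_REFERER of a search engine followed by a RewriteRule into a PHP
# file. Both .htaccess files below are constructed for the demonstration.

# Print each suspicious RewriteRule prefixed with its file name.
# Exit 0 if any were found, 1 otherwise. A rule is suspicious only when
# the preceding RewriteCond lines test HTTP_REFERER for a search engine,
# so the usual ExpressionEngine index.php rule is not reported.
suspicious_htaccess() {
    awk '
        /RewriteCond/ && /HTTP_REFERER/ && tolower($0) ~ /google|bing|yahoo|msn/ { cond = 1; next }
        /RewriteRule/ && cond && /\.php/ { print FILENAME ": " $0; hits++ }
        /RewriteRule/ { cond = 0 }
        END { exit hits ? 0 : 1 }
    ' "$1"
}

# Constructed sample: a referrer-keyed redirect followed by a normal rule.
make_sample_htaccess() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} google [NC,OR]
RewriteCond %{HTTP_REFERER} bing [NC]
RewriteRule ^(.*)$ images/image.php [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php/$1 [L]
EOF
    echo "$f"
}

# Constructed sample: only the ordinary ExpressionEngine routing rule.
make_clean_htaccess() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php/$1 [L]
EOF
    echo "$f"
}

# Stand-alone demonstration on both constructed files.
for f in "$(make_sample_htaccess)" "$(make_clean_htaccess)"; do
    if suspicious_htaccess "$f"; then
        echo "  -> review $f by hand"
    else
        echo "$f: no referrer-keyed rewrites into PHP"
    fi
    rm -f "$f"
done
```

To sweep an account, call suspicious_htaccess on every .htaccess under the home directory (find with -name .htaccess) and keep the list of files that exited 0. The referrer test is what makes this redirect hard to notice from the owner's browser: a direct visit never triggers the rule, while visitors arriving from a search engine are sent through the PHP file.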

 
Posted: 25 June 2012 11:25 PM   [ # 7 ]
Joined: 2012-06-18
9 posts

Shane, I now have access to EE control panel for michigandisciples.org but have not had any experience with EE.
There are three alert messages, two saying permissions need to be changed to 666 in config.php and database.php files. Another message says another file needs to be changed to 777 permissions. I do not know how to do this.

 
Posted: 26 June 2012 05:17 PM   [ # 8 ]
Joined: 2011-11-25
7174 posts

Hey NETopliffe,

You need to remove that file asap or ask your hosting provider to do it for you.

If you have an ftp program like filezilla, you can right click on the listed files and change their perms.

It might also be worth your time to hire an admin for an hour of work to get rid of the hack and get EE setup correctly, might even be worth upgrading at the same time to 2.5.2. But that is your call. I will help you as best I can.

DreamHost has had a rash of security issues in the last few months, we have seen a lot of those here on the forums. You will want to really make sure that your files are clean, or these issues will just return.

Please let me know if I can be of more help.

Cheers,


 
Posted: 26 June 2012 06:36 PM   [ # 9 ]
Joined: 2012-06-18
9 posts

Hey Shane,
The .htaccess file has been cleaned up and other hacked phony files also have been deleted.
I believe I now have ftp Dreamhost access so can go in and change perms on the files in question. Thank you for telling me how I can do that.

I have been trying since last week to get an EE PRO person to reply to me and/or agree to look at our site/project. Finally today I’ve had a response and in process of getting them to fix our site, including upgrading to 2.5.2.

Thanks for the heads up re Dreamhost security issues. The concern for issues returning is exactly my anxiety in trying to get someone on this asap.

You have clarified some things and given me some helpful info to keep moving forward. Thanks.

Neil

 
Posted: 27 June 2012 04:17 PM   [ # 10 ]
Joined: 2011-11-25
7174 posts

Hey Neil,

It’s my pleasure! I’m really glad to hear that you are getting a pro to help and that you are upgrading at the same time. Very smart.

If you cannot get DreamHost cleaned up, take the opportunity to move to a different hosting service while you have a pro there. I am sure your pro will have their own opinions about hosting solutions. I am not trying to tell you where to host your site, or that DreamHost is bad. Trying to make sure you use your Pro for all they are worth so that you are happy when all is said and done. Peace of mind is a great thing.

Is there anything else I can help with?

Cheers,


 
Posted: 27 June 2012 04:34 PM   [ # 11 ]
Joined: 2012-06-18
9 posts

Thanks.
Does DH have to send me an email to have permission to use FTP software? If so can you do that for me. I’m using FTP Voyager and can’t seem to get it to log me in.

Neil

 
Posted: 27 June 2012 04:35 PM   [ # 12 ]
Joined: 2011-11-25
7174 posts

Hey Neil,

You should have the login details in an email somewhere from DH. It’s a part of the welcome email.

Cheers,


 
Posted: 27 June 2012 04:40 PM   [ # 13 ]
Joined: 2012-06-18
9 posts

ooops, you are EE! Not DH. My bad.

 
Posted: 28 June 2012 01:27 PM   [ # 14 ]
Joined: 2011-11-25
7174 posts

Hey Neil,

No worries!

Cheers,
