Opened 6 years ago

Closed 6 years ago

#6992 closed Bug/Something is broken (fixed)

Viagra ads when you google our site

Reported by: https://id.mayfirst.org/lmestres Owned by: https://id.mayfirst.org/ross
Priority: Medium Component: Tech
Keywords: site-compromised google pharma-hack Cc:
Sensitive: no

Description

Here is a link when you google Brecht Forum:

https://www.google.com/search?q=brecht+forum&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

Is there anything we can do to fix this?

Change History (6)

comment:1 Changed 6 years ago by https://id.mayfirst.org/ross

  • Keywords site-comprmised added

Hi Liz,

I found one corrupt file 'common.php' in web root. I've moved it to your home directory, out of the way. I don't know if this will fix the problem, but we can wait and see.

~/ross

comment:2 Changed 6 years ago by https://id.mayfirst.org/ross

  • Owner set to https://id.mayfirst.org/ross
  • Status changed from new to assigned

comment:3 Changed 6 years ago by https://id.mayfirst.org/dkg

  • Keywords site-compromised google added; site-comprmised removed

It's probably also worth reviewing the site's database for any corrupted content (e.g. at least mysqldump --skip-extended-insert $dbname | grep -i viagra or something), and checking the modification date on the corrupted file to try to track down when the compromise happened. If some user's password was cracked in order to be able to make these changes, it would be good to know, and worth changing the password on that account.

We can also do better than "wait and see" with regard to Google's decisions and representation about the site. Google has some directions about what to do to get Google to review the site after cleanup (I found that link by clicking on the "this site may be compromised" link from the search page, and then following the webmaster "instructions" link on that page). I know Google changes what they display for different people, but those links were present for me when I followed lmestres's link anyway.

comment:4 Changed 6 years ago by https://id.mayfirst.org/ross

  • Keywords pharma-hack added

I have figured out how the hack worked. It's deemed the Pharma hack and you can read about it here:

http://blog.aw-snap.info/2011/02/pharmacy-hack.html

In the version you were subject to, the hack was able to get write access to the file system and put a PHP file on the site. I have not figured out how this vulnerability. Once they had write access, they added to the .htaccess file directing all Google and Yahoo robot traffic to group.php, which subsequently rewrote the page to include the spam content.

In the process of debugging this site, I also discovered numerous .csv files in the web directory fully accessible, which listed over 2000 Brecht Forum contacts. You should not be storing such files such that the whole world can download them. I have moved them into ~/backup-csv.

This site really needs to be cleaned up. There is one security update for Organic Groups that should be implemented immediately, but please try to walk through the whole site and remove any unnecessary or unused modules and content that does not need to be seen by the world, files like this one:

http://brechtforum.org/CiviCRM_Member_Search_10641b9e0be8fbeab1fb0bfbd2c57458.csv.error.log

Anyway, I also made the .htaccess file unwritable, so this particular hack should no longer be possible.

~/ross
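An added detection check for the .htaccess cloaking pattern ross describes in this comment (example code written for this page, not the ticket's, May First's or Drupal's own): it walks an .htaccess file and reports RewriteRules that fire only for search-engine user-agents and hand the request to a PHP file. The .htaccess sample inside is constructed; only the target name group.php is taken from the comment above.

```python
"""Flag RewriteRules that cloak search-engine crawlers into a PHP script.

mod_rewrite semantics assumed: each RewriteCond applies to the next
RewriteRule only, so conditions are collected until a rule consumes them.
"""
import re

# User-agent tokens crawlers announce; the hack keys on these, not on humans.
CRAWLER_UA = re.compile(r"googlebot|google|yahoo|slurp|bingbot|msnbot", re.I)

# Constructed sample: a Drupal-style clean-URL block plus an injected cloaking
# rule of the kind described in the ticket (not the real file from the site).
SAMPLE_HTACCESS = """
# clean URLs
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} (googlebot|yahoo) [NC]
RewriteRule ^(.*)$ group.php?q=$1 [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
"""


def find_crawler_cloaking(htaccess_text):
    """Return (user_agent_pattern, rewrite_target) pairs for suspicious rules.

    A rule is suspicious when at least one of its RewriteCond lines tests
    %{HTTP_USER_AGENT} against a crawler name and its target is a .php file.
    """
    findings = []
    pending = []  # RewriteCond (variable, pattern) pairs awaiting a rule
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append((parts[1], parts[2]))
        elif directive == "rewriterule":
            target = parts[2] if len(parts) >= 3 else ""
            ua_conds = [pat for var, pat in pending
                        if var.upper() == "%{HTTP_USER_AGENT}"
                        and CRAWLER_UA.search(pat)]
            # Strip any query string before checking the script extension.
            if ua_conds and target.lower().split("?")[0].endswith(".php"):
                findings.append((ua_conds[0], target))
            pending = []  # this rule consumed the pending conditions
    return findings


if __name__ == "__main__":
    for ua_pattern, target in find_crawler_cloaking(SAMPLE_HTACCESS):
        print(f"crawler-only rewrite to {target} (user-agent {ua_pattern})")
```

Run it against the site's real .htaccess after restoring the file, and compare any hit with the modification date check dkg suggests above.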

comment:5 Changed 6 years ago by https://id.mayfirst.org/ross

  • Resolution set to fixed
  • Status changed from assigned to feedback

comment:6 Changed 6 years ago by automatic

  • Status changed from feedback to closed

No news is good news (we hope)! Given the lack of feedback, we think this ticket can be closed.
