Thread tagged as: Question, Problem, Discussion

Perch site hacked

Hi,

A client website that I built with Perch got hacked for the second time. I have not been able to determine for sure what the underlying vulnerability is or whether it has anything to do with Perch or not. I figured it was a password breach or permission thing, but now that it has happened again I'm looking into other possibilities. Anyway, we were running the latest Perch 2 release (2.9?). Now, after the second attack, I cleaned the site and upgraded to Perch 3 and enabled PERCH_PARANOID and PERCH_VERIFY_UPLOADS. We don't use SSL, so PERCH_FORCE_SECURE_COOKIES is set to false.

My question: I found this article reporting on "Perch CMS 3.0.3 Cross Site Scripting / File Upload vulnerability". Is that fixed already in 3.0.10? Also, it might be helpful to know if others have advice for keeping their sites safe.

Tim Kinali

Tim Kinali 0 points

  • 3 years ago
Drew McLellan

Drew McLellan 2638 points
Perch Support

Is that fixed already in 3.0.10?

That was fixed before the report was even published, and it only affected one authenticated user being able to attack another authenticated user. So the risk was limited to rogue employees or compromised accounts only. (So a storm in a teacup, pretty much.)

Have you rebuilt the compromised server?

Good to hear it was fixed quickly, but yeah, it doesn't sound like that could have been the issue anyway.

To answer your question, I only have FTP access to the server so after assessing the damage I took these steps:

  1. Backed up the hacked site
  2. Deleted all files on the server, including hidden folders
  3. Changed all the passwords (db, ftp, perch accounts)
  4. Starting from a clean copy from the git repository, I cleaned things up, removing unnecessary folders and checking permissions, tightening it up in a few places.
  5. Copied files in 'Resources' from the backup of the hacked site to the cleaned version (after verifying nothing harmful was in there)
  6. Uploaded everything again

That was the first time. Now the second time I basically did the same thing but also upgraded to Perch 3 and turned on Paranoid mode.

FYI, what they did both times was add a script called config.php in the Perch dir, which is then included directly after runtime.php on the index page. If the user agent is a Google bot, it then appends a query string to the URL that loads spam content through obfuscated files they put in another hidden folder. Also, several backdoors and upload tools were placed in hidden files and folders here and there.

Appreciate any advice!
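The cleanup steps and the indicators described in this post (an extra config.php included right after runtime.php, a branch on the Googlebot user agent, PHP dropped into hidden folders) lend themselves to an automated check. The script below is an added example for this thread, not Perch code: it compares a copy of the live site pulled down over FTP against a clean git checkout and reports added or modified files, PHP files inside dot-directories, files that branch on the Googlebot user agent, and include statements that are not in the clean copy. The paths perch/runtime.php and perch/resources/ are assumptions about the site layout, and the sample trees it builds are constructed for the demo.

```python
"""Post-incident file audit for a Perch deployment (added example, not Perch code).

Compares a downloaded copy of the live site against a clean checkout from git and
collects the indicators Tim describes in the thread. Layout paths are assumptions.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristics taken from the behaviour described in the thread: an include statement
# that is not in the clean copy, and a branch on the Googlebot user agent (spam shown
# only to the search engine). Simple string-literal includes only; constants such as
# include(PERCH_PATH . '/x.php') are not matched by this regex.
INCLUDE_RE = re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]([^'\"]+)['\"]")
CLOAKING_RE = re.compile(r"HTTP_USER_AGENT.{0,80}googlebot", re.IGNORECASE | re.DOTALL)


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def snapshot(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file; pathlib's glob includes dotfiles."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def in_hidden_dir(rel: str) -> bool:
    """True when any directory component of the relative path starts with a dot."""
    return any(part.startswith(".") for part in rel.split("/")[:-1])


def includes_in(path: Path) -> set:
    return {m.group(3) for m in INCLUDE_RE.finditer(path.read_text(errors="replace"))}


def audit(deployed: Path, clean: Path, ignore_prefixes=()) -> dict:
    """Compare the deployed tree against the clean checkout and collect findings.

    ignore_prefixes: directories whose non-PHP contents legitimately differ from git
    (uploaded resources). PHP files under those prefixes are still reported.
    """
    dep, cln = snapshot(deployed), snapshot(clean)
    findings = {"added": [], "modified": [], "hidden_php": [], "cloaking": [],
                "unexpected_includes": {}}
    for rel, digest in sorted(dep.items()):
        is_php = rel.endswith(".php")
        if not (rel.startswith(tuple(ignore_prefixes)) and not is_php):
            if rel not in cln:
                findings["added"].append(rel)
            elif cln[rel] != digest:
                findings["modified"].append(rel)
        if not is_php:
            continue
        if in_hidden_dir(rel):
            findings["hidden_php"].append(rel)
        path = deployed / rel
        if CLOAKING_RE.search(path.read_text(errors="replace")):
            findings["cloaking"].append(rel)
        baseline = includes_in(clean / rel) if rel in cln else set()
        new_includes = includes_in(path) - baseline
        if new_includes:
            findings["unexpected_includes"][rel] = sorted(new_includes)
    return findings


def build_demo() -> tuple:
    """Construct a clean checkout and a tampered deployment in a temp dir.

    All contents are made up for this example; the hidden file is only a marker comment.
    """
    base = Path(tempfile.mkdtemp())
    clean, deployed = base / "clean", base / "deployed"
    runtime_stub = "<?php // Perch runtime stand-in (constructed)\n"
    files = {
        clean / "index.php": "<?php include('perch/runtime.php'); ?>\n<h1>Site</h1>\n",
        clean / "perch/runtime.php": runtime_stub,
        clean / "perch/resources/logo.png": "PNG-bytes",
        deployed / "index.php": "<?php include('perch/runtime.php'); "
                                "include('perch/config.php'); ?>\n<h1>Site</h1>\n",
        deployed / "perch/runtime.php": runtime_stub,
        deployed / "perch/resources/logo.png": "PNG-bytes",
        deployed / "perch/resources/photo.jpg": "JPEG-bytes",  # legitimate upload
        deployed / "perch/config.php": "<?php if (stripos($_SERVER['HTTP_USER_AGENT'], "
                                       "'googlebot') !== false) { /* spam */ }\n",
        deployed / ".cache/.x.php": "<?php // constructed marker for a hidden dropped file\n",
    }
    for path, text in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return deployed, clean


if __name__ == "__main__":
    deployed_dir, clean_dir = build_demo()
    for key, value in audit(deployed_dir, clean_dir,
                            ignore_prefixes=("perch/resources/",)).items():
        print(f"{key}: {value}")
```

Run it against a real download by replacing build_demo() with the two directories, keeping perch/resources/ in ignore_prefixes so uploaded images do not drown out the signal. Anything listed under added, hidden_php, cloaking or unexpected_includes should be reviewed before files from the backup are copied back, which is the verification step 5 above relies on.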

Drew McLellan

Drew McLellan 2638 points
Perch Support

My advice would be to move to a hosting account that uses something a bit more secure than FTP.

FTP sends passwords unencrypted over the wire, so it's fairly easy to hack.