Having trouble cleaning up Concrete5 after rr.nu hack


#1

I’ve been able to clean up my WordPress installations (still in progress, actually), but I’m struggling to get the last vestiges of this stupid recent hack out of my Concrete5 site. I think I got rid of most of it, but it’s still not all the way there…

Any ideas?

The site is valposhelter.org, if it helps to look at it.


#2

use sed


#3

Did you make a backup of the site directory before beginning to clean it?


#4

Hey sXi, I’m sure you’ve already considered this, but what about setting up a few honeypots in secured users with apps containing known vulnerabilities? You might have a steady source of new scripts…


#5

Well, I don’t know how to use sed, so I didn’t go that route. I’d downloaded all the files and an export of the MySQL database before starting anything. Then I started using TexFinderX to search and replace all the crap at the beginnings of every php file here on my local copy. But the junk was still in there somewhere, and I was having no luck finding it. (Sed or TexFinderX or whatever tool you use only works if you know what you’re looking for. I don’t know what code was sticking that stupid rr.nu crap in there. I couldn’t find it.)

So I just moved all the files on the server into a temp folder (much faster than deleting them with my ftp program) and uploaded a freshly downloaded version of Concrete5 4.2.2. I had to create a new database to install it into, then switch it back to the old database once it was installed. Oh, and I had to re-upload the theme I’d been using. Voila. Problem solved.

For now, anyway. :slight_smile:
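The approach in post #5 (put a freshly downloaded copy of the same Concrete5 version next to the infected tree) also gives a way to find the injected files without knowing the injected string: any PHP file whose content differs from the clean copy, or that exists only in the site tree, is a suspect. The script below is an added example, not code from the thread; the clean and site directory names and the sample trees are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: compare a site tree against a freshly downloaded copy of the
# same Concrete5 release and report PHP files that differ from, or are absent
# from, the clean copy. MODIFIED files are where prepended junk would sit;
# ADDED files (anything the attacker dropped, but also your own theme files)
# need manual review before deletion.

# find_modified CLEAN_DIR SITE_DIR
# Prints one line per suspicious file, prefixed with MODIFIED or ADDED,
# in sorted path order.
find_modified() {
    clean="$1"
    site="$2"
    (cd "$site" && find . -type f -name '*.php' | sort) | while read -r f; do
        if [ ! -f "$clean/$f" ]; then
            echo "ADDED $f"
        elif ! cmp -s "$clean/$f" "$site/$f"; then
            echo "MODIFIED $f"
        fi
    done
}

# Constructed sample trees (not a real Concrete5 install) so this runs offline.
# Returns the temporary base directory containing clean/ and site/.
make_sample() {
    base=$(mktemp -d)
    mkdir -p "$base/clean/concrete" "$base/site/concrete"
    # identical file: should not be reported
    printf '<?php\necho "hello";\n' > "$base/clean/index.php"
    printf '<?php\necho "hello";\n' > "$base/site/index.php"
    # file with a constructed junk prefix prepended, like the rr.nu injection
    printf '<?php\nreturn 1;\n' > "$base/clean/concrete/dispatcher.php"
    printf '<?php /* constructed injected prefix */ ?>\n<?php\nreturn 1;\n' \
        > "$base/site/concrete/dispatcher.php"
    # file that exists only in the site tree
    printf '<?php\n// not part of the clean release\n' > "$base/site/concrete/x.php"
    echo "$base"
}

# Stand-alone demo run against the constructed trees.
demo_base=$(make_sample)
find_modified "$demo_base/clean" "$demo_base/site"
rm -rf "$demo_base"
```

On a real site run it as `find_modified /path/to/fresh-concrete5 /path/to/site`, and check MODIFIED files first; the database export should be searched separately, since injected content can also live in stored page blocks.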


#6

First thing I did haha :smiley:

[quote="richschmidt, post:5, topic:57202"]I don’t know what code was sticking that stupid rr.nu crap in there. I couldn’t find it.)

So I just moved all the files on the server into a temp folder (much faster than deleting them with my ftp program) and uploaded a freshly downloaded version of Concrete5 4.2.2. I had to create a new database to install it into, then switch it back to the old database once it was installed. Oh, and I had to re-upload the theme I’d been using. Voila. Problem solved.[/quote]

Did you remove anything that might have been an entrypoint for the exploitation, or have you just reset everything back to the way it was before and are hoping that the bot will forget about the site?