
1 Jul 16, 2007 01:20    

My b2evolution Version: Not Entered

After a breach(s) I reported in another thread I wiped our server and began again. I have reinstalled B2's at the latest version plus some static HTML files and some images.

We've been exploited again and it's getting kinda heavy. Some of this needs to be disclosed in PM's with moderators and/or devs.

I'm gathering information right now but my current info is that the exploit is B2 specific.

2 Jul 16, 2007 01:32

So the attack was done with only b2evo installed? If so, what skins and plugins were you running? Maybe what you could do is supply a phpinfo page, and a .zip of your entire site and database, of course cut out your passwords and sensitive data, mysql database info is all hashed so no need to worry about that. That would be the surest way to try and duplicate it. Providing you trust me ;)

3 Jul 16, 2007 01:41

I trust you Baluptin but something else just occurred to me. The exploit appears to be in a directory filled with static HTML files but which are actually Blogger (yes google) blogs. I used this before I discovered B2. As setting up a blogger account to run on your own server rather than blogspot requires FTP I wonder if this could be the area of vulnerability.

4 Jul 16, 2007 01:45

Is this folder in the standard b2evo distribution? Like am I able to check it out right now?

- balupt[u]o[/u]n ;)

5 Jul 16, 2007 07:28

sorry balupton I went to bed right after that last post. Yes you could check out that directory but I can't leave it much longer as I am getting the usual messages from our host that are usually followed by a shutdown.

The directory is not in a B2 install. It's like before: B2 is/was used as the gateway but the files can be placed anywhere.

Where they are now caused me to wonder if the weakness could be our old blogger blogs as they were updated by FTP. I realise now this can't be the fault cos I've deleted all FTP accounts and changed the main password.

The guy who alerted me to this has given me info relating to the nature of this.

The scammer has a method of hacking a particular type of blog.
Apparently you have that blog software.
You may need to take the blogs offline.

B2 is the only blog software I have running

6 Jul 17, 2007 08:34

Our site/sites is/are down again which is quite disastrous and embarrassing as it represents many publicly funded community projects.

I'm proposing to move web hosts. We currently operate a managed server and the only way to go is quite a financial leap. However I feel I must do this to get more solid hosting. Our current host may not be responsible for the exploit but they certainly could be more helpful and understanding rather than simply shutting us down. I've spent ages cleaning off the server and re-installing which I shall have to do all over again.

I'm concerned to be hearing nothing here in this forum about the exploit that has occurred. I have strong indications that the breach has been achieved through B2 Evolution although I don't have specific details. Indeed much of this is way over my head. I'm running 1.10.2 in all instances now.

7 Jul 17, 2007 17:33

stevet the people who can do something pay attention to this type of thing and work on it, but don't expect anyone to ever say "wow that's a big giant hole in security that anyone with no moral code can exploit very easily". Think about it okay? If you had access to the core files and learned that there was a hole would you brag about it, or fix it then point out how everyone needs to upgrade? Are you absolutely sure it's a b2evolution issue? Someone saying "it's your blog" is not really convincing - is it? BY THE WAY I HAVE NO KNOWLEDGE OF HOW HACKING HAPPENS OR IF THIS APP IS GOOD OR NOT WRT SECURITY but I'll believe the dev team long before I believe "some guy said it's your blog". No offense there okay?

Change ALL your passwords. FTP, host login, blog admin, all of them. Everything!!! Change hosts if your host can not tell you - absolutely and without a doubt - exactly how the hacker hacked you. Remember they are in business and therefore MIGHT say whatever it takes to get your money next month.

8 Jul 17, 2007 17:47

I hear what you're saying EdB and to be honest I wondered if it might be the case. However since nobody has asked for any further details I struggle to see how any investigation into it might be happening. As I am in the dark I wish I could get a bit of reassurance s'all.

And the disclosure thing cuts both ways. I have not fully disclosed the info imparted to me because I don't think I should on a public forum.

How I've come to believe it "MAY" be B2 is based partly on what I've learned and partly by a process of elimination and deduction. I wiped my server and there is nothing much more on there other than B2 installations. Anything else is just a few static HTML files and images.

I'm not knocking B2 and I'm not accusing it of being insecure. I have every respect for the people who developed this fantastic software and everyone who supports it.

9 Jul 17, 2007 18:50


FYI ... our blog was recently hacked and all we run is b2evolution, but it wasn't b2evolution - it was a cPanel security hole, which allowed hackers to gather FTP account information.

Even though you're only running b2evolution software as an end-user application, there are a myriad of other (underlying) applications that are running on your host - cPanel, FTP, apache, mySQL and PHP, just to name a few.

Our hackage was apparently quite different than yours (an IFRAME link to some Real Estate site was appended to the end of every HTML and PHP file on our website).

Our fix was easy. (1) Restore our site to a previous date (only a bit of data was lost); (2) delete and create a new FTP account (user/password) and (3) Our host plugged the cPanel security hole.

I think it's more likely that cPanel or some other bit of server-run software is causing your issue. Unfortunately, not many hosting companies are forthcoming with their clients regarding in-house security breaches and other software issues. I've noticed (my hosting company included) that they're quick to point the finger at clients, yet very mum about anything they may have done or not done.

One thing you might try, is to use a service like myipneighbors to find other sites that are hosted by the same company. If you can find a site that is similarly exploited, but not running b2evo, then you KNOW it's not b2evo. (When our problem came, I noted a bunch of dynamic sites - drupal, wordpress, etc. - were failing with similar error messages and ALL had the IFRAME crap in the HTML). Bingo ... was our HOST!

Hope this helps.

Good luck.

[EDIT] ... Just noticed. My 1000th post. :D :D :p
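
Added example, not part of the thread or of b2evolution: a Python check for the symptom described in the post above, an IFRAME appended to the end of HTML and PHP files. The function names, the extension list and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

IFRAME = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)
HTML_END = re.compile(rb"</html\s*>", re.IGNORECASE)
EXTENSIONS = (".html", ".htm", ".php")  # assumed set of served file types


def trailing_iframes(data):
    """Return iframe tags found after the last </html>, or, when the file
    has no </html>, after the last PHP close tag '?>'."""
    ends = [m.end() for m in HTML_END.finditer(data)]
    if ends:
        tail_start = ends[-1]
    else:
        idx = data.rfind(b"?>")
        if idx == -1:
            return []  # pure PHP with no close tag: nothing can trail it
        tail_start = idx + 2
    # Limitation: a PHP partial that legitimately emits an iframe after
    # its last '?>' is reported too, so review each hit by hand.
    return IFRAME.findall(data[tail_start:])


def scan_tree(root):
    """Walk root and map relative path -> list of trailing iframe tags."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    found = trailing_iframes(fh.read())
                if found:
                    hits[os.path.relpath(path, root)] = found
    return hits


def demo():
    # Constructed sample files; injected.example is a placeholder host.
    samples = {
        "clean.html": b"<html><body><iframe src='/map.html'></iframe></body></html>\n",
        "index.html": b"<html><body>hi</body></html>\n<iframe src='http://injected.example/' width=0></iframe>",
        "post.php": b"<?php echo 'x'; ?>\n<iframe src='http://injected.example/'></iframe>",
        "lib.php": b"<?php function f() {}\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_tree(root)
```

Pointing `scan_tree` at a copy of the web root lists the files to compare against a known-good backup before restoring.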

10 Jul 17, 2007 19:00

Stk just made a very good post.

The reason I'm led to believe that it is not b2evo, is that other b2evo installs would be getting attacked as well, eg., w3c. Like why is it just yours?

If you could move your website to a different host, for say 2 weeks, see if anything happens, and if nothing does, then good :)

Could you pm me the email of your host, and/or the people that are informing you that the hole is in b2evo, so that I can see what I can find out?

You're just very unlucky in this circumstance... But if it makes you feel better, I'm still waiting for my graphics card to be repaired after 3 months of being away now ;).

11 Jul 30, 2007 14:14

Oops - sorry Balupton. - I didn't get notification of your posting. I will PM you what you ask. The guy who told me about a Romanian Scammer didn't say it was B2Evo - he said

The scammer has a method of hacking a particular type of blog.
Apparently you have that blog software.
You may need to take the blogs offline

It's been quiet for a week or two now but I'm moving hosts anyhow. I've no idea who is to blame for the attacks but I need a more robust, quality and helpful host.

12 Jul 31, 2007 19:43

stevet, I have responded to your pm.
