
1 Jun 07, 2010 13:33

My b2evolution Version: 2.x

I'm using b2evo 2.4.2.

I've just finished a conversation with my webhost; I had been firewalled from my own site. According to them, there was a mod_security firewall put up, and the following was the log they gave me:

Access denied with code 406 (phase 2). Pattern match "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*? ..." at REQUEST_HEADERS:Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "94"] [id "950006"] [msg "System Command Injection. Matched signature "] [severity "CRITICAL"]

I have no idea what any of that means, but the command injection got me worried. Have I been hacked? And how do I track down the problem if I haven't?

Any advice would be very much welcome!
Thanks!
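One way to answer "how do I track down the problem" offline is to take the pattern the host logged and run it against the Referer values your own pages send, so you can see which URL trips it. The script below is an added example, not part of the thread or of b2evolution: it reproduces only the first alternative of the rule 950006 pattern, exactly as it appears before the "..." in the log (the rest of the rule is not on the page), and the Referer values are constructed, not taken from the poster's site. The real rule may also apply transformations before matching that the log does not show.

```python
import re

# Visible prefix of the rule 950006 pattern quoted in the host's log.
# The log truncates the pattern with "..." after this first alternative, so
# only that alternative is reproduced here; the real rule has more branches
# and may apply transformations (not shown in the log) before matching.
RULE_950006_PREFIX = re.compile(
    r"\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)"
    r"|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)"
    r"|(?:w(?:guest|sh)|rcmd|ftp)\.exe"
    r"|echo\b\W*?\by+)\b"
    r"|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)"
    r"|d(?:\b\W*?[\\/]|\W*?\.\.)"
    r"|hmod.{0,40}?\+.{0,3}x))"
)


def matching_fragment(header_value):
    """Return the substring the visible part of rule 950006 matches, or None."""
    m = RULE_950006_PREFIX.search(header_value)
    return m.group(0) if m else None


def triage(referers):
    """Map each Referer value to the fragment that would trip the rule (None = clean)."""
    return {r: matching_fragment(r) for r in referers}


# Constructed Referer values (not from the thread) that exercise the visible prefix:
# a normal blog permalink, a "/cd/" path segment, a word merely starting with "cd",
# a "tftp" segment, and a search query containing "chmod +x".
SAMPLE_REFERERS = [
    "http://www.example.com/blog.php/2008/09/12/finger-puppet-pattern",
    "http://www.example.com/cd/listing",
    "http://www.example.com/cdrom",
    "http://www.example.com/tools/tftp",
    "http://www.example.com/search?q=chmod+%2Bx",
]

if __name__ == "__main__":
    for referer, hit in triage(SAMPLE_REFERERS).items():
        verdict = "BLOCK  " if hit else "allow  "
        detail = f"   <- matched {hit!r}" if hit else ""
        print(verdict + referer + detail)
```

Run it with the Referer values you actually see in your own access logs (or the URLs of your admin pages) in place of the constructed samples; a match tells you which segment of which URL the rule objects to, which is what you need before asking the host for a targeted exclusion. Note that "cdrom" does not match while "cd/" does: the rule wants a shell-looking token, so ordinary words that happen to contain the same letters are usually fine, but path segments that look like commands are not.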

2 Jun 07, 2010 14:37

More info:

The firewall block occurs whilst I'm logged in. The page I see looks like what happens occasionally when the legacy skin is missing CSS (the admin toolbar isn't styled) and the rest of the page doesn't have any CSS showing at all. Unfortunately, just looking at this page kicks the firewall up, so I can't add more than that.

All my files have correct permissions.

The problem may be a particular page on my website:
http://www.puppetsinmelbourne.com.au/blog.php/2008/09/12/finger-puppet-pattern-now-on-sale

I've checked that skin's index/header files and nothing unusual turns up. The error logs however do show a 406 error for that url when I accessed it.

3 Jun 07, 2010 14:42

You're going to have to get your host to exclude certain portions of your site from certain mod_security rules for b2evo to work properly. It's kind of rude of your host to turn on mod_security with no warning or instructions.

You can try adding this to your .htaccess file: (requires mod_rewrite)

<LocationMatch "/blogs/.*">
        <IfModule mod_security2.c>
                SecRuleEngine Off
        </IfModule>
</LocationMatch>


Of course, you have to change the LocationMatch statement to reflect the location of your b2evo installation. But SecRuleEngine Off may not be allowed in .htaccess... I don't know.

If not you can try turning off the rules one-by-one until it works: (also in .htaccess)

<LocationMatch "/blogs/.*">
        <IfModule mod_security2.c>
                SecRuleRemoveById 950006
                SecRuleRemoveById ...etc...
                SecRuleRemoveById ...etc...
        </IfModule>
</LocationMatch>

The "950006" is the id of the mod_sec rule that's currently blocking you, according to your host's log.
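A narrower variant of the same idea, added here as an example and not taken from the thread: it keeps the rule engine on, removes only the rule id from the host's log, and shows the DetectionOnly setting that logs what would be blocked without blocking it, which is useful while working out whether more rules need excluding. The path ^/blog\.php is assumed from the URL in the thread and must be adjusted to the real installation; whether the host accepts this in .htaccess or only in the virtual-host configuration depends on how they built and configured mod_security, as the post above notes.

```apache
# Assumed path: b2evo served via /blog.php (adjust to your installation).
<LocationMatch "^/blog\.php">
    <IfModule mod_security2.c>
        # While diagnosing, DetectionOnly logs hits without blocking;
        # switch back to On once the exclusions below are known to be enough.
        # SecRuleEngine DetectionOnly
        SecRuleEngine On
        # Remove only the rule id from the host's log; all other rules keep running.
        SecRuleRemoveById 950006
    </IfModule>
</LocationMatch>
```

Removing a single rule for a single path is preferable to SecRuleEngine Off for the whole site, because the remaining rules still protect the rest of the application, and the exclusion can be revisited once the offending URL is known.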

4 Jun 07, 2010 14:48

Thanks BushLeagueCritic, I'll try those and reply if they work/don't work.

It's kind of rude of your host to turn on mod_security with no warning or instructions.

Actually, if it's the host's problem then it's even more odd. I've been using the same b2evo version for probably a year or so now (been meaning to upgrade) and have not had any problems with mod_security until today. Furthermore, I have a number of sites hosted with them, all using b2evo (3.x for at least two of them) and had been working on those all day today. No problems at all.

5 Jun 07, 2010 15:17

Hmm, adding the first piece of code didn't work. However, in replacing the .htaccess file with my original (i.e. removing the suggested code), it seems to have popped my site back into place.

If it doesn't hold, then I'll come back and try the other suggested code.
