hacked me

Hi
Security is very low
I got hacked a few moments before
And in the Homeimage

  • Can you contact your host and ask them how you got hacked and report it back here so we know how to stop our sites getting hacked, by either an update to elgg or not using the company you use for hosting

  • Yes, I talked to the service.
    He is being investigated.
    And I must thank you very much
    for support.
    We wish the best for you.
    Thank you all (especially
    UK, Tom, ura soul, rjcalifornia, krismb Matt Beckett)

  • Sorry for the late reply, you're most welcome. I am now trying to find the tutorial where you remove the install folder from elgg and other things to secure an elgg site even more :)

    Here's the post I made for reference

    http://community.elgg.org/discussion/view/1524956/secure-your-elgg-site-stop-hackers

  • According to this video, all SSL was compromised years ago!
    http://www.youtube.com/watch?v=ibF36Yyeehw

  • @Michele Just a mention about some .htaccess rules (a first step to security)

  • It seems that there are a lot of attempts going on at the moment to hack servers that have php installed. This could be a possible attack vector. The hackers are using a security hole that was included in older versions of php. It has been fixed in php 5.3.12 (and in 5.4.2 within the 5.4 tree) but not all servers might have been updated to later versions.

    You could check your server log for entries similar to

    212.62.X.Y - - [04/Nov/2013:15:16:53 +0100]
      "POST /cgi-bin/php5?%2D%64+%61%6C%6C .."

    which might indicate an attempt to attack your server.
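A small log check for the pattern described in this post, added here as an example (it is not code from the thread or from Elgg). It assumes Apache-style access-log lines and uses constructed sample data; it flags requests to a php-cgi path whose query string carries no '=' (so the CGI handler would treat it as arguments) and which, once URL-decoded, begins with a '-' switch.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic). The first mirrors the
# pattern quoted in the post above; the other two are benign look-alikes.
SAMPLE_LOG = """\
212.62.X.Y - - [04/Nov/2013:15:16:53 +0100] "POST /cgi-bin/php5?%2D%64+%61%6C%6C HTTP/1.1" 200 512
10.0.0.5 - - [04/Nov/2013:15:17:01 +0100] "GET /cgi-bin/php5?page=1&sort=-date HTTP/1.1" 200 2048
10.0.0.6 - - [04/Nov/2013:15:17:09 +0100] "GET /index.php?view=-d HTTP/1.1" 200 1024
"""

# Common/combined log format: client, two identity fields, [timestamp], "request line".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: [^"]*)?"')


def is_php_cgi_arg_injection(path):
    """True when a request to a php-cgi binary (e.g. /cgi-bin/php5) has a query
    string with no '=' that decodes to something starting with '-'.
    Per the CGI spec a query without '=' is passed to the script as arguments,
    so a leading '-' looks like a php-cgi command-line switch, not page data."""
    script, _, query = path.partition("?")
    if not re.search(r"/php(?:-cgi|\d*)$", script):
        return False
    if not query or "=" in query:
        return False  # ordinary key=value parameters, not argument-style
    return unquote_plus(query).lstrip().startswith("-")


def find_suspicious(log_text):
    """Return (client, timestamp, request_path) for each flagged log line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        client, ts, _method, path = m.groups()
        if is_php_cgi_arg_injection(path):
            hits.append((client, ts, path))
    return hits


if __name__ == "__main__":
    for client, ts, path in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {client} {path}")
```

Point it at a real access log by passing the file contents to find_suspicious(); a hit on a server still running a php-cgi build older than the fixed versions named above is the cue to patch.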

  • security issues you may encounter using elgg (these may or may not be problematic):

    • elgg is, I think, using md5 hashing, which is not especially great.
    • elgg is not updated to reflect the changes in newer versions of php with regard to mysql.
    • ssl has been compromised and is, as yet, as far as I am aware, not fixed - so, your admin password can be targeted and hacked with commonly available software.
    • elgg community plugins are not necessarily being coded to carefully prevent script injections etc.; malicious coders can release plugins to the community, find that you are using them and then use their own deliberately included exploitable weaknesses to hack your site.
    • your server may not be correctly hardened. e.g. the server may be outputting error text to the web that includes sensitive data or your server's php and other parameters may not be as secure as they need to be.

    From what I am seeing, the ONLY way to use SSL securely is to have your entire site operating via https on every page, and if you are not doing that then your passwords can easily be stolen.

  • @ura soul SSL isn't a 'gold' solution. Please don't suggest it as a panacea. There are more reasons for hacking your server; you mentioned them above.

    About Elgg... I think Elgg is a better solution for safety, if you use it on your server, than WordPress, Joomla, or Drupal. I've had many years of my own practice with all of them ;)

    But you're right when you talk about 'devs'' plugins... Some 'developers' can't or don't want to use simple principles of security, and it's a big problem for novice Elgg users.

  • I think possibly you are misinterpreting what I wrote, as compared to my intention.

    What I am saying, here with more detail, is that the option to 'encrypt login via ssl' with elgg is insufficient to secure the login due to 'man-in-the-middle' attacks which intercept the data while the page is in non-https mode. If you watch some of the videos in my other thread you will see the full gory details of this.

    So while you may have other security issues to resolve too, if your site is not fully https enabled then it simply is not secure. (Even if it is fully https enabled it may not be fully secure, but at least there is one less possible vulnerability to harden.)