Brand new and hacked!

Only took 1 day! Installed Elgg, added a couple plugins, everything working fine. Come back today and my index.php page had been hacked to include a huge list of porn sites!

I am not new to this game. I have a VPS with experience managing more than a dozen sites. There is a huge security hole in this product and I was more than shicked to find the injection. Basically, this was a default install.

I am finding the discussion threads here hard to follow. I do not find much on this topic but I also find very little on a lot of topics. Some thinking needs to go into how user friendly this product is and the security. At the very least, if there are security holes that need to be addressed upon install, they should be outlined clearly.

Since I had to spend all morning changing access passwords, I think I'm going to set this project aside for now. I'll check back in after there's a few miles on the tires.

 

  • Hello! The fact that your index.php file was changed by your web server means you made a major mistake configuring your site. This is web application security 101. Perhaps you made the data directory web accessible. Perhaps you had some other security hole. Unlikely to be an Elgg issue.

  • How exaxtly has your site been manipulated? If you found a security issue within the Elgg code I would suggest to tell any of the Elgg core developers about it directly (and not open a ticket at Trac).

    If the file index.php has been manipulated directly, it's quite unlikely that the hackers used any undetected security holes in Elgg but more likely that they hacked your server directly - which is surely beyond the scope of Elgg. Or could they simply have guessed your admin password?

  • @Skyforum

    Do you have on your server any wordpress site?

    Did you save the changes on your index.php? Did you check if your .htaccess have been modified?

    Rodolfo Hernandez

    Arvixe/Elgg Community Liaison

  • Are there any other scripts running in parallel in same server, same location? Is your data directory web accessible?