[TYPO3-english] Have I been hacked? Please help.

Jigal van Hemert jigal at xs4all.nl
Sat Mar 19 18:29:53 CET 2011


Hi,

On 19-3-2011 18:02, Thomas "Thasmo" Deinhamer wrote:
> Andreas Becker wrote:
>> How to get access to the backend you can contact me via PM. IMHO it
>> is not good to discuss this here on the list as actually everyone
>> can already read how to get inside TYPO3 if the developers and site
>> administrators don't take at least common security measures into
>> account.

There is plenty of information around how to take the common security 
measures. The TYPO3 installation warns about many common security problems 
(default admin account, default install tool password, etc.) in various 
places in the backend. If you still leave those things open it's not 
anything which cannot be discussed in public places.

If you know of ways to get access to installations which have the normal 
security measures taken into account you should report this ASAP to the 
TYPO3 security team and not discuss it with anybody else.

> Does that mean there are ways to get into the backend without having
> the login credentials?
>
> Or why would it be a secret or unwise to tell here?

It's not a real secret and it will only work if you have ftp or ssh 
access with enough rights to create and modify certain files. This is a 
pretty normal procedure IMO and not a trade secret. It used to be part 
of the old installation method, until a more user-friendly installer 
(and for 4.6 there is a project to overhaul the whole install tool) was 
created.

In order to get access to your backend you can use the install tool to 
create a new admin user (this is a normal option in the install tool). 
To get access to your install tool there must be a file named 
ENABLE_INSTALL_TOOL in the typo3conf directory and the file may not be 
older than 1 hour. If your install tool password doesn't work you can 
edit the typo3conf/localconf.php file and set an MD5-hash of the desired 
Install Tool password in that file.

As you can see, this requires that you have access to these files and 
enough rights to create and/or modify them.

If your installation is hacked it would be best to reinstall the entire 
server from scratch and restore the database and certain user files 
(images, etc.) from backups (after manually checking them for signs of 
hacks).
The next best thing is to change each and every password in your 
installation (control panel, root password, FTP, SSH, database, install 
tool, BE users, etc.). Because it happens rather frequently that login 
information is harvested from infected computers, all users who have 
some form of backend or server access should have all their computers 
checked for malware.

-- 
Kind regards / met vriendelijke groet,

Jigal van Hemert.
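
A defensive check for the Install Tool conditions described in the message above, as an added example that is not part of the original post or of TYPO3's own code: it reports whether ENABLE_INSTALL_TOOL exists in typo3conf and is younger than one hour, and whether the MD5 hash set in localconf.php matches a password from a list the auditor supplies. The function name, the finding strings, the assumed localconf.php line format and the sample passwords are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile
import time

MAX_AGE = 3600  # per the post: the flag file may not be older than 1 hour
# Assumed line format: $TYPO3_CONF_VARS['BE']['installToolPassword'] = '<md5>';
PW_RE = re.compile(r"\['BE'\]\['installToolPassword'\]\s*=\s*['\"]([0-9a-fA-F]{32})['\"]")


def audit_install_tool(typo3conf, weak_passwords, now=None):
    """Return findings about the Install Tool state in one typo3conf directory."""
    now = time.time() if now is None else now
    findings = []
    flag = os.path.join(typo3conf, "ENABLE_INSTALL_TOOL")
    if os.path.exists(flag):
        age = int(now - os.path.getmtime(flag))
        state = "UNLOCKED" if age < MAX_AGE else "expired"
        findings.append(f"flag-file:{state}:age={age}s")
    conf = os.path.join(typo3conf, "localconf.php")
    if os.path.exists(conf):
        with open(conf, encoding="utf-8", errors="replace") as fh:
            hashes = PW_RE.findall(fh.read())
        if len(hashes) > 1:
            # Later PHP assignments override earlier ones, so an appended
            # line silently replaces the password: worth a manual look.
            findings.append(f"password-set-{len(hashes)}-times")
        weak = {hashlib.md5(p.encode()).hexdigest() for p in weak_passwords}
        if hashes and hashes[-1].lower() in weak:
            findings.append("weak-install-tool-password")
    return findings


def demo():
    """Constructed sample: a fresh flag file plus a guessable password hash."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "ENABLE_INSTALL_TOOL"), "w").close()
        digest = hashlib.md5(b"changeme").hexdigest()
        with open(os.path.join(d, "localconf.php"), "w") as fh:
            fh.write("<?php\n$TYPO3_CONF_VARS['BE']['installToolPassword'] = '%s';\n" % digest)
        return audit_install_tool(d, ["changeme", "password"])


if __name__ == "__main__":
    print(demo())
```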

