ProsePoint Express: hosted newspaper website content management software

Injection Hack?

tim.cappalli
Joined: 11/03/2009

Our Prosepoint install seems to have gotten hacked. Our older stories are having porn / sex links injected into the content area or at the bottom of the content area. I have changed the database passwords along with our hosting passwords. As a temporary fix, I have been blocking the source IPs (from Austria) as I see them. I have hit a roadblock and would appreciate ANY help.


Thanks!

beng
Joined: 27/02/2009
...

Hi,

You could start off by checking:

Whether there are any signs of hacking into your web hosting account. If your webhost has been broken into, then ProsePoint source files could be altered and all bets are off.

Check your web server logs to see if there is anything suspicious in there.

Whether the inserted text links are just normal text content which can be removed by editing the stories. If so, check your site logs to see when the node(s) were edited and by which account.

Perhaps the attacker got access to some user accounts by phishing emails or malware on your users' PCs?

At this point, it's uncertain whether ProsePoint itself was the entry point, or whether it was through another means (i.e. webhost provider, or email phishing, or sniffing passwords over http://).

You might like to also run a directory compare of your ProsePoint installation against a freshly extracted version of the source code to see if any source files were modified.

These are broad areas you can check. Depending on what you find, that will narrow your search down as you go.

Good luck.

Beng
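
The directory compare suggested in the reply above, as an added example that is not part of the original thread or of ProsePoint: it hashes every file in a freshly extracted copy and in the live install, then reports files that were modified, added, or removed. The file names and the skipped `files` upload directory in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

def tree_hashes(root, skip=()):
    """Map each file's path relative to root to its SHA-256 digest."""
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # Prune directories expected to differ (uploads, caches); review those by hand.
        dirnames[:] = [d for d in dirnames
                       if os.path.normpath(os.path.join(rel_dir, d)) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if os.path.islink(path):
                # Record the link target rather than following it.
                hashes[rel] = "symlink:" + os.readlink(path)
                continue
            with open(path, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def compare_trees(clean_root, live_root, skip=()):
    """Classify differences between a pristine extract and the live install."""
    clean, live = tree_hashes(clean_root, skip), tree_hashes(live_root, skip)
    return {
        "modified": sorted(p for p in clean.keys() & live.keys() if clean[p] != live[p]),
        "added": sorted(live.keys() - clean.keys()),
        "removed": sorted(clean.keys() - live.keys()),
    }

def write(root, rel, body):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(body)

def demo():
    """Constructed sample trees: one file altered, one dropped in, one upload skipped."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        for root in (clean, live):
            write(root, "index.php", "<?php // front controller\n")
            write(root, "modules/node/node.module", "<?php // node module\n")
        write(live, "modules/node/node.module", "<?php // node module\n// altered\n")
        write(live, "modules/node/cache.php", "<?php // not in the release\n")
        write(live, "files/photo.jpg", "constructed upload")
        return compare_trees(clean, live, skip={"files"})

if __name__ == "__main__":
    print(demo())
```

Compare against the same release version that is installed, otherwise every file changed between releases shows up as modified.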

tim.cappalli
What I find weird is that the log says they are using the anonymous user account to make the changes.
beng
...

Hi,

This could be because ...

The permissions have been altered to allow anonymous users to edit content. You might want to check that.

Or,

The changes were done with an account that was then deleted. Depending on configuration, when an account is deleted, all posts and comments by that account are attributed to the anonymous account.

tim.cappalli
So I have a new development with this issue. I noticed that the stories that were getting hacked had the edit and workflow tabs available to anonymous users, yet newer stories did not.

I pulled up a newer story and compared the settings and they both have "Public" and "Published".

As far as permissions, the only permission that anonymous users have is view content. (see attached)

What could be the issue with the old stories? Could something have become corrupt?

Thanks

Attachments: newslinc1.png (523.33 KB), permiss1.png (100.56 KB)
beng
Hi,

Not quite. The Workflow module overrides some of the permissions (mainly node-related ones) from .../admin/user/permissions.

See .../admin/build/workflow on your site.

Another thing ... if you'd like to reset and rebuild the permissions for all your pages, visit .../admin/content/node-settings and click on Rebuild permissions.