
TOPIC: Limesurvey is hacked

Limesurvey is hacked 4 years 2 months ago #81130

  • amisaka
  • Fresh Lemon
  • Posts: 2
  • Karma: 0
I would like to know what measures I can take to make LimeSurvey more secure. My application was hacked twice, even though I use a hosting service that restricts access to the folder.
Could someone please help me out with this issue?

Thanks!

Limesurvey is hacked 4 years 2 months ago #81136

  • Ben_V
  • Platinum Lime
  • Posts: 1805
  • Thank you received: 445
  • Karma: 111
Hi,
If your host allows it, at the very least you should set up a .htaccess file (at the root of your LS installation)...
Have a look at the apache.org website for details.

If you don't care about universal access... you can use this file to block some well-known IP ranges or countries.

Ben/
Benoît

EM Variables => bit.ly/1TKQyNu | EM Roadmap => bit.ly/1UTrOB4
All LS releases => bit.ly/1VMuTDu | 2.06lts => bit.ly/1Qv44A1
Demo surveys => bit.ly/20NW9V8 (already included in /docs/demosurveys)
Last Edit: 4 years 2 months ago by Ben_V.
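As an added example of the kind of .htaccess Ben_V suggests (this is not from his post or from the LimeSurvey project), assuming Apache 2.4 with mod_authz_core and a host whose AllowOverride permits authorization directives in .htaccess. The two networks are placeholders, not real addresses, and the admin URL pattern is an assumption about the install's URL layout:

```apache
# .htaccess placed at the LimeSurvey root (assumed location; Apache 2.4 syntax).

# Site-wide: let everyone in except one placeholder network you have seen
# probing the install. "Require not" only works inside RequireAll/RequireAny.
<RequireAll>
    Require all granted
    Require not ip 203.0.113.0/24
</RequireAll>

# Admin interface: allow only the office network (placeholder range).
# The URL match covers both /index.php/admin/... and /index.php?r=admin/...
# (assumed URL formats); adjust to how your install exposes the admin pages.
# With the default AuthMerging Off, the Require inside <If> replaces the
# site-wide rule for matching requests, so test both branches after enabling.
<If "%{REQUEST_URI} =~ m#/admin# || %{QUERY_STRING} =~ m#(^|&)r=admin#">
    Require ip 198.51.100.0/24
</If>
```

Check the result with curl from an address inside and outside each range before relying on it; a mistyped pattern fails open (the admin pages stay reachable) rather than closed.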

Limesurvey is hacked 4 years 2 months ago #81146

  • DenisChenu
  • Moderator Lime
  • Posts: 9305
  • Thank you received: 1330
  • Karma: 386
Hello amisaka,

How do you find/know LS is hacked ?

There are some viruses on the net that find your FTP access (see Gumblar for example). The LS team can do nothing about that; you have to remove the virus and change your FTP password.

The best thing is to post the code modification so we can identify the virus/hack used.

Denis
Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time (Say thanks?).
A bug not reported is a bug not corrected. | Please, read the documentation | The French documentation needs you

Limesurvey is hacked 4 years 2 months ago #81194

  • amisaka
  • Fresh Lemon
  • Posts: 2
  • Karma: 0
Thanks Denis!
I received two messages, one from rsa.com and another from my hosting service.
I am increasing the security measures on my web applications.

Antonio

Limesurvey is hacked 4 years 2 months ago #81199

  • DenisChenu
  • Moderator Lime
  • Posts: 9305
  • Thank you received: 1330
  • Karma: 386
Hello,

Did the message say how your installation was hacked?

One thing you can do is to change the CHMOD on some files:

Remove write permission for everyone on all files, then give write permission on upload and tmp to your web server user.

You need to give write permission back for autoUpdate.

Denis
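The permission change Denis describes, written out as an added example (not code from the thread or from LimeSurvey). It assumes a POSIX shell, the default upload/ and tmp/ directory names, and that you run it as a user who owns the tree (chown, when a web server user is given, needs root):

```sh
#!/bin/sh
# harden_ls_perms.sh: strip write access from a LimeSurvey tree except where
# the web server needs it. Added example; upload/ and tmp/ are assumed names.
set -e

# Print every regular file under $1 that is group- or world-writable, skipping
# the two directories that are allowed to be writable. Empty output is the goal;
# run it again after an upgrade or ComfortUpdate, which needs write access
# on the whole tree while it runs.
ls_find_writable() {
    dir=${1%/}
    find "$dir" \( -path "$dir/upload" -o -path "$dir/tmp" \) -prune -o \
        -type f \( -perm -020 -o -perm -002 \) -print
}

# Count of offending files, convenient for cron checks and scripting.
ls_count_writable() {
    ls_find_writable "$1" | wc -l | tr -d ' '
}

# Remove write permission for group and others everywhere, then hand write
# access on upload/ and tmp/ back to the web server user. If no user is given,
# the owner keeps write access on those two directories only.
ls_harden() {
    dir=${1%/}
    webuser=${2:-}
    chmod -R go-w "$dir"
    for d in upload tmp; do
        [ -d "$dir/$d" ] || continue
        if [ -n "$webuser" ]; then
            chown -R "$webuser" "$dir/$d"
        fi
        chmod -R u+w "$dir/$d"
    done
}

# Usage: harden_ls_perms.sh /var/www/limesurvey www-data
if [ $# -ge 1 ]; then
    ls_harden "$@"
    echo "Files still group/world writable outside upload/ and tmp/:"
    ls_find_writable "$1"
fi
```

Two caveats a practitioner should keep in mind. First, if PHP runs as the same user that owns the files (typical on shared hosting with suPHP or PHP-FPM per account), removing group/other write changes nothing for a web-side attacker, because the web server user is the owner; in that setup the real control is ownership by a different account than the one PHP runs as. Second, an attacker who has your FTP password, as in the cases above, is the owner and can simply chmod the files back, so this is a hardening step against web-side bugs, not a fix for stolen credentials.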

Limesurvey is hacked 4 years 1 month ago #83027

  • Haap
  • Gold Donor
  • Posts: 13
  • Karma: 0
Hi all,

My LimeSurvey installation has also been hacked, twice. This means that some random .js files have been replaced. In my case these were files in the templates, in the scripts folder, and so on. There were quite a few changed scripts. I am not sure how this was possible, especially the second time, when I had a 128 character FTP password. All I can think of is a problem with permissions, due to the ComfortUpdate thing. But I am not sure about that.

Also, I am not sure what to do next. I don't feel like simply reinstalling my LimeSurvey and waiting for it to start spreading a virus again...

Cheers, Haap

Limesurvey is hacked 4 years 1 month ago #83028

  • DenisChenu
  • Moderator Lime
  • Posts: 9305
  • Thank you received: 1330
  • Karma: 386
Some virus stole your FTP password on YOUR computer (or on another computer that has your FTP password).

Then:
1: change your FTP password.

And could you give some line of javascript ?

Denis

Limesurvey is hacked 4 years 1 month ago #83029

  • Haap
  • Gold Donor
  • Posts: 13
  • Karma: 0
Dear Denis (and all others),

I've changed my FTP password twice. Once after the first attack, and now again. My FTP password is only stored in an encrypted (2048-bit) file on my computer. That's it. It's not remembered in any browser or FTP client.

Unfortunately I've deleted all the JavaScript files. There are several questionnaires online, and a call centre waiting for me to re-enable them. In the rush, I've simply overwritten all corrupted files.

Attached is a file of the virus-warning. It's the best I've got, I'm afraid. I am sorry about that.

Thanks,

Haap

====

Edit: I must add that I've been fooling around with chmod for the ComfortUpdate. I actually don't know why I've done that (with knowledge of what can happen), and have perhaps set write permissions (!) on the scripts...
Last Edit: 4 years 1 month ago by Haap. Reason: added the permissions thing

Limesurvey is hacked 4 years 1 month ago #83039

  • holch
  • LimeSurvey Team
  • Posts: 5097
  • Thank you received: 756
  • Karma: 227
It is difficult to know how they hacked your account, whether it was via FTP, via another account on a shared server, or via the software. Now, you need the thing to run again, right?

What I would do then is to set up Limesurvey in a new server folder, but using the same database. If everything runs smoothly, you can delete all files in the other folder and all infected files should be gone.
Have a look at the manual! It is a really valuable source for information. Here some helpful links:
Manual (EN) | Question Types | Question Attributes | Workarounds

If you found this answer helpful and it saved you some time please consider a donation to the project to keep Limesurvey going!
Last Edit: 4 years 1 month ago by holch.

Limesurvey is hacked 4 years 1 month ago #83041

  • Haap
  • Gold Donor
  • Posts: 13
  • Karma: 0
Dear Holch and others,

Thanks for your reply. I have set up the installation twice yesterday. The call centre performing the questionnaires had stopped working for the afternoon, so I had some time to fix everything. I first overwrote (is that proper English? ;-) ) the old files with fresh ones from my computer. Somehow this did not fix the problem. So I backed up the database, and simply deleted all the files on the server. It has only the LimeSurvey software installed on it, so that is no problem. After that, I made a fresh installation of the software compiled yesterday, and so far, no infections have been found (fingers crossed).

If somehow the installation becomes infected again, I will export the entire installation and post it here. But still, somehow, I hope that it won't be necessary.

Cheers,

Haap

Limesurvey is hacked 4 years 1 month ago #83251

  • Haap
  • Gold Donor
  • Posts: 13
  • Karma: 0
Dear all,

After yet another infection, I have made a complete copy of my httpdocs. It can be found, zipped, in my Dropbox (I'm sorry for the slow connection). Also, I have attached one of the infected scripts to this post.

I still don't have a clue about how this got onto my server, and why it has happened three times by now. There are (at least) three possible problems:
  • File permissions. The installation wiki and the wiki are not clear about that
  • A hack of my FTP account (for the third time in a row, with a 256 character password)
  • A virus on the web server that hosts my LimeSurvey

The infected survey_runtime.js.
Last Edit: 4 years 1 month ago by Haap. Reason: Cannot attach scripts..

Limesurvey is hacked 4 years 1 month ago #83278

  • DenisChenu
  • Moderator Lime
  • Posts: 9305
  • Thank you received: 1330
  • Karma: 386
Yop:
blog.unmaskparasites.com/2012/06/22/runf...om-domains/#more-883

Quoted from that post: "Update (June 23, 2012): Thanks to everyone who left comments. The problem seems to be really in Plesk. Axel found traces of the attack in Plesk access logs. The attacker logged in and used file manager's editor to modify .js files. Axel blames the Plesk vulnerability (versions before 10.4 are affected) found earlier this year and suggests that server admins fix it: kb.parallels.com/en/113321 and reset passwords for all plesk accounts."

Are you on a Plesk server?

Denis

Limesurvey is hacked 4 years 1 month ago #83315

  • Haap
  • Gold Donor
  • Posts: 13
  • Karma: 0
Yes, I am on a Plesk server. I will contact my sysadmin...

Edit: and of course: I will keep you all posted.

My hosting provider knew about this problem, but stated that he had updated the Plesk software. However, he is checking it out, and will report back to me.
Last Edit: 4 years 1 month ago by Haap. Reason: ISP != hosting provider