Ez Publish v 2012.5 known vulnerabilities

Friday 23 January 2015 12:25:08 pm - 1 reply

Hi there

I have a serious problem! Some days ago my site became very slow. Checking the server performance I noticed a strange process, so I killed it. Unfortunately the process recreates itself every time I try to get rid of it! So I restored a backup of my site... but after a while the malware process appeared again. So... do you know any vulnerability in version 2012.5 that I can consider to solve my problem? The server is pretty protected... I cannot understand what kind of attack this is :(

Saturday 24 January 2015 1:34:47 am

Hello Simone,

I'm very sorry to hear you're having problems like this. I had a couple of thoughts on this this afternoon.

First, eZ Publish Community here on share has a poor track record of publishing security vulnerability documentation. If you want this level of service you would be best served by establishing service with eZ Systems directly.

There is a hidden section of past security advisories on share.ez.no, but these are all very old and not maintained or promoted. In the last 5 years (or so) there have been a lot of sections like this on the old ez.no community site, before the move to share.ez.no, and overall this kind of content is only published long after the concerns have been solved in the eZ Publish development repositories and improved releases have been made. Also, these records do not stay online very long and are often lost during website changes or upgrades.

http://share.ez.no/community-project/security-advisories/

Second, I have serious doubts that eZ Publish (stock) is the cause of your problems. In fact I asked a co-worker today and he took a look and just laughed at me and told me I was out of line and did not understand how eZ Publish works if I believed that.

In any case you should seriously consider that you're running unsupported software on many levels. In fact the version of PHP you're using (which is?) is full of security vulnerabilities; it's unsupported and really really should be upgraded to the latest stable release. It would also be a good idea now to take the time to upgrade to the latest community release to go with your PHP upgrade.

I would expect your server software / PHP to be more vulnerable than eZ Publish could be :\

In fact it strongly sounds like the malware infection has nothing to do with eZ Publish and has infected your server and not the website. This is more evident in that you have restored from backups already and the malware still exists.

Third, when you suspect you're infested with malware you really have to do more research and share more information for anyone to even be able to begin helping you actually solve these problems.

A couple of questions come to mind.

  • What is the name of the process in question?
  • What username is running this process in question?
  • Have you done any research on the internet to learn more about this process? It is possible this is not malware at all.
  • Are you sure this is not a service and not just a single process?
  • Do you know the name of the malware?
  • How did you find it?
  • What does it do?
  • Is this a binary or script?
  • Where on disk is the malware found/stored?
  • Have you forced a password audit and change on all server shell users?
  • If you don't know what kind of attack this is it may be early to blame eZ Publish

You say "The server is pretty protected". What makes you say this? How are you protecting the server and its applications (given you're running outdated and insecure software)?

I've recently found that even the latest version of WordPress, with admin not under ACL, can be exploited to install email-sending malware (I had to upgrade and clean a site 3 times in less than 8 months).

But eZ Publish is really quite different in this regard. It's just not something that happens; not to say it absolutely can't happen, but it's very very rare, if at all. eZ Publish is put through extensive security reviews and is even used in some of the most security-focused organizations around, like the DOD, USA Navy and beyond, meaning that they have audited it extensively to even allow its use.

My co-worker recommends you wipe your server and re-install the latest server software (including PHP), not the previous versions, restore your website from clean backups and upgrade eZ Publish before bringing it back online. This way you are certain you're doing your very best to secure your server using the latest software possible and have wiped the malware from disk entirely.

I hope this helps!

Cheers,
Heath 
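The triage questions in the reply above (which process, which user, binary or script, where on disk, what respawns it) can be answered from /proc rather than from `ps`, whose output a renamed or deleted binary can make misleading. The script below is an added example, not part of the thread and not eZ Publish code; `triage.sh` and its function names are hypothetical, and it assumes a Linux host with /proc mounted. The ancestry walk is what usually explains a process that "recreates itself": the top of the parent chain (cron, a systemd service, a web server worker, a leftover shell) is what keeps relaunching it, and `find_persistence` lists the configuration files that mention the binary's name.

```shell
#!/bin/sh
# Added example (not from the thread): per-process triage on a Linux host with /proc.
# Hypothetical tool; use as: sh triage.sh <pid> [<pid> ...]
# Reads /proc directly rather than trusting `ps`, because a renamed or deleted binary
# can make ps output misleading.

# Command line of a PID, NUL separators turned into spaces.
proc_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null
}

# One field (e.g. Uid, PPid) from /proc/<pid>/status.
proc_status_field() {
    awk -v key="$2:" '$1 == key { print $2; exit }' "/proc/$1/status" 2>/dev/null
}

# User name of the process owner, falling back to the numeric uid.
proc_user() {
    uid=$(proc_status_field "$1" Uid)
    id -nu "$uid" 2>/dev/null || echo "$uid"
}

# Path of the executable actually mapped. A " (deleted)" suffix means the binary was
# removed from disk after it started, a common trick to hide where the malware lives.
proc_exe() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# Parent chain up to init, one line per ancestor: pid, user, cmdline.
# The top of this chain is what keeps recreating a killed process.
proc_ancestry() {
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 1 ]; do
        printf '%s\t%s\t%s\n' "$pid" "$(proc_user "$pid")" "$(proc_cmdline "$pid")"
        pid=$(proc_status_field "$pid" PPid)
    done
}

# Files in the usual persistence locations that mention a name (binary, script
# or path). Needs root to see other users' crontabs; prints nothing if none match.
find_persistence() {
    grep -rIl -- "$1" /etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily \
        /var/spool/cron /etc/rc.local /etc/init.d /etc/systemd/system \
        /etc/profile.d /root 2>/dev/null || true
}

# Human-readable report for one PID.
triage() {
    pid=$1
    if [ ! -d "/proc/$pid" ]; then
        echo "pid $pid is not running (already respawned under a new pid?)"
        return 1
    fi
    exe=$(proc_exe "$pid")
    printf 'pid:     %s\nuser:    %s\ncmdline: %s\nexe:     %s\ncwd:     %s\n' \
        "$pid" "$(proc_user "$pid")" "$(proc_cmdline "$pid")" \
        "${exe:-<unreadable, rerun as root>}" "$(readlink "/proc/$pid/cwd" 2>/dev/null)"
    case "$exe" in
        *" (deleted)") echo "note:    executable was deleted from disk after start" ;;
    esac
    # Open socket descriptors hint at a network-active process (spam relay, C2, scanner).
    echo "sockets: $(ls -l "/proc/$pid/fd" 2>/dev/null | grep -c socket)"
    echo "ancestry (pid, user, cmdline):"
    proc_ancestry "$pid" | sed 's/^/  /'
    if [ -n "$exe" ]; then
        name=$(basename "${exe% (deleted)}")
        echo "persistence files mentioning $name:"
        find_persistence "$name" | sed 's/^/  /'
    fi
}

# Stand-alone use: report on every PID given on the command line.
for pid in "$@"; do
    triage "$pid"
done
```

Run it as root so that every process's `exe` link and every user's crontab are readable; if the reported user is the web server's account and the ancestry ends in a PHP or web server worker, the entry point is the web application and its uploads, whereas a chain ending in cron, an init script or an SSH session points at the host itself, which is the distinction the reply above is asking the original poster to make.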
