We all were witnesses of a great panic and a lot of accusations of how weak and non-safe is e107 recently. The reason was a massive attack against most of the e107 based (community and non-community) sites and e107.org itself.

Let's summarize the facts first.
It's true that a number of security holes was recently reported, and some of them were bad - really bad. I'll write in a separate post the sad story behind some of the reports, which caused SO MUCH damage to a lot of e107 based sites and hosting companies (sad, because it was done by PHP security adviser owner of php-security.org - a popular person - who acted as a teenager - understand totally unprofessional). I'm pretty much sure this story triggered the start of the attack against e107 but this is not a subject of this article.

The reaction of the core development team was fast enough - we did quick fixes, we released number of quick patches and security releases. We were already prepared with a notification system which delivered the information about the recent available security patches direct to site owners' administration area. We also published a lot of information (news on e107.org), all the information we got. I don't think the whole could have been done better.

The panic came AFTER the last security patch. It was caused by a number of bot attacks which were trying to go through an ALREADY PATCHED security hole (the so popular recently contact.php). Bots were following (exactly) the INSTRUCTIONS pointed in one of the advisories - php-security.org/2010/05/19/mops-2010-035-e107-bbcode-remote-php-code-execution- vulnerability/index.html (do you remember the sad story I was talking about earlier?)

What exactly happened?
The bad guys used the fact that this vulnerability was first published and spread around the World Wide Web without the knowledge of e107 core development team. They attacked and infected servers (not secured enough - see below). All infected servers was made attackers. They infected more servers, etc.
The number of infected servers was low at the beginning of the attack - at this time patch was already available. The problem is people do not pay enough attention on this even if shown on the top of their site administration panel, so patching required time. Those who were late, lost the game. Unfortunately those who weren't late, didn't win the game. They were attacked by all infected servers. Although the hole was patched, attacks became DDOS. They affected all servers which can't handle such attacks.

What can do e107 CMS about all this?
Near nothing, nor any other CMS/PHP script can do more. e107 core development team could do one thing only - security patch, preventing php code execution in this particular case. Neither development team nor PHP itself are able to help you stop the requests to your site. I hope everyone understand this.
I saw all kind of advises as 'delete contact.php', 'add .htaccess rules', etc. This could work in very short term.
Here are blocked requests from the logs on this server:

As you see, there is only one solution - server security software.

Solution?
I can point server owners/shared hosting companies to a solution based on our current experience. It involves an installation of a free software package on a Linux web server, best suitable for RedHat or derivative Linux platforms (read more details about different software requirements below). The solution is fully integrated with Cpanel/WHM server management system.

Additionally, the company behind some applications of this package is offering low cost Cpanel configuration services which allows you to order installation and configuration of all required software on a dedicated server(s) for a very fair price. Learn more about the ConfigServer Cpanel services.

I'll try to explain how the whole is working in few words.
Real time protection (active scanning)
Requests to the server are being analyzed (e.g mod_security rules, suhosin) and temporary blocked if recognized as a hacking attempt. Temporary blocked IPs doesn't have access to the server for 300 seconds (default value). Additionally, number of temporary blocks are resulting in permanent block (csf.deny file). Permanent blocks are added to the server's iptables. The default max number of permanent blocked IPs is 100. You could increase the number if required but be careful:

You should find the appropriate number based on your server resources and the strength of the (eventually) current attack against your server.

Server monitoring (on-demand scanning)
ConfigServer Firewall comes with Login Failure Daemon (lfd) which effectively blocks IPs based on the number of login failures. You should start number of cron jobs for various checks (e.g. rkhunter, Chkrootkit which is not listed here etc). In the end you should be able to be informed about the state of your server just reading email reports once per day. eXploit Scanner (if installed) will add additional server monitoring (beside its active scanning, it's able to perform scanning of files, directories and user accounts for suspected exploits, viruses and suspicious resources).

Just a side note - I'm not saying people who has the software below will be 100% secure. There is no such a thing when you are plugged-in to Internet. I'm just saying you'll be as much secured as possible, it'll work for you in most if not in all cases.
This article is not intending to explain How to protect yourself (installation/configuration instructions) but what to install to be protected. Links to appropriate resources are provided together with every product listed below.

Atomic ModSecurity & ModSecurity Rules
Overview and installation instructions: http://www.configserver.com/cp/csf.html
Additional help by configuring the rules: http://www.atomicorp.com/wiki/index.php/Mod_security
This is a part of the Atomic Secured Linux (ASL) project.
Mod Security is an open-source web application firewall. Atomic Rules are set of predefined mod_security rules which are updated on a regular basis.
For a Cpanel users, the best option is to install mod_security via the Easyapache module. See below why.

ConfigServer ModSecurity Control (cmc)
Product page: http://www.configserver.com/cp/cmc.html
The product provides you with an interface to the cPanel mod_security implementation from within WHM. It gives you additional GUI control over your ModSecurity installation.

Suhosin
Product page: http://www.hardened-php.net/suhosin/
Suhosin is an advanced protection system for PHP installations. It is designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core.

iptables SPI firewall (ConfigServer Firewall - csf)
Product page: http://www.configserver.com/cp/csf.html
You'll find full feature list and all required installation instructions.
You pretty much need 3-4 shell lines:

rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

ClamAV
Product page: http://www.clamav.net/lang/en/
It's an open source (GPL) anti-virus toolkit for UNIX, nothing more or less.

ConfigServer eXploit Scanner (cxs)
Product page: http://www.configserver.com/cp/cxs.html
This is the only non-free product in this list. You may or may not buy & install it. I suggest you install it.
It does active scanning of files as they are uploaded to the server. It has Cpanel GUI control panel.

MailScanner
Product page: http://www.mailscanner.info/intro.html
MailScanner is an e-mail security and anti-spam package for e-mail gateway systems. It supports Clam Anti Virus.

Rootkit Hunter
Product page: http://www.rootkit.nl/projects/rootkit_hunter.html
Rootkit scanner is scanning tool to ensure you for about 99.9%* you're clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running various tests.


Fine tuning
I'll update this section in the future with information about what could break your e107 site installations and how it can be tweaked/re-configured.

Summary - be smart, not paranoid
Panic creates paranoid thoughts. You need to find the balance between security and flawless working web applications on your server(s). People using hosting services want to be secure and not to block the access of half of the world to their sites. I'll try to keep an updated list here in the future of common needed for e107 installation configuration changes needed to make the CMS and its plugins work well (and not to block/ban innocent visitors).

Anyway, the idea is you should be safe enough against both exploit & DOS attacks. I can confirm that the access the contact form on FS is blocked (403 error) very efficient from mod_security currently. There are many blocked daily attempts and no CPU overload on this server. This is the reason I decided to share all this. It may (it should) work for you as well.

The story

Those of you who are using the 'PHP development tools' (PDT ) plugin for Eclipse should know this is the most wanted ever feature from the PDT development team (Zend company). I think I know the reason why it's still not implemented - it's available for the commercial PDT analogue - Zend Studio for Eclipse.

I did a wide research half year ago and didn't find anything even close to useful. The breakthrough came a month ago. I call it pure luck - I don't know how I ended up to a site (free hosted) in totally illegible for me language (Chinese?) except it's title I was able to (almost) understand the rest thanks to Google Translate project.

However I wasn't able to find any reference to the person/team behind this page. If someone can give me information in this matter, please do it. I really wanna say "Thank you" to this guy.

To understand better how lucky I was, I'll tell you that some days later I was trying to open this page with no success - it was restricted to US IP's only (and I'm far from US located).

Requirements

JRE 6.+
Aptana 2.+ (tested on 2.0.2) OR Eclipse 3.4+
Eclipse Web Tools Platform (WTP) 3.+ - tested on v3.1.1
Eclipse Dynamic Languages Toolkit (DLTK) 1.+ - tested on v1.0.1
PHP Development Tools (PDT) 2.+ - tested on v2.1.2

Download

Project URL: http://atlanto.web.fc2.com/pdt/workshop/formatter_plugin.html
Direct download (free-source.net mirror) PDT 1.3: va000137.pdt.tools.formatter_0.92.4.jar
Direct download (free-source.net mirror) PDT 2.x: va000137.pdt.tools.formatter_0.92.4.v20081027.jar

Installation

Copy the downloaded .jar file to your Aptana/Eclipse 'dropin' folder (INSTALL_PATH/dropins), restart Aptana/Eclipse, done. Yep, so easy it is.
Now go to Preferences / PHP / Code Style / Formatter and set your preferred code styling options.

EDIT: Thanks to tgtje who pointed me to PDT Tools project on SourceForge Japan. You can download the most recent version of Code Formatter dropin from there and I can say: "Thank you so much atlanto from sourceforge.jp" :)

Our only wish is to stay close to the community, so we added one more option for 'real time discussions' to our site services - join our newly created channel #fsnet at irc.freenode.net

For those of you not familiar with IRC, here are some nice & popular IRC clients:

• Chatzilla (Fiirefox extension): OS independent
• xChat : available for Windows and Linux (note: windows build requires donation, but you could google for free Windows build)

I'm just sitting in a public area and testing veskoto's new nokia phone and its browser. Well, I need to say 'Good job to all from the FS Team'. There are some small JS bugs, but I'll fix them in a zero time :). It is a time that we need to start optimize all of our work not only for all major browsers, but also for mobile phones. Until then - it's party time!

PS: Sorry for any typos, I'm typing on phone keyboard.

In addition to this I need to say that you can use this great grid system not only with 12 or 16 columns grid. You can also create your own grid based on 18, 20, 22, 24 ... XX columns. The point of 960px is that it subdivides nicely into lots of equal column sizes so is a very versatile width. It also happens to be slightly less than the minimum width you can actually use when a browser is maximized on a 1024 pixel wide display. As you might have heard, we've already created an e107 theme Blue City using this great concept. In this blog post I'll try to explain you how to use 960 Grid System in your e107 themes.

All modern monitors support at least 1024 × 768 pixel resolution. 960 is divisible by 2, 3, 4, 5, 6, 8, 10, 12, 15, 16, 20, 24, 30, 32, 40, 48, 60, 64, 80, 96, 120, 160, 192, 240, 320 and 480. This makes it a highly flexible base number to work with.

Why using a grid sytem?

The answer is very simple. It saves time when writing your HTML and CSS code and is easy to use. It is also very useful in creating the graphic design for your theme.

Tools

You can use various tools in your theme creation process.

• Variable Grid System - http://www.spry-soft.com/grids
  
• Grid System Generator - http://www.gridsystemgenerator.com
  
• 960 Gridder - http://gridder.andreehansson.se
  
• 960-Grid-System Templates - http://github.com/nathansmith/960-Grid-System/tree/master/templates

Graphic Design

Well I'm not a guru in creating graphic concepts, because we have one of the best designers in e107 (and not only e107) Stoewarius, nevertheless I'll show you how to use 960 Grid System in your graphic design. I my all day work I prefer to use Adobe Fireworks for slicing but you can also us Adobe Photoshop. Go to http://960.gs and download the template package.



Inside this package you can find useful templates for your preferred graphic software. I'll use the 12 column one for Fireworks. Browse the package to /templates/fireworks and open 960_grid_12_col.png. As you can see there are 12 red columns and this is your working grid. Every column is 60px wide with 10px left and 10px right margin. The whole width is 960px and the real content width is 940px.



With this template you can easy create you layout. Let say you need in your header logo and banner areas, left column, center column and two menu areas after the header area. I'll not create a real design for a theme, I'll only show you how to use this grid system for your layout.

Using 960.css

The ZIP you've already downloaded (download again) comes with a lot of stuff to help you design with the 960 system, including PDF grid paper, templates for Fireworks, OmniGraffle, Photoshop, Visio, and CSS framework with demo HTML. We'll only used the CSS files, which is all you need for coding your site. The system comes with 3 CSS files.

• 960.css – Sets up the grid system, the 12-, and 16-column containers, alpha, omega, and prefix. This file is necessary to the grid system.
  
• reset.css - “Initializes” the system so that all margins and paddings are 0, outline is 0, etc… This file is necessary to the grid system.
  
• text.css - Sets the font sizes including headers, adds margins to lists, etc… This file is not technically needed for the 960 grid system - we can ignore this file

960.css uses the following classes to structure the page:

• container_XX is used in the outermost box to determine how many columns. You can use container_12 or container_16.
  
• grid_XX is the bread and butter of the system. XX is for how many columns you want the block to be. For example, grid_10 will be 10 columns wide. The exact pixel width is determined by how many columns you’ve divided the grid into.
  
• prefix_XX allows you to add in blank columns before a block. XX specifies how many blank columns you want.
  
• sufix_XX allows you to add in blank columns aftera block. XX specifies how many blank columns you want.
  
• push_xx and pull_xx. These classes can be used for "Content first" layouts.
  
• alpha is for if you have children blocks. If you do this, you’ll want the first child to have no margin on the left side. alpha makes that happen.
  
• omega is similar to alpha, except that it gives no margin on the right side. Use it for the last child
  
• clearfix and clear - Clear Floated Elements, more info at http://sonspring.com/journal/clearing-floats and http://perishablepress.com/press/2009/12/06/new-clearfix-hack

There are lot of tutorials over the web on how to combine and use all this classes.

960 in action

Now it is a time to start creating your first 960gs based theme. Copy 960.css to your theme folder. Open theme.php and add these lines to the theme_head function.

function theme_head() {
echo '
	<link rel="stylesheet" href="'.THEME_ABS.'960.css" type="text/css" media="all" />
';
}

Because theme_head function will load after the main style.css file we need to put the contents of reset.css at the top of your style.css. Copy the code from reset.css and paste it to the top of style.css

The last step is to create your $HEADER and $FOOTER. You can easy create your HTML code for the layout without any line of CSS code. Everthing is don by 960.css.

//In the code below remove the empty space after the " { " (left curly brace )
$HEADER = '
<div class="container_12 clearfix">
	<!-- HEADER BOF -->
	<div class="grid_5">
		<!-- Add your LOGO and SITENAME content here -->
	</div>
	<div class="grid_7">
		<!-- Add your BANNER SHORCODE here -->
	</div>
	<div class="clear"></div>
	<!-- HEADER EOF -->
	
	<!-- AREA 2 BOF -->
	<div class="grid_6">
		{ SETSTYLE=menu_area}
		{ MENU=2}
	</div>
	<!-- AREA 2 EOF -->
	<!-- AREA 3 BOF -->
	<div class="grid_6">
		{ SETSTYLE=menu_area}
		{ MENU=3}
	</div>
	<!-- AREA 3 EOF -->
	<div class="clear"></div>
	
	<!-- AREA 1 BOF -->
	<div class="grid_4">
		{ SETSTYLE=menu_area}
		{ MENU=1}
	</div>
	<!-- AREA 1 EOF -->
	<!-- MAIN CONTENT BOF -->
	<div class="grid_8">
		{ SETSTYLE=center}
';

$FOOTER = '	
	</div>
	<!-- MAIN CONTENT EOF -->
	<div class="clear"></div>
	
	<!-- FOOTER BOF -->
	<div class="grid_12">
		<!-- Add your footer content here -->
	</div>
	<div class="clear"></div>
	<!-- FOOTER EOF -->
</div>
';

As you can see your layout is done by these few lines. The only thing you need to remember is that you always need to add DIV with class CLEAR after every grid column combination. Every grid_xx is floated to the left and you need to clear these floats to start a new "row" with columns.

I hope this post was helpful. Just try 960.gs and you'll find how easy to use is this grid system and how many time you'll save when writing your code. Happy coding !!!

Overview

eCheck Seciruty is a tiny tool for detecting malicious PHP scripts and code portions on your website. It was originally build to check e107 CMS based sites, but it can be actually used on any kind of PHP based projects.
This tool is licensed under GNU General Public License - http://www.gnu.org/licenses/gpl.txt

Before you start using the tool, I have to warn you - DON'T PANIC when you first see the 'suspicious' results. Be sure you read the 'Analyzing the results' chapter.

Download most recent version of eCheck Seciruty here

Shell script (echeck.php)

Copy echeck.php somewhere on your server. In this example I'm copying it in /home/secretr/

[secretr@SecretR /]$ cd /home/secretr/
[secretr@SecretR ~]$ ./echeck.php -v
eCheck 1.0 beta
Report issues or get help on http://free-source.net or irc://irc.freenode.org/e107
[secretr@SecretR ~]$

You can always get quick help

[secretr@SecretR ~]$ ./echeck.php -v
eCheck 1.0 beta
Report issues or get help on http://free-source.net or irc://irc.freenode.org/e107

[secretr@SecretR ~]$ ./echeck.php -h
This is a command line PHP script for checking for/cleaning PHP malicious code.

Usage:./echeck.php [options] /path/to/wwwroot
Options:
-v                      Script version
-I                      Output a list with infected files only
-S                      Output a list with suspected files only
-C                      Clean files (MAKE A BACKUP BEFORE DOING THIS), confirmation is required
-r number            Directory depth level

[secretr@SecretR ~]$

Now, the only thing you need to know is the path to your web root (e107 root for e107 user). In my case this is /home/secretr/public_html and my e107 Installation is located in e107_0.7 folder. There are two alternatives. You could let eCheck know the path to your web root:

$ ./echeck.php -I -S ./public_html/e107_0.7/

or the opposite - navigate to web root and call the script with the proper path:

[secretr@SecretR ~]$ cd public_html/e107_0.7/
[secretr@SecretR e107_0.7]$ /home/secretr/./echeck.php -I -S ./

Here is the output of eCheck scan on fresh e107 v0.7 CVS copy:

[secretr@SecretR ~]$ ./echeck.php -I -S -r 10 ./public_html/e107_0.7/
Directory depth set to 10

./public_html/e107_0.7/backend.php...SUSPECTED (shell execution)
./public_html/e107_0.7/e107_plugins/pdf/pdf.sc...SUSPECTED (shell execution)
./public_html/e107_0.7/e107_handlers/resize_handler.php...SUSPECTED (shell execution)

Files checked: 1040
Files suspected: 3
Files infected: 0
Files cleaned: 0
Clean errors: 0
Clean warnings: 0

NOTE: SUSPECTED DOES N0T MEAN INFECTED! DIFF AGAINST TRUSTED COPY OF SUSPECTED FILES TO BE SURE EVERYTHING IS OK.
SUSPECTED FILES ARE NOT CLEANED!

[secretr@SecretR ~]$

There is (still experimental) cleanup option you could try if eCheck finds files marked as INFECTED. I recommend to make a backup of your files first. Additionally, you need write permission on all checked files (e.g. run eCheck as root) and your PHP version should be at least 5.0.
I'll put infected and real malicious files inside my local e107 system to show you what happens:

[secretr@SecretR ~]$ ./echeck.php -C -I -S ./public_html/e107_0.7/
Directory depth set to 100

Did you make a backup? Be sure you did it!  Type 'yes' to continue:

You need to confirm (type yes and press enter) to continue the operation

[secretr@SecretR ~]$ ./echeck.php -C -I -S ./public_html/e107_0.7/
Directory depth set to 100

Did you make a backup? Be sure you did it!  Type 'yes' to continue: yes
./public_html/e107_0.7/echeckwww.php...SUSPECTED (eval/base64_decode found)
./public_html/e107_0.7/backend.php...SUSPECTED (shell execution)
./public_html/e107_0.7/index.php...INFECTED...CLEANED
./public_html/e107_0.7/e107_plugins/pdf/pdf.sc...SUSPECTED (shell execution)
./public_html/e107_0.7/e107_files/public/shell.php...SUSPECTED (eval/base64_decode found)
./public_html/e107_0.7/e107_handlers/resize_handler.php...SUSPECTED (shell execution)

Files checked: 1043
Files suspected: 5
Files infected: 1
Files cleaned: 1
Clean errors: 0
Clean warnings: 0

NOTE: SUSPECTED DOES NOT MEAN INFECTED! DIFF AGAINST TRUSTED COPY OF SUSPECTED FILES TO BE SURE EVERYTHING IS OK.
SUSPECTED FILES ARE NOT CLEANED!

[secretr@SecretR ~]$

Our index.php was infected with known infection, so eCheck was able to clean it. Note we have one new line - './public_html/e107_0.7/e107_files/public/shell.php'. We'll talk about this one later.

One last example - let's execute eCheck as root (your current user should be sudoer), output everything (all checked files) and write the output to a file - log.txt in our case.

[secretr@SecretR ~]$sudo ./echeck.php ./public_html/e107_0.7/ > ./log.txt
[secretr@SecretR ~]$cat log.txt | more
Directory depth set to 100

./public_html/e107_0.7/install_.php....CHECKING...OK
./public_html/e107_0.7/user.php....CHECKING...OK
./public_html/e107_0.7/rate.php....CHECKING...OK
./public_html/e107_0.7/search.php....CHECKING...OK
./public_html/e107_0.7/online.php....CHECKING...OK
./public_html/e107_0.7/fpw.php....CHECKING...OK
./public_html/e107_0.7/print.php....CHECKING...OK
./public_html/e107_0.7/upload.php....CHECKING...OK
./public_html/e107_0.7/page.php....CHECKING...OK
./public_html/e107_0.7/links.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_notify.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_np.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_usersettings.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_membersonly.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_sitelinks.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_upload_handler.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_fpw.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_download.php....CHECKING...OK
--More--

Scan via a browser (echeckwww.php)

For those who don't have shell access to their sites (most common case for shared hosting) there is an alternative.
Copy echeckwww.php to your site root (in my case /home/secretr/public_html/e107_0.7/) and just call it in your favorite browser like this:
yoursite.com/echeckwww.php
You should see something like this (click to enlarge)


Keep in mind you don't have any options you can set in this case. Auto-clean is not available as well

Analyzing the results

Scripts are analyzed in two ways:

• Known infections - based on hackers code infection that I inspected in the time - files are added to output list as INFECTED, auto-cleaning is possible in some cases - on your responsibility though ;)
• Suspected infections (heuristics) - based on most common hackers habits - files are added to output list as SUSPECTED, cleaning is not possible

Suspected doesn't mean files are infected in some way. Most of the phrases (generic php functions) are used in all kind of software. The process of analyzing the results is your responsibility. If you know the structure of your site, and you have generic knowledge of 'what, where happens', it would be easy to identify the problems (if there are any).

I'll use the example above, more precisely this line from our latest shell example:

./public_html/e107_0.7/e107_files/public/shell.php...SUSPECTED (eval/base64_decode found)

Every e107 user should know that /e107_files/public/ folder should not contain any scripts. Experienced admins would know what to do from now on - checking the file last modified date and investigating the Apache logs to find out how was this file uploaded on the server, eventually reporting the problem to e107 core team.
In other hand we see

./public_html/e107_0.7/backend.php...SUSPECTED (shell execution)
./public_html/e107_0.7/e107_plugins/pdf/pdf.sc...SUSPECTED (shell execution)
./public_html/e107_0.7/e107_handlers/resize_handler.php...SUSPECTED (shell execution)

lines are appearing on and on. These are the false positives I'm talking about. You'll have many of them on a live site with a lot of 3rd party code. You just need to investigate all you see - it's pretty easy to distinguish malicious from creative code.

Where can I get help?

• Support forums
  Use support forums to report problems or just give me a feedback.
• irc://irc.freenode.org/e107
  Get help on e107 IRC channel