Yes, CMSs can be

Renegade — Wed, 24 Feb 2010 03:33:15 +0000

Yes, CMSs can be targets/hosts of scams - which is why it is a good idea to throughly research the CMS you want to use and keep up with security updates from them.

This of course doesn't mean that you should not use CMSs at all though because generally speaking, any website can be the host or target, it just depends on what security models you have employed.

Best way of not getting targeted which is 100% effective is to not have it up in the first place

When you say third party

jj1 — Mon, 22 Feb 2010 15:26:49 +0000

When you say third party scripts, could a content management system be the host for scams like this? I ask as we're just looking into getting a CMS and have wondered about security.

As others have pointed out,

JeevesBond — Fri, 08 Jan 2010 23:48:52 +0000

As others have pointed out, this is mostly caused by out-of-date third-party scripts. Since scamming has become big business, attacks are almost all automated these days; for example, I can guarantee that since you posted this our server has been probed for Wordpress, Joomla!, phpBB vulnerabilities (among others) by bots.

As for the action to take, I’m not so sure. You could ask your hosting company if they’re interested in seeing your log files and the scripts uploaded by the crackers.

Another avenue of attack is a weak SSH or FTP password, so make sure you change those.

In cases I've investigated

Shaggy — Thu, 07 Jan 2010 20:14:16 +0000

In cases I've investigated like you describe, the culprit is often a popular third party script someone has installed that they've not kept updated, or just was not well written.

Usually the attacker first takes advantage of an open upload function that allows them to put their own scripts on the server that they access via http(s).

Some are just gateways that allow them to run commands on the shell via passthru / etc. Others are quite sophisticated and scan for other vulnerable services / libraries on the machine. Check your upload directories / web roots for anything the webserver created /owns. Anything that could be executed is a candidate.

Once you are clean secure those upload functions... and make sure anything uploaded can:
1) Only be written to a single place
2) Nothing in that place can ever be executed.

Cheers,
Shaggy.

It looks like they set up

pr0gr4mm3r — Thu, 07 Jan 2010 12:11:03 +0000

It looks like they set up your site for a spoofing operation. I would be curious as to what those scripts contained. I'm guessing it was collecting Bank of America passwords and emailing them to the hacker. If you know PHP, you should be able to find the email address for the hackers in those scripts.

One time, I found a similar script that emailed that information to someone. What I did was redirect that email to myself and submit the form to see what that email looked like, and then sent several emails of that format to the hacker's account, flooding him with bogus information. I'm not recommending it, but if you are looking for payback...

As far as your site, I would update everything to the latest version and check your file permissions. If your server setup has suPHP or suExec running, ALL files should only be writable by you (not 0777).