Config File Hacked?

Shadowdare

My config file was either hacked or there was some glitch with Vanilla. On my Vanilla config.php file all that it says now is:
<?php if (!defined('APPLICATION')) exit();

// Garden
$Configuration['Garden']['Analytics']['LastSentDate'] = '20110127';

// Last edited by THEUSERNAME (his IP)2011-02-05 07:12:21

My Vanilla index only displays the installation page. Is this a bug with Vanilla or has it actually been hacked? I managed to get my forum back up though. Seems to be an urgent Vanilla problem, @Mark. If so, I wonder how it can be replicated.

I notice that when I edit a setting in the dashboard by being an admin myself, that it leaves a last edited by comment at the bottom of the config.php file. How can the user have did this and where did all the other variables go to?

The user said that he was submitting a post before this happened.

UnderDog

It is a really interesting problem, yes. Did you save the config file that was overwritten by THEUSERNAME? Maybe there's something you can see in there that he did.

Maybe it's also time to start discussing taking some config files outside the document root :-)

Shadowdare

Yes, I replaced his username with THEUSERNAME to indicate who he was. I think that the "// Last Edited" line is generated by Vanilla when a setting in the dashboard is modified by an admin. This user doesn't have access to that but it just happened when he was posting a reply. The config file is in the /conf folder. This whole problem is weird.

I saved the config.php file that was overwritten by the user. I already copied and pasted all of the text into my first post here in the yellow highlighted text. I'm not sure what posting a reply has to do with the config file, though.

whu606

The same thing happened to me twice yesterday, and once today.

The most recent instance left this in my config file:

<?php if (!defined('APPLICATION')) exit();<br />
// Garden
$Configuration['Garden']['Analytics']['LastSentDate'] = '20110117';

// Last edited by Don'tShowAUserName (NEVERshowIP'sInForumThreads)2011-02-06 04:53:14

There's no way the user involved would have intentionally tried to cause this behaviour.

As far as I can tell, the user had no activity beyond browsing the forum when the file was rewritten.

I thought it related to the WhoIs plugin, but now know that it doesn't.

I've removed all write permissions from config for the meantime.

UnderDog

@Mark or @Tim

Shadowdare

If it is related to plugins then I might as well list the ones I'm using: Emotify (which keeps getting disabled at random times, but now it's good), Flagging, Mark All Viewed, Minify, Tagging, Vanilla ProxyConnect, and Vanilla Statistics.

I'm guessing the Analytics variable is related to Vanilla Statistics. If so, then maybe there is something wrong with the plugin. I don't use the WhosOnline plugin so it may be something else.

garymardell

It wouldn't have to be the stats plugin because it must auto write every so often when it updates. However that is the only new addition I see to the vanilla codebase. I will have a try at bug hunting but vanilla guys will know best.

Shadowdare

It's very weird. Like you said, I guess only the Vanilla guys will know.

leafboxtea

@mark @tim @lincoln - highlighting this again. It just happened to me to. I upgraded to latest Vanilla about a day ago. I think shows this is not an isolated server or host issue.

Any news on this?

martz

it seems to be a bug: http://vanillaforums.org/discussion/comment/135505#Comment_135505

Shadowdare

Thanks.

martz

Omg, it now happened to me too last night! I am glad that I read this topic and could fix it really fast.

Unfortunately the forum has been offline for quite some time during peak hours, my mailbox was filled with a lot of confused user e-mails.

The quick fix for me is to chmod the config.php to 555 - this would disallow the www-data user to write the file. I guess this should work.

smoigecom

// Last edited by Unknown (ip)2011-05-20 00:04:31

The config.php file should only be edited by the admin right?

Aolee

// Last edited by Unknown (ip)2011-05-20 00:04:31

The config.php file should only be edited by the admin right?

i had experienced this one tooo. i was just lucky i made a backup 5mins early before my config.php got changed by "unknown".

smoigecom

Everything still works. This sucks! I ll just chmod it to 555 like martz said. Would a htaccess file that allows just one ip access to the conf folder work?

Lincoln

No, it would not.

dandv

Just had the same issue with 2.0.17.10 - config.php edited by some random IP.

UnderDog

See a piece of text from Tim here:
http://vanillaforums.org/discussion/comment/141233#Comment_141233